White Paper. Understanding the Layers of Wireless LAN Security & Management

Transcription

1 White Paper Understanding the Layers of Wireless LAN Security & Management While a wireless LAN can be installed by simply plugging an access point into an Ethernet port, an enterprise wireless LAN deployment requires a more thought-out plan that incorporates advanced security and management technologies. Layered Approach to WLAN Security Over the last year, analysts and media have documented and publicized vulnerabilities of wireless LANs, such as encryption that can be broken and rogue access points that allow intruders to connect to your network. Standards Woes Plague WLAN Security Computerworld, July 2003 The Threat from the Inside New WLAN Attacks Identified InformationWeek, April 2003 Wi-Fi Planet, August 2003 Cisco Warns its WLAN Security Can Be Cracked Computerworld, October 2003 Through year-end 2004, employees' ability to install unmanaged access points will result in more than 50 percent of enterprises exposing sensitive information through WLANs. Gartner, September 2002 WLAN Chip Sets Open a New Door to Insecurity Computerworld, July 2003 These reports focus on breaking encryption, the risk of unauthorized access points connected to the wired network, and the failure of enterprises to incorporate security into their wireless LANs. The attention on the pitfalls of wireless LANs has inspired some enterprises to ban wireless LANs altogether, but any organization that utilizes laptop computers faces the risk of these easily becoming wireless stations that introduce security risks. However, security-conscious enterprises are fortifying their wireless LANs with a layered approach to security that resembles the accepted security practices of wired networks. This layered approach to security addresses all network components by locking down the wireless LAN's perimeter, securing communication across the wireless LAN, and monitoring network traffic. In fact, Gartner outlined the three must have requirements for enterprise wireless LANs: * Install a centrally managed firewall on all laptops that are issued wireless network interface cards or are bought with built-in wireless capabilities. This protects against ad hoc WLAN connections and Internet attacks when users connect to public hot spot Internet providers. * Perform wireless intrusion detection to discover rogue access points, foreign devices connecting to corporate access points and accidental associations to nearby access points in use by other companies * Turn on some form of encryption and authentication for supported WLAN use. Gartner, July 2003 Secure Wireless LAN Devices Like installing a door on a building to keep passersby from wandering in, enterprises must control the perimeter of their enterprise networks. For the traditional wired LAN, this was accomplished by installing firewalls to control the entry point to the network. However, wireless LANs present greater challenges from the hard-to-control nature of radio transmissions. With data and network connections broadcasting across the air and through windows, walls, floors, and ceilings, the perimeter of a wireless LAN can be as difficult to control as it to define. However, enterprises can control the perimeter of a wireless LAN by securing their WLAN devices that act as the endpoints of the network. Perimeter control for the wireless LAN starts with deploying personal firewalls on every wireless-equipped laptop and also includes a deployment of enterprise-class access points that offer advanced security and management capabilities. The wireless LAN should be segregated from the enterprise wired network as part of a VLAN to allow for wireless-specific management and security policies that do not affect the wired network. All access points should be completely locked down and reconfigured from their default settings. The SSIDs and Copyright 2003, AirDefense, Inc. Page 1

2 Data Protection Technology WEP 802.1X LEAP PEAP WPA TKIP Description Wired Equivalency Privacy Original security standard for wireless LANs. Flaws were quickly discovered. Freeware, such as WEPCrack, can break the encryption after capturing traffic and recognizing patterns in the encryption. (Industry standard) As the IEEE standard for access control for wireless and wired LANs, 802.1x provides a means of authenticating and authorizing devices to attach to a LAN port. This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network. University of Maryland professor published vulnerabilities in early (Adopted industry standard) Lightweight Extensible Authentication Protocol Based on the 802.1x authentication framework, LEAP mitigates several of the weaknesses by utilizing dynamic WEP and sophisticated key management. LEAP also incorporates MAC address authentication as well. (Developed by Cisco) Protected Extensible Authentication Protocol Securely transports authentication data, including passwords and encrpytion keys, by creating an encrpyted SSL/TLS tunnel between PEAP clients and an authentication server. PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs. (Developed by Cisco, Microsoft, and RSA Security) Wi-Fi Protected Access Subset of the future i security standard. Designed to replace the existing WEP standard. WPA combines Temporal Key Integrity Protocol (TKIP) and 802.1x for dynamic key encryption and mutual authentication. (Industry standard adopted in 2003) The Temporal Key Integrity Protocol, pronounced tee-kip, is part of the IEEE i encryption standard for wireless LANs. TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP. (Industry standard) passwords of the access points should be changed from their default names. Some organizations choose to establish set channels of operation for each AP to identify all off-channel traffic as suspicious activity. Secure Communication Authentication & Encryption In deploying secure wireless LANs, IT security and network managers face the most difficult decision in choosing how to secure WLAN communication with multiple forms of authentication and encryption. Like installing locks and keys on a door to control who can enter, the next layer of wireless LAN security is to control which users can access the wireless LAN. To provide basic authentication, most access points support simple MAC address filtering that maintains a list of approved stations' MAC addresses. While this is not foolproof, MAC address filtering provides basic control over which stations can connect to your network. Organizations that rely upon MAC address filtering for access control leave themselves vulnerable to simple identity thefts as mentioned in Chapter 2. Larger enterprises with more complex wireless LANs with hundreds of stations and dozens of access points require more sophisticated access control through incorporating remote authentication dial-in service (RADIUS) servers. Cisco Systems, Microsoft, and Funk Software are recognized leaders in this area. In regards to industry standards, the IEEE introduced 802.1x to provide port-based access control, which incorporates a central authentication server. However, some versions of 802.1x have been shown to be vulnerable to hackers. (See An Initial Security Analysis of the IEEE 802.1x Standard a paper by University of Maryland professor William Arbaugh.) Cisco introduced Lightweight Extensible Authentication Protocol (LEAP) as a proprietary authentication solution that is based on 802.1x but adds proprietary elements of security. LEAP has its own security issues, and Cisco is moving away from LEAP toward Protected Extensible Authentication Protocol (PEAP). Encryption provides the core of security for wireless LANs by protecting the data that crosses the airwaves. However, fail-proof encryption and authentication standards have yet to be implemented. Temporal Key Integrity Protocol (TKIP) has been introduced to address the flaws of WEP with per-packet key mixing, a message integrity check and a re-keying mechanism. New industry standards and proprietary solutions are now being introduced to handle both encryption and authentication. Cisco, RSA Security, and Microsoft developed PEAP as one of these proprietary solutions. However, Microsoft and Cisco have separated their PEAP development efforts and introduced their own versions of the protocol. Microsoft s version of PEAP does not work with Cisco s version of PEAP. While Microsoft is bundling its version of PEAP on the desktop, Cisco s version of PEAP requires client software to be installed and managed on each WLAN user stations. In April 2003, the Wi-Fi alliance launched Wi-Fi Protected Access (WPA) as a subset of the future i security standard based on TKIP. Most vendors have announced that existing access points can be upgraded to support WPA with a firmware upgrade. However, new access points will be needed once i is finally ratified. Copyright 2003, AirDefense, Inc. Page 2

3 Virtual Private Networks or WLAN gateways provide another alternative to standards-based encryption and authentication. Traditional firewall and VPN gateway vendors, such as Check Point and NetScreen Technologies, offer VPNs that funnel all traffic through their existing VPN gateway. These VPN solutions are generally IPSec based and do not work well with wireless LANs where users roam between access points or signals may vary and drop off, which forces the user to re-authenticate and begin a new session. Vendors, such as Bluesocket, ReefEdge, and Vernier Networks, offer wireless LAN gateways that include added features for network roaming and bandwidth management that are tailored to wireless LANs. Another segment of wireless VPN vendors, including Fortress Technologies and Cranite Systems, offer more secure solutions with Layer 2 encryption. While VPNs provide strong encryption and authentication, most require client-side software, which introduces management headaches. WLAN Monitoring Like a video camera that monitors all activity in a secure building 24 hours a day, a critical layer of wireless LAN security requires monitoring of the network to identify rogue WLANs, detect intruders and impending threats, and enforce WLAN security policies. As an example of the need for monitoring, access points that are upgraded for WPA must be monitored to ensure the access point remains properly configured, according to Gartner. WPA access points must be configured to disable legacy WEP security because the access points may still accept WEP client connections Security is handled in the access point, reaffirming the need for validation of access-point implementation. Gartner, July 2003 WLAN monitoring must scale to fit the specific needs of an enterprise. Some piece-meal solutions work for smaller organizations but do not scale for large enterprises with dozens or hundreds of locations around the world. Large enterprises require a cost-effective solution that can be centrally managed and does not overtax personnel resources. Manual site surveys are particularly unreasonable for enterprises operating dozens of offices around the country or retailers with hundreds of stores. Even if these organizations could feasibly devote a network administrator's full attention to survey each site on a daily, weekly, or monthly basis. Wireless LAN security experts advocate 24x7 monitoring of the airwaves to secure wireless LANs by identifying rogue WLANs, detecting intruders and impending threats, and enforcing WLAN security policies. To truly secure wireless LANs, enterprises must monitor their airwaves to detect intruders and threats that can come from unscrupulous hackers and well-meaning employees. Monitoring the airwaves of a wireless LAN is an essential element of security that should also include advanced encryption and authentication. Gartner, November 2002 AirDefense pioneered real-time, 24x7, stateful monitoring of wireless LANs with a distributed system of remote sensors that passively monitor all WLAN activity and report back to a central appliance that analyzes the traffic for threats, attacks, and policy violations. This approach scales to support wireless LANs in a single office or hundreds of access points in dozens of locations around the world. WLAN Management Requirements Just as wireless LAN security mirrors security of the wired network, the same holds true for wireless LAN management. Network managers should already be familiar with the general requirements of managing wireless LANs but must implement wireless-focused solutions for fault diagnostics, configuration management, accounting for network usage, performance monitoring, and policy enforcement. Managing a small wireless LAN deployment of 5 or 10 access points can be easily accomplished with the builtin functionality of access points. However, managing a larger wireless LAN deployment of dozens or hundreds of access points in a corporate campus or in multiple locations across the country requires add-on solutions that scale to support the distributed nature of the network. These wireless LAN management requirements can be satisfied with a combination of 24x7, real-time monitoring of the airwaves and wired-side solutions offered by WLAN infrastructure providers, such as Cisco Systems and Symbol Technologies. Numerous start-up companies, such as Aruba Networks and Trapeze Networks, have introduced wireless LAN switches for an integrated approach to managing all access points in a network. However, most WLAN management systems are often limited by their ability to only manage access points manufactured by the vendor of the WLAN system. Copyright 2003, AirDefense, Inc. Page 3

4 Configuration Managing a wireless LAN's configuration across all access points and stations often provides a major challenge to network managers. At the most difficult level, each device must be touched to ensure proper settings for security, performance, and policy compliance. WLAN management offerings, such as Cisco's Wireless LAN Solution Engine (WLSE) or Symbol's Wireless Switch System, can remotely manage access point configuration and apply multiple configuration templates to various segments of a wireless LAN. Managing the user configurations provides a bigger challenge because network managers may not have direct access to all stations, and touching each station can be a time-consuming project. Real-time monitoring of the airwaves complements wired-side configuration to ensure that access points and stations remain in their defined configurations. Power surges or outages can reset access points to default settings. Employees can alter device settings to allow for open network access. Analysis of the WLAN traffic while in the air identifies these network misconfigurations. Fault Diagnostics Employees and users can benefit from the wireless LAN only when it is up and running. Responding to support calls can be an overwhelming task for an IT department responsible for supporting wireless LANs in remote locations. WLAN management offerings, such as provided by Cisco and Symbol, can poll network devices from the wire to observe device characteristics and attributes and alert operational staff to some issues. For a higher level of fault diagnostics, real-time monitoring of the airwaves continuously surveys WLAN devices to analyze traffic patterns and alert network managers of device failures and excessive noise in the air that cripples a WLAN. With 24x7, real-time vigilance, wireless monitors alert network managers to network failures the minute they arise. Performance Monitoring After first ensuring that the network is up and running, network managers must then analyze the performance of a wireless LAN to guarantee a maximum return on investment. WLAN management tools, such as Cisco WLSE, can provide some performance information about specific access points by polling information from the wire. In addition, real-time monitoring of the airwaves identifies performance issues that can only be seen from the air, such as signal degradation from channel overlap, frequency interference from non devices, and excessive overloading of an access point. Accounting Network Usage Much like fault diagnostics and performance monitoring, accounting for network usage is accomplished with a combined approach that includes a WLAN management platform and 24x7 monitoring of the airwaves. Network management platforms from the likes of Cisco and Symbol track WLAN stations connecting to various applications on the wired side of the network for inhouse accounting purposes. Monitoring of wireless LAN traffic across the airwaves allows network managers to track the network usage based on the peak capacity of each access point and the highest bandwidth-consuming stations and access points. This allows network managers to plan for additional capacity as needed and deal with individual users who abuse the WLAN by downloading large, non-business related files, such as MP3s. Policy Enforcement Policy compliance across the wireless LAN touches almost every aspect of network management and security. Network policies govern wireless LAN configuration, usage, security settings, and performance thresholds. However, security and management policies are useless unless the network is monitored for policy compliance and the organization takes active steps to enforce the policy. Real-time, 24x7 monitoring of WLAN traffic identifies policy violations for: Rogue wireless LANs including Soft APs; Unencrypted or unauthenticated traffic; Unauthorized stations; Ad hoc networks; Default or improper SSIDs; Access points and stations operating on unauthorized channels; Insecure stations with default Windows XP settings; Off-hours traffic; Unauthorized vendor hardware; Unauthorized data rates; and Performance thresholds that indicate the overall health of the wireless LAN. Copyright 2003, AirDefense, Inc. Page 4

5 The AirDefense Solution AirDefense provides the industry s only security appliance for wireless LANs to discover wireless LAN vulnerabilities, enforce security policies, and detect and respond to intruders. More simply put, AirDefense is a wireless LAN intrusion protection and management system that discovers network vulnerabilities, detects and protects a wireless LAN from intruders and attacks, and assists in the management of a wireless LAN. AirDefense: (i) Discovers vulnerabilities and threats such as rogue APs and ad hoc networks as they happen; (ii) Secures a wireless LAN by detecting intruders and attacks and eliminating those threats; and (iii) Provides a robust wireless LAN management functionality that allows users to understand their network, monitor network performance, and enforce network policies. Remote Sensors & Server Appliances The AirDefense solution consists of distributed sensors and server appliances. The remote sensors sit near Access Points to monitor all wireless LAN activities and report back to the server appliance, which analyzes the traffic in real time. The remote sensors: Are deployed near access points; Provide 24x7 monitoring of all wireless LAN activities; Capture wireless traffic from access points and stations; and Report to a back-end server where they are centrally managed. The server appliances: Analyze traffic in real time; Discover wireless LANs and rogue deployments; Detect intrusions and impending threats; Disconnect intruders and protect against attacks; Enforce wireless LAN policies; Monitor wireless LAN performance and troubleshoot network issues; Offer a secure web-based interface; and Provide comprehensive reporting. AirDefense Functionality The State-Analysis Engine, Multi-Dimensional Detection Engine, ActiveDefense technologies power AirDefense s core functionality to discover all rogue WLANs, protect against intruders and attacks, enforce network policies and provide operational support for WLANs. Rogue Detection Because new risks can arise with the easy deployment of unauthorized Access Points or an intruder driving into the parking lot, WLANs must be constantly monitored for new unauthorized devices. AirDefense provides 24x7 vigilance to identify rogue wireless LANs the minute they appear in your airspace. Intrusion Detection & Protection AirDefense provides the greatest level of WLAN security with effective measures that include 24x7, realtime monitoring of wireless networks, intrusion detection, attack prevention, and forensic auditing. By statefully monitoring WLANs in real time, AirDefense provides critical information regarding suspicious or late night activities, unauthorized stations scanning your network, and attacks against your WLAN stations and access points. AirDefense is designed to accurately detect: Identity theft By stealing an authorized MAC address, an intruder has full access to the network. However, AirDefense tracks the digital fingerprints vendor-specific characteristics and personal trademarks of authorized users to identify intruders in the network. Denial-of-Service (DoS) attacks AirDefense quickly recognizes the early signs and protocol abuses of a DoS attack that jams the airwaves and shuts down a WLAN. Man-in-the-Middle attacks By posing as an Access Point, intruders can force workstations to disassociate from authorized Access Points and route all traffic through the intruder. The intruder can then gain access to the network by posing as an Copyright 2003, AirDefense, Inc. Page 5

6 authorized user and simultaneously operating on multiple channels. AirDefense detects man-in-themiddle attacks by ensuring that Access Points only operate on set channels and proper protocols are used. AirDefense recognizes these and other attacks and can eliminate any direct attacks by using ActiveDefense technologies. AirDefense integrates with enterprise WLANs and can command an Access Point to drop its connection to a malicious station. By monitoring wireless device traffic, AirDefense can isolate, prevent, or mitigate network intrusions and subsequent downtime. InfoWorld, March 2003 AirDefense provides a forensic database to audit a WLAN with a minute-by-minute report on the status of each Access Point and wireless station. AirDefense documents all information it gathers into a relational database that becomes a source of detailed traffic history. The database can pinpoint which systems were targeted with what type of attack and can provide the play-byplay detail of how the attack occurred and can track if the attacker had previously visited the network for reconnaissance or a prior attack. Policy Enforcement With 24x7 monitoring of all WLAN activity, AirDefense powers enterprises to enforce WLAN policies to maximize network performance, and reduce exposure to inherent security flaws of wireless LANs. The policy manager is used to define, monitor, and enforce business rules for WLANs such as: Off-hours traffic Notify security managers of latenight traffic. Ad hoc networking Prohibit the use of this common feature where standard wireless networking cards can easily be configured to establish direct laptop-to-laptop connections without an Access Point. Channels Limit Access Points to operate only on authorized channels. SSIDs Prohibit unmasked broadcasts of Service Set Identifiers. WEP usage Require all WLAN traffic to be encrypted with WEP. Once a policy violation is identified, AirDefense can use its ActiveDefense technologies to enforce most policies by reconfiguring network devices or commanding an Access Point to disconnect from a station that violates the WLAN policy. Health Monitoring & Operational Support By constantly monitoring wireless activity, AirDefense provides a comprehensive solution to monitor the health of the WLAN and provide operational support that maximizes network performance. AirDefense gives network administrators a complete survey of the network to troubleshoot problems, make better decisions, and plan for future implantations and upgrades. Threshold monitoring enabled me to see the overall health of my deployed access points so I would know if I needed to deploy more access points in a certain area to alleviate wireless bottlenecks or f there was a possible access point failure that otherwise would have gone unnoticed. Federal Computer Week, April 2003 AirDefense s WLAN management functionality is based upon: WLAN network view & characteristics AirDefense gives network managers a real-time view of a WLAN with detail into network usage and inventory of Access Points and stations. Network administrators are given a survey of all authorized Access Points and stations and quickly view any new users, network failures, or new security threats. Fault diagnostics A key management feature includes fault diagnostics that track CRC errors from failed connections, interference from neighboring WLANs, network misconfigurations, and a complete history of network and station failures. Rather than manually backtracking through the last known actions before failure, network administrators are given detailed information on exactly what happened leading up to the problem. Performance monitoring Information gathered allows network administrators to monitor performance of WLANs by identifying usage characteristics and bandwidth hogs who tie-up the network with capacity-draining activities, such as trading MP3 files. Appropriate actions can then be taken to curb such network abuses and boost network performance. Capacity planning With historical data of network usage related to individual Access Points and the overall WLAN, administrators can plan for appropriate network capacity by monitoring network usage over time to make better decisions for adding additional Access Points or wired-end capacity. Overall system reporting is the key benefit of AirDefense, not only as an aid to security auditing but as a troubleshooting and performance-planning tool. I am not aware of any other WLAN product that provides the same level of detail and flexibility for reporting. Network Computing, May 2003 Copyright 2003, AirDefense, Inc. Page 6

7 Alarms & Reports AirDefense includes a highly accurate alarm manager to alert IT administrators and security managers to identified rogue WLANs, intrusions and attacks, policy violations, and performance issue. The alarm manager intelligently filters and aggregates events. Alarms can be sent via , page, or SNMP traps to other network management applications. Detailed reports are provided to document and summarize all network activity. AirDefense comes with dozens of default reports and allows users to customize their own reports to query for specific information. The State-Analysis Engine and Multi-Dimensional Detection Engine power AirDefense s core functionality to discover wireless LAN vulnerabilities, protect against intruders and attacks, and manage the wireless network. About AirDefense, Inc. AirDefense is a thought leader and innovator of wireless LAN security and operational support solutions. Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and now provides the most advanced solutions for rogue WLAN detection, policy enforcement, intrusion protection and monitoring the health of wireless LANs. As a key element of wireless LAN security, AirDefense complements wireless VPNs, encryption and authentication. Based on a secure appliance and remote sensors, AirDefense solutions scale to support single offices, corporate campuses or hundreds of locations. Blue chip companies and government agencies rely upon AirDefense solutions to secure and manage wireless LANs around the globe. For more information or feedback on this white paper, please contact: AirDefense, Inc Northpoint Parkway, Suite 100 Alpharetta, GA phone: info@airdefense.net Copyright 2003, AirDefense, Inc. Page 7