Secure Your Wireless Network
4/15/2004 By: Jane Bloomquist and Atif Musa
Imagine a completely wireless school, an open network in which all students and staff can roam around using laptops or handheld computers to browse the Internet, access files and applications on the school server, and communicate with each other and the world via e-mail.
It's a great picture — and at some schools the future is already here. But while wireless provides flexible, portable connectivity, with prices dropping rapidly as the technology becomes a commodity, it also brings attendant security challenges for which there are currently no easy answers.
For starters, most traditional network security methods schools are used to employing are incompatible with wireless technology; unlike wired networks, signals travel through the air as radio waves with no clearly defined boundaries. Complicating this is the fact that Wired Equivalent Privacy, the original industry standard protocol for securing wireless networks, can be easily cracked by malicious users unless additional safeguards are in place. Finally, without proper security measures, troublemaking students or others could potentially set up rogue wireless access points to gain unfettered access to your wired network.
Given these challenges, how do you provide the ideal wireless network while still offering the level of security needed? The first step is to establish an overall security policy, components of which were covered in Parts 1 and 2 of this series. Included in this document should be a section addressing concerns specific to your wireless network: everything from who gets access and how, to which encryption protocols you'll use. With that in mind, outlined below are key issues you'll need to consider when implementing a wireless network or shoring up the one you already have.
Did you know wireless hotspots can extend up to several hundred feet from their primary installation point? Consequently, many schools consider the possibility of providing public Internet access to the nearby community, hooking up computer users in the playground or even residential housing across the street. In fact, there's a popular movement afoot that encourages such open networks (www.freenetworks.org). The problem with this type of open access, however, is that without proper security safeguards it could put your entire electronic environment at risk. If you absolutely must provide Internet access to the public, we strongly recommend this traffic never touch your school's or district's network. You can engineer this by putting the community network on its own firewall interface or, at a minimum, in your secure perimeter server network. In addition, IT staff managing large environments can configure routers so community traffic tunnels to the Internet without "touching" your internal network.
To protect administrative data, including grades and attendance, it is important to put students on their own network. If your student computers and network do not contain sensitive personal information such as identities, e-mail addresses, street addresses, social security numbers, and so forth, you should be able to guard the network using wireless equipment based on the older, less secure Wired Equivalent Privacy standard. However, if your students are experienced computer users, it's much safer to deploy wireless equipment configured with newer, harder-to-crack encryption protocols such as 802.1x, EAP, and LEAP (see "What's the Protocol?" below for more information).
Given the sensitive nature of administrative data, including student identification and health information, any wireless connections carrying this traffic should be secured using advanced encryption methods (for more details, refer to the Encryption Methods section below).
Critical to any successful wireless security plan is control of network access. This is easily accomplished through Virtual Local Area Network technology, which is built into most business-class switches and can be easily configured through the switch interface. (Inexpensive switches for home use, such as those from Best Buy, do not come with VLAN capabilities.) In a nutshell, a VLAN allows you to divide your network into segments, creating multiple discrete networks within your one physical network and allowing traffic to be filtered between them. For example, computers used by administrators should be segmented and filtered from instructional computers used by students, especially when computer use is unsupervised. Likewise, your wired administrative networks should be separated via VLAN from your wireless networks.
Think of VLANs as intersecting highways where control signals are needed. Adding more VLAN zones is like adding more highways, and your network will require more traffic control. If your traffic filtering requirements are basic, you may be able to get away with configuring your router with access lists. Otherwise, a firewall with several physical ports may be needed. As firewalls with more than three physical ports are expensive, consider purchasing a secondary firewall that is used specifically to control traffic between internal networks.
Built into all wireless access points are configuration tools to help secure the network. An important step is to change the network name configurations, also known as Service Set Identifiers, or SSIDs, from their factory defaults, which typically allow completely open access. To do this, open the AP manager application that comes with the product. The default screen for the application usually provides a space to change the network name. If not, you can find it by clicking through the tabs. Be sure to avoid using an obvious SSID such as the name of your school or district. Also, turning off the broadcasting feature adds an extra level of safety by not revealing the SSID to potential intruders.
As mentioned above, Wired Equivalent Privacy is the original encryption protocol for wireless networks that practically all manufacturers have incorporated into their access points. It's effective in discouraging the casual snooper or inexperienced attacker, and also has the advantage of having the broadest range of support among wireless vendors (including support for PDAs and other lightweight devices). Most wireless access points come with WEP disabled, so be sure to enable it via the AP manager application.
Unfortunately, the WEP protocol suffers from critical weaknesses that limit its effectiveness. That's because WEP uses a single encryption key for the entire network, a method that's considered cryptographically insecure and easily compromised by determined attackers. It's important to understand that if your WEP key is broken by an attacker, your wireless network will be completely open, allowing intruders to watch and record all of the traffic on your network and attack your systems from inside your firewall. These traffic sniffers can easily steal whole files as well as usernames and passwords.
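The static-key weakness in concrete terms, as an added example that is not from the article: WEP varies each frame only by a 24-bit initialization vector (IV) sent in the clear and prepended to the shared key, so under one network-wide key the IV space is small and a repeated IV means two frames were encrypted with an identical RC4 keystream. This Python monitor counts IV repeats per access point and key slot and computes how many frames a repeat typically takes; the frame records are constructed sample data, and the BSSIDs are placeholders.

```python
"""Monitor WEP traffic for IV reuse under a static network-wide key.

The (BSSID, WEP data body) records below are constructed sample data,
shaped the way a packet-capture tool would hand frames over.
"""
import math
from collections import Counter

WEP_IV_BITS = 24  # the only per-frame variation when the key never changes

def wep_header(body: bytes):
    """Split a WEP data body into (iv_bytes, key_id).

    The first three bytes are the 24-bit IV; the fourth byte carries the
    key index in its top two bits (the low six bits are padding).
    """
    if len(body) < 4:
        raise ValueError("WEP body shorter than its 4-byte IV header")
    return body[:3], body[3] >> 6

def find_iv_reuse(frames):
    """Return {(bssid, key_id, iv_hex): count} for every IV seen more than once.

    A repeat means two frames share one RC4 keystream: XORing their
    ciphertexts yields the XOR of their plaintexts, so the repeat count is a
    direct measure of how exposed a static-key network already is.
    """
    counts = Counter()
    for bssid, body in frames:
        iv, key_id = wep_header(body)
        counts[(bssid, key_id, iv.hex())] += 1
    return {k: n for k, n in counts.items() if n > 1}

def frames_until_iv_collision(p=0.5, iv_bits=WEP_IV_BITS):
    """Birthday bound: frames after which a randomly chosen IV has repeated
    with probability p. For 24-bit IVs this is only a few thousand frames."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p)))

# Constructed sample: one AP reuses IV 0a0b0c in key slot 0; a second AP
# happens to use the same IV, which is not a repeat (different key).
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", bytes.fromhex("0a0b0c00") + b"ciphertext-1"),
    ("00:11:22:33:44:55", bytes.fromhex("0a0b0d00") + b"ciphertext-2"),
    ("00:11:22:33:44:55", bytes.fromhex("0a0b0c00") + b"ciphertext-3"),
    ("66:77:88:99:aa:bb", bytes.fromhex("0a0b0c00") + b"ciphertext-4"),
]

if __name__ == "__main__":
    for (bssid, key_id, iv), n in find_iv_reuse(SAMPLE_FRAMES).items():
        print(f"{bssid} key#{key_id} IV {iv} reused {n} times")
    print(f"~{frames_until_iv_collision():.0f} frames to a 50% chance of IV reuse")
```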
Whereas WEP uses a single static encryption key for the entire network, Extensible Authentication Protocol methods work by automatically rotating multiple encryption keys on a regular basis, faster than an attacker can break them. Using EAP often requires upgrading or replacing your existing wireless access points and wireless network interface cards with more current models. EAP methods also require additional software and hardware, such as expensive certificate servers or RADIUS authentication servers (again, see "What's the Protocol?" below for details). Unless you're operating a fairly small network, where access points can store a limited number of user accounts, you'll want to consider EAP-compatible wireless equipment. Some EAP methods also support PDAs, which is good news for districts with handheld computing programs.
Another way to combat the basic insecurity of a wireless network is to use an internal Virtual Private Network gateway that serves as a filter for the wireless network. With this method, only computer users who properly log on to the VPN gateway will be able to access the rest of the network, and all VPN traffic is automatically encrypted. This option has the advantage of working with just about any brand of wireless equipment. Unfortunately, it requires the installation and management of a VPN server and VPN clients on all connecting devices, an expensive proposition that can involve complex configuration steps to operate effectively. What's more, PDA support is limited or nonexistent.
Wireless Security: A Work in Progress
To be sure, cross-platform standards for wireless security are still not fully established, so incorporating advanced security features may leave you tied to one vendor. Nonetheless, we hope this article directs you to some simple best practice measures that everyone can and should take to make their wireless networks more secure.
Jane Bloomquist, Ph.D., writes network policy, standards, and procedures for the Chicago Public Schools.
Atif Musa is a network security engineer with the Office of Technology Services for the Chicago Public Schools.
What's the Protocol?
A quick guide to understanding the alphabet soup of wireless security standards.
802.11a, 802.11b, and 802.11g
802.11a, 802.11b, and 802.11g are industry standards for wireless communication. 802.11b is the original standard and offers 11 Mbps bandwidth; 802.11a followed later, offering 54 Mbps; 802.11g provides 54 Mbps and is compatible with older 802.11b equipment.
802.1x
802.1x is a network authentication standard that allows port-based access control for both wired and wireless networks. Most wireless security protocols, such as EAP, are a subset of 802.1x.
Extensible Authentication Protocol (EAP)
EAP is a generic protocol that allows cross-platform authentication.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is an authentication and accounting system used by many vendors to control access to devices based on username and password. RADIUS servers provide the de facto standard authentication and authorization protocol in the industry.
EAP Tunneled TLS Authentication Protocol (EAP-TTLS)
Designed by Funk Software and Certicom Corp., EAP-TTLS is an open-source protocol specification.
Lightweight EAP (LEAP)
LEAP is a Cisco proprietary wireless authentication protocol heavily deployed in the industry. Cisco licenses the technology to manufacturers of wireless networking cards, and many now offer support for LEAP clients.
Protected EAP (PEAP)
A joint Microsoft, Cisco, and RSA protocol, PEAP support is limited to Microsoft 2000, XP, and 2003 servers.
Wi-Fi Protected Access (WPA)
WPA is a subset of the yet-to-be-released 802.11i wireless security protocol. WPA has already been incorporated by many vendors, with guarantees that they'll provide upgrades to support 802.11i when it is ratified.
802.11i
This standard promises to finally relieve users from interoperability problems caused by competing vendor specifications. It is expected to be ratified soon.