MobileIN.com Perspective
Setting Up a Secure Wireless LAN
By Simon Ford, International Director, NCP engineering GmbH

Before You Begin

There are many reasons you might want to set up a wireless LAN in the workplace. For one, a WLAN affords employees flexibility: they can connect to the network from a variety of wireless devices in different working situations. WLANs also allow a degree of network openness, permitting visitors and guests to access the network while on-site. However, there are several security challenges unique to wireless networks that administrators need to be aware of before deploying one. If the WLAN is deployed incorrectly, a security breach could result in fines for non-compliance or, in the worst case, catastrophic data loss.

Full security of a wireless LAN requires layering defenses by combining data encryption with a secure virtual private network (VPN).

Getting Started

Before beginning to deploy a wireless LAN, you'll want to fully verify the network's physical environment. What specific hardware is in use? How many access points to the network will be permitted? What are the access borders, and are they constrained enough to be safe, while wide enough to accommodate all the necessary use cases? When these questions are satisfactorily answered, you can put the networking components (routers, firewalls, etc.) in place.

Next, you can begin to configure the environment. Decide upon and define the encryption protocol. The appropriate encryption method will depend on the relative sensitivity of the data in your environment, the anticipated network traffic and the regulations governing your business or industry. Then you can configure the VPN clients and access points for users, establishing their authentication process and the levels of access granted. Finally, you will need to configure the network so that you have a separate way of viewing WLAN users versus LAN users. Being able to tell the two groups apart is central to your security visibility, because each is exposed to different vulnerabilities.

Mistakes to Avoid

There are some common misconceptions and mistakes that can put your new WLAN severely at risk:

1. Assuming a WLAN stays inside the building

There is no reason to expect a wireless network's reach to end at a building's walls, and yet most users (and many administrators) assume that no one could access or identify a WLAN from outside the building. This is in fact one of the most vulnerable areas for a security breach: a "drive-by" attack in which unauthorized users access a WLAN from a parking lot or nearby building. To protect against this, make sure to have a VPN in place. This is also where a separate view of wireless users comes in handy, allowing you to see whether there is any traffic on the network from machines that aren't accounted for inside the building.
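The two ideas above, a separate view of WLAN versus LAN users and a check for wireless clients that are not accounted for, can be implemented as a small review over DHCP-lease style records. The script below is an added example, not code from the article or from NCP engineering; the segment plan (WLAN on 10.20.0.0/16, wired LAN on 10.10.0.0/16), the asset inventory, the log format and the sample lease lines are all constructed for illustration.

```python
"""Separate WLAN from LAN clients and flag WLAN clients missing from the asset inventory.

Added example (not from the original article). Addressing plan, inventory and
log format are constructed assumptions, not a real deployment."""
import ipaddress
import re
from collections import defaultdict

# Assumed segment plan: one subnet per population so the two can be viewed apart.
SEGMENTS = {
    "WLAN": ipaddress.ip_network("10.20.0.0/16"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
}

# Asset inventory of approved wireless devices, keyed by MAC (constructed).
WLAN_INVENTORY = {
    "aa:bb:cc:00:00:01": "laptop-finance-01",
    "aa:bb:cc:00:00:02": "laptop-sales-07",
    "aa:bb:cc:00:00:03": "visitor-tablet-guest-02",
}

# Constructed lease records: "<timestamp> lease <ip> mac <mac> host <name>"
SAMPLE_LEASES = """\
2009-03-02T08:01:12 lease 10.20.4.15 mac aa:bb:cc:00:00:01 host laptop-finance-01
2009-03-02T08:02:40 lease 10.10.7.22 mac 00:11:22:33:44:55 host desk-pc-114
2009-03-02T08:05:03 lease 10.20.4.16 mac aa:bb:cc:00:00:02 host laptop-sales-07
2009-03-02T08:09:51 lease 10.20.9.201 mac de:ad:be:ef:00:01 host android-7f3
2009-03-02T08:11:30 lease 192.168.50.4 mac 02:00:00:00:00:09 host unknown
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) lease (?P<ip>\S+) mac (?P<mac>[0-9A-Fa-f:]{17}) host (?P<host>\S+)$"
)


def parse_leases(text):
    """Yield a dict per well-formed lease line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()  # normalise so inventory lookups match
            yield rec


def classify_segment(ip):
    """Return the segment name for an address, or 'UNKNOWN' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "UNKNOWN"


def review_leases(text, inventory=WLAN_INVENTORY):
    """Group client MACs by segment and list WLAN clients absent from the inventory."""
    by_segment = defaultdict(list)
    unaccounted = []
    for lease in parse_leases(text):
        seg = classify_segment(lease["ip"])
        by_segment[seg].append(lease["mac"])
        if seg == "WLAN" and lease["mac"] not in inventory:
            unaccounted.append((lease["mac"], lease["ip"], lease["host"]))
    return dict(by_segment), unaccounted


if __name__ == "__main__":
    segments, flagged = review_leases(SAMPLE_LEASES)
    for seg, macs in sorted(segments.items()):
        print(f"{seg}: {len(macs)} client(s)")
    for mac, ip, host in flagged:
        print(f"WLAN client not in inventory: {mac} {ip} ({host})")
```

Addresses outside both planned subnets are reported as UNKNOWN rather than silently dropped, since a lease from an unplanned range is itself worth a look. The check only works if WLAN and LAN clients really do land in distinct address ranges, which is the point of configuring the separate view in the first place.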

2. Assuming users stay inside the building

Because a wireless network usually extends beyond the boundaries of a building, even unauthorized users who cannot connect to the network can still gather enough information about your WLAN to simulate it. Where this becomes dangerous is in situations where authorized users leave the building, perhaps for a nearby park or coffee shop, and their devices automatically connect to the WLAN impersonator. This is known as a "man-in-the-middle" attack, and was demonstrated by security expert Moxie Marlinspike at this year's Black Hat. The possibility of this type of attack is often used as a point of rhetoric when debating the merits of one type of VPN over another. However, if you have employed proper data encryption, a man-in-the-middle attack will be unsuccessful on its own.
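An impersonating access point can be spotted from the defender's side because it has to advertise your network name from a radio you do not own, and it frequently does so with a weaker security mode than the real network. The function below is an added example, not code from the article; the authorised BSSID list, the expected security mode and the scan records are constructed for illustration.

```python
"""Flag access points that advertise a corporate SSID from an unknown BSSID, or with a
different security mode than the real network uses.

Added example (not from the original article). The authorised AP list and the scan
results are constructed assumptions."""

# Authorised APs per SSID, keyed by BSSID (constructed).
AUTHORISED_APS = {
    "corp-wlan": {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"},
}

# Security mode the real network uses for each SSID (constructed).
EXPECTED_SECURITY = {"corp-wlan": "WPA2"}

# Constructed scan results: (ssid, bssid, security, signal_dbm).
SAMPLE_SCAN = [
    ("corp-wlan", "00:1a:2b:3c:4d:01", "WPA2", -45),
    ("corp-wlan", "00:1A:2B:3C:4D:02", "WPA2", -60),
    ("corp-wlan", "66:77:88:99:aa:bb", "OPEN", -38),    # same name, foreign radio, no encryption
    ("coffee-guest", "12:34:56:78:9a:bc", "OPEN", -70),  # unrelated network, not our SSID
]


def find_rogue_aps(scan, authorised=AUTHORISED_APS, expected=EXPECTED_SECURITY):
    """Return one finding per AP that uses one of our SSIDs but is not one of ours.

    A finding lists every reason it was flagged, so an authorised BSSID that has
    been misconfigured to an unexpected security mode is reported too."""
    findings = []
    for ssid, bssid, security, signal in scan:
        if ssid not in authorised:
            continue  # networks we do not operate are out of scope for this check
        bssid = bssid.lower()  # normalise case before comparing with the inventory
        reasons = []
        if bssid not in authorised[ssid]:
            reasons.append("BSSID not in authorised list")
        if security != expected.get(ssid):
            reasons.append(f"security mode {security}, expected {expected.get(ssid)}")
        if reasons:
            findings.append(
                {"ssid": ssid, "bssid": bssid, "signal_dbm": signal, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(SAMPLE_SCAN):
        print(f"{f['ssid']} from {f['bssid']} at {f['signal_dbm']} dBm: {'; '.join(f['reasons'])}")
```

Running this over periodic scans from inside and just outside the building gives the visibility the text recommends; the strong signal on the flagged entry is the kind of detail that tells you the radio is close by rather than a distant neighbour.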

3. Keeping static keys

This is one of the most obvious and avoidable mistakes administrators make when setting up WLANs. Every workplace experiences personnel turnover, and there is no greater security threat than the one from inside, so it's important to know your insiders. A disgruntled employee (or former employee) is far more likely to cause a security breach than any independent attacker. Consider Terry Childs, the former City of San Francisco network administrator who locked all city officials out of their own network in July 2008. You should change passwords and authentication keys, at the very least, whenever an employee leaves. A more sustainable solution is to implement an automated process that changes passwords on a regular and ongoing basis.
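The two rotation triggers described above, a departure of someone who knew the secret and a maximum key age, can be expressed as a simple policy over a record of who holds which credential. The script below is an added example, not code from the article; the credential records, the departed-user list, the 90-day interval and the dates are all constructed assumptions, and passphrase generation uses the standard library `secrets` module.

```python
"""Decide which WLAN credentials must be rotated: on a fixed schedule, and
immediately when any holder of the secret leaves.

Added example (not from the original article). Records, dates and the rotation
interval are constructed assumptions."""
import secrets
import string
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation interval

# Constructed credential records: name, issue date, and who was given the secret.
CREDENTIALS = [
    {"name": "corp-wlan-psk", "issued": date(2009, 1, 5), "holders": {"alice", "bob", "carol"}},
    {"name": "guest-wlan-psk", "issued": date(2008, 10, 1), "holders": {"reception"}},
    {"name": "ap-admin-password", "issued": date(2009, 2, 20), "holders": {"bob"}},
]


def generate_psk(length=32):
    """Random passphrase from letters and digits; WPA2 PSKs may be 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase length must be between 8 and 63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_plan(credentials, departed, today, max_age=MAX_KEY_AGE):
    """Return {credential name: [reasons]} for every credential that must be rotated."""
    plan = {}
    for cred in credentials:
        reasons = []
        leavers = cred["holders"] & departed
        if leavers:
            reasons.append("holder(s) left: " + ", ".join(sorted(leavers)))
        if today - cred["issued"] > max_age:
            reasons.append(f"older than {max_age.days} days")
        if reasons:
            plan[cred["name"]] = reasons
    return plan


def rotate(credentials, plan, today):
    """Issue a new secret and holder set for each planned credential; return the new secrets.

    Holders who left are dropped so the next run does not flag them again."""
    new_secrets = {}
    for cred in credentials:
        if cred["name"] in plan:
            new_secrets[cred["name"]] = generate_psk()
            cred["issued"] = today
            cred["holders"] = {h for h in cred["holders"] if h not in DEPARTED_TODAY}
    return new_secrets


DEPARTED_TODAY = {"carol"}  # constructed: who left the organisation today

if __name__ == "__main__":
    today = date(2009, 3, 2)
    plan = rotation_plan(CREDENTIALS, DEPARTED_TODAY, today)
    for name, reasons in plan.items():
        print(f"rotate {name}: {'; '.join(reasons)}")
    issued = rotate(CREDENTIALS, plan, today)
    print(f"issued {len(issued)} new secret(s)")
```

Run on a schedule, this turns the "change keys whenever an employee leaves" rule into something that cannot be forgotten, and the age check covers the case the text calls a more sustainable solution. In practice the new secrets would be pushed to the access points and clients by whatever management tooling the deployment uses, which is outside the scope of this example.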

Summary

In securing a WLAN, there are two major elements to address: protecting private data and establishing user-specific access and authentication. Data encryption is a preventative measure that will help avoid data loss if unauthorized users access the network, but a VPN is necessary to keep unauthorized users out in the first place.

About the Author

Simon Ford currently serves as international director for NCP engineering GmbH, which is headquartered in Nuremberg, Germany. He has been working with security technologies for more than 20 years.



DISCLAIMER
The views and opinions expressed in this article do not necessarily represent the views of MobileIN.com.


Copyright © 2009 MobileIN.com- All Rights Reserved