Wireless Network Security

Wireless technologies cover a wide range of capabilities geared toward different needs and uses. Wireless local area networks (WLANs) permit users to move a laptop or personal digital assistant (PDA) from place to place within their work area without the need for cables, with the advantage of not losing network connections. There are networks utilizing Bluetooth protocols that permit data transmission between network components. Bluetooth technology can eliminate cables formerly required for printers and other peripheral devices.

Alas, there is a downside; risks are inherent in any wireless technology. Some risks are the same or similar to those of conventional wired networks, while others are exacerbated by the nature of wireless connectivity. The most notable difference between the wired and wireless networks is the communications medium and the risks associated with that medium. Communications transmitted through the airwaves are openly available to being intercepted. Attackers have the ability to locate and communicate with wireless networks with much-less effort than invading wired ones.

Losing confidentiality, integrity, and availability are risks associated with wired networks, and they are easily achieved in wireless networks. Malicious users may gain access to company systems and information and compromise critical asset confidentiality, integrity, and availability. Following are some examples of risks associated with wireless networks:

- All vulnerabilities existing in wired networks also apply to wireless technologies.

- It is possible that unauthorized intrusions may gain access to an organization's wireless network, bypassing firewall safeguards.

- Sensitive information not encrypted before transmission is subject to being intercepted and disclosed by third parties.

- Malicious entities may steal the identity of legitimate users and use them.

- Malware including viruses, Trojan horses, and back door programs permit damage and continuing unauthorized network access, reducing availability and potentially disrupting business operations.

Organizations should not deploy wireless technologies unless they thoroughly understand and manage the accompanying risks. In light of current wireless communications protocols, most commercial products provide inadequate protection and present significant unacceptable risks to business operations. Senior managers must proactively address these risks, protecting their critical assets before wireless network deployment. Often due to apathy or a lack of understanding or education, many organizations poorly administer their wireless networks, relying on "default" installation settings, failing to control access to their access points, failing to implement factory-provided security configurations, and not developing a security policy suitable to the wireless environment. Such wireless safeguards include firewalls between wired and wireless systems, packet screens where unneeded services and ports are blocked, and implementing strong encryption such as Virtual Privacy Network (VPN), or file encryption technologies before data is transmitted.

Organizations must understand the technical and security ramifications of wireless technologies. While wireless connectivity seems like the best solution to connection-without-cables, it is an immature technology coupled with relatively poor security, potential for lax administration, and limited user awareness. In wireless environments, data is transmitted through the air without any control over the geographical limits of these broadcasts. Organizations are unable to exercise typical physical and logical controls that are employed in wired networks. In short, data transmitted over a wireless network can be captured and transactions begun by unauthorized third parties. Because of radio wave attenuation, building construction, and the capabilities of high-gain antennas, the distance for controlling wireless technologies preventing eaves-dropping can be extremely difficult to control.

Following are some suggested best practices to help address wireless network risk issues:

- Organizations must formulate and enforce compliance of applicable policies addressing the use of IEEE wireless standards of 802.11 (a, b, g, and others), Bluetooth, and other wireless technologies. These policies must be implemented before the deployment of wireless connectivity.

- Configuration management and strict change controls must be adopted ensuring that equipment has the latest software patches, including security features addressing vulnerabilities.

- Organizations will adopt configuration standards for all wireless network hardware and software, ensuring consistency of operation. These configurations will reflect steps to proactively address risks. It is noteworthy that many wireless technologies have weak user authentication. Wireless systems using Wired Equivalent Privacy (WEP) have been demonstrated as being subject to unauthorized transmission capture and intrusion, leaving this encryption method of somewhat questionable value.

However, regardless of whether WEP's protection is considered strong, medium, or weak, it is certainly better than open transmissions without encryption. If a wireless system uses 64-bit encryption, by all means use it; and if your wireless system supports 128-bit encryption, better still. In most systems, WEP is disabled at the default installation, so you must manually enable it before thinking your system is protected.

If your system allows the option of setting authentication to Shared Key, it is a wise idea to enable this feature. Change WEP keys on a regular basis, even as often as daily or weekly to help avoid data capture and network intrusions.

Service Set Identifier (SSID)
SSID is essentially the wireless network's identification. SSID helps to secure the network by ensuring the proper clients can access the system's access point. In the wireless platform, the access point is essentially a small transceiver operating on the designated frequency. For example, in an 802.11b system, the AP operates on the 2.4-GHz band with a few hundred feet of range, and in certain circumstances this can be extended to more than 500 feet. The AP is the location where the Internet and the internal network are connected, with the access point then broadcasting to any receiver capable of processing its traffic. This broadcast is received by wireless transceivers known as clients. Because the transmissions travel in all directions, they may possibly be received by intended and unintended recipients.

If WEP is disabled and the SSID is broadcast, it may be captured by anyone. Attackers may begin by compromising the network's access password. In order for clients to gain system access, they must have the SSID and the system password. If passwords are transmitted in the clear, they might be intercepted by any suitable client.

Wireless systems manufacturers usually install default SSIDs. Intruders are well aware of these default SSIDs, consequently changing the default SSID makes your network more difficult to access by someone who is not authorized.

Disabling any options for broadcasting the SSIDs is a good idea. This ensures the client SSID matches the access point SSID before any access is permitted. There is a secondary benefit of concealing the SSIDs — it hides the existence of your wireless network to the world.

Virtual Privacy Network (VPN)
Use of VPN technology between networks and clients assures strong user authentication and message privacy. VPNs are basically closed networks implemented through open-ended networks, including wireless. They allow for secure, authenticated transmissions to take place between designated points. If unauthorized persons intercept VPN-protected traffic, it is encrypted so there is little that can be done with it. Without the correct VPN technology, keys and passwords can be read. Such technology is very cost effective and secure, allowing confidentiality and message integrity over wireless networks.

Secure Sockets Layer (SSL)
Another technology worth considering in a wireless environment is the deployment of SSL technology. Simply stated, SSL provides a secure connection between a workstation's Web browser and a specific Web server. Data transmitted between the server and client is encrypted using technology called public key encryption, ensuring only the intended recipient can decrypt and read the information. In order to secure SSL, each Web site has its own unique digital certificate that defines the public and private encryption keys used during secure communications. If you leave the secure site and browse to another, the original SSL connection is closed. If you return to the SSL secured site or another SSL secured site, a new secure connection is made using a different set of encryption keys. By de facto standard, SSL is the most popular Web-based message security protocol with practically all online purchases and monetary transactions using it.

SSL effectively permits secure transmissions to take place between intended points and stifles intruder attempts to read them. SSL coupled with WEP provides an effective means to pass information over a wireless network with little fear of some unauthorized person reading your traffic.

Wireless Policies
Following are some examples of wireless network policy considerations:

- Organizations will actively sponsor administrator and user security awareness training to raise consciousness about the risks associated with wireless technologies.

- Organizations must have policies specifically addressing employees who are permitted to install wireless equipment and software.

- Organizations must have policies that describe the type of information that can be transmitted over a wireless network.

- Organizations must have policies requiring the reporting of the loss of wireless devices, fixed and mobile.

- Organizations must have policies requiring the reporting of security incidents.

- Organizations must have policies requiring network user IP addresses to be assigned dynamically via DHCP (Dynamic Host Control Protocol).

- Organizations must have policies regarding use of wireless VPN technology.

- Organizations must have policies regarding the use of SSL technology on Web sites.

- Organizations must have configuration policies regarding wireless equipment.

- Organizations must have policies regarding the implementation of WEP.

- Organizations must have policies requiring firewalls to be installed, configured properly, and maintained on all wireless network equipment.

- Organizations must have policies prohibiting the use of equipment or software that would extend the useable range of wireless network equipment.

- Organizations must have policies requiring all wireless equipment to be audited for legal, regulatory, and policy compliance.

Forensics Policy: Looking for Evidence

There are many compelling reasons for employing computer forensics, but before business managers make the decision to do so, they need to understand what it is and when to use it. Risk management is the leading reason for deploying computer forensics. Any business that does not have a policy and procedure to stop malicious behavior may count on being victimized with little recourse against the perpetrator. Computer forensics is the investigative practice of collecting, examining, and analyzing evidence retrieved from computers and computer-related equipment. At times it would seem that computer forensics analysis is akin to magic in that trained, experienced professionals can find relevant evidence through sophisticated collection and restoration techniques. More than one competent analyst has been called "a miracle worker."

Collecting and analyzing computer evidence is useful for confirming or dispelling concerns about whether an unlawful act has been committed. Further, this type of work has been able to document workstation, applications, and network vulnerabilities after a critical incident.

Organizations today must have policies regarding when computer forensics examiners should be called in. Usually information-related threats involve a computer of some kind or a communication's network because they are the means by which companies conduct their business and information processes. Businesses employ computer forensics when there is a serious risk resulting from compromised intellectual property, a threat of lawsuits stemming from employee conduct, or potential damage to their reputation or brand. There are many organizations that regularly use forensic means to audit employee workstations with the idea that employees who know and recognize they are being monitored are less likely to stray from policies and procedures. When a random selection of employees' computers is made monthly, and forensic examinations are conducted, the appropriate steps are taken if unauthorized use, pornography, or abuse is discovered.

Any experienced computer forensics examiner starts and completes assignments with his or her testimony in mind. This means the examiner must always collect, analyze, and preserve evidence according to the rules of evidence. A good standard for this professional is the Federal Rules of Evidence. Basically, the examiner has three important tasks: finding, preparing, and preserving evidence.

Another aspect of forensic computer examination is the testimony of the forensics professional. This person must never attempt to perform an examination for which he or she is not trained. There are times when untrained or inexperienced persons are tempted to conduct examinations, which can corrupt or damage potential evidence. Just because a person has a detailed knowledge of computers and networks does not mean the person is qualified to conduct forensics examinations. Following is a list of what to look for when selecting forensics computer examiners:

- Prior experience in computer forensics examinations

- Specialized training

- Specialized experience in collecting, analyzing, and preserving evidence

- Experience as an expert witness

- Possession of pertinent professional certifications

- Personal and professional integrity; examiners must withstand thorough scrutiny on technical and personal levels

- A laboratory equipped with tools for evidence recovery

Another matter of significance: organizations should understand that reporting unlawful activities is required under many state statutes and is required under U.S. law. According to Title 18, USC 4, "whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years or both"

Network Management Policies

Network Management Policies
Network management policies include resource accountability, reporting errors and malfunctions, and preventative maintenance. There are some repetitions of policy elements here, but it is recommended that this section is reviewed. Network protection policies address the continuing need for risk analysis, security awareness and training, security administration, and facilities security. Following are some measures that address network management policies:

Initiate and maintain a formal inventory of network components such as hardware, applications, and attendant components including serial numbers, physical location, version numbers, and dates of acquisition, implementation or installation.

All company network users must be formally authorized to use the network. All users must request access in writing, accompanied by the approval of their supervisor or manager. All access requests, approvals, and denials are retained and archived.

Regularly review network configuration ensuring that all attached components are authorized and configured correctly. Any attempt by employees to alter network configurations by installing unauthorized software or hardware must be reported immediately. Verify network interface equipment and configurations after a unit has been serviced or an audit has been performed. Verify the identity of network interface card user at time of unit maintenance. Deny access to anyone having no authorized network interface card, and report violations.

Depending on the type of work, maintain logs of all network transactions including but not limited to identity of user, log-in time, files accessed, transactions performed, and log-off time.

All media where logs, when feasible, are recorded on WORM media.

Through manual or automated means, all logs are reviewed and filed daily as permanent records.

All security and risk-related events are to be reported immediately and receive immediate senior management attention.

All corrective actions are documented and reported in a timely fashion.

Develop and maintain a schedule of preventative maintenance activities for applications, and equipment. Any hardware and software not conforming to policy, procedures, or standards will be addressed appropriately, with reports made to senior managers. Ensure there is documentation relative to the time and type of maintenance performed on all network components.

Remove any and all data from storage media, e.g., floppy disks, hard drives, tapes, and CDs, before equipment is delivered to maintenance or disposal personnel.

Periodic risk assessments and audits are the responsibility of the network owner and the audit unit. Documentary evidence of these processes is to be made and maintained.

Risk analyses will be performed during the network's SDLC design stage and at any time changes are made to the network design or components. These analyses should measure, among others, the network's vulnerability to:

Improper disclosure of information

Fraud, theft, and abuse

Inadvertent harmful errors

Financial losses to the organization

Harm to individuals' privacy rights

Loss of intellectual property

Loss of continuing profitable operations

Employees responsible for the company's network security and administration must have the necessary experience and should receive sufficient formal training to be able to perform their duties.

All network users are required to attend training sessions and sign an agreement regarding their security responsibilities, privacy, proper use of network facilities, and the safeguarding of data.

Employees have the responsibility to challenge strangers and other individuals who do not possess appropriate identification badges. At no time is an employee to allow someone access to any area by holding open a door equipped with an access control device.

All user activities and their accounts are subject to unannounced audits.