The Layered Approach to WLAN Security



There’s no question that wireless LANs (WLANs) offer compelling benefits in terms of mobility and productivity. WLAN security can be problematic, however, preventing organizations from fully reaping the rewards of wireless.

It is possible to balance mobility with robust infrastructure security. The key is to take a layered approach to WLAN security by identifying and protecting against wireless-specific vulnerabilities. This requires a mix of security solutions based upon industry standards along with continuous real-time monitoring and policy enforcement. Network administrators must learn what to look for and effective ways of addressing WLAN vulnerabilities.

Beware Rogue Access Points

For a small investment, an end-user can introduce a consumer-grade wireless access point (AP) into the network, exposing the entire infrastructure to easy attack. Rogue APs can also lead to noncompliance with regulations such as the Payment Card Industry (PCI) Data Security Standard (DSS).

The first step in securing the WLAN is to find rogue APs and either eliminate them or ensure that they meet security standards. Many network administrators will use a handheld “sniffer” and walk through the WLAN coverage area looking for wireless data transmissions. However, this is one of the least effective ways of eliminating rogue equipment — new rogue APs can be added after the scan.

A better solution is 24×7 monitoring of the WLAN for security risks. This enables the network administrator to know immediately when and where a rogue AP is deployed, and also identify new vulnerabilities.

Protect against Intruders

The next step is to ensure that the WLAN is protected against attack. Organizations should install WLAN-specific intrusion detection systems (IDSs) to keep hackers from accessing the wired network via the WLAN.

WLAN IDSs continuously monitor 802.11 protocols for security policy violations, known attack signatures and statistical anomalies. They are able to detect and thwart man-in-the-middle attacks, MAC spoofing and unusual activity.

Security software should be installed on all wireless-equipped devices to alert the network administrator of any vulnerabilities. Only enterprise-class APs with robust security should be used, and they should be configured to limit which stations can connect to them.

The Service Set Identifier (SSID) — the name of the AP — should be changed from well-known factory presets. In addition, the default SSID broadcast mode should be turned off so that only user stations that know the SSID can connect to the AP.
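The checks described above (continuous rogue AP detection, flagging spoofed or misconfigured APs, and catching factory-preset SSIDs) can be expressed as a comparison of sensor observations against an inventory of sanctioned APs. The following is an added example, not code from the original article; the inventory, the SSID list, the signal threshold and the sample observations are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned APs: BSSID -> (SSID, channel, encryption).
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", 1, "wpa2"),
    "00:11:22:33:44:02": ("corp-wlan", 6, "wpa2"),
}
CORP_SSIDS = {entry[0] for entry in AUTHORIZED.values()}
FACTORY_SSIDS = {"linksys", "netgear", "dlink", "default"}  # common presets
ON_PREMISES_RSSI = -65  # dBm; assumed threshold for "inside the building"

@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    encryption: str  # "open", "wep" or "wpa2"
    rssi: int        # dBm as reported by the monitoring sensor

def classify(obs):
    """Return the list of policy findings for one observed AP."""
    findings = []
    known = AUTHORIZED.get(obs.bssid.lower())
    if known is None:
        if obs.ssid in CORP_SSIDS:
            findings.append("unknown BSSID advertising corporate SSID")
        elif obs.rssi >= ON_PREMISES_RSSI:
            findings.append("unknown AP on premises")
        else:
            return findings  # weak, unrelated signal: likely a neighbour
    elif (obs.ssid, obs.channel, obs.encryption) != known:
        findings.append("authorized BSSID deviates from inventory")
    if obs.ssid.lower() in FACTORY_SSIDS:
        findings.append("factory-default SSID")
    if obs.encryption in ("open", "wep"):
        findings.append("weak or no encryption")
    return findings

def monitor(observations):
    report = {o.bssid.lower(): classify(o) for o in observations}
    return {bssid: f for bssid, f in report.items() if f}  # drop compliant APs

# Constructed sensor output, not captured from a real network.
SAMPLE = [
    Observation("00:11:22:33:44:01", "corp-wlan", 1, "wpa2", -48),
    Observation("00:11:22:33:44:02", "corp-wlan", 11, "open", -52),
    Observation("AA:BB:CC:00:00:09", "linksys", 6, "open", -40),
    Observation("AA:BB:CC:00:00:10", "corp-wlan", 6, "wpa2", -70),
    Observation("AA:BB:CC:00:00:11", "CoffeeShop", 3, "open", -88),
]
```

Running monitor(SAMPLE) on every sensor sweep, rather than once per walk-through, is what turns this comparison into the continuous monitoring the article recommends.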

What’s Your Policy?

It’s critical that organizations develop — and enforce — a WLAN security policy. Robust WLAN security depends upon the installation and use of security software on individual devices, and the proper configuration of APs and stations. A WLAN security policy should establish these requirements and prohibit users from circumventing them.

A WLAN security policy must be flexible in terms of the technologies it can support. WLANs enable access by laptops, PDAs, smart phones and more, each with different features, capabilities and security requirements. This diverse set of clients cannot be secured with a “one size fits all” policy.

In addition, most WLANs are designed with end-user mobility and productivity in mind, so it is important to develop security options that support end-user requirements. WLAN security policies must also integrate with the organization’s wired network security scheme to ensure seamless protection across the organization.

While WLANs present unique security challenges, it still boils down to controlling who has access to specific information. Your outsourced IT department can help you understand and minimize WLAN-specific vulnerabilities so you can enjoy the mobility and productivity benefits of Wi-Fi without putting business-critical applications and data at risk.