As with many new technologies, IT seems to have let wireless networking gain a foothold in the enterprise without properly securing it. The news abounds with corporate penetrations facilitated via weak wireless security—particularly ubiquitous 802.11 "WiFi" WLANs. The fallout has cost industry billions of dollars in outright theft, lost business, and remediation expense. One recent high profile case—the TJX WiFi point-of-sale debacle that dumped 40 million consumer credit card records into the hands of identity thieves—was settled with U.S. state regulators for nearly $10 million in fines. And this was on top of untold millions in losses to compromised consumers.
If you don’t want to be the next IT staffer explaining to news media just how the hackers managed to steal your corporation’s info assets, better read on; chances are your WLAN has one or more well-known exposures just waiting to be exploited. A recent survey of financial districts by WiFi security vendor AirTight Networks (tinyurl.com/atstudy [2]) showed 57 percent of the WLANs in seven cities were subject to immediate, trivial compromise. Worse, a large fraction of these were using outdated security practices, indicating their owners believed they were protecting themselves.
That’s the bad news. The good news is that it is possible to securely integrate WiFi into your enterprise IT ecosystem. The semi-good news is that you may be contractually or legally required to take measures to lock down wireless security, which will help you justify the costs of such measures to management. If, like many enterprises, you already have WiFi, it’s also straightforward to assess your existing WLAN’s exposures and remediate your network to counter them. But the process isn’t automatic, or even intuitive. You must first learn about the latest wireless vulnerabilities and the technologies you can call on as defensive measures. There’s no better way to do that than to study the aftermath of one highly visible disaster.
The TJX incident led to new industry governance rules that may affect you, so listen up. As a result of the massive blow TJX’s data breach dealt to the retail industry, in late 2008 the Payment Card Industry Security Standards Council (PCI SSC) published a PCI DSS Wireless Guideline that sets binding requirements for any organization processing credit or debit cards. Retailers scrambled to make their point-of-sale WiFi networks compliant.
Then in June 2009 PCI SSC issued a clarification stating that the new rules applied not just to wireless POS, but to any organization—with or without WiFi—that even touches the credit card transaction data flow. You may well fall into this new category of governed organization.
The WiFi-specific PCI rules in PCI DSS 1.2 (tinyurl.com/pcidss12) are not numerous, but they are not trivial. Compliance requires the following steps:
Even if you don’t fall under the aegis of PCI SSC, that specification is a useful low bar to aim for in your own wireless security stance. It’s a low bar because, despite its seemingly comprehensive rules, PCI SSC doesn’t address every exposure that WiFi brings to your network. Before finalizing your wireless security plan, it’s a good idea to review just what the latest vulnerabilities are.
The 802.11 WiFi standards are among the most volatile in industry, changing on almost a monthly basis. The standards cover new technologies as they are developed, such as the 802.11n high-performance specification. But they also cover existing specs: the WiFi Protected Access (WPA) standard has been revised several times to address newly discovered vulnerabilities. Here is a cheat-sheet on vulnerabilities you should know about and mitigate:
You should first establish a formal policy prohibiting rogue access points, and make sure everyone gets the memo. But you’ll also have to find and eliminate rogues proactively, on a continuous basis. You can do that with an off-the-shelf WIPS, and also by locking down the LAN ports a rogue would plug into using Network Access Control (NAC). A WIPS detects rogues by periodically scanning the airwaves with your existing APs (or dedicated sensors), then alerting you to their presence for removal; correlating what it hears over the air with what is actually plugged into your switches is what separates a true rogue from a neighbor’s harmless AP. NAC, properly implemented, can stop a rogue from ever getting a port by requiring 802.1X authentication (EAP with user credentials or a machine certificate) for every Ethernet device. MAC-address authentication bypass is a much weaker fallback for devices that cannot speak 802.1X, since a MAC address is trivially cloned.
One defense against counterfeit APs is WPA2-Enterprise with certificate-based server authentication. Your RADIUS authentication server presents a certificate during the EAP exchange (PEAP or EAP-TLS), and every client is configured to trust the issuing CA and to accept only that server’s name. When the user connects, the client verifies the certificate before it sends any credentials, which proves the network being joined is yours and not the hacker’s. The protection holds only if the client actually performs that check: a client configured to accept any server certificate, or a user who clicks through the warning, hands the credentials to the counterfeit AP. Alas, distributing and maintaining the certs and the client settings can be an administrative nightmare.
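The rogue and counterfeit-AP detection described in the two paragraphs above boils down to comparing what is heard on the air against an inventory of what you own. The following is an added example written for this article, not code from the original or from any WIPS product; the corporate SSIDs, authorized BSSIDs, neighbor whitelist and scan records are all constructed, and a real system would feed them from AP background scans or dedicated sensors.

```python
"""Triage of Wi-Fi scan results against an authorized-AP inventory.

Added example, not code from the original article or any WIPS product.
The inventory, neighbor list and scan records below are constructed;
a real system would feed this from AP background scans or sensors.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # transmitter MAC, e.g. "00:1a:2b:10:00:01"
    security: str   # "open", "wep", "wpa2-psk" or "wpa2-eap"
    channel: int


# Hypothetical corporate inventory: which SSIDs we broadcast, how each
# must be secured, and the exact radios our controller manages.
CORP_SSIDS = {"CorpNet": "wpa2-eap", "CorpGuest": "open"}
AUTHORIZED_BSSIDS = {"00:1a:2b:10:00:01", "00:1a:2b:10:00:02"}
# Neighbors we have already investigated and whitelisted.
KNOWN_NEIGHBORS = {"Cafe-Free-WiFi"}


def norm(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def oui(mac: str) -> str:
    """First three octets: the vendor prefix of the radio."""
    return norm(mac)[:8]


AUTHORIZED_OUIS = {oui(m) for m in AUTHORIZED_BSSIDS}


def classify(b: Beacon) -> str:
    bssid = norm(b.bssid)
    if bssid in AUTHORIZED_BSSIDS:
        # Our radio; check it advertises what it should and nothing else.
        if CORP_SSIDS.get(b.ssid) != b.security:
            return "misconfigured"
        return "authorized"
    if b.ssid in CORP_SSIDS:
        # Our SSID from a radio we do not own. Downgraded security
        # (CorpNet offered open or PSK) or a foreign vendor OUI makes an
        # evil twin near-certain; otherwise it may be inventory drift,
        # so flag it for a human to confirm.
        if b.security != CORP_SSIDS[b.ssid] or oui(bssid) not in AUTHORIZED_OUIS:
            return "evil-twin"
        return "evil-twin-suspect"
    if b.ssid in KNOWN_NEIGHBORS:
        return "neighbor"
    # Unknown SSID on an unknown radio: a rogue only if it is also plugged
    # into our wire, which needs switch-side correlation the scan alone
    # cannot provide.
    return "unknown"


def triage(scan):
    """Group scan results by verdict: {verdict: [bssid, ...]}."""
    verdicts = {}
    for b in scan:
        verdicts.setdefault(classify(b), []).append(norm(b.bssid))
    return verdicts


# Constructed scan: two of ours, one evil twin with downgraded security,
# a whitelisted cafe, and an unknown SSID from an unknown radio.
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:1A:2B:10:00:01", "wpa2-eap", 6),
    Beacon("CorpGuest", "00:1a:2b:10:00:02", "open", 11),
    Beacon("CorpNet", "de:ad:be:ef:00:01", "open", 6),
    Beacon("Cafe-Free-WiFi", "10:20:30:40:50:60", "open", 1),
    Beacon("linksys", "c0:ff:ee:00:00:01", "wep", 11),
]

if __name__ == "__main__":
    for verdict, radios in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{verdict:18} {', '.join(radios)}")
```

The "unknown" verdict is deliberately not "rogue": an unfamiliar SSID next door is usually a neighbor, and promoting it to rogue requires confirming that the radio is bridged onto your own switches. The evil-twin test, by contrast, needs no wired correlation, because nobody else has a legitimate reason to broadcast your SSID.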
A better approach is to employ a wireless controller that establishes a VPN tunnel to each user. The VPN performs the same kind of certificate validation automatically, and it is completely independent of the encryption performed in the AP, adding another layer of protection between users and hackers. If you can’t forklift-upgrade your existing WiFi infrastructure to add this feature, an easy way to gain it is an SSL VPN appliance: users connect to the appliance with a web browser to create an HTTPS-based VPN tunnel overlaying the existing WiFi network. You can then block all other network access from the WiFi segment, so that an attacker who joins it sees nothing but the VPN gateway. The same caveat applies here as with WPA2 certificates: the browser warning about an untrusted certificate is the one users must be trained never to click through.
Guard against this exposure by extending VPN tunneling to these outside venues. You often can use the very same VPN server—WiFi controller, VPN concentrator, or SSL VPN appliance—as both the WAN and LAN secure gateway. To fully enforce this protection, you’ll have to disallow casual Internet surfing at hot spots. Do this by disabling split tunneling, so that all Internet access goes through the VPN tunnel (and your main office Internet connection) rather than directly to the Internet via the hotspot’s router.
NAC can help here, in the form of an endpoint agent installed on every client device to enforce your security policy prohibiting direct remote web surfing. Many smart phones, such as the iPhone, now have this capability built in via their enterprise administration interfaces.
As you can see, despite the strong security stance of PCI DSS, even that standard doesn’t protect against roaming user vulnerabilities, since retail sales from coffee shops were never envisioned as a possibility. When designing your new enterprise WiFi rollout—or planning security remediation of your existing network—you should take care to cover each of these critical exposures.
The vulnerabilities above highlight the value of WiFi-specific intrusion prevention systems (WIPS), but rogue and counterfeit AP detection are only the minimum features you should demand to mitigate them; they don’t cover all the bases of what a WIPS can accomplish. Other major features include ad-hoc wireless prevention, denial of service (DoS) attack blocking, and hostile device blacklisting.
Ad-hoc WiFi connections are those made directly between end user devices, such as two notebooks linked without an intervening AP. Users often start using ad-hoc connectivity for the convenience of moving files directly between computers without an intervening server, and sometimes to circumvent policies prohibiting data exchange between users in different groups, such as sales and engineering. The problem with ad-hoc connections is that they are typically set up open, with no authentication or encryption, and thus can leak sensitive information to waiting hackers. And users often don’t close ad-hoc services when they’re done with them, leaving a notebook or desktop open to attachment by passersby, with the attendant bad consequences.
Because ad-hoc connections occur at will between cooperating (and oblivious) users that may not even be connected to the corporate LAN, they’re difficult for traditional IPS systems to prevent. If you have administrative control of a Windows XP or Vista device, you can push a policy restricting WiFi to infrastructure-only connections, which blocks the ad-hoc variety. But Mac OS X, Unix, and some smart phone devices would still be ad-hoc enabled. Some WIPS systems employ dedicated wireless security sensors that probe the airwaves for problems such as ad-hoc connections, and they can force those connections to disconnect.
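What a sensor actually looks at to tell an ad-hoc network from an infrastructure one is the Capability Information field in every beacon: an ad-hoc (IBSS) station sets the IBSS bit, an AP sets the ESS bit, and the Privacy bit together with the RSN or WPA information element tells you whether the network is open, WEP, WPA or WPA2. The decoder below is an added example written for this article, not code from the original or from any sensor product; it takes a beacon frame body with the 802.11 MAC header already stripped, and the frame bodies it decodes are constructed in the block itself.

```python
"""Decode 802.11 beacon bodies to spot ad-hoc (IBSS) and unencrypted
networks on the air.

Added example, not code from the original article or any WIPS product.
The frame bodies below are constructed; a sensor would take them from
captured beacons (the 802.11 MAC header is assumed already stripped).
"""
import struct

# Capability Information bits (IEEE 802.11-2007, 7.3.1.4).
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010
# Information element IDs.
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI + WPA type


def parse_ies(data: bytes) -> dict:
    """Split the tagged-parameter area into {element_id: [payload, ...]}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) < length:
            raise ValueError("truncated information element")
        ies.setdefault(eid, []).append(payload)
        i += 2 + length
    return ies


def parse_beacon_body(body: bytes) -> dict:
    if len(body) < 12:
        raise ValueError("beacon body shorter than fixed fields")
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    ssid = ies.get(IE_SSID, [b""])[0].decode("utf-8", "replace")

    if cap & CAP_IBSS and not cap & CAP_ESS:
        mode = "adhoc"
    elif cap & CAP_ESS and not cap & CAP_IBSS:
        mode = "infrastructure"
    else:
        mode = "invalid"        # both or neither set: malformed or spoofed

    if not cap & CAP_PRIVACY:
        enc = "open"
    elif IE_RSN in ies:
        enc = "wpa2"            # RSN element present
    elif any(p.startswith(WPA_OUI_TYPE) for p in ies.get(IE_VENDOR, [])):
        enc = "wpa"
    else:
        enc = "wep"             # Privacy bit with no RSN/WPA element

    return {"ssid": ssid, "interval": interval, "mode": mode, "encryption": enc}


def violates_policy(info: dict) -> bool:
    """Ad-hoc links and open/WEP networks are what the sensor should flag."""
    return info["mode"] == "adhoc" or info["encryption"] in ("open", "wep")


def build_beacon_body(ssid: str, cap: int, extra_ies: bytes = b"") -> bytes:
    """Constructed beacon body for testing: zero timestamp, 100 TU interval."""
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return struct.pack("<QHH", 0, 100, cap) + ssid_ie + extra_ies


# Minimal RSN element (version 1 only); real ones carry cipher suites too.
RSN_STUB = bytes([IE_RSN, 2, 1, 0])

SAMPLES = {
    "notebook-share": build_beacon_body("notebook-share", CAP_IBSS),
    "CorpNet": build_beacon_body("CorpNet", CAP_ESS | CAP_PRIVACY, RSN_STUB),
    "old-printer": build_beacon_body("old-printer", CAP_ESS | CAP_PRIVACY),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        info = parse_beacon_body(body)
        flag = "FLAG" if violates_policy(info) else "ok"
        print(f"{flag:4} {info['ssid']:15} {info['mode']:15} {info['encryption']}")
```

Note that the decoder refuses to guess when both the ESS and IBSS bits are set or both are clear; a frame like that is either malformed or a deliberate attempt to confuse the sensor, and it deserves an alert of its own rather than a silent best-effort classification.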
DoS attacks are launched by hackers intent on breaking something, hoping that the breakage will leave your network open and vulnerable to penetration. Several such attacks exist today in the wild, although the latest vendor patches will at least stop the exposure, if not the actual denial of service. A good WIPS, however, is able to instruct your APs and WiFi controllers to ignore attacking MAC addresses, or to rate limit associations and other protocol events, blunting the attacks and in many cases neutralizing them entirely.
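The rate limiting described above is a sliding-window count of protocol events per source, and the subtlety is what you key the count on. The block below is an added example written for this article, not code from the original or from any WIPS product; the association-request events and AP addresses it processes are constructed. It counts both per client and per AP, because the two catch different floods.

```python
"""Sliding-window rate limiting of 802.11 association requests, keyed
both per client and per AP.

Added example, not code from the original article or any vendor product.
Event records below are constructed; a WIPS would derive them from
captured association request frames.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)     # key -> recent timestamps

    def hit(self, key: str, ts: float) -> bool:
        """Record one event; True when key exceeds limit within the window."""
        q = self.hits[key]
        q.append(ts)
        while q[0] < ts - self.window:      # expire events older than window
            q.popleft()
        return len(q) > self.limit


def detect_assoc_flood(events, per_client=10, per_ap=100, window_s=1.0):
    """events: time-ordered (ts, client_mac, bssid) tuples.

    Returns (clients to blacklist, APs under a flood). A single noisy
    client trips the per-client limit; a flood of randomized client MACs
    never does, so the per-AP aggregate is what catches it.
    """
    by_client = SlidingWindowLimiter(per_client, window_s)
    by_ap = SlidingWindowLimiter(per_ap, window_s)
    blocked, flooded = set(), set()
    for ts, client, bssid in events:
        client, bssid = client.lower(), bssid.lower()
        if by_client.hit(client, ts):
            blocked.add(client)
        if by_ap.hit(bssid, ts):
            flooded.add(bssid)
    return blocked, flooded


# Hypothetical AP addresses for the constructed events.
AP1, AP2 = "00:1a:2b:10:00:01", "00:1a:2b:10:00:02"


def constructed_events():
    ev = []
    # Legitimate client: three retries over two seconds.
    ev += [(t, "aa:bb:cc:00:00:01", AP1) for t in (0.0, 0.7, 1.9)]
    # Misbehaving driver: 15 association requests in half a second.
    ev += [(2.0 + i * 0.03, "aa:bb:cc:00:00:02", AP1) for i in range(15)]
    # Spoofed-MAC association flood against AP2: 150 distinct clients
    # in three quarters of a second, one request each.
    ev += [(5.0 + i * 0.005, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", AP2)
           for i in range(150)]
    return sorted(ev)


if __name__ == "__main__":
    blocked, flooded = detect_assoc_flood(constructed_events())
    print("blacklist:", sorted(blocked))
    print("rate-limit APs:", sorted(flooded))
```

One caveat a practitioner should keep in mind: this works for association floods because the attacker's frames carry client addresses. A deauthentication flood is different, since the forged deauth frames carry your own AP's address as the transmitter, so "ignoring the attacking MAC" would mean ignoring your own AP. The durable fix for that class of attack is 802.11w management frame protection, which lets clients discard deauth and disassociation frames the AP did not actually sign.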
That neutralization comes in handy when chronic wireless bad actors appear. Wireless networking knows no boundaries, so sometimes a malicious attacker or benign interferer lies physically just beyond the reach of the IT enforcement squad. Dynamic WIPS detection and prevention is designed to block such attackers only temporarily, eventually letting their bad behavior resume until it once again seems to be a threat. You really want to permanently blacklist these repeat offenders, both to prevent constant WIPS alerts and to ensure that troublemakers don’t interfere with legitimate users. WIPS systems accomplish blacklisting by recording a unique signature for each potential intruder. At any time you can mark that signature as persona non grata, so to speak, and the WIPS will instruct all APs to keep the annoyer at bay.
The flip side of blacklisting is whitelisting, and it is equally important. Sometimes a wireless device just looks threatening and thus gets constantly interdicted by your WIPS. If you own the device, that’s a nuisance. If a neighboring company owns it, that’s a lawsuit. You want a WIPS that can accurately classify friends and foes, but when it misses, lets you register friendlies as friends, protected against WIPS harassment.
Other features you should look for in a WIPS include alert level filtering, to keep you from getting paged constantly by innocuous events; reporting that proves to regulatory agencies that the WIPS was operational; and event tracking to help you assess the level of attack your network is experiencing over time.
Securely deploying WiFi isn’t impossible or even necessarily difficult. But you have to understand the risks you’re trying to mitigate and the changing WiFi technology landscape, as well as available product features, before you can lock down your WLAN. Only then will it be safe to watch the evening news.
Mel Beckman is a senior technical editor for System iNEWS.
Links:
[1] http://systeminetwork.com/author/mel-beckman
[2] http://tinyurl.com/atstudy