Wireless Best Practices

Cisco Architecture for Voice, Video and Integrated Data (AVVID) also contains details on best practices for wireless networks. As wireless networks grow around the globe, Cisco intends to ensure that you can connect wherever you are, 24 hours a day, thereby boosting your connectivity to the workplace. This means, of course, that connectivity is required in areas where there are no cables, such as cafés, airplanes, street corners, and hotel lobbies.

Wireless networks have become one of the most interesting targets for hackers. Wireless technology deployment is growing at a rapid rate, and sometimes without consideration of all security aspects. This rapid deployment is due, in part, to the low cost of the devices, ease of deployment, and the large productivity gains. Because WLAN devices ship with all security features disabled, WLAN deployments have increasingly attracted the attention of the hacker community. Several websites document freely available wireless connections throughout the United States.

Although most hackers are using these connections as a means to get free Internet access, a smaller group, using more sophisticated tools to capture data, modify data, capture passwords, or to hide their identity, sees this situation as an opportunity to break into networks that otherwise might have been difficult to attack from the Internet. Unlike a wired network (Ethernet for example), a WLAN sends data over the air and may be accessible outside the physical boundary of an organization. Power settings should be used, for example, to ensure that only the secure building floors have coverage and not café shops on the ground level.

When WLAN data is not encrypted, the packets can be viewed by anyone within radio frequency range. For example, a person with a Linux laptop, a WLAN adapter, and a program such as tcpdump can receive, view, and store all packets circulating on a given WLAN.

Vendors are constantly updating and providing new mechanisms to thwart hackers, such as with protocols like the following:

■ Extensible Authentication Protocol (EAP)—Provides enhanced functionality by allowing wireless client adapters, which may support different authentication types, to communicate with different back-end servers such as RADIUS

■ Lightweight Extensible Authentication Protocol (LEAP)—The Cisco implementation of EAP, based on the IEEE 802.1x authentication framework

To support all popular operating systems, Cisco designed and implemented LEAP on Cisco Aironet WLAN products and solutions. Microsoft's latest operating system, Windows XP, provides support for 802.1x (specifically EAP-TLS and EAP-MD5). Thus, a variety of EAP authentication protocols can be used to authenticate users in today's WLAN networks.

The Cisco AVVID WLAN solution is a fundamental element of the Cisco AVVID network infrastructure. This means that there are few or no cables. What is still required, of course, is network security. This section covers the main methods used to ensure that wireless networks are secure when they are implemented and designed and that common best practices are used in today's wireless LANs. The need for security must also be balanced with users' need for maximum flexibility when accessing a corporate or public network.

This section also ensures that you have all the information that you need to answer the questions that may appear on the CCIE Security written exam.

The IEEE has defined a number of wireless standards, the most important of which are the following:

■ 802.11a—Standard for the 5.0-GHz UNI band (22 Mbps)

■ 802.11b—Standard for the 2.4-GHz UNI band (11 Mbps)

■ 802.11g—Standard for higher speeds (54 Mbps)

Cisco has implemented the following wireless LAN security features in its access points and bridges:

■ Dynamic or static Wired Equivalent Privacy (WEP) key management.

■ 802.1x user authentication, which is covered in Chapter 4, "Security Protocols."

■ Enhancement beyond the IEEE recommendations, such as dynamic WEP keys to prevent WEP spoofing. Other enhancements include Message Integrity Check (MIC) and the Temporal Key Integrity Protocol (TKIP), also covered in Chapter 4.

■ Wi-Fi Protected Access (WPA) support.

NOTE For more details on Cisco wireless enhancements, visit http://www.cisco.com/en/US/products/hw/wireless/ps5279/prod_bulletin09186a00802134a9.html.

WEP is an 802.11 standard that describes the communication that occurs in wireless LANs. The WEP algorithm is used to protect wireless communications from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network; this function is not an explicit goal in the 802.11 standard, but it is frequently considered to be a feature of WEP. WEP uses the RC4 encryption algorithm, which is known as a stream cipher.

There are some very common best practices that you should consider when deploying wireless networks:

■ Use dynamic, per-user, per-session key enhancements to mitigate a variety of passive attacks. Enhancements detect and drop packets that have been (maliciously) modified in transit.

■ Deploy authentication between the client and the access point. This may connect to a RADIUS server or, for example, may need to authenticate through a firewall. The authentication is still only between the client and the access point.

■ Use rekeying policies that can be centrally configured by external servers such as an AAA server. This allows the secret key rotation to occur transparently to end users. Customers can also configure broadcast key rotation policies at the access points.

■ Keep accounting records. Every time a wireless client associates with an access point or disassociates from an access point, a record should be kept for auditing purposes.

■ Use TKIP to defend against an attack on WEP in which the intruder uses an unencrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. TKIP protects both unicast and broadcast WEP keys. TKIP still requires the WEP key to be changed every 16.7 million packets.

■ Use MIC to prevent attacks on encrypted packets, called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper proof.

■ Use EAP authentication, which provides dynamic unicast WEP keys for client devices but uses static broadcast keys. With broadcast WEP key rotation enabled, the bridge provides a dynamic broadcast WEP key and changes it at the interval you select. Broadcast key rotation should be used with TKIP. If the wireless clients do not support TKIP, using broadcast key rotation just means that the client keys get hacked first.
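
The MIC item above can be shown on a toy frame. This is an added example, not code from the original text or from Cisco: it protects a constructed payload first with RC4 plus an unkeyed CRC-32 check value, as WEP does, and then with a keyed tag added. The keys, IV and frame layout are constructed, and truncated HMAC-SHA256 is an assumption standing in for the actual MIC algorithm.

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: the same XOR encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(body: bytes) -> bytes:
    """Unkeyed CRC-32 check value of the kind WEP appends before encrypting."""
    return zlib.crc32(body).to_bytes(4, "little")

def mic(mic_key: bytes, payload: bytes) -> bytes:
    """Keyed 8-byte tag; truncated HMAC-SHA256 stands in for a real MIC."""
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(key, iv, payload, mic_key=None):
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    return rc4(iv + key, body + icv(body))

def receive(key, iv, frame, mic_key=None):
    """Return the payload, or None when an integrity check fails."""
    plain = rc4(iv + key, frame)
    body, check = plain[:-4], plain[-4:]
    if icv(body) != check:
        return None
    if mic_key is None:
        return body
    payload, tag = body[:-8], body[-8:]
    return payload if hmac.compare_digest(tag, mic(mic_key, payload)) else None

def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Keyless edit: CRC-32 is linear over XOR, so the check value can be fixed up."""
    return xor(frame, delta + xor(icv(delta), icv(bytes(len(delta)))))

KEY, IV, MIC_KEY = b"\x0a\x0b\x0c\x0d\x0e", b"\x00\x00\x01", b"constructed-mic"  # constructed
```

With only the CRC-32 check, receive() accepts a frame changed by bit_flip(); once the keyed tag is present on both ends, the same change makes receive() return None.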

Intruders typically use a number of tools, freely available on the Internet, to sniff out the airwaves for access points. Thus, it is vital that you make sure every wireless access point in your network has the most secure features enabled. Some common tools include:

■ MAC address auditing—A device is placed on the network and pings a number of local devices and caches the MAC. The intruder can then, for example, configure their NIC to receive packets for devices acting as the gateway and thereby redirect them to the wrong location.

■ Sniffers—By using a simple network monitor, of which many are available on the Internet, such as Ethereal, an intruder can sniff packets over the airwaves by using any wireless adapter.

■ Operating system imperfections—By using the fingerprint of Windows and Cisco IOS, intruders can discover weaknesses in the code to develop tools to bypass internal security. Recent reports of code thefts from Cisco and Microsoft have further heightened this flaw. Examples of tools freely available on the Internet include Airsnort, Asleap, and Network Stumbler.

■ Disable SSID broadcast—Not allowing the SSID to broadcast protects against someone gaining unauthorized association. Although the SSID is not for security, it is a simple means of access control.

This section discussed in brief some of the main points you should consider when designing a wireless network. Simple practices such as dynamic key management, deploying authentication between a client and access point, and enabling 802.1X authentication encompass the crucial wireless best practices.

There are more wireless security features available to administrators:

■ Using access control between wired and wireless networks

■ Suppressing broadcast SSIDs

■ Deploying multiple VLANs across various wireless networks

■ Providing firewall protection between wired and wireless networks

802.11 networks are insecure, and only careful design and monitoring will ensure that your IP network is not compromised. Prevention and detection are the keys to a safe wireless network.

Prevention is best designed with these points in mind:

■ Corporate policy

■ Physical security

■ Supported WLAN infrastructure

■ 802.1x port-based security on edge switches

Detection is best designed with these practices in mind:

■ Using wireless analyzers or sniffers

■ Using scripted tools on the wired infrastructure

■ Physically observing WLAN access point placement and usage

■ Implementing various levels of VLAN support for various levels of wireless access—for example, ensuring that users who are permitted only Internet access are not placed on corporate LAN-based networks
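
A scripted check on the wired infrastructure, as listed above, can start from the switch MAC tables. This is an added example, not from the original text: it parses a constructed sample in the layout of Cisco IOS "show mac address-table" output and flags edge ports that learn a MAC with an access-point vendor prefix missing from the inventory, or that learn more addresses than a single host would present. The inventory, prefix watch list, uplink list and threshold are hypothetical values.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Cisco IOS "show mac address-table" output.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.0001    DYNAMIC     Fa0/1
  10    0011.2233.0002    DYNAMIC     Fa0/2
  10    00aa.bb00.0101    DYNAMIC     Fa0/3
  10    0011.2233.0003    DYNAMIC     Fa0/3
  10    0011.2233.0004    DYNAMIC     Fa0/3
  20    00aa.bb00.0001    DYNAMIC     Fa0/4
   1    0011.2233.00ff    DYNAMIC     Gi0/1
"""
AUTHORIZED_APS = {"00aa.bb00.0001"}  # assumed inventory of managed APs
AP_OUIS = {"00aa.bb"}                # hypothetical AP-vendor prefix watch list
UPLINKS = {"Gi0/1"}                  # trunk ports legitimately carry many MACs
MAX_MACS_PER_EDGE_PORT = 1           # assumed policy: one host per edge port

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)

def parse(text):
    """Yield (vlan, mac, port) for each dynamically learned entry."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            yield int(m.group(1)), m.group(2).lower(), m.group(4)

def find_suspect_ports(text):
    """Return {port: [reasons]} for edge ports that may host an unmanaged AP."""
    by_port = defaultdict(list)
    for _vlan, mac, port in parse(text):
        if port not in UPLINKS:
            by_port[port].append(mac)
    findings = defaultdict(list)
    for port, macs in by_port.items():
        unknown = [m for m in macs if m[:7] in AP_OUIS and m not in AUTHORIZED_APS]
        if unknown:
            findings[port].append("unlisted AP MAC: " + ", ".join(sorted(unknown)))
        if len(macs) > MAX_MACS_PER_EDGE_PORT and not set(macs) & AUTHORIZED_APS:
            findings[port].append(f"{len(macs)} MACs learned on an edge port")
    return dict(findings)
```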

For more details on common best practices in wireless technologies, refer to the "SAFE: Wireless LAN Security in Depth - version 2" white paper:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008009c8b3.shtml
