Wireless Security: A Defense-in-Depth Approach for Wi-Fi Clients
By CWNP On 09/23/2009
Against those skilled in the attack, an enemy does not know where to defend. Against the experts in defence, the enemy does not know where to attack. – Art of War (Sun Tzu)
Two of my previous blog posts talked about defense-in-depth against Rogue APs and WLAN infrastructure-based attacks. We discussed that enterprises can achieve the best possible security by deploying a combination of wired solutions (e.g., 802.1X, NAC, Port security) and wireless solutions (e.g., WPA2, Wireless scanning, WIPS). The reason for this is that a combination of complementary security solutions provides better security than any of the individual solutions. This post talks about securing wireless clients.
Wi-Fi clients can be involved in communications that violate enterprise wireless security policies. In some cases, it is an inadvertent client misconfiguration that an attacker can exploit. In other cases, it is an enterprise user deliberately violating the policies (e.g., ad hoc connections, or accessing Yahoo mail at work via a non-authorized AP). In my opinion, enterprises need to adopt a combination of solutions to secure against Wi-Fi client-based threats.
- Follow best practices: First of all, adopt acknowledged good practices in your enterprise wireless LAN (WLAN). Configure your enterprise WLAN with strong cryptographic security – WPA2/RSN. Protect your clients with good anti-virus software. Patch your operating systems regularly and install only those applications that are absolutely required in your enterprise. Educate your users on wireless security issues and the serious consequences of a security breach.
- Use Layer-3 Endpoint Agents: You should use Network Access Control (NAC) and Virtual Private Networks (VPN) to provide one layer of security to your Wi-Fi clients. NACs are helpful in forcing policy-specific software configuration on clients. Further, they can quarantine clients that do not adhere to your policy. On the other hand, VPNs are of high value in securing remote enterprise users who need to access public Wi-Fi services. However, beware of the following issues/limitations of layer-3 agents. A NAC may not be able to protect against certain wireless security policy violations (e.g., an enterprise client connecting to a neighbor’s Wi-Fi network). Deploying VPNs for all WLAN users may be neither practical nor economical – challenges include guest access, hindrance to roaming, and high managerial overhead.
- Use Layer-2 Endpoint Agents: Layer-2 agents that are aware of the Wi-Fi layer must complement Layer-3 endpoint agents. Such Wi-Fi-aware agents can do a lot more than layer-3 agents. They enable you to implement fine-grained wireless security policies: you can create multiple security profiles on your enterprise clients. This is far more flexible than just having an “Allow/Deny Wi-Fi” policy on your clients. You can also have a layer-2 agent automatically select a profile based on certain parameters such as visible SSIDs. As an example of these policies, you may configure your layer-2 solution so that a user inside the enterprise is allowed to connect to enterprise APs only, while a user at a public Wi-Fi hotspot is allowed Wi-Fi access only via a VPN tunnel. Layer-2 agents can also be used to block the usage of non-Wi-Fi technologies such as Bluetooth and EV-DO.
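To make the profile-selection idea concrete, here is an added example (not code from the original post or from any vendor's agent) of a toy Wi-Fi-aware client policy engine: it picks a profile from the SSIDs visible in a scan and then decides whether a proposed connection or radio is allowed. The profile names, SSIDs and policy values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """One client-side security profile (constructed for this example)."""
    name: str
    allowed_ssids: set = field(default_factory=set)  # empty set = any SSID
    require_rsn: bool = False     # only WPA2/RSN networks may be joined
    vpn_only: bool = False        # link may carry VPN tunnel traffic only
    allow_adhoc: bool = False
    allowed_radios: set = field(default_factory=lambda: {"wifi"})

# Constructed policy: enterprise APs only on campus, VPN-only at hotspots,
# Bluetooth and EV-DO radios blocked in both profiles.
ENTERPRISE_SSIDS = {"CorpWLAN"}
PROFILES = {
    "enterprise": Profile("enterprise", allowed_ssids=ENTERPRISE_SSIDS,
                          require_rsn=True),
    "hotspot": Profile("hotspot", vpn_only=True),
}

def select_profile(visible_ssids):
    """Pick a profile from the SSIDs the client can currently see."""
    if set(visible_ssids) & ENTERPRISE_SSIDS:
        return PROFILES["enterprise"]
    return PROFILES["hotspot"]

def check_connection(profile, ssid, mode="infrastructure", rsn=True):
    """Return (allowed, reason) for a proposed connection under a profile."""
    if mode == "adhoc" and not profile.allow_adhoc:
        return False, "ad hoc connections are blocked by policy"
    if profile.allowed_ssids and ssid not in profile.allowed_ssids:
        return False, f"SSID {ssid!r} is not an enterprise network"
    if profile.require_rsn and not rsn:
        return False, "network does not use WPA2/RSN"
    if profile.vpn_only:
        return True, "allowed; only VPN tunnel traffic permitted on this link"
    return True, f"allowed under profile {profile.name!r}"

def check_radio(profile, radio):
    """Return True if a non-Wi-Fi radio (e.g. bluetooth, evdo) may be used."""
    return radio in profile.allowed_radios
```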
- Wireless Intrusion Prevention System (WIPS): Given that you have already installed endpoint agents on clients, you may be wondering whether WIPS has any value to add. The answer is “yes.” The following example scenarios show where endpoint agents fail (and hence, where WIPS can add value). An obvious scenario is an enterprise where users are allowed administrative access on their notebooks. In this scenario, users can simply turn off or uninstall the endpoint agent to bypass it. Even if administrative access is not allowed, users can potentially sneak in their own notebooks on which none of these agents are installed. The next scenario is related to the recent surge in the use of smartphones (e.g., iPhone, BlackBerry). Today, it may be almost impossible to locate endpoint agents for all such devices. Discussions with network administrators confirm that the use of personal smartphones in an enterprise is one of the major security pain points today. Administrators face difficulties in getting even basic visibility of the Wi-Fi devices used in their enterprise and their software configuration. Having a complementary security layer in the form of a WIPS to gain this visibility can be very handy. Further, depending on its capabilities, a WIPS can be used to block Wi-Fi client related threats and/or ban the usage of specific types of Wi-Fi devices (e.g., iPhones). Of course, WIPS acts as a complementary layer only as long as a Wi-Fi client is within the enterprise – remote or public Wi-Fi access has to rely on endpoint agents.
Do you think the above security solution suite provides sufficient depth in protecting your enterprise wireless clients? Please chime in with your thoughts.
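The scenarios above are exactly what an over-the-air view can catch when the endpoint agent is missing or disabled. As an added example (not from the original post or any WIPS product), the toy analysis pass below classifies observed client/AP associations against an authorized-device inventory: a managed client on a non-enterprise AP, an unknown (sneaked-in) notebook on an enterprise AP, an ad hoc link, and a banned device type. All MAC addresses, SSIDs, device types and observation records are constructed for the example.

```python
from collections import namedtuple

# One association seen over the air by a WIPS sensor (constructed fields).
Observation = namedtuple("Observation",
                         "client_mac bssid ssid mode device_type")

# Constructed inventory: managed notebooks, enterprise APs, banned types.
AUTHORIZED_CLIENTS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
AUTHORIZED_BSSIDS = {"00:aa:bb:cc:dd:01"}
BANNED_DEVICE_TYPES = {"smartphone"}

def classify(obs):
    """Return the list of policy alerts raised by one observation."""
    alerts = []
    if obs.mode == "adhoc":
        alerts.append("ad hoc link")
    if obs.device_type in BANNED_DEVICE_TYPES:
        alerts.append(f"banned device type {obs.device_type}")
    known_client = obs.client_mac in AUTHORIZED_CLIENTS
    known_ap = obs.bssid in AUTHORIZED_BSSIDS
    # Managed client associated with a neighbor's or rogue AP: the endpoint
    # agent should have prevented this, so it is likely off or uninstalled.
    if known_client and not known_ap and obs.mode != "adhoc":
        alerts.append("misassociation: managed client on non-enterprise AP")
    # Unknown client on an enterprise AP: a device without any agent.
    if not known_client and known_ap:
        alerts.append("unauthorized client on enterprise AP")
    return alerts

def analyze(observations):
    """Map client MAC -> alerts, keeping only clients with at least one."""
    report = {}
    for obs in observations:
        alerts = classify(obs)
        if alerts:
            report.setdefault(obs.client_mac, []).extend(alerts)
    return report

# Constructed sample of what a sensor might observe in one sweep.
SAMPLE = [
    Observation("00:11:22:aa:bb:01", "00:aa:bb:cc:dd:01", "CorpWLAN",
                "infrastructure", "notebook"),
    Observation("00:11:22:aa:bb:02", "66:77:88:99:00:01", "NeighborNet",
                "infrastructure", "notebook"),
    Observation("de:ad:be:ef:00:01", "00:aa:bb:cc:dd:01", "CorpWLAN",
                "infrastructure", "notebook"),
    Observation("de:ad:be:ef:00:02", "de:ad:be:ef:00:03", "freeshare",
                "adhoc", "smartphone"),
]
```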
Thanks,
Gopi