by Perry Lynch
Wireless access presents a special challenge for network security. A weak security implementation will allow intruders to gain an almost physical level of access; they may be able to bypass your firewall and directly connect to your information systems from locations that are within range of your facilities. CIS Control #15, "Wireless Access Control," provides guidance to minimize this risk.
The risk factors
Unmanaged wireless devices in the hands of trusted users present a significant risk: They provide access to information for trusted users, and are sometimes considered to be part of the network. However, they are not consistently managed or maintained, and are routinely exposed to malware and opportunities for corruption when they are not on your protected enterprise network.
To counter these risks, the access point should be considered as much a policy enforcement tool as it is a network gateway. Your network of access points should be maintained at current patch levels and at the highest possible encryption levels and configured to provide secured access to the enterprise network for corporately-owned devices. Guest devices, either staff or visitor-owned, should be restricted to a network segment or VLAN that provides access to the Internet only. To further limit risk, access points should also be configured to prevent ad-hoc wireless networking and direct client-to-client access within the Wireless LAN.
Configuring access points
The 802.11 security standards continue to evolve, with the launch of WPA3 in the second quarter of this year. The older security protocols, WEP and WPA, have known serious weaknesses and should no longer be used. The TKIP encryption protocol has been deprecated as well. The CIS recommendation is to use WPA2 with AES encryption; AES is the default when using WPA2 on modern devices.
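The settings called out above (no WEP, no WPA version 1, no TKIP, AES only) and the client-isolation advice from the earlier section are easy to verify mechanically. The following is an added example, not code from the article or from CIS, that audits a hostapd-style access point configuration for those weaknesses. The two configurations it checks are constructed samples; the hostapd keys it reads (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `ap_isolate`, `wep_key*`) are real, but the check itself is illustrative and does not cover every hostapd option.

```python
"""Audit a hostapd-style access point configuration for the weaknesses the
article names: WEP, WPA (version 1), TKIP, and missing client isolation.

Both sample configurations below are constructed for this example."""

from __future__ import annotations

WEAK_CONFIG = """\
# constructed sample: legacy settings that should not be deployed
interface=wlan0
ssid=corp-legacy
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=placeholder-passphrase
"""

HARDENED_CONFIG = """\
# constructed sample: WPA2 with AES (CCMP) only, clients isolated from each other
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ap_isolate=1
wpa_passphrase=placeholder-passphrase
"""


def parse_hostapd(text: str) -> dict[str, str]:
    """Return key=value settings, ignoring blank lines and '#' comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_hostapd(text: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    cfg = parse_hostapd(text)
    findings: list[str] = []

    # Any wep_key*/wep_default_key setting means WEP is in play.
    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP is configured; WEP is broken and must not be used")

    # In hostapd, 'wpa' is a bitmask: bit 1 = WPA (version 1), bit 2 = WPA2/RSN.
    try:
        wpa = int(cfg.get("wpa", "0"))
    except ValueError:
        wpa = 0
    if wpa & 1:
        findings.append("WPA (version 1) is enabled; disable it")
    if not wpa & 2:
        findings.append("WPA2 (RSN) is not enabled")

    # Cipher suites are space-separated lists; TKIP anywhere is a finding.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP (AES) only")

    # ap_isolate=1 blocks direct client-to-client traffic through the AP.
    if cfg.get("ap_isolate", "0") != "1":
        findings.append("ap_isolate is not set; clients can reach each other directly")

    return findings


if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_hostapd(cfg_text) or ['no findings']}")
```

Run against the weak sample it reports four findings (WPA version 1 on, WPA2 off, TKIP allowed, no isolation); the hardened sample produces none. The same checks translate directly to a controller export or a vendor's CLI dump once you map the key names.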
Access point firmware needs to stay up to date. The KRACK vulnerability, discovered in 2017, affected virtually all WPA2 implementations. Manufacturers have issued firmware updates to address this issue; implementing these patches is necessary to maintain security.
If you are planning a future Wi-Fi implementation or upgrade, remember that vendors are submitting device designs for certification to the new protocol, with plans to fully support WPA3 in 2019. Make sure your hardware vendor will support a future-proof implementation to get the most from your investment.
Rogue access points
Unauthorized wireless access points can present a serious risk and should be removed from the network whenever they are discovered. Regardless of intent or configuration, they provide unauthorized and/or unprotected access to the network. Left unsecured, they could provide an unencrypted open access channel into your information assets.
Monitoring software that works from an inventory of authorized systems can recognize any unauthorized devices. This makes it possible to block the offending device from the network, then locate and disconnect it.
Many of the available managed access point solutions include Wireless Intrusion Detection Systems (WIDS) capabilities, providing the ability to detect and disable unauthorized access points or the use of various wireless attack tools.
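The inventory-driven approach described in the two paragraphs above comes down to a set comparison: every BSSID seen on the air is either in the authorized list or it is not, and an unknown BSSID that is broadcasting one of your own SSIDs deserves more urgency than a neighbour's network. The script below is an added example, not part of the article or of any WIDS product; the inventory, corporate SSID list, and scan lines are all constructed, and a real deployment would feed it from the WLAN controller or a scanner export instead.

```python
"""Classify wireless scan results against an inventory of authorized APs.

The inventory, SSID list and scan output below are constructed for this
example; substitute your asset register and controller/scanner export."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int


# Constructed inventory: BSSID -> location label, as an asset register would hold it.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "floor1-east",
    "00:11:22:33:44:02": "floor1-west",
}

# Constructed list of SSIDs the organization actually operates.
CORPORATE_SSIDS = {"corp", "corp-guest"}

# Constructed scan output, one "bssid ssid channel" record per line.
SCAN_LINES = """\
00:11:22:33:44:01 corp 36
00:11:22:33:44:02 corp-guest 44
DE:AD:BE:EF:00:01 corp 6
aa:bb:cc:dd:ee:ff CoffeeShopWiFi 11
"""


def parse_scan(text: str) -> list[Observation]:
    """Parse whitespace-separated scan records; BSSIDs are normalized to lowercase."""
    observations = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        bssid, ssid, channel = parts
        observations.append(Observation(bssid.lower(), ssid, int(channel)))
    return observations


def classify(
    observations: list[Observation],
    authorized: dict[str, str],
    corporate_ssids: set[str],
) -> dict[str, list[Observation]]:
    """Split observations into authorized, rogue and unknown buckets.

    rogue   : BSSID not in inventory but advertising one of our SSIDs
    unknown : BSSID not in inventory, advertising some other SSID
    """
    known = {b.lower() for b in authorized}
    result: dict[str, list[Observation]] = {"authorized": [], "rogue": [], "unknown": []}
    for obs in observations:
        if obs.bssid in known:
            result["authorized"].append(obs)
        elif obs.ssid in corporate_ssids:
            result["rogue"].append(obs)
        else:
            result["unknown"].append(obs)
    return result


if __name__ == "__main__":
    report = classify(parse_scan(SCAN_LINES), AUTHORIZED_APS, CORPORATE_SSIDS)
    for bucket, items in report.items():
        for obs in items:
            print(f"{bucket:<10} {obs.bssid}  ssid={obs.ssid}  ch={obs.channel}")
```

The "rogue" bucket is the one to act on first, since an unlisted radio using a corporate SSID is exactly the undocumented entry point the section warns about; "unknown" entries are usually neighbours but are worth a periodic look, and anything in the inventory that never shows up in a scan may indicate an AP that has gone offline.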
Limiting other devices
Printers and other devices often include their own wireless access as a convenience feature. In a corporate environment, this should be disabled to prevent the printer from becoming an undocumented entry point to the network.
The use of Bluetooth in the environment is an often-overlooked concern: enabling unregulated pairings may permit intruders to gain direct access to computers on the network. Restricting Bluetooth-based services to only support headsets and input devices is easily handled with group policy and should be implemented whenever the environment contains Bluetooth-capable systems.
Limiting less trusted access
BYOD policies are useful, but allowing personal devices unrestricted access to the same network your information systems rely on is never a great idea. Even with the most restrictive policies, the IT department doesn't have full administrative control over devices not owned by the organization. A reasonable compromise is to provide access to a guest VLAN, implement restrictive ACLs between it and the enterprise network, and permit outbound-only Internet access on that VLAN.
In any event, only wireless devices that are owned by the organization should be permitted on the enterprise network. This provides the IT staff with the authority to enforce adequate security restrictions for those devices.
Wireless networks provide value and convenience, but they require care and attention to avoid becoming a security problem. Facilities containing highly sensitive information assets should consider using wireless for guest access only, or avoiding it altogether. Enterprise networks that do use it need to employ the latest protocols, restrict its use to authorized devices, and be on the lookout for unauthorized access points.