wp global security

Post on 14-Apr-2018

• 7/30/2019 Wp Global Security

1/36

Jon Green, CISSP, Aruba Networks

www.arubanetworks.com

Building Global Security Policy for Wireless LANs


Table of Contents

Introduction 1
Chapter 1  Lessons Learned: What Doesn't Work 2
Chapter 2  Architectures for Mobility 5
Chapter 3  Locking the Air 6
Chapter 4  Keeping the Bad Guys Out: Authentication 8
Chapter 5  Hiding in Plain Sight: Encryption 10
Chapter 6  People, Not Ports: Identity-based Security 12
Chapter 7  Planning for Global Mobility: Remote Access 16
Chapter 8  Defensive Networks: Knocking Out Malware 18
Chapter 9  Strategies for Guest Access 20
Chapter 10  Putting It All Together: Sample Security Policy 22
Summary 30
About Aruba Networks, Inc. 31


Introduction

As wireless devices become more and more common in today's enterprise networks, now is a good time for CIOs and IT managers to plan their strategy for overall control, deployment, and management of this important technology. Security is one component of that strategy, and it is a big one. While a properly implemented wireless security policy makes wireless more secure than wired networks, an improperly implemented or insufficient plan can lead to disaster. The popularity of wireless technology and an increasingly mobile workforce are leading to a new connectivity model where users connect over wireless networks wherever they go: at the corporate office, working from home, or traveling on the road. Mobility, including wireless technology, has the potential to expose corporate networks to intruders, leak sensitive data, and subject the enterprise network to virus and worm outbreaks. Proper planning avoids these issues without necessarily costing a lot of money. This white paper first explains wireless security techniques that have failed, and then provides clear recommendations for building effective security policies. Also presented are pros and cons of two architectural approaches to wireless security: a centralized approach and a distributed approach. At the end of this document, a sample wireless security policy is provided.


Chapter 1  Lessons Learned: What Doesn't Work

A number of "Best Practice" guides for securing wireless networks have been written over time. While many of the more recent ones are useful, a number of them advocate older techniques that have been proven ineffective.

Policies Without Enforcement

A written IT security policy is necessary in any size organization, but it is meaningless without a way to check compliance. Too many companies write a security policy banning all wireless devices, then fail to monitor for their use. Users demand mobility, and experience shows that if wireless networks are not provided by the IT department, users will install consumer-grade equipment themselves. Typically this consumer-grade equipment has no security turned on by default, and most users do not bother with additional configuration steps to turn on even basic security. These rogue access points (APs) effectively open an organization's network to anyone in the parking lot.

Some organizations establish no-wireless policies and do periodically scan for unauthorized equipment. However, this eats up valuable personnel time as a network administrator walks through the building with a laptop or other wireless scanner. If an AP is detected, the administrator must then spend additional time to determine if that AP is inside the building, or if it belongs to another nearby business.

RF Engineering

A common question heard from organizations looking to deploy wireless is, "How do I ensure that the wireless signal doesn't travel outside the building?" Some security analysts recommend using special directional antennas to accomplish this, or recommend using decoy access points with antennas pointed outside the building as a way to defeat would-be intruders. Both techniques are costly, complex, and do not work. Radio signals are invisible and travel in unpredictable ways after bouncing off reflective surfaces such as file cabinets and whiteboards.

In addition, an attacker can use a high-gain directional antenna to transmit and receive signals from far away, even when a standard laptop wireless card does not detect a usable signal. Wireless networks should be installed with the assumption that anyone can be within radio range of the network, and security should be adjusted appropriately.


SSID Cloaking

Some APs offer the ability to hide the broadcast of the Service Set Identifier (SSID), also known as the network name. Some wireless security best practice guides in the past have advocated doing this, with the idea that the SSID can be used as a password. In theory, if an attacker doesn't know the SSID name in advance, he can't connect to the network. In reality, it is simple to learn the SSID by monitoring the normal process of an authorized client joining the network. SSID cloaking is not harmful, but it should never be treated as a security technique.

MAC Address Filtering

A common wireless practice for consumer-grade equipment is to turn on MAC address filtering. With this feature, only computers on the approved list are allowed on the wireless LAN. Unfortunately, MAC address filtering is ineffective because it is trivial for an attacker to impersonate a valid computer by changing the MAC address of his or her computer. MAC address filtering also does not scale in enterprise networks, since the address database must be updated each time a computer is bought, replaced, or eliminated.

WEP

WEP (Wired Equivalent Privacy) is the original wireless encryption standard provided for 802.11 wireless LANs. WEP is widely recognized as being ineffective as an encryption protocol on multiple fronts. Using modern attack tools, WEP can be cracked in one minute or less, rendering the interior network open to intruders. Two types of WEP networks may be deployed: static WEP with pre-configured keys, and dynamic WEP with 802.1X authentication. While dynamic WEP provides scalability benefits in an enterprise setting, both forms of WEP are equally weak and are unsuitable for use today. Where application needs require WEP to be used, network access should be extremely restricted using firewall policies to allow the minimum access required.

Recently some vendors have begun providing so-called "WEP cloaking" or "WEP shielding" products. These are designed to be used in conjunction with a WEP network to defeat attackers by injecting decoy traffic into the air that confuses WEP cracking tools, thus making WEP safer for use. Attack tools were quickly modified to defeat these products, and thus they do not measurably improve security of WEP networks.


Cisco LEAP

Cisco invented LEAP (Lightweight Extensible Authentication Protocol) as a way to provide authentication and dynamic encryption keying for wireless networks before standards existed to provide those services. While LEAP served a purpose in the past, it has now been broken and can be exploited by attackers to break into a wireless network. The use of strong password policies may make such attacks more difficult, but ultimately this protocol should be retired and replaced with stronger security standards that have been subject to widespread peer review. It should be noted that the proprietary replacement for LEAP, known as EAP-FAST, also has known security failures and should be avoided in preference to standards-based protocols such as PEAP and EAP-TLS.

What Doesn't Work: Conclusion

Today there are modern approaches to wireless security that render the above techniques obsolete. Rather than sacrifice security with stopgap measures that provide only partial protection, organizations can deploy standards-based technology that provides solid protection for mobile networks.


Chapter 2  Architectures for Mobility

There are three major network architectures available for building wireless LANs, although for the purpose of security this can be narrowed down to just two: distributed and centralized. A distributed architecture, as the name implies, distributes security functions to multiple devices, while a centralized architecture collapses security functions into one device. A distributed architecture may consist of standalone "fat" access points, where the AP itself contains all functionality for wireless LAN operation. A distributed architecture may also consist of a controller with "thin" APs when the security functions of the wireless LAN are broken up between multiple devices. For example, if an AP performs encryption, the controller performs authentication, and an external firewall performs access control, this is a distributed system from a security standpoint. A centralized system, on the other hand, places all security functions in a single unit. In the example just given, encryption, authentication, and access control would all be done by a single controller in the centralized architecture. A centralized architecture is always made up of thin APs and a central controller.

These architectures will be revisited in each section below to provide comparison and contrast between the capabilities of each.


Chapter 3  Locking the Air

The first step in any wireless security policy is to lock down the radio spectrum against threats. This step must be taken even if a wireless network is not actually deployed, to protect against uncontrolled wireless devices that may be brought in. Once a wireless network has been deployed, monitoring for attacks against that network becomes an additional need.

Rogue APs

The very existence of wireless technology is a threat to security of the wired network. Employee demand for mobility is so great that many people, if not provided with wireless access, will install it themselves. Consumer-grade access points are inexpensive and easy to set up, and it only takes moments for an employee to install one of these rogue APs in an office or cubicle. Connected to the corporate wired network, rogue APs become instant portals into the network, bypassing firewalls and other security systems. Putting an automated system in place to find, classify, and disable rogue APs is a critical requirement of a wireless security policy. This must be done for all points in the organization's network where rogue APs could potentially be installed, including branch and remote offices.
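The "find and classify" step described above (and the Chapter 1 problem of deciding whether a detected AP is inside the building or belongs to the business next door) can be automated by correlating what is seen on the air with what the wired switches have learned. The following Python is an added example, not code from the paper or from Aruba; the BSSIDs, SSIDs, MAC addresses, and the heuristic that an AP's wired MAC sits within a few addresses of its BSSID are all assumptions made for the illustration.

```python
"""Added example: classify observed access points as authorized, rogue, suspect, or neighbor.

Inputs (all constructed for this example): a wireless scan, the BSSIDs the IT
department installed, the corporate SSIDs, and MAC addresses learned on the
wired switches. None of these values come from the paper.
"""
from dataclasses import dataclass, field


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    clients: set = field(default_factory=set)  # station MACs seen associated to it


def _norm(mac: str) -> str:
    return mac.lower().replace("-", ":")


def _mac_int(mac: str) -> int:
    return int(_norm(mac).replace(":", ""), 16)


def _near_on_wire(bssid: str, wired_macs: set, spread: int = 8) -> bool:
    """Heuristic (an assumption, not from the paper): an AP's Ethernet MAC usually
    sits within a few addresses of its BSSIDs, so a wired-side MAC that close to
    the BSSID is treated as the same box plugged into one of our switches."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= spread for m in wired_macs)


def classify_ap(ap: ObservedAP, authorized: set, corporate_ssids: set, wired_macs: set) -> str:
    authorized = {_norm(m) for m in authorized}
    wired_macs = {_norm(m) for m in wired_macs}
    if _norm(ap.bssid) in authorized:
        return "authorized"
    clients = {_norm(m) for m in ap.clients}
    # Evidence that the AP, or a station behind it, reaches our wired LAN:
    # this is the "portal into the network" case and the one to disable first.
    if _near_on_wire(ap.bssid, wired_macs) or clients & wired_macs:
        return "rogue"
    # Not on our wire but advertising our network name: worth investigating
    # (a misconfigured device, or an AP impersonating the corporate SSID).
    if ap.ssid in corporate_ssids:
        return "suspect"
    # Everything else is most likely the business next door.
    return "neighbor"


def classify_all(scan, authorized, corporate_ssids, wired_macs) -> dict:
    return {ap.bssid: classify_ap(ap, authorized, corporate_ssids, wired_macs) for ap in scan}


# --- constructed sample data -------------------------------------------------
AUTHORIZED_BSSIDS = {"00:0b:86:aa:bb:01", "00:0b:86:aa:bb:02"}
CORPORATE_SSIDS = {"CorpNet"}
WIRED_MACS = {            # bridge-table entries pulled from the access switches
    "00:0b:86:aa:bb:01",  # one of our own APs
    "00:1c:10:22:33:40",  # Ethernet port of a consumer AP someone brought in
    "00:16:ea:55:66:77",  # a laptop seen both on a switch port and on the air
}
SCAN = [
    ObservedAP("00:0b:86:aa:bb:01", "CorpNet"),
    ObservedAP("00:1c:10:22:33:44", "linksys", clients={"00:16:ea:55:66:77"}),
    ObservedAP("00:24:d2:77:88:99", "CorpNet"),
    ObservedAP("00:1f:3b:99:88:77", "CoffeeShop-Guest"),
]


def demo() -> dict:
    return classify_all(SCAN, AUTHORIZED_BSSIDS, CORPORATE_SSIDS, WIRED_MACS)


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(f"{bssid}  {verdict}")
```

Only the "rogue" verdict should trigger containment and a visit to the switch port where the wired MAC was learned; a "neighbor" is noise, and a "suspect" is a case for a human to look at before anything is disabled.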

Uncontrolled Clients

A second category of threats to the enterprise network is that of uncontrolled client devices. Many end-user devices such as laptops, PDAs, and mobile phones come equipped with wireless interfaces. When these devices are not properly secured, they can become a security risk, with intrusion or loss of confidential information possible.

As one example, Windows XP can be configured to bridge a wired network interface together with a wireless interface. If this happens, an attacker may be able to use the bridged connection as a gateway into the corporate network. As another example, many mobile phones support Bluetooth for connection to other wireless devices. If the mobile phone is not configured with correct security features, an attacker could wirelessly tap into the phone and download address books, stored email, and other information that could reveal business contacts or business plans.


Active Attacks

If a wireless LAN has been deployed, it must be monitored and protected against malicious attacks. Attacks range from simple RF jamming up to sophisticated man-in-the-middle attacks where an attacker inserts himself into the communication path and is able to add, delete, or modify data in transit. The proper use of encryption and authentication, discussed later, mitigates many of the risks, but a wireless intrusion prevention system is necessary for detecting and preventing the remainder. At a minimum, a wireless intrusion prevention system will identify active denial of service attacks so that valuable time is not wasted troubleshooting wireless LAN connectivity problems when the actual problem is an attacker. For companies that intend to prosecute attackers under the law, wireless intrusion prevention systems provide valuable forensic evidence of what activities took place.

Wireless Intrusion Prevention

The technology used to monitor and prevent these types of threats is called a Wireless Intrusion Detection System (WIDS) or Wireless Intrusion Prevention System (WIPS). Two architectural approaches exist to locking the air. In a centralized architecture, all intrusion prevention functions, including rogue AP and uncontrolled client management, are included in the same system providing WLAN access. With the distributed approach, a separate dedicated system is used for wireless intrusion detection. Of these, the centralized integrated approach is considered more cost-effective and secure for the following reasons:

1) Access points used for wireless access are also sensors for the wireless intrusion prevention system. This saves on cabling and deployment costs since a single unit can do both jobs.

2) The system monitoring for threats is also in the data path for wireless clients. This gives the system visibility from the RF layer up to the application layer. If a valid client is the source of an attack, the attack can be prevented rather than just detected and reported.

3) Where WIPS technology is deployed to enforce a no-wireless policy, either a stand-alone distributed system or a centralized integrated system can do the job. However, with the centralized integrated system, the same equipment can later be used to provide WIPS + WLAN access if the organization decides to change the no-wireless policy. Thus such a system should be given serious consideration even if WLAN access is not currently planned.


Chapter 4  Keeping the Bad Guys Out: Authentication

Because radio waves travel outside their desired coverage area, it is critical to ensure only valid, authorized users obtain access to wireless networks. This is accomplished with authentication: a process that validates that a user is who he claims to be and is authorized to be on the network. Authentication typically consists of providing a username and password, or some other credential, to the mobility system. The mobility system checks this information against a database, such as Microsoft's Active Directory, and grants or denies access based on the outcome. There are multiple ways to accomplish authentication, but the most secure method for wireless networks is the 802.1X protocol. This standard, widely implemented by equipment vendors and operating systems, provides a flexible framework for authenticating multiple types of users and devices through multiple types of credentials. 802.1X is incorporated into the Wi-Fi Alliance's WPA (Wi-Fi Protected Access) versions 1 and 2, a certification found on all enterprise-grade wireless equipment as well as many consumer products.

Authentication must be done right. Done incorrectly, it can be the single biggest flaw in wireless security. Recommendations for properly implemented authentication include:

• Use 802.1X EAP methods that include encrypted tunnels. These include PEAP, TTLS, and TLS. Encrypted tunnels inside 802.1X function just like common SSL web sites used for e-commerce or sending passwords. Although an intruder can monitor the exchange over the air, data inside the encrypted tunnel cannot be intercepted. Do not use non-tunneled EAP types such as EAP-MD5 or LEAP.

• Always perform mutual authentication, accomplished by way of a digital certificate, to ensure that clients only communicate with valid networks. Upon joining the network, the client is presented with a server-side digital certificate. If the certificate is trusted by the client, authentication will continue. If the certificate is not trusted, the process will stop. Do not disable server-side certificate checking on the client. If this is done, any access point can claim to be valid and cause the client to provide login credentials. One EAP type, EAP-FAST, does not use a server-side digital certificate and thus does not perform mutual authentication unless extra labor-intensive steps are taken. For this reason, EAP-FAST should be avoided in favor of more secure EAP types such as PEAP, TTLS, and TLS.


• Lock down 802.1X client settings. Many 802.1X supplicants provide options for validating server certificates, for trusting only specific authentication servers, for trusting only specific certificate authorities (CAs), and for allowing the end user to add new trusted servers and certificate authorities. To achieve the best security, always use the most restrictive settings. The server certificate must always be validated. The client should trust only a specific set of certificate authorities, and for the strongest security, these should be well-run internal CAs rather than public CAs. The client should only authenticate against specific RADIUS servers. Finally, the end user should not be permitted to add new trusted authentication servers or CAs.

• Implement a strong password policy. It should not be easy for an attacker to guess a username and password used to obtain access to the wireless network. The best form of wireless security uses one-time passwords such as SecurID or other token products. If one-time passwords are impractical, use strong passwords consisting of eight or more characters and a mixture of alphanumeric and special characters. Most popular network operating systems provide policies to enforce strong password usage automatically.

• Consider doing two-stage authentication, authenticating the computer as well as the user, if the client operating system allows this feature. For example, on a Microsoft Windows network, the computer can be authenticated as a valid domain member first, and then the user can authenticate as a valid user. If both steps do not take place, the wireless system can block access to the network.
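The tunneled-EAP, mutual-authentication, client lock-down and password recommendations above can be checked mechanically. The following Python is an added example (not from the paper or any vendor): it audits a supplicant profile against those rules and shows the accept/reject decision a locked-down client makes on the server certificate it is shown before it releases any credentials. The profile fields, CA names, server names and password rules are assumptions made for the illustration.

```python
"""Added example: audit an 802.1X supplicant profile against the lock-down rules
and show the server-certificate decision a hardened client makes.
Profile fields, CA names and server names are constructed for this example."""
from dataclasses import dataclass
import re

TUNNELED_EAP = {"PEAP", "TTLS", "TLS"}  # methods that wrap the credential exchange in TLS


@dataclass
class SupplicantProfile:
    eap_method: str
    validate_server_cert: bool
    trusted_cas: frozenset       # issuer names the client will accept
    allowed_servers: frozenset   # RADIUS server names (certificate CN) it will talk to
    user_may_add_trust: bool
    internal_cas: frozenset      # CAs the organisation runs itself (assumed list)


@dataclass
class ServerCert:
    issuer: str
    subject_cn: str


def audit_profile(p: SupplicantProfile) -> list:
    """One finding per recommendation the profile violates; empty means locked down."""
    findings = []
    if p.eap_method.upper() not in TUNNELED_EAP:
        findings.append(f"EAP-{p.eap_method} is not a tunneled method; use PEAP, TTLS or TLS")
    if not p.validate_server_cert:
        findings.append("server certificate validation is off: any AP can collect credentials")
    if not p.trusted_cas:
        findings.append("no CA pinned: every CA in the system store is trusted")
    elif not p.trusted_cas <= p.internal_cas:
        findings.append("trusted CA set includes public CAs; restrict to internal CAs")
    if not p.allowed_servers:
        findings.append("no restriction on which RADIUS servers may authenticate the client")
    if p.user_may_add_trust:
        findings.append("end user is allowed to add trusted servers or CAs")
    return findings


def accept_server(p: SupplicantProfile, cert: ServerCert) -> bool:
    """Mutual authentication from the client's side: continue only if the server
    certificate was issued by a pinned CA and names one of the expected servers."""
    if not p.validate_server_cert:
        return True  # the misconfiguration the text warns about: nothing is checked
    return cert.issuer in p.trusted_cas and cert.subject_cn in p.allowed_servers


# Eight or more characters with letters, digits and at least one special character.
_PASSWORD_RULES = (re.compile(r".{8,}"), re.compile(r"[A-Za-z]"),
                   re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


def password_meets_policy(password: str) -> bool:
    return all(rule.search(password) for rule in _PASSWORD_RULES)


# --- constructed profiles and certificates ------------------------------------
INTERNAL_CAS = frozenset({"CN=Corp Internal CA"})

WEAK = SupplicantProfile("LEAP", False, frozenset(), frozenset(), True, INTERNAL_CAS)
HARDENED = SupplicantProfile(
    "PEAP", True, INTERNAL_CAS,
    frozenset({"radius1.corp.example", "radius2.corp.example"}), False, INTERNAL_CAS)

REAL_SERVER = ServerCert("CN=Corp Internal CA", "radius1.corp.example")
IMPOSTER = ServerCert("CN=Some Public CA", "radius.hotspot.example")

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(prof) or ["no findings"])
        print("  accepts real server:", accept_server(prof, REAL_SERVER),
              " accepts imposter:", accept_server(prof, IMPOSTER))
```

The weak profile accepts the imposter's certificate because it never looks at it; the hardened profile rejects it even though the certificate is perfectly valid, simply because it was not issued by the pinned internal CA and does not name one of the expected RADIUS servers.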

When it comes to authentication, architecture of the mobility system makes a difference. With a centralized system, a single device or small number of centralized devices acts as the 802.1X authenticator, meaning that only a small number of devices need to be recognized by the authentication server. This results in greater system scalability, since less administrator time needs to be spent managing multitudes of entries in a RADIUS server. In addition, wireless roaming is enhanced with a centralized system since a single centralized device holds all information about authentication, encryption, and mobility. When a user roams between multiple wireless APs, a centralized system can more quickly re-authenticate the client since that client was previously authenticated.


Chapter 5  Hiding in Plain Sight: Encryption

After authentication, the second most important factor for solid wireless security is encryption. If an intruder cannot make use of intercepted data because it is encrypted, then there is no need to worry about how far the radio signals travel. The state of the art for wireless encryption is AES-CCMP (Advanced Encryption Standard-Counter Mode & CBC-MAC Protocol) as defined by the IEEE 802.11i standard. The Wi-Fi Alliance WPA2 certification includes AES-CCMP as an encryption component, along with 802.1X authentication previously described. Thus, by installing a WPA2 wireless network, organizations can immediately get the benefits of strong authentication and encryption at the same time. In addition, with WPA2 the encryption keys are dynamic, meaning that each user on the network has a different encryption key that changes each time the user authenticates. This prevents one authorized user from intercepting the communications of another authorized user, and also makes the possibility of key cracking extremely remote.

The architecture of the mobility system is extremely important to doing encryption properly and safely. The primary safety concern involves the passing of encryption keys across wired networks in a distributed system. Whether the system involves distributed fat access points or a controller with thin access points that implements encryption on the access points, encryption keys must be passed from a secured system (the authentication server) to the access point across a wired network. This introduces security risks to the network:

1) An intruder or malicious employee on the wired network could intercept encryption keys and use them to wirelessly monitor other employees' communication. Wireless makes an attractive means for such eavesdropping attacks, since it is impossible for the eavesdropper to be detected. Were the same attack conducted on a wired network, the use of ARP poisoning would give away the presence of the eavesdropper. One recent case where wireless eavesdropping was used involved a large company about to conduct a major acquisition of another company. An employee was able to intercept email communication of a senior executive over a wireless network, and the employee then used this information for financial gain. The malicious employee obtained the wireless encryption key by first monitoring an access point from the wired side of the network.


2) If a wireless access point in a distributed system performs encryption/decryption, then that access point must be a trusted device in the network infrastructure. But access points are not locked inside datacenters and wiring closets; they must be close to the users in order to provide wireless service. One attack targets thin access points that perform encryption: If the protocol running between a thin access point and a controller is understood, because the protocol is a published standard or through reverse-engineering, then an attacker can build a software replica of an AP. The simulated AP will contact the controller and will be given a configuration, after which time it is treated as a peer of other APs in the system. If this simulated AP provides wireless service to users, it is now capable of performing a man-in-the-middle attack where data can be deleted, added, or changed. The situation becomes worse when fast-roaming schemes such as Proactive Key Caching are used, since encryption keys from one access point are pushed out to all other APs in the system in order to speed up roaming. If one of the APs is the intruder's simulator, it now has encryption keys for the entire network.

Centralized architectures get around these risks by performing all encryption and decryption in a controller. This controller is typically located in a physically secure area such as a data center, and is often in the same room with the authentication server. With encryption keys never leaving the data center, there is no risk of interception by an unauthorized user. Access points in such a system are untrusted devices; an attacker building a software simulator of such an AP would obtain a channel and power assignment as part of configuration, but would have no extra privileges on the network. Even if a user authenticated through the imposter AP, no man-in-the-middle attack would be possible since encryption is maintained all the way to the controller.


Chapter 6  People, Not Ports: Identity-based Security

Multiple types of users with multiple types of devices may be found on wireless networks. Mobile networks are unique when it comes to securing them, because mobile users and devices, by definition, do not connect to the network through a fixed port. For this reason, the network must identify every user and device that joins the network. Once this identity is known, custom security policies may be applied to the network so that only access appropriate to the business needs of the user or device is provided. A key concept is applying policies to people or devices rather than ports. In a mobile world, fixed ports are no longer a reliable indicator of the type of user connected. Instead, identity must be used. If this sounds like something the industry has been promising through Network Admission Control (NAC), you would be correct. Identity-based security is the first and most important component of NAC, and wireless actually has a unique advantage over wired networks in implementing NAC, since authentication is a native part of wireless.

Identity is learned through the authentication process, during which the device or the user provides some type of identifier, normally a username. Once identity is learned, it is mapped to the business role of that user or device. The business role may be determined through membership in specific departments or groups, security clearance, or the actual business position of a user. Role information is normally contained in an enterprise user database, such as Active Directory in a Microsoft Windows environment. Some examples of roles and their associated security requirements include:

• A member of the sales department, who needs access to the Internet and to internal web-based sales databases. A member of the sales department has no business need to communicate with servers in, for example, the human resources department.

• An outside visitor, who needs access only to specific applications on the Internet, and only during daytime business hours.

• A POS (Point of Sale) handheld device in a retail environment that must send credit card data as well as download inventory and price updates. This device would communicate only with a specific server using specific protocols.


• A public PC-based kiosk for use by the general public. This device would be permitted to do web browsing, but would be denied all other network access.

• A voice-over-WLAN handset that needs to communicate using the SIP protocol to a SIP gateway. The voice handset supports only WEP encryption and cannot perform a secure form of authentication.

All these users and devices have different privilege levels that must be enforced. In addition, data traffic from these users must be kept separate and isolated so that a user with lower privilege cannot intercept data from a more privileged user. Finally, devices with lower security standards, such as the voice handset, must not be permitted to open security holes in the network by nature of their lower security standards. Identity-based security is the mechanism through which all of these problems are solved.
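To make the role descriptions concrete, here is an added Python example (not the paper's or any product's code) that evaluates flows against per-role rules for the five roles listed above, including the visitor's business-hours window and the denial of traffic from one wireless client to another. All addresses, ports and rule details are constructed for this illustration.

```python
"""Added example: per-role access policy for the roles described in the text.
Addresses, ports and the role-to-rule mapping are constructed, not from the paper."""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    dst: str                                   # CIDR, or "internet" (= any non-private address)
    proto: str                                 # "tcp", "udp" or "any"
    ports: Tuple[int, ...] = ()                # allowed destination ports, () = any
    hours: Optional[Tuple[time, time]] = None  # local time window, None = always


# Constructed addresses for the internal resources named in the role descriptions.
SALES_DB = "10.1.20.0/24"     # internal web-based sales databases
HR_SERVERS = "10.1.50.0/24"   # human resources; no sales rule covers it
POS_SERVER = "10.1.30.5/32"   # the one server the POS handheld may talk to
SIP_GATEWAY = "10.1.40.9/32"

ROLES = {
    "sales": [Rule("internet", "any"), Rule(SALES_DB, "tcp", (80, 443))],
    "guest": [Rule("internet", "tcp", (80, 443), (time(8, 0), time(18, 0)))],
    "pos":   [Rule(POS_SERVER, "tcp", (443,))],
    "kiosk": [Rule("internet", "tcp", (80, 443))],
    "voice": [Rule(SIP_GATEWAY, "udp", (5060,))],
}


def _dst_matches(rule: Rule, ip: ipaddress.IPv4Address) -> bool:
    if rule.dst == "internet":
        return not any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(rule.dst)


def allowed(role: str, dst_ip: str, proto: str, port: int, now: time) -> bool:
    """Implicit deny: a flow passes only if some rule of the role matches every field.
    No rule names the wireless client range, so client-to-client traffic never
    matches; that is the isolation between users the text asks for."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in ROLES.get(role, []):
        if not _dst_matches(rule, ip):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.ports and port not in rule.ports:
            continue
        if rule.hours and not (rule.hours[0] <= now < rule.hours[1]):
            continue
        return True
    return False


# Constructed flows: (role, destination, protocol, port, local time)
FLOWS = [
    ("sales", "10.1.20.7", "tcp", 443, time(10, 0)),      # sales DB: permit
    ("sales", "10.1.50.3", "tcp", 443, time(10, 0)),      # HR server: deny
    ("guest", "203.0.113.10", "tcp", 443, time(10, 0)),   # Internet, business hours: permit
    ("guest", "203.0.113.10", "tcp", 443, time(22, 0)),   # same destination at night: deny
    ("guest", "10.1.20.7", "tcp", 443, time(10, 0)),      # internal resource: deny
    ("pos", "10.1.30.5", "tcp", 443, time(10, 0)),        # POS server: permit
    ("pos", "203.0.113.10", "tcp", 443, time(10, 0)),     # POS device to Internet: deny
    ("voice", "10.1.40.9", "udp", 5060, time(10, 0)),     # SIP to gateway: permit
    ("voice", "10.9.0.55", "tcp", 445, time(10, 0)),      # handset to another client: deny
]


def evaluate(flows=FLOWS) -> list:
    return [allowed(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, evaluate()):
        print("permit" if verdict else "deny  ", flow[:4])
```

The role is the only input that decides the verdict; the client's IP address never appears in a rule, which is the point the chapter makes about applying policy to people and devices rather than ports.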

When implementing identity-based security, the architecture of the mobility access system is important. Because user identity is the key factor when making access control decisions, it must be impossible for a user to assume the identity of another user. Three components of the system must be aware of each other and, ideally, integrated into the same system in order to provide the necessary level of security:

1) Authentication, which supplies the system with identity information. Authentication must be done in a secure manner, such as through 802.1X.

2) Encryption, which provides confidentiality and integrity of data. When using WPA2 for wireless access, encryption provides an extra benefit for identity-based security: Because the encryption key itself is derived during authentication, data that decrypts successfully can be assured of coming from the authenticated user and only the authenticated user.

3) Authorization, which enforces identity-based policies. When the system knows who the user is (through authentication), and knows that received data came from that user (through encryption), it can then reliably perform identity-based authorization and policy enforcement.


In a distributed system, as shown in the diagram below, authorization is performed by an external firewall. The firewall is not aware of user identity, because it does not perform authentication. Additionally, the firewall does not perform encryption and decryption of user data, so it cannot be sure that data claiming to come from a user actually came from that user. This makes the external firewall unreliable for performing identity-based security. The firewall applies rules to IP addresses rather than to users; this makes it suitable for macro-level global policy enforcement, such as enforcing policies that apply to all wireless users. But without user identity and assurance of non-tampering with user data, it cannot perform identity-based security.

[Figure: Security with Distributed System. Labels in the diagram: Attacker, Employee, Access Points, Switch, Firewall, Authentication/Identification, Authorization, Encryption, Disconnect.]

A centralized system, in contrast, implements all three functions described above in a single system. Because these functions are integrated and aware of each other, identity-based security can be provided. Even an authenticated user who tries to fool the system by injecting crafted packets or changing an IP address cannot gain excess privilege on the network.


[Figure: Security with Centralized System. Labels in the diagram: Attacker, Employee, Access Points, Switch, Mobility Controller, Authentication/Identification, Authorization, Encryption.]

Think of this difference using the analogy of an airport. A distributed system is like a domestic airport, where typically a check of your identity is made only once as you pass through a security checkpoint. There, your identification (authentication) is matched against a boarding pass (authorization). But nothing stops you from printing a fake boarding pass with a name that matches your identification; this is possible because authentication and authorization are not linked together, and there is no way to validate the authorization token. In addition, once inside the security checkpoint, you are free to exchange boarding passes with anyone else, and board their flight instead of your own. Contrast this with an international airport, where your identification is checked as you board the aircraft; this is also the time when your authorization token is checked against a database. Here, your identification provides your name, your boarding pass must match your name, and additionally the boarding pass will be checked against a computer system to make sure it is valid. Linking these security steps together at the same point provides a much stronger security system, and the same is true with centralized wireless architectures.


    Chapter 7Planning for Global Mobility: Remote Access

Users are not only mobile within a corporate headquarters location. They also move between different office sites, telecommute from home, and work in off-site locations such as partner offices, hotels, and public hotspots. An organization's security posture cannot weaken just because users are not at the corporate headquarters; it must be uniform wherever users access the network.

The first step towards effective global security is establishing a uniform authentication infrastructure; this gets into the realm of single sign-on and identity federation. Wherever a user travels, the user should be required to authenticate to the network. But users cannot be forced to manage multiple user identities, accounts, and passwords. A single set of access credentials should provide for authentication at any location; ideally this is the same set of credentials used to log in to the user's own workstation. Authentication servers should be set up to coordinate with one another by replicating user information. Alternatively, the network systems should be set up to understand domain names, realms, and other regional identifiers so that authentication requests can be routed to the correct set of authentication servers. Using this principle, a user can travel to any enterprise location in the world and be granted access to appropriate network resources.
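One way to do the realm-based routing just described, as an added example that is not part of the paper and not Aruba code: the login is split into user and realm, and the realm alone selects the home authentication server group. The realm table, server names, default realm and NetBIOS domain map are assumed placeholders.

```python
"""Route authentication requests by realm (added example, not Aruba code).

Assumed: the realm table, server names, default realm and NetBIOS domain
map below are placeholders for an organization's own directory layout.
"""
from typing import List, Optional, Tuple

# realm suffix -> authentication server group (placeholder names)
REALM_SERVERS = {
    "corp.example.com": ["radius-hq-1", "radius-hq-2"],
    "emea.corp.example.com": ["radius-emea-1"],
    "apac.corp.example.com": ["radius-apac-1"],
}
DEFAULT_REALM = "corp.example.com"      # applied to bare usernames
NETBIOS_DOMAINS = {                     # legacy DOMAIN\user logins
    "CORP": "corp.example.com",
    "EMEA": "emea.corp.example.com",
}


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' or 'DOMAIN\\user' into (user, realm).

    The realm is lower-cased; it is None when the login carried none.
    An unknown NetBIOS domain is passed through so that it fails routing
    instead of silently landing on the default realm.
    """
    if "@" in identity:
        user, _, realm = identity.rpartition("@")
        return user, realm.lower() or None
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        return user, NETBIOS_DOMAINS.get(domain.upper(), domain.lower())
    return identity, None


def route(identity: str) -> Optional[List[str]]:
    """Pick the home server group by longest matching realm suffix.

    Only the realm is used: with tunnelled EAP methods the outer identity
    may be 'anonymous@realm', and the username is not trusted until the
    home servers have authenticated it. Unknown realms return None so the
    request is rejected instead of being proxied to a domain we do not own.
    """
    _user, realm = split_identity(identity)
    if realm is None:
        realm = DEFAULT_REALM
    labels = realm.split(".")
    for i in range(len(labels)):          # most specific suffix first
        candidate = ".".join(labels[i:])
        if candidate in REALM_SERVERS:
            return REALM_SERVERS[candidate]
    return None
```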

Second, the access method needs to be consistent wherever the user roams. Users do not want to reconfigure systems as they move from the corporate office to branch offices to their homes. This means that the same wireless SSID (Service Set Identifier) should be present in all locations with the same authentication and encryption policies present. All locations should use the same authentication infrastructure. A user should be able to start an email application at the corporate office, put a laptop in sleep mode, go home, start up the laptop again, and have the email application continue to work without intervention from the user and without the user needing to start a separate VPN client. When this happens, support help desk calls go down dramatically.

Third, the solution needs to take voice mobility into account. Many organizations are evaluating voice over WLAN (VoWLAN) technology today with expected large-scale deployments sometime in 00 or 00. One of the key benefits of this technology will be the ability to use it wherever wireless LAN service is available. When employees travel to remote locations, voice mobility will allow their VoWLAN handset to continue operation just as it would in the normal work location. Specifically, the mobile network infrastructure must provide quality of service control, secure transport of voice traffic back to a corporate telephony server, and consistent authentication and encryption schemes throughout the global network.

The mobility system must be architected properly to support global mobility. A traditional distributed system normally treated each office location as a separate network, possibly with different authentication services, different SSIDs, and different security policies. Telecommuters and traveling employees were serviced using Internet-based VPNs, with VPN client software installed on laptop computers. Notably, any device without support for VPN client software could not join the network; this includes voice handsets, some PDAs, and any client operating system not supported by the VPN vendor. With a centralized architecture, global mobility is treated just like intra-office mobility. Wireless access points are placed in any location where wireless access is desired: the corporate office, branch offices, retail outlets, and home offices. Traveling users may carry small personal access points with them and connect these to ubiquitous wired Ethernet ports commonly available wherever business travelers may be found. Because the architecture is centralized, the access points are not responsible for service delivery, security enforcement, or authentication. Instead, a network of mobility controllers actually provides the network services, while the access points serve as secure wireless portals to make the connection to the mobility controller. In a centralized architecture, there is no need for VPN clients. Instead, WPA serves as the common security framework for global mobility. All access to the network is authenticated using 802.1x and encrypted using AES.


Chapter 8 - Defensive Networks: Knocking Out Malware

The old model of data networks was a number of PCs connected to an office LAN with an Internet connection through a firewall. Attached to the firewall might have been an intrusion detection system, a VPN concentrator, and perhaps service appliances such as an anti-virus gateway or a web proxy. These devices formed the security perimeter around a company's information resources. Today, mobility has become so prevalent that the security perimeter is rendered ineffective. The sale of laptop computers in the enterprise space has now surpassed the sale of desktop computers, meaning that more and more employees are being equipped with mobile computing. These laptops leave the company office with its associated perimeter protection on a regular basis, many times connecting to the Internet through unprotected and untrusted networks. When the user returns to the corporate office and connects the laptop to the network, any malicious software that found its way onto that laptop is now inside the firewall and is free to spread to other unprotected devices in the network.

This problem is not unique to wireless; it is caused by mobility in general. However, the prevalence of wireless hotspots makes the problem appear more often. Thus, addressing client security is a necessary component of any wireless security policy. Client security can be addressed in two major ways:

1) Client integrity control. This is another element of Network Admission Control (NAC) where agent software is loaded on each client device, either as a permanent software install or as a temporary dissolvable agent that terminates after running its scan. The agent software monitors the system for compliance with various enterprise policies. One policy may be that anti-virus software must be installed, enabled, updated within the past three days, and the system scanned within the past week. Another policy might be that personal firewall software is installed and enabled. When a system attempts to join the wireless network, the integrity agent signals the current policy compliance state to the network. If the device is out of compliance, it is quarantined from the network and optionally redirected to a remediation server that automatically forces updates to bring the system back into compliance.


2) Network-based services. This is a third element of NAC, where client traffic is inspected and passed through network-based service appliances such as anti-virus gateways and intrusion detection systems. This technique is particularly useful for client devices that cannot or do not have client integrity agents installed. Examples of such devices would include barcode scanners, PDAs, voice handsets, certain client operating systems, and laptop computers belonging to visitors and contractors. Depending on equipment capabilities, it may be possible for only certain types of traffic from certain clients to be passed through scanning appliances; for example, HTTP traffic may be scanned for malware while SIP traffic may not.

At the same time, patch management of the client device is also critical when it comes to network driver software. A number of well-publicized attacks against popular operating systems were performed by sending malformed data directly to a wireless workstation, where flaws in the driver software for the wireless hardware allowed buffer overflows and in some cases, remote code execution. The same attacks have been carried out against wired systems that were on public networks. Client devices should always be updated with the latest driver software, and particular attention should be paid to security-related announcements from network device vendors.
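The client integrity decision of item 1, together with the driver requirement just stated, as an added example (not Aruba or any NAC vendor's code): an agent's report is scored against the thresholds the text names (anti-virus updated within three days, scanned within a week) and mapped to an admission outcome, with agentless devices sent to a restricted role as item 2 suggests. The approved driver table is a placeholder.

```python
"""Client integrity check before wireless admission (added example).

Constructed for this write-up, not Aruba or any NAC vendor's code. The
thresholds come from the chapter's example policy; APPROVED_DRIVERS is an
assumed placeholder for the "Company-standard" driver list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

AV_DEFS_MAX_AGE = timedelta(days=3)     # updated within the past three days
AV_SCAN_MAX_AGE = timedelta(days=7)     # scanned within the past week
APPROVED_DRIVERS = {"exampleco-wlan": "2.1.0"}   # placeholder name/version


@dataclass(frozen=True)
class Posture:
    """What the integrity agent reports for one station."""
    av_installed: bool
    av_enabled: bool
    av_defs_updated: datetime
    av_last_scan: datetime
    firewall_enabled: bool
    critical_patches_missing: int
    driver_name: str
    driver_version: str


def evaluate(p: Posture, now: datetime) -> List[str]:
    """Return the list of policy violations; an empty list is compliant."""
    violations = []
    if not (p.av_installed and p.av_enabled):
        violations.append("antivirus-not-running")
    else:
        if now - p.av_defs_updated > AV_DEFS_MAX_AGE:
            violations.append("antivirus-definitions-stale")
        if now - p.av_last_scan > AV_SCAN_MAX_AGE:
            violations.append("antivirus-scan-overdue")
    if not p.firewall_enabled:
        violations.append("host-firewall-disabled")
    if p.critical_patches_missing > 0:
        violations.append("critical-patches-missing")
    if APPROVED_DRIVERS.get(p.driver_name) != p.driver_version:
        violations.append("non-standard-wireless-driver")
    return violations


def admission(p: Optional[Posture], now: datetime) -> str:
    """Map the posture report to a network role.

    None means the device cannot run an agent (scanner, handset, visitor
    laptop): it gets the restricted role and relies on network-based
    inspection. Non-compliant stations go to quarantine, from which only
    the remediation server is reachable.
    """
    if p is None:
        return "restricted"
    return "quarantine" if evaluate(p, now) else "employee"
```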


Chapter 9 - Strategies for Guest Access

Guest access is often one of the first requirements for a wireless network. Many companies want to provide Internet access for visitors in conference rooms, lobbies, and other meeting areas. Visitors are better able to carry out their work when instant access to timely business information is available. But guest access must be provided in a way that does not pose a security risk to the corporate network, and must also not allow unauthorized persons to steal network access. Controlled guest access increases network security, since guests with authorized access will not cause a security breach by plugging their laptop into an internal network port. There are two pieces to guest access: authentication and policy control.

Authentication forces a guest user to prove to the system that he or she is authorized to use the network. This prevents outsiders, such as wardrivers, from using the organization's Internet access as a free connection. There are several popular strategies for providing guest authentication:

1) Open access. Guest access is available to anyone who can receive the wireless signal. This is often used in isolated buildings on large plots of land where wireless signals would not easily reach an outsider. It is also used by some companies who are not concerned with outsiders using their Internet access. In general, it is not a recommended strategy from a security perspective.

2) Common guest password. A guest network is set up with a single username and password for guest access. The guest information is posted on conference room walls or otherwise made available to employees. Visitors needing Internet access will be given this username and password, and will use it to log in to a web-based portal system. This is a good option for a low-maintenance guest system, but it does not provide any individual accountability for activities on the network. Many organizations are willing to accept this trade-off in exchange for simplicity.

3) Provisioned guest access. With this scheme, each guest user is given a unique time-limited username and password. This may be done by a receptionist when the guest checks in, or may be requested ahead of time by an employee through an automated system. This method provides the best security and accountability, but is also the most work to set up. Once set up, however, this system is for the most part self-maintaining and does not require the ongoing involvement of IT resources.

    Whatever guest authentication method is chosen should beimplemented globally so that employees and visitors have a commonexperience at any work location.

Policy control for guest users manages what resources the guest is able to access, when they are able to use the network, and what quality of service they receive from the network. Of these, the most important is access control. Guest users must be prevented from accessing internal corporate resources while still being provided with Internet access. For liability reasons, it is also desirable to restrict what protocols and even what destinations a guest user may communicate with. For corporate guest users, the only protocols needed may be HTTP for web browsing, POP for email, and IPSEC/PPTP for VPN access. Outgoing email using SMTP should be blocked to prevent the network from becoming a spam relay, and peer-to-peer file sharing should also be blocked to limit legal liability. In addition to protocol control, guest traffic may be limited by time of day so that it is not available outside of normal working hours. Guest traffic may also be bandwidth limited so that guest users cannot consume excess amounts of network capacity.

The network architecture must provide identity-based security in order for guest access to be implemented safely and effectively. Without identity-based security, there is potential for guest users to communicate with internal network resources, since tight access control cannot be performed. With identity-based security, guest users are placed into a guest role with an associated guest access policy, while employees are placed into an appropriate internal role. While the two classes of users share the same wireless infrastructure, no crossover is possible.


Chapter 10 - Putting It All Together: Sample Security Policy

The following is a sample security policy that ties together recommendations and best practices discussed in this paper. It may be easily cut and pasted from this document and adapted to your organization's needs.

    1 Purpose

This policy establishes standards that must be met when wireless communications equipment is connected to <Company> networks. The policy prohibits access to <Company> networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by Information Security are approved for connectivity to <Company>'s networks.

    2 Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of <Company>'s internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to <Company>'s networks do not fall under the purview of this policy.

    3 Policy

    3.1 Approved equipment

3.1.1 All wireless LAN access must use corporate-approved products and security configurations.

3.2 Monitoring of uncontrolled wireless devices

3.2.1 All company locations where permanent data networks are installed will be equipped with sensors and systems to automatically detect, classify, and disrupt communication with unapproved wireless access points.

3.2.2 All company locations where permanent data networks are installed will be equipped with sensors and systems to automatically detect the presence of wireless devices


    3.4 Encryption

3.4.1 All wireless communication between Company devices and Company networks must be encrypted. Wireless networks providing only Internet access for guest users are exempted from this requirement.

3.4.2 The strongest form of wireless encryption permitted by the client device must be used. For the majority of devices and operating systems, WPA using TKIP encryption or WPA2 using AES-CCM encryption must be used. WPA2 with AES-CCM is preferred wherever possible.

3.4.3 Client devices that do not support WPA or WPA2 should be secured using VPN technology such as IPSEC where allowed by the client device.

3.4.4 The use of WEP requires a waiver from Information Security. Client devices that require the use of WEP must be isolated from all other wireless devices and will be restricted to the minimum required network access.

Violations of the configured rules, indicating that an intrusion has taken place, must cause the device to be immediately disconnected and blocked from the network.

    3.5 Access control policies

3.5.1 Access to corporate network resources through wireless networks should be restricted based on the business role of the user. Unnecessary protocols should be blocked, as should access to portions of the network with which the user has no need to communicate.

3.5.2 Access control enforcement shall be based on the user's authenticated identity, rather than a generic IP address block. This is also known as identity-based security.

3.5.3 The access control system must be implemented in such a way that a malicious inside user is unable to bypass or circumvent access control rules.

3.5.4 Access control rules must use stateful packet inspection as the underlying technology.


    3.6 Remote wireless access

3.6.1 Telecommuting employees working from remote locations must be provided with the same wireless standards supported in corporate offices.

3.6.2 Employees should be discouraged from connecting Company computers through consumer-type wireless equipment while at home in lieu of Company-provided equipment.

    3.7 Client security standards

3.7.1 Where supported by the client operating system, the wireless network will perform checks for minimum client security standards (client integrity checking) before granting access to the Company network. Specifically:

3.7.1.1 All wireless clients must run Company-approved anti-virus software that has been updated and maintained in accordance with the Company's anti-virus software policy.

3.7.1.2 All wireless clients must run host-based firewall software in accordance with the Company's host security policy.

3.7.1.3 All wireless clients must have security-related operating system patches applied that have been deemed critical in accordance with the Company's host security policy.

3.7.1.4 All wireless clients must be installed with Company-standard wireless driver software.

3.7.2 Clients not conforming with minimum security standards will be placed into a quarantine condition and automatically remediated.

3.7.3 Client operating systems that do not support client integrity checking will be given restricted access to the network according to business requirements.


    3.8 Wireless guest access

3.8.1 Wireless guest access will be available at all facilities where wireless access has been deployed.

3.8.2 All wireless guest access will be authenticated through a web-based authentication system.

3.8.3 A single username/password combination will be assigned for all guest access. The password for guest access will be changed monthly and distributed to local facility managers.

3.8.4 Wireless guest access is available from the hours of :00 until 0:00 local time.

3.8.5 Wireless guest access is bandwidth limited to Mb/s per user.

3.8.6 Guest access will be restricted to the following network protocols:

    HTTP (TCP port 80)
    HTTPS (TCP port 443)
    POP3 (TCP port 110)
    IKE (UDP port 500)
    IPSEC ESP (IP protocol 50)
    PPTP (TCP port 1723)
    GRE (IP protocol 47)
    DHCP (UDP ports 67-68)
    DNS (UDP port 53)
    ICMP (IP protocol 1)
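The guest policy control of Chapter 9, the identity-based enforcement argued for in Chapter 6 (People, Not Ports) and the protocol list in item 3.8.6 above, combined in one added example that is not part of the paper and not Aruba code: each packet is judged by the role bound to the authenticated station, not by its IP header, so a guest forging an employee's address is dropped rather than promoted. The session-table shape, the RFC 1918 internal ranges and the guest hours are assumptions.

```python
"""Identity-based enforcement of the guest role (added example, not Aruba
code). SESSIONS is the assumed shape of a controller's binding of an
authenticated station (MAC) to its user, role and address; the protocol
list is the one in policy item 3.8.6; internal ranges and hours are assumed."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumed: RFC 1918 space stands in for "internal corporate resources".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# (ip protocol, destination port); None = the protocol has no port
GUEST_ALLOWED = {
    ("tcp", 80), ("tcp", 443), ("tcp", 110),   # HTTP, HTTPS, POP3
    ("udp", 500), ("esp", None),               # IKE, IPsec ESP
    ("tcp", 1723), ("gre", None),              # PPTP, GRE
    ("udp", 67), ("udp", 68), ("udp", 53),     # DHCP, DNS
    ("icmp", None),
}
# DHCP/DNS servers sit inside; assumed to be served by the controller itself.
GUEST_INFRA = {("udp", 67), ("udp", 68), ("udp", 53)}
GUEST_HOURS = (time(7, 0), time(20, 0))        # assumed working-hours window

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    ip: str                 # address learned when the station authenticated

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp", "icmp", "esp", "gre"
    dst_port: Optional[int] = None

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def decide(sessions: Dict[str, Session], pkt: Packet, now: time) -> str:
    """Return 'permit' or 'deny:<reason>' for one packet.

    The role comes from the authenticated session, never from the IP
    header: a guest forging an employee's address gains nothing, because
    the address no longer matches the binding made at authentication.
    """
    sess = sessions.get(pkt.src_mac.lower())
    if sess is None:
        return "deny:unauthenticated"
    if sess.ip != pkt.src_ip:
        return "deny:ip-binding-mismatch"
    if sess.role == "employee":
        return "permit"                  # employee rules out of scope here
    if sess.role != "guest":
        return "deny:unknown-role"
    if not GUEST_HOURS[0] <= now < GUEST_HOURS[1]:
        return "deny:outside-hours"
    key = (pkt.proto, pkt.dst_port if pkt.proto in ("tcp", "udp") else None)
    if key not in GUEST_ALLOWED:
        return "deny:protocol"           # SMTP relaying, peer-to-peer, ...
    if is_internal(pkt.dst_ip) and key not in GUEST_INFRA:
        return "deny:internal-destination"
    return "permit"

# Constructed session table: one authenticated guest, one employee.
SESSIONS = {
    "aa:bb:cc:00:00:01": Session("visitor", "guest", "10.200.0.10"),
    "aa:bb:cc:00:00:02": Session("jdoe", "employee", "10.10.0.25"),
}
```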


4 Definitions

Term        Definition

802.11      A set of Wireless LAN/WLAN standards developed by the IEEE LAN/MAN standards committee (IEEE 802). Also commonly referred to as Wi-Fi.

802.11i     An amendment to the IEEE 802.11 standard specifying security mechanisms for wireless networks.

802.1x      A framework for link-layer authentication specified by the IEEE.

AES-CCMP    Advanced Encryption Standard-Counter with CBC-MAC Protocol. A wireless encryption protocol specified by IEEE 802.11i. Currently regarded as the strongest form of wireless encryption.

EAP         Extensible Authentication Protocol. A series of authentication methods used inside 802.1x to achieve wireless authentication.

IEEE        Institute of Electrical and Electronics Engineers. An international professional organization dedicated to the advancement of technology related to electricity. The IEEE is one of the main standards bodies associated with networking technology.

IETF        Internet Engineering Task Force. Develops and promotes Internet standards, in particular those of the TCP/IP protocol suite.

IPSEC       IP Security. An IETF standard for protecting IP communication by encrypting or authenticating all packets.


    Summary

Wireless technology is a fact of life in today's enterprise networks. The technology has been an area of rapid change over the past several years, which has led to confusion regarding best practices for deployment. This white paper, while not providing exhaustive coverage of all options, has provided current best practices along with a discussion of how these practices can be implemented using different wireless architectures. The best security approach for wireless is a layered approach consisting of the following layers:

    Wireless intrusion protection
    Authentication
    Encryption
    Access control
    Client security

Organizations implementing these best practices will be well protected against unauthorized and uncontrolled wireless as well as the malicious hacker bent on network intrusion. By implementing these best practices in a global wireless policy, organizations will find that wireless networks provide stronger security protection than current wired networks, with the economic benefits brought about by mobility.


    About Aruba Networks, Inc.

People move. Networks must follow. Aruba securely delivers networks to users, wherever they work or roam. Our unified mobility solutions include Wi-Fi networks, identity-based security, remote access and cellular services, and centralized multi-vendor network management to enable the Follow-Me Enterprise that moves in lock-step with users:

Follow-Me Connectivity: Adaptive 802.11a/b/g/n Wi-Fi networks optimize themselves to ensure that users are always within reach of mission-critical information;

Follow-Me Security: Identity-based security assigns access policies to users, enforcing those policies whenever and wherever a network is accessed;

Follow-Me Applications: Remote access solutions and cellular network integration ensure uninterrupted access to applications as users move;

Follow-Me Management: Multi-vendor network management provides a single point of control while managing both legacy and new wireless networks from both Aruba and its competitors.

The cost, convenience, and security benefits of our unified mobility solutions are fundamentally changing how and where we work. Listed on the NASDAQ and Russell 000 Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, and Asia Pacific regions. To learn more, visit Aruba at http://www.arubanetworks.com

© 2008 Aruba Networks, Inc. AirWave, Aruba Networks, Aruba Mobility Management System, Bluescanner, For Wireless That Works, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company are trademarks of Aruba Networks, Inc. All rights reserved. All other trademarks are the property of their respective owners.

    WPB_SEC_US_080

    www.arubanetworks.com
