Wi-Fi security: Leverage what you know

How do you know that you've covered all the bases when it comes to wireless LAN security?

To finish up our short, basic series on getting started with securing enterprise Wi-Fi networks, Lisa Phifer, vice president at networking consultancy Core Competence, notes that it's easy to get focused on selected technologies and lose sight of the big picture.

"Certainly, 802.11 poses new challenges that require unique solutions such as ink-layer encryption and rogue access point monitoring," says Phifer. "But many existing network security practices also apply to wireless," she says. She advises to leverage what you know about wired best practices for your wireless network, too. For example, she says:

  • Wireless APs and switches must be hardened against attack and compromise, just as we harden WAN-facing devices like access routers and perimeter firewalls. Subjecting your APs and switches to "regular" (wired) network and system vulnerability assessment scans can help you find (and subsequently fix) open ports, unpatched software, default accounts, weak passwords, lax access controls and out-of-policy configurations.
  • Wireless stations of all types must also be protected. Most enterprises already have policy and procedures to secure Internet-connected laptops. These measures should be applied to wireless stations, not only at hot spots and homes, but even on-campus. In a WLAN, you can't assume that every other station is trusted. Desktop firewalls, integrity checkers, network-admission controls and centrally managed security policies can all be applied to wireless stations.
  • Some configuration details may differ - for example, you might block file sharing over wireless in some cases but not others. And some platforms, such as wireless printers and phones, might prove challenging. But it makes good sense to leverage what you already have when moving from (or between) wired and wireless networks.

  • Wireless intrusion detection and prevention (IDS/IPS) requires deep understanding of 802.11 (and often 802.1X) protocols, attack signatures, and expected/unexpected behavior, using wireless sensors (or APs) to monitor the air. However, that doesn't mean wireless IDS/IPS is an entirely new ballgame. If you have an existing wired network IDS/IPS, use it to watch for attacks that make their way from wireless onto your wired network. Re-use existing network management systems and log servers to monitor events on APs, switches and your wireless IDS/IPS itself. When possible, implement automated responses involving device reconfiguration through your network manager so that you'll have fewer points of configuration control and audit.

These are just a few examples. When deploying a new network technology, it's essential to understand new risks and new countermeasures. Just don't let all that's new distract you from leveraging what you already have and know, Phifer advises.