Nov 02, 2006
Wireless Security
Some things to ponder
Security is always a trade-off between client-side ease of use and protecting an organisation's information assets.
So someone needs to step up and make a call: what happens if security is compromised? If no one is prepared to take the fall for a breach caused by favouring ease of use, then you need to lock things down and deal with the client complaints.
With regards to security there are really only three reasonable options:
- Connect your wireless system to your internal LAN and use MAC filtering and a WPA2-PSK. This is definitely the path of least resistance. Be sure to change the WPA2-PSK regularly and ensure there is a safe mechanism to distribute updates. In terms of risk, it is pretty easy to fake a MAC address and difficult to crack the PSK; then again, if you update the PSK regularly it is only as secure as the update mechanism. Unfortunately, apart from sending and archiving syslog files, the auditing and accountability of this option is pretty poor because authentication is tied to the asset, not the person.
- Connect your wireless system to your internal LAN, use MAC filtering and RADIUS authentication. A step up in terms of security, and it provides auditing and accountability. The Microsoft RADIUS solution even allows for a client-side certificate for extra security. Again, the MAC address can be faked, and login/password combinations can be cracked by dictionary attack (possibly less secure than a PSK), but using a certificate infrastructure does improve security.
- Connect your wireless system to your firewall, use MAC filtering and a WPA2-PSK, and allow access via VPN. Probably the most secure option, but it may drive your clients insane unless they are used to using a VPN. You get security, auditing and accountability; plus, if someone hacks your WLAN they still need to get through the firewall/VPN gateway.
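The first and third options both hinge on the strength of the WPA2-PSK and on rotating it. The following is an added example, not code from the original post: it generates a passphrase from a CSPRNG, checks it against a simple policy (the 20-character and 80-bit thresholds are my own assumptions, not a standard), and derives the PMK exactly as WPA2-Personal does, so you can see that the SSID salts the key and that every rotation changes the key each station must hold.

```python
"""Added example, not from the original post: generate a strong WPA2-PSK and
derive the PMK the way WPA2-Personal does.  The policy thresholds (20
characters, 80 bits) are assumptions for this example, not an organisational standard."""
import hashlib
import math
import secrets
import string

# Alphabet for generated passphrases: 62 symbols, log2(62) ~= 5.95 bits per character.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 20          # assumed policy minimum (WPA2 allows 8..63 ASCII chars)
MIN_ENTROPY_BITS = 80.0  # assumed policy minimum for a key that will live for weeks


def generate_psk(length: int = 32) -> str:
    """Draw a passphrase from the OS CSPRNG, never from a word list or a date."""
    if not 8 <= length <= 63:
        raise ValueError("a WPA2 passphrase must be 8 to 63 ASCII characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing entropy, assuming every character was chosen at random.
    A human-chosen passphrase such as 'password' is far weaker than this number says."""
    return len(passphrase) * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different key on every network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def check_psk_policy(passphrase: str) -> list:
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    if not passphrase.isascii() or not 8 <= len(passphrase) <= 63:
        problems.append("not a valid WPA2 passphrase (8..63 ASCII characters)")
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    ssid = "CorpWLAN"  # constructed sample SSID
    psk = generate_psk()
    print("new PSK:", psk, "violations:", check_psk_policy(psk))
    print("PMK for this SSID:", derive_pmk(psk, ssid).hex())
    # Rotating the passphrase changes the PMK that every station must hold, which is
    # why the distribution mechanism becomes the weakest link.
    print("old PSK 'password' violates:", check_psk_policy("password"))
```

The PMK derivation is checkable against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"). Because PBKDF2 runs only 4096 iterations, a short or dictionary passphrase does not stay secret for long once a handshake has been captured, so the policy check matters more than the rotation schedule.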
There is probably a fourth option: if you are in an urban area you may be able to use free wireless or an ISP's wireless service in conjunction with a VPN. Not a good idea unless you have good laptop firewalls and well-educated clients.
If you use Active Directory you may also want to restrict which SSIDs clients can connect to and whether or not they can operate in ad hoc mode. To be safe, lock both down.
If you do use a VPN, be sure to pipe all traffic through it and not just the organisation's data.
Ideally you would use a Wireless LAN Controller to coordinate your APs and do basic IDS. On top of that, a dedicated wireless IDS with sensors is also recommended (some WLAN controllers have APs that can act as sensors for third-party IDS products; it is worth investigating, as you can save some money). If possible, separate out your wireless traffic via VLAN; it makes tracking, auditing and isolation easier.
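Archived AP syslog is the only accountability the MAC-filter plus PSK option gives you, and it is also where a faked MAC shows up. The following is an added example, not code from the original post: it parses constructed syslog lines in a hostapd-like association format (adapt `LOG_RE` to whatever your APs actually emit) and flags two things worth tracking, a MAC that is associated to two APs at once and an association from a MAC outside the allow list. The AP names, MACs and allow list are made up for the example.

```python
"""Added example, not from the original post: correlate archived AP syslog lines
to get some accountability out of a MAC-filter + PSK deployment.  The log format,
AP names, MAC addresses and allow list below are all constructed for the example."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines: <timestamp> <ap-host> hostapd: <iface>: STA <mac> IEEE 802.11: <event>
SAMPLE_LOG = """\
2006-11-02T21:01:05 ap-floor1 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated (aid 1)
2006-11-02T21:01:09 ap-floor1 hostapd: wlan0: STA 00:aa:bb:cc:dd:ee IEEE 802.11: associated (aid 2)
2006-11-02T21:01:40 ap-floor2 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated (aid 1)
2006-11-02T21:05:00 ap-floor1 hostapd: wlan0: STA 00:aa:bb:cc:dd:ee IEEE 802.11: disassociated
2006-11-02T21:05:30 ap-floor2 hostapd: wlan0: STA 00:aa:bb:cc:dd:ee IEEE 802.11: associated (aid 3)
2006-11-02T21:06:00 ap-floor1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated (aid 3)
""".splitlines()

# Constructed MAC allow list: the master copy of the list the APs' MAC filter should enforce.
ALLOWED_MACS = {"00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) hostapd: \S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated)",
    re.IGNORECASE,
)


def parse_event(line: str):
    """Return a dict for an association/disassociation line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ap": m["ap"],
            "mac": m["mac"].lower(), "event": m["event"].lower()}


def find_overlapping_sessions(lines, window=timedelta(seconds=60)):
    """Flag a MAC that associates to a second AP while its session on the first is still
    open.  A roaming laptop normally disassociates first; two radios claiming the same
    address at the same time is the classic sign of a faked MAC.  Tune `window` to your site."""
    open_sessions = {}  # mac -> (ap, time of association)
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        mac = ev["mac"]
        if ev["event"] == "disassociated":
            open_sessions.pop(mac, None)
            continue
        previous = open_sessions.get(mac)
        if previous and previous[0] != ev["ap"] and ev["ts"] - previous[1] <= window:
            alerts.append({"mac": mac, "first_ap": previous[0],
                           "second_ap": ev["ap"], "at": ev["ts"]})
        open_sessions[mac] = (ev["ap"], ev["ts"])
    return alerts


def find_unknown_macs(lines, allowed=ALLOWED_MACS):
    """Any association from a MAC outside the allow list means an AP is not enforcing
    the filter, or its copy of the list has drifted from the master copy."""
    seen = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["event"] == "associated" and ev["mac"] not in allowed and ev["mac"] not in seen:
            seen.append(ev["mac"])
    return seen


if __name__ == "__main__":
    for a in find_overlapping_sessions(SAMPLE_LOG):
        print(f"possible MAC clone: {a['mac']} on {a['first_ap']} and {a['second_ap']} at {a['at']}")
    for mac in find_unknown_macs(SAMPLE_LOG):
        print(f"association from MAC not in allow list: {mac}")
```

Run it over the archived syslog from all APs at once; the correlation only works if every AP logs to the same collector with synchronised clocks, which is another argument for putting the wireless traffic on its own VLAN behind a controller.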
Useful references
[/tech/network] | [permalink] | [2006.11.02-21:13.00]