Restricted Airspace

Protect your wireless network from the latest generation of security risks.

Wireless networks improve user productivity by enabling them to work anywhere in the office, but wireless networks also introduce security vulnerabilities. The hacker community is constantly working to develop new tools to connect to your wireless networks, intercept wireless communications or to simply disrupt your wireless communications. To protect the privacy of your data and keep your wireless network running, you need to regularly re-evaluate leading-edge wireless security technologies.

The good news is that makers of wireless networking equipment continue to enhance the security features of their products, and many of those designed for business use can be kept in sync through regular firmware or software updates. The key component of a wireless network, known as a wireless access points (APs), sport a robust spectrum of user authentication and data encryption features that can passively and actively protect you against a wide variety of attacks. These features include:

Wired Equivalency Privacy (WEP) and Dynamic WEP. WEP is the most commonly used wireless authentication and encryption protocol. However, there are many tools that enable attackers to break WEP encryption and connect to WEP-protected networks or capture private traffic. Dynamic WEP improves on static WEP by automatically changing keys, however, the encryption is still considered weak, and Dynamic WEP is still vulnerable to several types of attacks.
WiFi Protected Access (WPA). WPA provides authentication and encryption, like WEP, but with greatly improved security. For the best security, configure WPA to use 802.1X authentication to a RADIUS server. This may require additional infrastructure, but it provides much better protection than WPA, with pre-shared keys. While most modern wireless clients support WPA, most APs do not support mixing WEP and WPA. Therefore, every client on your network must support WPA to take advantage of the security benefits. Using WPA may require you to replace some legacy client hardware.
WPA2/802.11i. The next-generation of WPA provides extremely highlevels of security. However, because it is relatively new, many wireless clients do not currently support WPA2. While there is a patch available [1] for clients running Windows XP with Service Pack 2, existing wireless appliances such as printers and video cameras may never support WPA2.
Virtual Private Networking (VPN). WEP and WPA provide Layer 2 encryption. For even stronger defense, some AP vendors provide Layer 3 encryption in the form of a VPN between the wireless client and the AP. Not all clients can support VPNs.
VLAN (Virtual Local Area Network) assignments. Most business-class APs can place wireless users in a specific VLAN if your wired network infrastructure supports it. This enables you to limit the communications of wireless clients to specific servers, reducing the damage attackers can do if they successfully connect to your wireless network.
Wireless guest services. Once you enable encryption on your network, you make it very difficult for visitors to use your wireless network to access the Internet. Some APs provide tools that enable guests to connect to the wireless network using a special username and password, granting them Internet access without allowing them to access to the rest of your network. If an AP does not support wireless guest services natively, you may be able to implement a similar service using VLANs.
Centralized management. If a product is difficult to manage, it’s difficult to secure. Fortunately, most business-class APs support centralized management tools. If you use an enterprise management tool, check with the AP vendor to determine whether you can integrate the APs into your management tool.
Intrusion prevention. Many APs monitor traffic from clients and can detect possible attacks. If an attack is detected, the AP can alert administrators who can then take action to stop the attack.
Rogue AP detection. One of the biggest wireless threats comes from your own users. Many users have APs set up in their homes, and may decide to set up an AP at the office for their own convenience. However, such rogue APs may not meet your security requirements, and can allow attackers to connect to your internal network. Some APs can detect signals from unapproved APs and alert administrative staff who can then find and remove the AP.
Anti-virus and anti-spyware. Some APs, such as those from SonicWall and Watchguard, provide antivirus and/or anti-spyware detection by monitoring network traffic. Typically, there is a recurring fee for updated signatures. Wireless clients are often the source of viruses and spyware because they may connect to unprotected networks. As an alternative, you can use Windows Server 2003 [2] Network Access Quarantine Control [3] and 802.1X authentication with your AP to scan clients to ensure they meet your security requirements.

Feature Comparison

The following table shows a representative sample of APs and how they compare on security features.

Feature	Nortel WLAN Security Switch [4]	Cisco Aironet [5]	Fortress Wireless Security Gateway [6]	SonicWALL TZ Series [7]	Watchguard Firebox [8]
Price	$850 and up, plus Nortel WLAN Access Points [9]	$420 and up	$2,000 and up	$400 and up, includes firewall and router capabilities	$475 and up, includes firewall and router capabilities
Dynamic WEP	X	X	-	-	-
WPA	X	X	X	X	Pre-shared key only
WPA2/ 802.11i	X	X	-	X	-
VPN	-	-	X	X	-
VLAN assignments	X	X	X	X	X
Wireless guest services	X	-	-	X	X
Centralized management	X	X	X	X	X
Intrusion prevention	X	X	X	X	-
Rogue AP detection	X	X	-	X	-
Antivirus	-	-	-	X	X
Anti-spyware	-	-	-	X	-

This table doesn’t compare non-security features, so don’t base your buying decision on these factors alone. Additionally, many APs provide enhanced capabilities when matched with network hardware from the same vendor. Therefore, consider using the same vendor for your wired network infrastructure and wireless APs. The SonicWALL and Watchguard offerings are intended for smaller businesses, while the Nortel, Cisco and Fortress offerings are aimed at enterprises.

Always Accessorize

To aggressively protect yourself from rogue APs and clients, check out AirMagnet’s [10] laptop [11] and handheld [12] analyzers. With either product, you can detect and physically track down intruders attempting to connect to your internal network or preventing legitimate users from connecting with a denial-of-service attack. AirMagnet’s analyzers can also ensure connected devices conform to predetermined security policies and standards.

Unlike servers, APs often have to be placed in non-secured locations to enable the best reception. To help prevent an attacker from physically tampering with the hardware, consider a security cabinet designed for wireless access points [13]. Standard security cabinets may interfere with wireless signals.

Wireless network security has improved greatly in the last year, and you may need to upgrade your APs even if they are less than two years old. Fortunately, the cost of upgrading your APs is probably less than the cost of a successful exploit. For more information on wireless security, read 802.11 Security [14] from O’Reilly.

Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.