At-a-Glance: Securing Wi-Fi
Why Should I Care About Wireless Security?
With wired networks, intruders need to gain physical access to a building before they can reach the network through a port. With wireless networks, security is a concern because intruders only need to be in the proximity of the building to “see” the wireless signal. Similarly, on a wired network intruders need access to your wire to eavesdrop, whereas on a wireless network they only need to be within range of your client to potentially eavesdrop on its traffic.
Additional security measures need to be employed on wireless networks to give them the same security confidence level as with wired networks.
An additional security threat presented by wireless networks is someone plugging in a “rogue” access point, essentially an unauthorized wireless network that can put a huge hole in a business’s network security policies.
What Problems Need to Be Solved?
For WLANs to be secure, the first challenge is how to secure the process of associating a client to the wireless network to prevent unauthorized wireless access.
Next, there needs to be a way to secure the communications between a client and the wireless network to prevent eavesdropping, balancing security measures with the ease of use still required for clients to access the network.
As mentioned earlier, a secure WLAN implementation needs to be able to mitigate the threat of “rogue” or unauthorized wireless access points.
Wireless security is not a trivial thing. Early attempts at so-called “wired equivalence” (WEP, for example) gave a false sense of security in this regard. That is, WEP made people think that they were secure when it was actually quite easy to crack.
Securing Wireless Networks
The Cisco Secure Wireless solution provides an integrated approach for deploying secure wireless and mobility services.
Clients are secured via a device “health check” and admission control with Cisco Clean Access (CCA).
Host intrusion prevention is assured with Cisco Secure Agent (CSA).
The wireless access interface is secured via 802.1x/EAP-FAST sign-on authentication, WPA and WPA2 Wi-Fi encryption, and wireless network best practices.
Finally, the wireless network is secured via an integrated Intrusion Detection System (IDS) and “rogue” (unauthorized) wireless AP detection and mitigation. This is a unified approach to wired and wireless security because many of the features just discussed are also deployed in the wired network.
The first important step in securing wireless is to follow best practices for client authentication and encryption. By using Extensible Authentication Protocol (EAP) with Flexible Authentication via Secure Tunneling (FAST) to authenticate wireless clients, only authorized clients are given access to the network. After EAP-FAST completes successfully, a pairwise master key (PMK) is created; WPA or WPA2 (preferred) then uses it to establish the encryption keys.
WPA and WPA2 use a four-way handshake to derive a pairwise transient key (PTK) from the PMK, and the PTK is kept secret. WPA2 uses the Advanced Encryption Standard (AES) algorithm, which provides stronger protection than WPA's encryption.
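To make the PMK-to-PTK step concrete, the following is an added example (not code from the Cisco solution or this page) that derives the PTK with the IEEE 802.11i pseudo-random function and checks the message 2 MIC of the four-way handshake the way an access point does. The PMK, MAC addresses and nonces are constructed sample values, and the EAPOL-Key frame layout is a simplified stand-in, not the real frame format.

```python
import hmac
import hashlib

# Constructed sample values (not from the page): a PMK as EAP-FAST would leave it
# on both sides, the AP's MAC (AA), the client's MAC (SPA) and two 32-byte nonces.
PMK = bytes(range(32))                                # 256-bit PMK, constructed
AA = bytes.fromhex("001122334455")                    # authenticator (AP) address, constructed
SPA = bytes.fromhex("66778899aabb")                   # supplicant (client) address, constructed
ANONCE = hashlib.sha256(b"anonce-sample").digest()    # constructed nonces
SNONCE = hashlib.sha256(b"snonce-sample").digest()
MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate the result to nbits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    For AES-CCMP the 384-bit PTK splits into the KCK (protects EAPOL-Key frames with a
    MIC), the KEK (wraps the group key) and the TK (temporal key for data frames)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes, mic_offset: int) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes."""
    zeroed = frame[:mic_offset] + b"\x00" * MIC_LEN + frame[mic_offset + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_mic(kck: bytes, frame: bytes, mic_offset: int) -> bool:
    expected = eapol_mic(kck, frame, mic_offset)
    return hmac.compare_digest(expected, frame[mic_offset:mic_offset + MIC_LEN])


def simulate_handshake(pmk=PMK, aa=AA, spa=SPA, anonce=ANONCE, snonce=SNONCE):
    """Walk the parts of the four-way handshake the PTK depends on.
    Returns (ptk_ap, ptk_client, message2_mic_valid)."""
    # Message 1 (AP -> client) carries ANonce and no MIC: the client has no PTK yet.
    # Having both nonces, the client derives the PTK first.
    ptk_client = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Message 2 (client -> AP) carries SNonce plus a MIC computed with the client's KCK.
    header = b"\x02\x03" + b"MSG2:" + snonce          # simplified frame layout, constructed
    mic_offset = len(header)
    frame = header + b"\x00" * MIC_LEN + b"<RSN IE>"
    mic = eapol_mic(ptk_client["kck"], frame, mic_offset)
    frame = frame[:mic_offset] + mic + frame[mic_offset + MIC_LEN:]
    # The AP reads SNonce out of the frame, derives the same PTK, and checks the MIC.
    # A valid MIC proves the client holds the PMK; neither PMK nor PTK crosses the air.
    recv_snonce = frame[7:7 + 32]
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, recv_snonce)
    ok = verify_eapol_mic(ptk_ap["kck"], frame, mic_offset)
    return ptk_ap, ptk_client, ok


if __name__ == "__main__":
    ptk_ap, ptk_client, ok = simulate_handshake()
    print("PTK matches on both sides:", ptk_ap == ptk_client, "| message 2 MIC valid:", ok)
```

The Min/Max ordering of addresses and nonces is why both sides reach the same PTK regardless of which one is the authenticator; the test below checks that property, and that a changed nonce or wrong KCK produces a different key or a failed MIC.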
Laptops and other mobile devices are inherently exposed to more opportunities for infection by viruses, malware, spyware, and so on. Given that, it is good wireless security practice to add a “posture check” to the authentication process to ensure that the client is healthy before it is granted access. Cisco Network Admission Control (NAC) using Cisco Clean Access (CCA) performs an additional challenge to client devices to “prove their health” before they are allowed onto the wireless network. The definition of a “healthy” device is determined by the IT staff. It can include the following:
- Free of viruses and other malware
- Correct antivirus software and signature files are loaded
- Operating system updates are current
- Custom policy checks added by IT staff
Unhealthy devices are placed in a “quarantine” wired or wireless network for remediation and are not permitted to access the rest of the production network.
See Part V, “Securing the Network,” for a more in-depth discussion of NAC and CCA.
Rogue Access Points
“Rogue” or unauthorized wireless access points pose a serious security threat to a network. Locating and shutting down such unauthorized APs can be difficult without automated detection and location systems. The Cisco Unified Wireless solution uses authorized wireless access points to scan the environment for “rogue” access points. Detection information is provided to the WLCs, which can then assist in correlation and isolation and provide the information to the WCS. Wireless topology information can be married with building layout diagrams to provide visual indications of “rogue” AP locations so that IT staff can take appropriate actions to shut them down.
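The correlation step described above, as an added example that is not the controller's own logic or code from this page: scan reports from authorized APs are matched against the AP inventory, sightings of each unknown BSSID are grouped, and the authorized AP that hears it loudest supplies a location hint for the floor plan. The inventory, SSID name, MAC addresses and scan reports are constructed sample data.

```python
from collections import defaultdict

# Authorized AP inventory as a controller would hold it (constructed sample data).
AUTHORIZED_APS = {
    "00:1a:aa:00:00:01": {"name": "AP-3F-EAST", "location": "Building A, floor 3, east wing"},
    "00:1a:aa:00:00:02": {"name": "AP-3F-WEST", "location": "Building A, floor 3, west wing"},
    "00:1a:aa:00:00:03": {"name": "AP-2F-LOBBY", "location": "Building A, floor 2, lobby"},
}
CORPORATE_SSIDS = {"CorpWLAN"}   # placeholder corporate SSID

# Constructed scan reports: (reporting authorized AP, heard BSSID, heard SSID, RSSI dBm, channel)
SCAN_REPORTS = [
    ("00:1a:aa:00:00:01", "00:1a:aa:00:00:02", "CorpWLAN", -62, 36),  # neighbour, authorized
    ("00:1a:aa:00:00:01", "de:ad:be:ef:00:01", "CorpWLAN", -48, 6),   # unknown AP using our SSID
    ("00:1a:aa:00:00:02", "de:ad:be:ef:00:01", "CorpWLAN", -71, 6),
    ("00:1a:aa:00:00:03", "de:ad:be:ef:00:02", "HomeNet", -80, 11),   # unknown AP, foreign SSID
    ("00:1a:aa:00:00:02", "de:ad:be:ef:00:02", "HomeNet", -58, 11),
]


def classify_rogues(reports, authorized, corporate_ssids):
    """Group sightings of unknown BSSIDs across the authorized APs that heard them.
    Returns {bssid: summary}; the strongest sighting names the nearest authorized AP,
    whose mapped location is the starting point for physically locating the device."""
    sightings = defaultdict(list)
    for reporter, bssid, ssid, rssi, channel in reports:
        if bssid in authorized:
            continue  # a known AP heard by its neighbour is not a rogue
        sightings[bssid].append((reporter, ssid, rssi, channel))
    result = {}
    for bssid, seen in sightings.items():
        strongest = max(seen, key=lambda s: s[2])
        ssids = {s[1] for s in seen}
        result[bssid] = {
            "ssids": sorted(ssids),
            # an unknown AP advertising the corporate SSID is the most serious case:
            # clients may associate to it believing it is the real network
            "spoofs_corporate_ssid": bool(ssids & corporate_ssids),
            "heard_by": sorted((authorized[r]["name"], rssi) for r, _, rssi, _ in seen),
            "nearest_ap": authorized[strongest[0]]["name"],
            "probable_location": authorized[strongest[0]]["location"],
            "max_rssi_dbm": strongest[2],
            "channel": strongest[3],
        }
    return result


def prioritized(rogues):
    """Order for IT follow-up: corporate-SSID impersonation first, then loudest signal."""
    return sorted(rogues, key=lambda b: (not rogues[b]["spoofs_corporate_ssid"],
                                         -rogues[b]["max_rssi_dbm"]))


if __name__ == "__main__":
    rogues = classify_rogues(SCAN_REPORTS, AUTHORIZED_APS, CORPORATE_SSIDS)
    for bssid in prioritized(rogues):
        r = rogues[bssid]
        print(f"{bssid} ssid={r['ssids']} spoof={r['spoofs_corporate_ssid']} "
              f"nearest={r['nearest_ap']} ({r['probable_location']}) rssi={r['max_rssi_dbm']}")
```

A single strongest RSSI gives only a coarse location; the WCS floor-plan view the page refers to would use several reporting APs, which is why the summary keeps every sighting in `heard_by` rather than just the nearest one.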