New Wireless Security Guidelines

Wednesday, March 21, 2012 @ 03:03 PM gHale


The growth of mobile devices across the government is causing agencies to look twice at how they can secure their internal WiFi networks.

While these guidelines focus on the government, private-sector organizations could also review and apply them. The National Institute of Standards and Technology said there are six steps agencies should take to secure wireless local area networks, or WiFi.

Among the security considerations, agencies should have two separate WiFi networks: one for employees and one for guests. They should also have policies to determine the risk of having a laptop or other device connected to the network both via WiFi and by a wired connection.

Organizations should implement the following guidelines to improve the security of their WLANs:

Have standardized security configurations for common WLAN components, such as client devices and access points (APs). A standardized configuration provides a base level of security, reducing vulnerabilities and lessening the impact of successful attacks. Standardized configurations can also significantly reduce the time and effort needed to secure WLAN components and verify their security, particularly if the configuration can be deployed and verified through automated means.

When planning WLAN security, consider the security not only of the WLAN itself, but also how it may affect the security of other networks. A WLAN usually connects to an organization’s wired networks, and WLANs may also connect to each other. For WLANs that need wired network access, their client devices should access only the necessary hosts on the wired network using only the required protocols. Also, an organization should have separate WLANs if there is more than one security profile for WLAN usage; for example, an organization should have logically separated WLANs for external use (such as guests) and internal use. Devices on one WLAN should not be able to connect to devices on a logically separated WLAN.

Have policies that clearly state which forms of dual connections are permitted for WLAN client devices, and enforce these policies through the appropriate security controls. The term “dual connected” generally refers to a client device that connects to a wired network and a WLAN at the same time. If an attacker gains unauthorized wireless access to a dual-connected client device, the attacker could then use it to access or attack resources on the wired network. Organizations should consider the risks posed not only by the traditional form of dual connections, but also other forms involving multiple wireless networks. It is common today for client devices to connect to multiple wireless networks simultaneously, such as cell phone, WiMAX, Bluetooth, and WLAN networks. Organizations should assess the risk of the possible combinations of network technologies for their WLAN client devices and determine how to mitigate those risks. If one or more of the networks cannot mitigate risk to an acceptable level, then dual connections involving that network may pose too much risk to the organization.
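One way to check client devices against a dual-connection policy, as an added example that is not part of the NIST guidance or the original article. The permitted pairs, the interface-name prefixes and the device inventories are all assumptions constructed for illustration.

```python
from itertools import combinations

# Hypothetical policy: pairs of link types allowed to be active together.
PERMITTED_PAIRS = {frozenset({"wlan", "bluetooth"})}
# Hypothetical mapping from interface-name prefix to link type.
LINK_TYPES = {"eth": "wired", "wlan": "wlan", "wwan": "cellular", "bt": "bluetooth"}

def active_link_types(interfaces):
    """Link types that are up and hold an address, i.e. can carry traffic."""
    active = set()
    for iface in interfaces:
        if iface["state"] != "up" or not iface["addresses"]:
            continue
        for prefix, kind in LINK_TYPES.items():
            if iface["name"].startswith(prefix):
                active.add(kind)
    return active

def violations(interfaces):
    """Every simultaneously active pair of link types the policy does not permit."""
    pairs = combinations(sorted(active_link_types(interfaces)), 2)
    return [pair for pair in pairs if frozenset(pair) not in PERMITTED_PAIRS]

# Constructed inventories, as an endpoint agent might report them.
LAPTOP_DOCKED = [
    {"name": "eth0", "state": "up", "addresses": ["10.0.0.5"]},
    {"name": "wlan0", "state": "up", "addresses": ["192.168.1.7"]},
]
LAPTOP_ROAMING = [
    {"name": "eth0", "state": "down", "addresses": []},
    {"name": "wlan0", "state": "up", "addresses": ["192.168.1.8"]},
    {"name": "bt0", "state": "up", "addresses": ["172.16.0.2"]},
]
PHONE = [
    {"name": "wlan0", "state": "up", "addresses": ["192.168.1.9"]},
    {"name": "wwan0", "state": "up", "addresses": ["10.64.3.2"]},
]

if __name__ == "__main__":
    for label, inv in (("docked", LAPTOP_DOCKED), ("roaming", LAPTOP_ROAMING), ("phone", PHONE)):
        print(label, violations(inv) or "compliant")
```

The check covers multi-wireless combinations as well as the traditional wired-plus-WLAN case, since the policy is expressed as pairs of link types.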

Ensure the organization’s WLAN client devices and APs have configurations at all times that are compliant with the organization’s WLAN policies. After designing WLAN security configurations for client devices and APs, an organization should determine how to implement the configurations, evaluate the effectiveness of the implementations, deploy the implementations to the appropriate devices, and maintain the configurations and their implementations throughout the devices’ lifecycles. Organizations should standardize, automate, and centralize as much of their WLAN security configuration implementation and maintenance as practical. This allows organizations to implement consistent WLAN security throughout the enterprise, to detect and correct unauthorized changes to configurations, and to react quickly when newly identified vulnerabilities or recent incidents indicate a need to change the WLAN’s security configuration.
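A sketch of automated configuration verification for APs, covering the standardized baseline, the guest/internal separation and the detection of unauthorized changes described above. It is an added example, not code from NIST or the original article; the baseline settings, config schema and AP names are assumptions constructed for illustration.

```python
import hashlib
import json

# Hypothetical organizational baseline (assumed values, not from the guidelines).
BASELINE = {"encryption": "WPA2-Enterprise", "wps_enabled": False,
            "management_over_http": False}

def fingerprint(config):
    """Stable SHA-256 of a config, so any change yields a different digest."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def audit(name, config, approved_digest=None):
    """Return findings for one AP: baseline deviations, shared VLANs, drift."""
    findings = []
    for key, required in BASELINE.items():
        if config.get(key) != required:
            findings.append(f"{name}: {key}={config.get(key)!r}, baseline requires {required!r}")
    # Logical separation: SSIDs with different security profiles must not share a VLAN.
    profiles_by_vlan = {}
    for ssid in config.get("ssids", []):
        profiles_by_vlan.setdefault(ssid["vlan"], set()).add(ssid["profile"])
    for vlan, profiles in sorted(profiles_by_vlan.items()):
        if len(profiles) > 1:
            findings.append(f"{name}: VLAN {vlan} carries profiles {sorted(profiles)}")
    # Drift: the running config no longer matches the digest recorded at approval.
    if approved_digest is not None and fingerprint(config) != approved_digest:
        findings.append(f"{name}: config changed since approval")
    return findings

# Constructed sample configs.
GOOD = {"encryption": "WPA2-Enterprise", "wps_enabled": False,
        "management_over_http": False,
        "ssids": [{"name": "corp", "vlan": 10, "profile": "internal"},
                  {"name": "guest", "vlan": 20, "profile": "guest"}]}
APPROVED = fingerprint(GOOD)
DRIFTED = dict(GOOD, wps_enabled=True,
               ssids=[{"name": "corp", "vlan": 10, "profile": "internal"},
                      {"name": "guest", "vlan": 10, "profile": "guest"}])

if __name__ == "__main__":
    for name, cfg in (("ap-01", GOOD), ("ap-02", DRIFTED)):
        for line in audit(name, cfg, APPROVED) or [f"{name}: compliant"]:
            print(line)
```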

Perform attack monitoring and vulnerability monitoring to support WLAN security. Security monitoring is important for all systems and networks, but it is generally even more important for WLANs because of the increased risks they face. Organizations should continuously monitor their WLANs for WLAN-specific and general (wired network) attacks. Organizations should do largely the same vulnerability monitoring for WLAN components that they do for any other software: identifying patches and applying them, and verifying security configuration settings and adjusting them as needed. These actions should occur at least as often for WLAN components as they do for the organization’s equivalent wired systems.

Conduct regular periodic technical security assessments for the organization’s WLANs. These assessments should occur at least annually to evaluate the overall security of the WLAN. In addition, organizations should perform periodic assessments at least quarterly unless continuous monitoring of WLAN security is already collecting all of the necessary information about WLAN attacks and vulnerabilities needed for assessment purposes.


