Wireless Security Tips

Wireless technologies are convenient and make it easy to connect anywhere, anytime. Unfortunately, they are not at all secure. Here are some tips that you can implement to reduce your exposure to malicious intentions.

Defense-in-Depth

It seems that for any single measure that you take to thwart the villains, they have an ever-expanding library of insidious counter-countermeasures. This is why security measures must be implemented as a suite rather than as a single stroke.

The deployment of a suite of security initiatives, where more than one tool addresses different vulnerabilities at different points of susceptibility, is known “in the trade” as security-in-depth. We are going to adopt this ethos as our approach to wireless security hardening.

The Physical

As always, security starts at the physical level. Initiatives that all of us can employ include lock-down and lock-up. Ensure your mobile devices are secure. Whenever left unattended, they seem to have a habit of growing legs. Restricting physical access further reduces your systems' exposure to security threats.

Secure all Wireless Access Points (WAP) – This means making sure that the placement of your Wireless Access Points (WAP) gives the desired coverage whilst keeping the likelihood of displacement, tampering or unauthorised removal to a minimum.

All wireless enabled networks risk collapse if enough Wireless Access Points go out of commission. This is most important in areas where public access is possible. Another point to consider here is that the wind can push a WAP out of true alignment.

Coverage Pattern Shaping – Test to ensure that your wireless access covers those areas you wish to cover whilst maintaining zero leakage, or as close to zero as you possibly can. The use of directional antennas is a possibility that merits consideration at the planning stage of deployment. The fewer “freeloaders” your network is exposed to, the better your overall security will be.

War Driving – Remember that it is always advisable to place your wireless access points such that they face inward. This can dramatically reduce your exposure and subsequent security vulnerability to external mobile devices.

“War driving”, the practice of using wireless scanning software on portable devices such as laptops and notebooks, will not pose an attack risk if those devices do not get a signal.

Security Consciousness

Develop and foster a security conscious environment. Everybody does his or her bit to help. An organisation that is security “aware” is much harder to penetrate.

Social Engineering – Reduce the potential opportunities for social engineering tactics. Keep the insiders in and the outsiders out.

Security Policies – Develop and implement appropriate wireless usage security policies.

User Education – Educate your users in wireless security best practices. Update and communicate with wireless users whenever issues arise. What affects one user in all likelihood is capable of affecting them all.

Power-Off Unused Wireless Client Adapters

There are many benefits to powering off unused wireless client access adapters. Here are a few:

Battery Life – Powering off unused wireless client adapters will help promote battery life for mobile devices.

Prevention – Powering off the unused wireless client adapter is the simplest preventative measure to guard against a type of penetration attack known as “Microsoft Windows silent ad hoc network advertisement.” This type of attack takes advantage of the default configuration setting of Microsoft Windows Zero Configuration.

The default in Microsoft Windows Zero Configuration is to enable anonymous ad hoc connections. It works on the “advertisement” principle. Both the wireless enabled client and wireless access points continually advertise their presence to the world.

“Is there anybody out there?” This is an offer to request connectivity (the client-side) or an offer to provide connectivity (the wireless access point side). Most operating systems, networks and wireless access devices also exhibit the same type of behavior when it comes to announcing their presence.

Disable Internal Anonymous Ad Hoc Connectivity – From a security standpoint, once authorised users are internal to your perimeter, they do not need anonymous ad hoc connectivity capabilities. All they need do is log on to the network in their usual prescribed manner. Your authentication procedures will define who is, and who is not, permitted access and, voilà, wireless accessibility is theirs.

The Boardroom – When it comes to “official” meeting places such as the boardroom, you really do not want access from outside the boardroom to be possible. This is one location where your job will depend upon ensuring maximum security and zero leakage.

Service Set Identifier (SSID) Verification

Service Set Identifier (SSID) – SSID is the name used to identify the different 802.11x wireless networks (WLAN) to which a user may want to connect. Clients receive broadcasts from all wireless access points that are within range.

Selection of the wireless access point used for the connection depends on the specific configuration of the client, either a pre-configured wireless access point or one from a list that the user selects.

The Evil Twin Attack – This attack is patterned after the man-in-the-middle attack: a hacker falsely represents the true wireless network. The user obliviously connects and the hacker obtains every byte of traffic transmitted or received by that client.

SSID Verification – Simply verifying the SSID of the wireless network you are about to connect to is the easiest way to overcome most evil twin security threats.
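The verification described above can be automated on a Windows client. The following is an added example, not part of the original article: it parses text in the layout printed by `netsh wlan show networks mode=bssid` and goes one step beyond the name check by also comparing each access point's BSSID and authentication type against a baseline. The `KNOWN` allow-list, the network name and all addresses are hypothetical, and the scan text is a constructed sample.

```python
import re

# Constructed sample in the layout of `netsh wlan show networks mode=bssid`.
SAMPLE_SCAN = """\
SSID 1 : CorpWLAN
    Authentication          : WPA2-Enterprise
    BSSID 1                 : 00:11:22:33:44:55
    BSSID 2                 : 00:11:22:33:44:66

SSID 2 : CorpWLAN
    Authentication          : Open
    BSSID 1                 : 02:AA:BB:CC:DD:EE
"""

# Hypothetical allow-list: SSID -> (expected authentication, known AP BSSIDs).
KNOWN = {"CorpWLAN": ("WPA2-Enterprise", {"00:11:22:33:44:55", "00:11:22:33:44:66"})}

def parse_scan(text):
    """Return one (ssid, authentication, bssid) tuple per advertised BSSID."""
    rows, ssid, auth = [], None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if re.fullmatch(r"SSID \d+", key):
            ssid, auth = value, None
        elif key == "Authentication":
            auth = value
        elif re.fullmatch(r"BSSID \d+", key):
            rows.append((ssid, auth, value.lower()))
    return rows

def verify(rows, known):
    """Flag known SSIDs advertised by unlisted hardware or with unexpected auth."""
    findings = []
    for ssid, auth, bssid in rows:
        if ssid not in known:
            continue  # not a network we hold a baseline for
        want_auth, want_bssids = known[ssid]
        reasons = []
        if bssid not in want_bssids:
            reasons.append("unlisted BSSID")
        if auth != want_auth:
            reasons.append(f"authentication {auth}, expected {want_auth}")
        if reasons:
            findings.append((ssid, bssid, reasons))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reasons in verify(parse_scan(SAMPLE_SCAN), KNOWN):
        print(f"DO NOT CONNECT: {ssid} via {bssid}: {'; '.join(reasons)}")
```

A BSSID can be cloned just as an SSID can, so treat the authentication mismatch as the stronger of the two signals.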

Firewalls

Install and run a software firewall if you have not already done so. Microsoft Windows XP and Vista both have a built-in firewall application. Although it receives criticism from some quarters, the Windows Firewall application is free with the Microsoft Windows OS and has recently received additional improvements. If nothing else is available, use it.

There are, however, many alternatives which do offer considerably greater functionality than the Microsoft offering. Many of them are “free”. The “free” generally applies only to non-corporate users. You will need to check each candidate application for the specifics of its user license.

If you are looking for a range of applications from which to choose and want some background on each, then I recommend that you pay the SANS Institute a visit. They are a not-for-profit organisation that embraces all things “security”.

Disable Unused and High Risk Services

File and Printer Sharing – Users with new mobile devices such as new notebooks and laptops that run some version of the Microsoft Windows operating system will find that file and printer sharing is disabled by default.

This can be a bother in the workplace environment. So it becomes enabled fairly soon after the device is first connected to the network.

On the Road – In fact, some administrators do so prior to issuing company laptops and notebooks to their users. It certainly saves a lot of help desk time.

Unfortunately, not everybody uses a wireless enabled computer only within the confines of corporate network space. The “road warrior”, for example, has the need to do so in the most insecure of all computing environments: the publicly accessible ad hoc wireless network environment.

With file and printer sharing enabled, anyone connected to any ad hoc network to which you connect can SHARE your files. No authorisation is required. Extra security precautions are therefore required. Disabling this feature is a good place to start.

The Microsoft Knowledge Base – The article entitled “Disable File and Printer Sharing for Additional Security” explains how to determine your current file and printer sharing status. It also outlines the procedure to disable this feature.

Let the Server Serve – Why have file and printer sharing become so inextricably linked? This question has had me transfixed for quite some time now. Given that most users use client machines in a client-server environment, there is no “real” need for them to “moonlight” as servers. Leave the serving to the server: an old adage that is more applicable today than ever.

Security Risk Levels Increasing – Wireless devices include so many more computing devices today than ever before. Many “stationary” client machines are now wireless enabled. While this does add greater flexibility and plasticity to networks, it also poses a higher degree of risk than was previously the case.

Authorisation – You should also consider implementing “access by authorisation only” features. Even Microsoft Windows XP and Vista mobile devices have a Local Users and Groups management capability. It works very much in the same way that Active Directory Users and Groups works.

The main difference is that it only applies to that specific device. Security conscious network administrators will be very happy to show you how to use this feature. It is after all to their benefit that you do so.

Personally Identifiable Information (PII)

Information that explicitly identifies you must attract additional security measures. The name given to this type of information is “Personally Identifiable Information (PII)”.

Personally Identifiable Information (PII) Requirements Variation – Different systems, networks, services, service providers and regulatory bodies all require certain information from you. The exact nature and type of information requested differs from one organisation to the next.

Commonly Requested Personally Identifiable Information (PII) – Various organisations require different types of Personally Identifiable Information (PII) including Account Login Names, Passwords (for authentication purposes), Banking and/or Credit Card Details, Tax File Number, Social Security Number, Residential Address Details, Phone Numbers etc.

Other less frequently requested Personally Identifiable Information (PII) includes Health Records, Passport Details, Driver’s License and Registration Forms.

Web Browser Access – Permitting your Web browser to remember your Personally Identifiable Information (PII) opens the door for hackers to compromise your assets. It is very easy to retrieve this sensitive information, particularly in the event that your device is stolen.

Online Transactions

Although this may seem self-evident, it still constitutes one of the major avenues for breaching security in general and network security specifically. If you do not want everybody else to know the details of every wireless online transaction, then do not do it.

When it comes to sensitive information, the best advice is never to use an unsecured publicly accessible ad hoc wireless network service. This also holds true for many locations and circumstances inside your network security perimeter.

Wireless Device Updates

Regularly Update Wireless Enabled Devices – As with any other computer, always update your wireless enabled device's operating system, applications, utilities, tools, etc.

Other Components – Additional components of your device that you must check and update regularly include antivirus software, firewalls, drivers, web browser and Wi-Fi client applications.

Automatic Update – Today most antivirus software includes an automatic update option. Automatic download and installation of new versions, virus databases, patches, fixes and updates take place without any input from the user.

Application Vulnerabilities – It is not until long after many applications, operating systems, software and drivers have been implemented into a production environment that unforeseen vulnerabilities surface. By regularly checking the manufacturer’s website, you will be able to keep up-to-date with the current state of affairs pertaining to your situation specifically.

Scheduler – You can also use the scheduler applications that come supplied with most operating systems: Microsoft Windows, UNIX, Linux and Mac OS. Many administrators will schedule automatic updates to discover and download those elements relevant to their systems.

Granular Control – If the download contains critical updates, patches or fixes, the administrator can opt to install them all or to install only those specifically applicable to their current network and network security requirements. The selection of specific units from a wider and more diverse pool of options is a technique known as granular control.

Eliminating Risk – The elimination of many potential points of attack arising from application vulnerabilities is achievable in this way.

Secure Web Surfing

Whenever possible make sure that you use secure and anonymous web surfing practices. This takes on greater importance when a Virtual Private Network (VPN) service is not being used or available. Safe web surfing practices help to minimize your risk exposure in the event of incorrect Virtual Private Network (VPN) configuration.

Web Based SSL VPN Solutions

Numerous web services currently provide SSL VPN solutions. An encrypted tunnel between your device and the provider of the SSL VPN solution’s servers is established. You are now free to surf the net.

Note: This solution only applies to web based applications.

Fully Encrypted – Full encryption to all traffic generated from or returned to a wireless device now occurs by default. This procedure eliminates a whole bunch of potential security and network issues. Some of these web based SSL VPN solutions include TOR, Megaproxy and IronKey.

The IronKey solution uses a secure USB flash drive. It is also capable of establishing and auto-configuring a secure SSL VPN tunnel once wireless Internet access becomes available.

Virtual Private Networks (VPN)

Since web based SSL VPN solutions only apply to web based applications, another solution is required to deal with email applications such as Microsoft Outlook.

Remote Access – Here is where a full, feature-rich VPN solution is necessary. The VPN tunnel will allow authorised personnel to connect to the home or office networks remotely. Now the company network will take care of all the normal business applications, file sharing, and Internet access.

Availability – Today on the open market, there are many hardware and software VPN application solutions from which to choose.

Remote Access Applications

Using remote access applications means that no sensitive data travels over questionable networks. The basic idea here is that specialty software allows you to control remote devices. The devices can be located anywhere.

The only proviso is that they have Internet connectivity 24/7 if you want to access or control them 24/7. An SSL tunnel is established. Then the remote access session takes place through it. Web surfing, e-mail, and other applications are active only on the remote computer.

LogMeIn and MioNet are two applications that deliver this type of service.

Users, Groups and Guest Accounts

Users and Groups Accounts Administration – The administration of “regular” users by way of Active Directory Users and Computers to control their access rights and privileges is straightforward. It is far more difficult to administer the access rights and privileges for intermittent and transient users.

Fortunately, there are a number of ways in which to achieve this. Using Active Directory is one way to apply network access restrictions.

Local Users and Groups – Another is to use the Local Users and Groups snap-in at the client level. These access rights and privileges apply only to the local machine and not the entire network as is the case with domain controller applied access rights and permissions.

Special Accounts – Special guest accounts can be set up to allow security access rights for temporary, intermittent and/or transient visitors. Once they are gone, the account is closed. Microsoft Windows Server 2003 allows you to set specific access times and account durations via Group Policy.

Access Point Associations – Visitors can have their wireless access privileges associated with specific wireless access points or LAN segments. For example, they can access the network via wireless access points in the boardroom but nowhere else. They may be giving a presentation that requires access for the duration of the meeting.

Authentication Controls – Increasing the time that Windows waits before permitting another logon retry is one way to negate brute force password attacks. You might want to change the number of password entry attempts before the system stops responding (locks itself). Customising the Time-To-Live (TTL) attribute is another.

Anti-Malware Software

Never forget to install antivirus software, spam filters and pop-up blockers, and to disable scripts and applets that you do not want or use. Antispyware and adware filters are further initiatives that merit consideration.

The full range and diversity of options available here is something that I will discuss in a future article. Until then, enjoy!
