Developing a Secure Wireless Infrastructure - Pt. 1


Wireless Security Best Practice

Wi-Fi networking is ubiquitous; it is in use everywhere around us. Some of the more familiar technologies are wireless Internet access and the cell phones that we use. Convergence and DLNA are bringing the workplace, entertainment, telephony, and data to our homes, vehicles, and mobile devices. Wireless connectivity gives mobility and flexibility; however, it is not as robust or secure as a wired connection. Wireless connectivity also usually entails shared access, resulting in everyone at your place of business, school or hotspot competing for the same resource, with a subsequent decrease in bandwidth. Whether it is because wireless must connect with a wired LAN backbone to access the Internet, or because of throughput and security issues, eventually the two components combine.

Thus, no matter our degree of reliance upon the usefulness and convenience of wireless networking, the wireless and wired networks will ultimately interconnect and co-exist. Therefore, when planning the integration of our wireless network with the wired components, we must consider the security not only of the WLAN itself, but also how it may affect the security of other networks. The “Guidelines for Securing Wireless Local Area Networks” from the NIST states, “A WLAN is usually connected to an organization’s wired networks, and WLANs may also be connected to each other. This means that the WLANs and WLAN devices are not only subject to WLAN-specific attacks, but also nearly all the attacks that wired networks and devices on those networks face”.

Therefore, best practice dictates that, for WLANs that need wired network access, client devices should access only the necessary hosts on the wired network, using the minimum required protocols. In addition, an organization should have separate WLANs if there is more than one security profile for WLAN usage; for example, an organization should have logically separated WLANs for external use, such as for their guests, and for their internal end-users. Additionally, devices on one WLAN should not be able to connect to devices on a logically separated WLAN.
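The three rules in the paragraph above can be checked mechanically against a firewall allow-list. The following is an added example, not part of the original article; the address plan, the zone names and the `(src, dst, proto, port)` rule format are assumptions made for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the article).
ZONES = {
    "guest_wlan": ipaddress.ip_network("10.20.0.0/24"),
    "staff_wlan": ipaddress.ip_network("10.30.0.0/24"),
    "wired_lan": ipaddress.ip_network("10.10.0.0/16"),
}
WLANS = ("guest_wlan", "staff_wlan")


def zones_of(net):
    """Names of the zones that the given network overlaps."""
    return [name for name, zone in ZONES.items() if zone.overlaps(net)]


def review_rules(rules):
    """Review ALLOW rules (default deny) given as (src, dst, proto, port).

    Returns (rule_number, finding) tuples for rules that let one WLAN
    reach another, or that open the wired LAN more widely than a single
    host on a specific protocol and port.
    """
    findings = []
    for idx, (src, dst, proto, port) in enumerate(rules, 1):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        dst_zones = zones_of(d)
        for wlan in (z for z in zones_of(s) if z in WLANS):
            # Logically separated WLANs must not reach each other.
            for other in dst_zones:
                if other in WLANS and other != wlan:
                    findings.append((idx, f"{wlan} can reach {other}"))
            if "wired_lan" in dst_zones:
                # Only the necessary hosts: anything wider than a host route.
                if d.prefixlen < d.max_prefixlen:
                    findings.append((idx, f"{wlan} allowed to subnet {d}"))
                # Only the minimum required protocols.
                if proto == "any" or port is None:
                    findings.append((idx, f"{wlan} to {d} lacks protocol/port"))
    return findings
```

A destination of `0.0.0.0/0` overlaps every zone, so a broad "allow to the Internet" rule sourced from a WLAN is reported as reaching the other WLAN and the wired LAN unless explicit denies sit in front of it.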

Organizations should have policies that clearly outline which forms of dual connections they permit for their WLAN client devices. These policies should be enforced by disabling all network interfaces that are not authorized for use with WLAN client devices. Further, configure these devices to prevent end-users from enabling them, or otherwise circumventing the restrictions. The devices should also be configured to disable bridging, which will prevent passing traffic between the networks. This is precautionary in the event an unauthorized dual connection occurs.

However, there are instances when WLAN clients are authorized for dual connections. On those occasions we should ensure that these connections occur only when necessary, and that any other non-essential connections are not allowed. Once again, we should configure the devices to prevent bridging.

As control mechanisms, we can configure the device’s BIOS so that WLAN connections terminate automatically when wired connections are detected; this type of configuration is known as LAN/WLAN switching. We may also implement software-based controls that permit either WLAN or wired network access, but not both simultaneously. These controls typically favor wired connections over WLAN because of their relative reliability, performance, and security.

An additional control mechanism is the use of host-based IDS/IPS applications to prevent multiple network interfaces from being active at one time. Through OS or domain controls, third-party policy-based software, et cetera, we may designate and enforce authorized and/or unauthorized network profiles.
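A host-side audit for the dual-connection and bridging conditions described above, written for a Linux client. This is an added example, not part of the original article; it assumes the standard sysfs layout under `/sys/class/net`, and the function names are chosen here for illustration.

```python
import os


def _read(path):
    """Return the stripped contents of a file, or '' if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def classify(sys_net, name):
    """Return 'wlan', 'wired', or None for loopback/virtual interfaces."""
    base = os.path.join(sys_net, name)
    if os.path.exists(os.path.join(base, "wireless")) or \
            os.path.exists(os.path.join(base, "phy80211")):
        return "wlan"
    # Physical NICs expose a 'device' link; loopback and bridges do not.
    if os.path.exists(os.path.join(base, "device")):
        return "wired"
    return None


def audit_dual_connection(sys_net="/sys/class/net",
                          ip_forward="/proc/sys/net/ipv4/ip_forward"):
    """List policy findings: bridges, bridge ports, WLAN and wired up together."""
    findings = []
    up = {"wlan": [], "wired": []}
    for name in sorted(os.listdir(sys_net)):
        base = os.path.join(sys_net, name)
        if os.path.isdir(os.path.join(base, "bridge")):
            findings.append(f"bridge device present: {name}")
        kind = classify(sys_net, name)
        if kind is None:
            continue
        # An enslaved interface passes traffic between networks.
        if os.path.isdir(os.path.join(base, "brport")):
            findings.append(f"{kind} interface {name} is a bridge port")
        if _read(os.path.join(base, "operstate")) == "up":
            up[kind].append(name)
    if up["wlan"] and up["wired"]:
        both = ", ".join(up["wlan"] + up["wired"])
        findings.append(f"dual connection: {both} up together")
    # Routing between interfaces has the same effect as bridging.
    if _read(ip_forward) == "1":
        findings.append("IPv4 forwarding enabled")
    return findings
```

An empty list means the host currently complies; run it on a schedule or at network-change events, because a dual connection is a transient state.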

Wired Broadband Delivery Systems

Overview

As previously stated, the wireless and wired elements of our network are interwoven; we cannot discuss one without considering the other. Therefore, we shall begin our discussion with an overview of the features and vulnerabilities of a few common wired broadband delivery systems.

Cable networks. For cable networks, the Data Over Cable Service Interface Specification (DOCSIS) is the telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system. It allows many cable television operators to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.

Cable networks are shared-media networks. All users within the same hybrid fiber-coax (HFC) segment share a common cable line running between their cable modems (CM) and the cable modem termination system (CMTS) servicing that segment. The traffic to and from any user is visible to all other users on the same network segment, and an eavesdropper can view this traffic using a packet-sniffing tool (A Guide to Securing Broadband Cable Networks: DOCSIS 2001). Figure 1(a) illustrates a typical setup of a cable access network.

Cable security. To counter this problem, the cable operators employ a system known as Baseline Privacy Plus (BPI+). This encrypts all your data to ensure that no one can intercept your transmissions. BPI+ also stops the illegal use of someone's connection to gain free access ("DOCSIS, Insecure by Design", 2008).

The encryption used must travel with the information wherever it goes. The US has laws as to the level of encryption that is permitted to be exported; as such, the maximum encryption level is 128-bit. To have a data exchange there is first a key exchange. The key exchange uses triple DES as its encryption. This is quite a strong encryption level, and provides satisfactory protection for the key exchange, and the algorithm used is a public key exchange. Cable modems do not require a username and password in the same way that dial-up connections do.

The authentication is hard-coded into the cable modems when built. This authentication is the X.509 digital certificate, which comprises a serial number, public key, MAC address, and the manufacturer's identification. The X.509 certificate is verified by the head end, also known as the distribution hub. Once this has been verified, the following data sent by that user is encrypted using their public key (Lee 2005).

Digital subscriber line. DSL access networks use existing telephone wiring to connect home users to the Internet. Unlike cable customers, DSL customers do not share their access link. Each customer’s DSL modem uses a dedicated point-to-point connection to exchange data with a Digital Subscriber Line Access Multiplexer (DSLAM). The connection carries both data and telephone signals, which are encoded in different frequencies (Dischinger et al. 2007). On the customer side, a splitter separates the two signals and forwards the data signal to the DSL modem. Figure 1(b) illustrates a typical setup of a DSL access network.

There are two important differences between DSL networks and other access networks. First, like cable networks, DSL networks often have asymmetric bandwidths; their downstream bandwidth is higher than their upstream bandwidth, commonly known as ADSL. Second, the maximum data transmission rate falls with increasing distance from the DSLAM. To boost the data rates, DSL relies on advanced signal processing and error correction algorithms, which can lead to high packet propagation delays.

DSL security. Best practice dictates that the end-user connect through an external device, such as a router, which obscures the connected device from an attacker’s view. Use firewall, IDS and antivirus software. Businesses running sites on broadband links should consider a commercial-grade product that will support e-mail and Web servers. In addition, it is advised to turn off all unnecessary network-related services other than basic TCP/IP.

Another major issue reported in “DSL Security Threat” is that many DSL ISPs provide their DSL customers with dynamic IP addresses on Point-to-Point Protocol over Ethernet (PPPoE), an authentication program that sets up Ethernet sessions as needed. Because they are sold dynamic IP addresses, as opposed to static IP addresses, customers would experience difficulty connecting to VPNs and hosted servers.

Dynamic IP addresses, which some ISPs now use, are less secure than static IP addresses for two reasons. One, they cannot be permanently assigned to a firewall, making it harder for enterprises to control access to their networks. Moreover, PPPoE makes it easier for attackers to gain unauthorized access by seizing or guessing at dynamic addresses. PCs connected to the Internet via cable or DSL service tend to be "always on." They may use the same IP address for days or weeks at a time. This makes them an easy target for attackers.

Another inherent DSL problem stems from the ability of a user to establish an authenticated link to a computer network or location while using a second channel on the line to access the Web. An attacker could get into your PC from your Internet connection and then use the second link to reach headquarters. Solutions include setting up DSL modem passwords and installing firewall software on the user's PC or requiring remote users to access the Net through a firewall at company headquarters.

Fiber to the home (FTTH). The main drivers for fiber are that the telecoms use it to regain revenue lost to cable companies, and consumer demand for IPTV, VoIP and data services. Fiber to the home (FTTH) is the delivery of a communications signal over optical fiber from the operators’ switching equipment all the way to a home or business, thereby replacing existing copper infrastructure such as telephone wires and coaxial cable.

“Advantages of Fiber to the Home” asserts, “Wireless alternatives such as Wi-Fi and WiMAX cannot deliver HDTV – and in fact have trouble delivering standard-definition television. Variants of DSL, and even the latest cable and satellite links, can deliver HDTV only with difficulty, low reliability, and high operating costs”. They further contend that one bundle of fiber cable not much thicker than a pencil can carry “ALL” of the world’s current communications traffic.

Security concerns. A primary concern is the protection of the hardware, software, and systems from power and data loss, viruses, SPAM, denial-of-service attacks, and the like. To do this across the last mile is literally a matter of bandwidth, and fiber has discretionary excess capacity to accommodate the sophisticated security and filtering tools available.

With phones, Internet, broadcast TV, alarms, and especially services (such as medical monitoring) all riding the same pipe, a disruption of service for any length of time would be disastrous. These security and business continuity hurdles must be overcome for FTTH to succeed.

Broadband over power lines. On Friday 15 October 2004, the FCC cleared the way for power companies to roll out broadband over power line service. In order to comply with FCC Part 15 regulations, the utility companies must shield their systems from producing interference with other licensed signals. Some BPL products use an Orthogonal Frequency Division Multiplexing (OFDM) modulation technique which allows the products to transmit at a very low energy level over a few selected MHz of the 1.7 to 30 MHz spectrum. This low energy level allows products to meet all FCC Part 15 regulations.

The communication speed of BPL is comparable with DSL or cable, with some BPL service providers claiming up to three Mbps. The only equipment an end user needs is a special modem plugged into an electrical receptacle. Technically, combining power and data in the same wire is nothing new. Phone companies have been powering telephones for decades from the central office switch over the same wires that carry voice. The IEEE 802.3af PoE (power over Ethernet) standard has made it possible to provide more power across LAN wiring to VoIP phones and WAPs (Qiu 2007).

Security concern. In the wake of the September 11 terrorist attacks, government officials and security experts have identified the need for the United States to possess communications network redundancy. By providing a third broadband technology, the nation would gain some of that needed redundancy (“Broadband Over Power Lines A White Paper”). Additionally, under the Mission Essential Voluntary Assets (MEVA) guidelines, utilities are responsible for ensuring secure infrastructure power for federal facilities, including military bases, and state, city and local government. BPL will also enhance security and enable other security applications such as video surveillance consistent with the MEVA guidelines.

BPL most likely will always be a rural niche solution; by 2011, it will have no more than 2.5 million subscribers. BPL alone cannot support these low-density areas because the equipment to carry the service there costs too much. It can extend the reach of DSL and back-haul WiMAX base stations, and expand broadband to rural areas. In areas already served by other broadband providers, BPL will increase competition, which in turn will bring better service and lower prices for consumers, as indicated by this chart (“Broadband Over Power Lines A White Paper”).

     
