Contributed by Brian Johnson, FRSecure Information Security Analyst
“Pretty secure” is the answer we hear many times when we’re doing assessments with clients. It’s kind of a loaded question, right? What exactly does secure mean when we’re talking about wireless? Well, there are a few key things we look at for starters:
- Network segmentation
- Password control
- Encryption type
Let’s dig into each of these items a bit more.
Many clients set up their wireless infrastructure to be an extension of their wired LAN. In other words, if a user were to join the wireless access point with a laptop, he/she would be able to do anything that could be done if the user had plugged the laptop into the regular corporate wired network. This means that if a malicious user were sitting in your parking lot and able to connect to your wireless, your entire infrastructure – servers, workstations, network devices, everything! – would be at risk.
Unfortunately, we also often find that companies allow guests to connect to their wireless to check email and browse the Web, assuming the intentions of their guests are good. However, as was stated earlier, people are the biggest risk when it comes to information security, so our recommendations in cases like these include some or all of the following changes:
- Divide guest and corporate wireless. First, reconfigure your wireless into an internal corporate segment (only to be used by company users/devices) and a second “guest only” segment.
- Lock down both networks. The “guest only” segment should be set up to allow users to connect to the Internet, and that’s it. No traffic – including DNS requests – should pass into the production network. In fact, if the guest wireless can be a completely separate Internet connection and network hardware, even better! Additionally, ensure technical controls are in place to protect the connection and filter traffic. We’ve worked with customers who have had their guest Internet connections abused by individuals downloading illegal software, music and movies.
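One way to test a guest-segment ruleset against the "Internet only, not even DNS into production" rule before deploying it. This is an added example, not part of the original article; the subnets, addresses and the tuple rule format are constructed for illustration and are not any firewall product's syntax.

```python
import ipaddress

# Constructed addressing (assumptions for this example only).
PRODUCTION = ["10.1.0.0/16"]
GUEST_CLIENT = "192.168.50.23"
# Flows a guest client might attempt: (description, destination, proto, port)
PROBES = [
    ("internal DNS", "10.1.1.10", "udp", 53),
    ("file server", "10.1.2.20", "tcp", 445),
    ("public web", "203.0.113.10", "tcp", 443),  # documentation-range address
]

# Hypothetical rule format, first match wins, default deny:
# (action, source net, destination net, proto or "any", port or None)
WEAK = [
    # Guests were handed the internal resolver, so an exception was punched in.
    ("allow", "192.168.50.0/24", "10.1.1.10/32", "udp", 53),
    ("deny", "192.168.50.0/24", "10.1.0.0/16", "any", None),
    ("allow", "192.168.50.0/24", "0.0.0.0/0", "any", None),
]
FIXED = [
    # Nothing into production, DNS included; guests get a public resolver.
    ("deny", "192.168.50.0/24", "10.1.0.0/16", "any", None),
    ("allow", "192.168.50.0/24", "0.0.0.0/0", "any", None),
]

def decide(rules, src, dst, proto, port):
    """Return the action of the first rule matching the flow, else 'deny'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, r_proto, r_port in rules:
        if (src in ipaddress.ip_network(s_net)
                and dst in ipaddress.ip_network(d_net)
                and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action
    return "deny"

def leaks(rules):
    """Names of probes into production that the ruleset lets a guest make."""
    prod = [ipaddress.ip_network(n) for n in PRODUCTION]
    return [name for name, dst, proto, port in PROBES
            if any(ipaddress.ip_address(dst) in n for n in prod)
            and decide(rules, GUEST_CLIENT, dst, proto, port) == "allow"]

if __name__ == "__main__":
    print("weak ruleset leaks:", leaks(WEAK))
    print("fixed ruleset leaks:", leaks(FIXED))
```

The DNS exception in the weak ruleset is the failure mode to look for: it sits above the deny rule, so guest clients can still send traffic into the production network.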
More often than not, we find that companies set up wireless security configurations when the access points were originally installed, and they haven’t been touched since. This is understandable, since in most configurations, changing the password would involve touching many devices manually to get them to reconnect. Also, we tend to find that the wireless password is freely available – it’s posted in the break room or other public areas for employees and visitors to see. Therefore, the following recommendations are common:
- Don’t post the wireless passwords everywhere. For your corporate wireless segment, do all the employee iPhones really need to connect to it – for example, to talk with an internal server or application? Or, do they really just need Internet access to be able to keep tabs on email and Facebook? One approach would be to offer employees the “guest only” Internet password for their personal devices, and keep only the corporate systems on internal wireless. For office guests, offer the “guest only” password upon request, rather than have it posted freely in the lobby.
- Rotate wireless passwords regularly. For example, if you force users to change passwords every 90 days, update your wireless passwords every 90 days too.
When it comes to encrypting your wireless connections, there are many terms and configurations to learn about and be familiar with. But for the most part, we find companies use the following types of encryption: WEP, WPA and WPA2. And, in some cases, we see access points running “wide open,” meaning users need no password or form of authentication to join – much like you’d see at your local coffee shop. Here are a few things we look for, and recommendations we make, when looking at wireless encryption:
- Open should be shut. In general, even if your access points are segmented and secured properly, running wireless “wide open” is a significant security risk. You essentially have no control of who connects to your access point, and depending on what kinds of activities users partake in online (such as downloading pirated music and movies, as mentioned earlier), your Internet connection could get suspended and your company could face legal action.
- Don’t use WEP. Check your access points and ensure they are not using WEP encryption. To put it simply, WEP is an older type of encryption that can be very easily broken. I recently did a demonstration for a friend who used WEP at home. Using tools freely available on the Internet, I was able to launch a script that broke his WEP encryption key in under 2 minutes.
- WPA/WPA2 passwords need to be long and strong. Currently, WPA and WPA2 are among the encryption standards that are considered to be very secure. However, it’s important to know that this type of encryption does not give us an excuse to use weak passwords to secure the connection. If a bad guy is able to capture the “handshake” that takes place between workstations and the access points (very easy to do), the bad guy can then run that handshake file against a database of words and phrases and if there’s a match – boom! – he’s got your password.
To put it in perspective, there are services online that will allow you to upload a handshake file and for just a few dollars, check the handshake against 300 million passwords in under a half hour. So, suffice it to say, using a password like twins123 or vikings2014 is not going to cut it. Instead, use a password management utility that has the ability to generate passwords, and make it give you one with a long combination of uppercase and lowercase characters, as well as special characters, such as 05GcA^Hb!$LzjKAEzujk.
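The following sketch generates and vets a wireless passphrase along the lines described above, and estimates how long a full search would take at the rate quoted in the article. It is an added example, not part of the original article; the 20-character minimum and the three-character-class rule are assumptions chosen to match the article's sample passphrase.

```python
import re
import secrets
import string

# Rate quoted in the article: 300 million candidates checked in half an hour.
GUESSES_PER_SECOND = 300_000_000 / (30 * 60)
# Letters, digits and punctuation: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 20  # assumption: length of the article's sample passphrase
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def findings(passphrase):
    """Return reasons to reject a passphrase (empty list means acceptable)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", passphrase):
        problems.append("word followed by digits, like twins123")
    if sum(any(c in cls for c in passphrase) for cls in CLASSES) < 3:
        problems.append("fewer than three character classes")
    return problems

def generate_passphrase(length=MIN_LENGTH):
    """Draw characters from the OS CSPRNG until the result passes findings()."""
    if not MIN_LENGTH <= length <= 63:  # WPA/WPA2 passphrases max out at 63
        raise ValueError("length must be between %d and 63" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not findings(candidate):
            return candidate

def years_to_exhaust(length, alphabet_size=len(ALPHABET)):
    """Years to try every random passphrase of this length at the quoted rate."""
    seconds = alphabet_size ** length / GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    for candidate in ("twins123", "vikings2014", generate_passphrase()):
        print(candidate, findings(candidate) or "ok")
    print("20 random characters: %.1e years" % years_to_exhaust(20))
```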
In summary, it’s important to give your wireless network proper – and continuous – care. This includes correct segmentation, strong encryption, and strict control over who and what connects to it.
Keep in mind, these are specific technical controls to address what is really a people problem, as people are always the biggest risk in information security. These technical controls need to be backed by proper policy and governance as part of a managed and maintained information security program.
FRSecure, Compudyne’s security partner, specializes in full-service information security consulting and is dedicated to security education, awareness, application, and improvement. They assist clients with understanding, designing, implementing, and managing best-in-class information security solutions.