SP-006: Wireless- Private Network Pattern

Diagram:

Your browser does not support SVG files! We recommend you upgrade to the latest version of Firefox so you receive patterns with hyper-linked controls.

Legend: Wireless Private Network.

Description: This pattern covers the connection of authorised endpoints (client machines such as corporate owned laptops) to a private wireless Local Area Network. The key aspects of this pattern are the use of strong authentication for the endpoint (ideally certificate based) to ensure that only authorised machines can access the network, encryption of the traffic transmitted over the wireless channel to prevent interception of traffic, a personal firewall for the endpoint to prevent compromise and subsequent access to networked resources.
It is recommended that the authentication mechanism for the endpoints should be linked with the organisations global directory which would allow simpler access management across multiple locations.
Use of a Wireless Controller combined with lightweight access points allows many access points to be managed centrally with common policies, and provides additional monitoring for rogue access points.

Assumptions: There is little value in utilising SSID hiding, obscure SSID names, or MAC layer controls, as to a determined attacker these strategies provide little protection. Instead all security should be provided by the appropriate level of authentication and encryption.
Frequent scans for unauthorised access should be made, via automated mechanism where possible. Ensure that Network Intrusion Detection and Protection devices are deployed to cover traffic from Wireless network segments.

Typical challenges: Authentication should be seamless if possible, which is why certificates offer a useful mechanism. Most operating systems will support the use of 802.1x challenges, and can integrate certificate issuance, renewal and revocation.
Where possible you should use WPA-2 encryption since this has a much stronger form of encryption between the client and access point (AES rather than RC4 with frequent session key renewal), however this is not supported by all access points or wireless cards, and you may need to fall back to WPA. WEP should be treated as an unencrypted channel since there are well publicised attacks, and should be supplemented by use of a VPN which naturally decreases usability since it tends towards the Wireless Public Hotspot pattern.
Try to ensure that the placement of Wireless Access points minimises the spread of signals beyond the perimter of the building or location to be covered.

Indications: You should apply this pattern when providing Wireless Access to your private corporate or organisation network from clearly defined locations. This pattern does not cover Bluetooth or Infrared.

Contra-indications: Environments where you need to provide guest access to a wide range of users and do not manage the endpoints. Any environment where security outweigh usability considerations, where you should still look to exclusive used of wired access to minimise denial of service, or the remote possibility that encryption may be broken, or that endpoint vulnerabilities will allow the attacker to piggyback onto an existing session.

Resistance against threats: Spoofing, eavesdropping, impersonation, unathorised access to computing resources.

References: Overview of 802.11i, WPA and WPA-2 http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
Detailed guidance to implement this pattern from NIST Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf
Free tools:
1. NetStumbler identifies basic wireless devices that will respond to an "anybody out there?" request.
2. Kismet unearths wireless devices that have their SSIDs hidden or otherwise won't respond to basic NetStumbler probes. If you're not into Linux you can run Kismet directly from the BackTrack Live CD.
3. Aircrack enables WEP and WPA pre-shared key cracking.
4. FakeAP on the BackTrack Live CD mimics a legitimate access point and sets up an evil twin attack to check if your users will connect to fake access points.

Related patterns: 08_02_Pattern_007_Wireless Public Hotspot

Classification: Network

Release: 08.02

Authors: Spinoza

Reviewer(s): Aurelius

Control details

AC-18 Wireless Access Restrictions
AC-19 Access Control For Portable And Mobile Devices
AT-01 Security Awareness And Training Policy And Procedures
AT-03 Security Training
AT-04 Security Training Records
AU-02 Auditable Events
CA-02 Security Assessments
CA-07 Continuous Monitoring
IA-02 User Identification And Authentication
IA-03 Device Identification And Authentication
IR-02 Incident Response Training
IR-04 Incident Handling
IR-05 Incident Monitoring
IR-06 Incident Reporting
IR-07 Incident Response Assistance
RA-05 Vulnerability Scanning
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-13 Use Of Cryptography