SP-007: Wireless Public Hotspot Pattern

Diagram:


Legend: Wireless Public Hotspot.

Description: This pattern covers the connection of authorised endpoints (client machines such as corporate-owned laptops) to an organisation's private computing resources via a Wireless Public Hotspot, traversing the internet. It is applicable to scenarios where staff wish to access the corporate network from public locations such as hotels, home networks, or cafes. The key aspects of this pattern are: strong authentication of the user (ideally two-factor, certificate- or token-based) to ensure that only authorised users can access the network; encryption of the traffic transmitted over the public network to prevent interception; and a personal firewall on the endpoint to prevent compromise of the endpoint and subsequent access to private networked resources through it.
It is recommended that the authentication mechanism used to establish a VPN connection be linked with the organisation's global directory. This allows simpler access management across multiple access points and lets authentication be integrated with the resources that are accessed.
VPN access should be terminated in a DMZ, with consideration given to the use of role-based access to specific network segments.

Assumptions: Wireless Access Points cannot be trusted, therefore the client machines must have personal firewalls installed, ideally with the ability to detect malicious traffic via anomaly detection or signatures. Personal firewalls should be configured to silently drop all inbound connections. Confidentiality and integrity are provided by use of a VPN to connect to private networked resources. Strong authentication ensures only valid users can connect.
Ensure that Network Intrusion Detection and Prevention devices are deployed to cover traffic arriving from the VPN.

Typical challenges: Strong authentication should be as easy to use as possible; certificates stored on smartcards are a useful option. Other common approaches use tokens that generate a time-based code, which is entered along with a user ID and a static PIN.
Clients need good configuration management to ensure that OS and application patches, and the signatures for antivirus and personal firewalls, are kept up to date.

Indications: You should apply this pattern when providing access for remote workers via Wireless Hotspots to your private corporate or organisational network. This pattern does not cover Bluetooth or Infrared.

Contra-indications: Highly secure environments where risks from external connectivity must be minimised.

Resistance against threats: Spoofing, eavesdropping, impersonation, unauthorised access to computing resources.

References:
Overview of Wi-Fi hotspots: http://en.wikipedia.org/wiki/Hotspot_(Wi-Fi)
NIST SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access: http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf
NIST SP 800-113, Guide to SSL VPNs: http://csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf
Eric Geier, Wi-Fi Hotspot Security: http://www.wi-fiplanet.com/tutorials/article.php/3623061
Free tools:
1. NetStumbler identifies basic wireless devices that will respond to an "anybody out there?" request.
2. Kismet unearths wireless devices that have their SSIDs hidden or otherwise will not respond to basic NetStumbler probes. If you are not a Linux user, you can run Kismet directly from the Kali Live CD.
3. Aircrack enables WEP and WPA pre-shared key cracking.
4. FakeAP on the Kali Live CD mimics a legitimate access point and sets up an evil twin attack to check if your users will connect to fake access points.

Related patterns: 08_02_Pattern_006_Wireless Private Network

Classification: Network

Release: 08.02

Authors: Spinoza

Reviewer(s): Aurelius

Control details

AC-19 Access Control For Portable And Mobile Devices
AT-01 Security Awareness And Training Policy And Procedures
AT-03 Security Training
AT-04 Security Training Records
AU-02 Auditable Events
CA-02 Security Assessments
CA-07 Continuous Monitoring
IA-02 User Identification And Authentication
IR-02 Incident Response Training
IR-04 Incident Handling
IR-05 Incident Monitoring
IR-06 Incident Reporting
IR-07 Incident Response Assistance
RA-05 Vulnerability Scanning
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-13 Use Of Cryptography