Banning Wireless Doesn’t Stop Users: Understand How to Protect Your Network and Support Wi-Fi Enthusiasts
Aruba White Paper

Table of Contents
Introduction
Implementing “no wireless”
“No wireless” policies without enforcement don’t work
Progressing from “no wireless” to secure wireless mobility
Provide secure guest access
Implement time-of-day or location restrictions
Limit users and devices to specific applications
Implement strict firewall-enforced user policies
Conclusion
About Aruba Networks, Inc.

Introduction

Despite great strides in wireless LAN (WLAN) technology, many organizations continue to choose a “no wireless” policy, meaning that wireless deployments of any kind are expressly prohibited by organizational guidelines. The basic goal is to eliminate any occurrence of wireless access, sanctioned or unsanctioned, within a defined space or location. The rationale for such a policy varies, ranging from security concerns to a perception of operational complexity and prohibitive cost.

However, in the quest to shut wireless out completely, two issues have arisen.

First, many organizations do not consider the infrastructure required to effectively enforce a “no wireless” policy. It is incorrect to assume that wireless threats will not exist simply because there is a “no wireless” policy and no IT-implemented wireless deployment. In fact, wireless-related threats are likely to exist regardless of the network design or internal mandates, because any employee or visitor can carry a radio into the building.

Second, many organizations have become myopic in their quest for “no wireless.” These organizations may not realize that, as wireless equipment has matured, the options for deploying secure network mobility have expanded. The options are no longer limited to a binary decision of allowing or disallowing WLAN access.
A range of controlled, restricted wireless policies that fall between “open wireless” and “no wireless” is now possible.

Implementing “no wireless”

Organizations have spent years and millions of dollars building moats around their computing infrastructure to protect it from the outside world. More recently, however, concerns have surfaced around internal threats, where legitimate users compromise the integrity of the network or gain access to privileged, confidential data. Trusted individual clients are often the most overlooked aspect of network security. Adding wireless to the equation exacerbates this security hole unless a well-thought-out plan is in place. A simple laptop with an embedded wireless network interface card (NIC), connected to the organization’s wired infrastructure, can expose intellectual capital in ways that a non-wireless client cannot. Unauthorized access points also pose a threat, even when they are deployed with no malicious intent.

“No wireless” policies without enforcement don’t work

Though well intentioned, “no wireless” policies are often poorly implemented. In the worst case, organizations simply publish guidelines and prohibit IT from deploying WLAN equipment, in the hope that this alone will protect the organization from wireless-related attacks. Some organizations take a slightly more proactive approach, using periodic walk-through assessments to report on malicious wireless activity. However, this method offers only a snapshot of the RF environment and is far from comprehensive enforcement of a “no wireless” policy: a rogue access point plugged in the day after a walk-through goes unnoticed until the next one. Both approaches underestimate the wireless threats that can surface in a wired environment, even when wireless installations are “prohibited.” Organizations that take this tack will quickly realize that the decision to implement a “no wireless” policy requires a full evaluation of the associated security threats, clearly stated expectations of such a policy, and the infrastructure required to enforce it.
These organizations will find that the only way to validate the absence of unauthorized WLANs and mitigate wireless threats is to deploy a best-in-class WLAN system which, at a minimum, must be able to perform the following functions.

Prohibit rogue APs – The solution must prevent any employee from installing rogue access points (APs) within the confines of a protected organization. Whether a network is wireless-enabled or not, rogue APs are one of the greatest threats to network security today. One employee with a $50 access point from a home electronics store can single-handedly open up the entire security perimeter, allowing anyone with a laptop and a wireless card free access to the internal network. Installing a system that automatically locates and disables rogue APs is an essential part of any security strategy, especially for enterprises choosing not to deploy wireless at all. However, it is not enough to detect rogues. A complete solution must identify and disable rogue APs, both on the wire and in the air, so that no client can communicate through them.

Network planners must be very careful when evaluating systems that identify rogue APs. There are two varieties: those that classify and those that do not. Systems that classify automatically determine whether an AP seen over the air is actually connected to the organization’s wired network. The result is high confidence that what is flagged as a rogue AP is a genuine threat to the network rather than a neighbor’s AP that merely shares the air. Upon identifying a threat, an effective system must automatically disable the rogue AP, preventing any clients from associating with it. Finally, network planners should choose a system that provides location tracking and real-time graphical views so that the rogue AP can be quickly found and physically removed from the network.

Figure 1. Rogue location tracking

Less sophisticated systems flag everything seen over the air as “rogue” and leave the rest of the work to the network staff. An IT administrator must then associate with each “rogue,” try to figure out what network it is attached to, try to locate it, determine whether it really is a rogue, and then manually tell the system to shut it down. With so much room for error, it is easy for an administrator either to miss a real security threat or to erroneously shut down a neighbor’s AP. At the end of the day, this type of system is almost like having no system at all.

Prohibit ad-hoc 802.11 – The solution must prevent all ad-hoc 802.11 WLANs from operating within the confines of a protected organization. Ad-hoc networks (uncontrolled WLANs operating only between clients, with no AP in the middle) constitute another class of rogue. The greatest danger posed by ad-hoc networking is a computing device running in ad-hoc mode while simultaneously connected to the wired LAN. Such a client can easily be compromised and used as an unauthorized entry point into the wired network, jeopardizing the company’s protected resources. Ad-hoc networks are particularly dangerous because anyone can join them: no authentication is required, and typically no encryption is used. In an enforced “no wireless” network, ad-hoc-enabled clients must be actively detected and disabled. A system that offers comprehensive RF monitoring can perform these functions by actively disrupting ad-hoc clients, as well as any clients attempting to associate with them, using de-authentication frames. This ensures that even if a device enabled for ad-hoc networking is connected to the wired network, it is rendered harmless. Note that containment by de-authentication relies on the target honoring unprotected management frames; a client using 802.11w protected management frames ignores spoofed de-authentication, so the wired-side alert and remediation remain necessary. In turn, the RF monitoring system should alert the network administrator so that ad-hoc networking can be disabled on the violating client.
Prohibit client bridging – The solution must give administrators visibility into misconfigured clients that are connected to the wired Ethernet network and are bridging their wired interface to a wireless connection. When bridging is enabled between two interfaces on a client, that client effectively becomes a rogue AP. A client configured as a bridge can inadvertently bridge two internal networks, creating a network loop. Worse, in a “no wireless” environment, a client bridging an outside wireless network to the internal wired network represents a security hole.

Figure 2. Client bridging (a Windows XP laptop bridging a public wireless network to the internal network)

An effective solution must implement advanced RF security to automatically detect wireless bridges, notify network administrators of their existence, and identify the location of the offending client on a building map.

Avoid disrupting other networks – The solution must prevent clients within the protected RF space from connecting to other organizations’ access points without disabling the operation of those access points or their clients. Access points and clients at neighboring companies and hotspots are not themselves harmful, but clients within a “no wireless” environment should be prevented from connecting to them. This must be achieved without hindering the operation of the neighboring networks and devices. An effective solution should automatically classify neighboring APs as “interfering,” not “rogue,” and prevent “no wireless” clients from associating with them. This can be accomplished with a combination of location-based services, client registration, and the same disruption methods used to keep clients off rogue APs, applied to the organization’s own clients rather than to the neighbor’s AP.
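The classification logic described across the rogue AP, ad-hoc and client-bridging requirements above, as an added example in Python that is not Aruba’s code and does not describe any Aruba product’s internals: it parses constructed 802.11 beacon frames for the BSSID, SSID and the ESS/IBSS capability bits, correlates the results with a constructed dump of the wired switches’ MAC tables and an inventory of managed BSSIDs, and labels each network valid, rogue, ad-hoc or interfering, flagging any wired host that shows up as a station on a foreign AP as a possible bridge. The MAC-adjacency heuristic used for the on-wire check is an assumption standing in for a real system’s wired-side trace.

```python
"""Classify 802.11 networks seen over the air against the wired MAC table.

Added example, not Aruba's code. Constructed assumptions: the RF monitor
hands us raw beacon/probe-response frames plus the station MACs it saw
associated to each BSSID; we also hold a dump of the switches' MAC address
tables and an inventory of our own managed APs' BSSIDs.
"""
import struct

CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010
MGMT_PROBE_RESP, MGMT_BEACON = 5, 8


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID and the ESS/IBSS and privacy capability bits."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (MGMT_PROBE_RESP, MGMT_BEACON):
        raise ValueError("not a beacon or probe response")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 of the 24-byte MAC header
    cap = struct.unpack_from("<H", frame, 34)[0]           # after timestamp(8) + interval(2)
    ssid, off = "", 36                                     # information elements start here
    while off + 2 <= len(frame):
        eid, elen = frame[off], frame[off + 1]
        if eid == 0:                                       # element id 0 = SSID
            ssid = frame[off + 2:off + 2 + elen].decode("utf-8", "replace")
        off += 2 + elen
    return {"bssid": bssid, "ssid": ssid,
            "ibss": bool(cap & CAP_IBSS), "privacy": bool(cap & CAP_PRIVACY)}


def build_beacon(bssid: str, ssid: str, ibss: bool = False, privacy: bool = True) -> bytes:
    """Constructed beacon frame used only as sample input (no radio involved)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack("<HH", MGMT_BEACON << 4, 0) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    return hdr + struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def bssid_on_wire(bssid: str, wired_macs: set, slack: int = 2) -> bool:
    """Heuristic (assumption): consumer APs use a wired MAC adjacent to the
    radio BSSID. A production system corroborates this by tracing the wired
    side; this check stands in for that step."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= slack for m in wired_macs)


def classify(seen: list, wired_macs: set, managed_bssids: set):
    """Return ({bssid: verdict}, [MACs of wired hosts acting as wireless stations]).

    Each entry of `seen` is parse_beacon() output plus 'clients', the station
    MACs observed associated to that BSSID.
    """
    verdicts, bridging = {}, []
    for ap in seen:
        b = ap["bssid"]
        if b in managed_bssids:
            verdicts[b] = "valid"
            continue
        if ap["ibss"]:
            verdicts[b] = "ad-hoc"            # no AP in the middle: contain and alert
        elif bssid_on_wire(b, wired_macs):
            verdicts[b] = "rogue"             # plugged into our LAN: disable on wire and in air
        else:
            verdicts[b] = "interfering"       # a neighbour: keep our clients off it, do not disrupt it
        if verdicts[b] != "rogue":
            # A MAC the switches know as a wired host, now a station on a foreign AP
            # or ad-hoc peer, is the client-bridge case: act on our client, not the AP.
            bridging.extend(c for c in ap.get("clients", []) if c in wired_macs)
    return verdicts, bridging


def demo():
    """Constructed sample: one managed AP, one rogue, one neighbour, one IBSS."""
    wired = {"02:aa:bb:cc:dd:0f", "02:c1:c1:c1:c1:c1", "02:00:00:00:00:01"}
    managed = {"02:11:22:33:44:50"}
    seen = [
        dict(parse_beacon(build_beacon("02:11:22:33:44:50", "corp")), clients=["02:55:55:55:55:55"]),
        dict(parse_beacon(build_beacon("02:aa:bb:cc:dd:10", "linksys", privacy=False)), clients=[]),
        dict(parse_beacon(build_beacon("02:ee:ff:00:11:22", "CoffeeShop")), clients=["02:c1:c1:c1:c1:c1"]),
        dict(parse_beacon(build_beacon("02:77:88:99:aa:bb", "freewifi", ibss=True, privacy=False)), clients=[]),
    ]
    return classify(seen, wired, managed)


if __name__ == "__main__":
    print(demo())
```

The distinction the verdicts draw is the one that decides what containment is safe: a “rogue” is disabled on the wire and in the air, an “ad-hoc” network and a bridging client are handled by acting on the organization’s own clients, and an “interfering” neighbor is left alone apart from keeping internal clients from associating with it. Running the demo yields the rogue, the neighbor and the IBSS correctly separated, with the wired host seen on the coffee-shop AP reported as a bridge candidate.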
Progressing from “no wireless” to secure wireless mobility

Most organizations recognize the benefits of user mobility, including productivity gains and the cost savings of overlaying convergence applications such as voice on a WLAN infrastructure. Concerns associated with wireless access have ebbed as security has advanced, and many now consider a properly secured WLAN to be more secure than the wired LAN: every wireless user is authenticated and every frame is encrypted, whereas a wired port typically trusts whatever is plugged into it. Wireless equipment compatible with 802.11i and the related WPA (Wi-Fi Protected Access) and WPA2 certifications provides strong security without complicating the user experience. Some wireless equipment even complies with the stringent requirements of the U.S. government’s FIPS standards.

Deployment of a WLAN solution has been greatly simplified as well. Early wireless implementations used distributed “fat” access points that were excessively difficult to deploy and manage. Even early centralized deployments were complex, requiring substantial hardware and software upgrades as well as cumbersome reconfiguration of the existing network infrastructure. Additionally, the existing VLAN structure had to be greatly extended to accommodate the WLAN, adding significant complexity. It is now clear that the risk of destabilizing the core network infrastructure to deploy a new service far outweighs the advantages of that approach.

Next-generation wireless solutions eliminate these issues. These WLAN solutions are deployed as a simple overlay on top of the existing network without requiring upgrades or reconfiguration. Mobility can now be added as a new service, much like an additional server, without requiring any knowledge of or changes to the network to accommodate it. Because the underpinnings of an enforceable, comprehensive “no wireless” policy must include core components of an advanced WLAN infrastructure, it is relatively simple to enable mobility incrementally.
In most cases, it is simply a matter of adding APs to provide coverage, or repurposing APs that were dedicated to RF monitoring so that they also serve clients. As wireless security and deployment concerns are addressed, organizations are beginning to take advantage of the benefits associated with wireless mobility. A few examples are provided below.

Provide secure guest access

The first step for many organizations is to deploy dedicated wireless guest access, effectively treating wireless as an untrusted network. Organizations are under increasing pressure to provide wireless guest access so that visitors can perform their jobs and gain instant access to timely business information. Wireless guest access can be configured to protect internal network resources and even to audit guest activity.

The impact on security and manageability should be negligible in moving from “no wireless” to guest-only wireless access. A guest access solution should not compromise the security of the network in any way and should not place an excessive burden on the IT staff. To achieve this, the solution must include the following:

• Secure Web Access – Client devices must be blocked from all access, other than the DHCP, DNS and HTTP redirect needed to reach the login page, until a web browser is opened and authentication credentials are entered. The exchange of credentials can be secured using industry-standard SSL/TLS. Mandatory acceptance of custom usage policies and guidelines can be required as part of the authentication process.

• Firewalled Traffic Separation – A fundamental weakness in early guest access implementations was reliance on VLANs alone to separate users. VLANs have proven unreliable in keeping users isolated and fully protected from one another. User-based policy enforcement must be done with an integrated firewall for maximum security.
• Role-based Guest Provisioning – A role-based guest provisioning system enables secure and simple provisioning of guest users through a web browser interface. A receptionist can use such an interface to add, delete and modify guest user accounts, configuring each with an expiration date and time.

• Secure Tunnel Redirection – Some advanced WLAN solutions allow guest traffic to be redirected into an IPsec or GRE tunnel for transport to another device located outside the corporate firewall. With secure tunnel redirection, guest traffic crosses the internal network only as encapsulated tunnel payload and is never switched or routed on it, which defeats attempts to reach internal hosts with crafted packets or VLAN hopping attacks.

• Non-Disruptive Deployment – The existing network should be treated as a no-touch zone, allowing rapid on-demand deployment. Wireless devices should communicate with each other securely over IP networks. No reconfiguration of closet switches, routers, VLANs or ports is required if the right solution is chosen.

• Reporting – The system should provide auditing and reporting of who is using the network, when it is being used, and how it is being used.

• Limited usage – A wireless guest access solution should allow the organization to limit guest access by protocol, restricting the type of traffic a guest user can send or receive. Restrictions should be configurable by TCP port range, UDP port range, service type (e.g., HTTPS), and IP protocols other than TCP and UDP (e.g., ICMP).

Implement time-of-day or location restrictions

In many cases, organizations find that the next step from a “no wireless” policy is secure wireless access restricted by time of day and location. One operational benefit of a wired network is that access is only granted as long as the building is physically open. Some WLAN solutions available today provide the equivalent benefit with configuration options to turn an AP or group of APs off during certain periods (e.g., overnight).
This limits exposure of the wireless network and ensures that IT staff are present to address issues as they arise.

Centralized WLAN systems with integrated firewalls can provide additional granularity by limiting WLAN access to certain users based on both time of day and location. This can be useful in developing access tiers for different groups of users.

Limit users and devices to specific applications

Another incremental step forward from a “no wireless” policy is to restrict users or devices to specific applications. Wireless solutions that include stateful firewalls can implement rules that match protocol, IP address and applications such as FTP, SIP, etc. Once application flows have been identified by the firewall, standard firewall actions such as permit, drop, log, or reject can be applied.

A stateful firewall is especially useful in securing and optimizing Voice over IP over WLAN (VoWLAN) through stateful recognition of traffic flows (e.g., SIP, H.323). Based on the IP address, protocol and application information in the control channel, the firewall can selectively open the media ports negotiated for each call and close them again when the call ends, rather than leaving an entire RTP port range permanently open. This prevents VoIP traffic from becoming a backdoor for attacking the internal network. Rules on the stateful firewall can also enforce bandwidth controls on a per-role basis (e.g., guests can be limited to a specific throughput) to provide quality of service and prevent VoIP traffic from being overrun by data. Application-based prioritization requires stateful inspection, and this capability is a crucial difference between competing wireless solutions.

Another powerful feature of advanced WLAN systems with a stateful firewall is blacklisting, where the system automatically blacklists (blocks from all network access) any client that violates specific firewall rules.
This is particularly useful when single-purpose devices, such as VoIP handsets, are in use. For example, if a voice handset is observed attempting database queries or file-server browsing, it is likely that the device or its credentials have been compromised by an intruder. Automatic blacklisting immediately disconnects the device from the network and generates an alert for the administrator.

Implement strict firewall-enforced user policies

An identity-based wireless solution that integrates encryption, authentication and access control into a single device can offer all the benefits of advanced mobility with a security level comparable to a network that fully enforces “no wireless.” Because wireless devices authenticate to the network, identity is known. Because encryption from those wireless devices terminates centrally, the system can ensure that network traffic was not forged by an intruder or tampered with in transit. Finally, if access control is done through a firewall, policy can be tied tightly to the identity and role of the user rather than to an arbitrary parameter such as an IP address. This means that even a malicious insider cannot alter a MAC or IP address to “become” someone else; access control decisions are made on the basis of the authenticated identity, not the network address.

Figure 3. Centralized authentication, authorization and encryption (a wired desktop and a wireless laptop, the latter via an access point, are identified, authenticated, authorized and encrypted at the access controller)

Traditional fixed networks can only apply access rights to ports or VLANs. Mobile users and devices, by definition, do not connect to the network through a fixed port. The network must therefore identify every user and device that joins it.
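The role-based policy, time-of-day window, per-protocol restrictions and automatic blacklisting described in the preceding sections, as one added Python example that is not Aruba’s code; the roles, port ranges, identities and flow records are constructed for illustration. The engine keys every decision on the role bound to the authenticated session rather than on the client’s IP or MAC address, drops guest traffic outside business hours, permits a voice handset only SIP and RTP, and blacklists it on the first attempt to reach a SQL or SMB port.

```python
"""Role-based wireless policy: identity-keyed rules, time windows, blacklisting.

Added example, not Aruba's code. The roles, port ranges, identities and
flows below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str                 # "tcp", "udp" or "any"
    ports: Optional[range]     # destination port range; None matches any port
    action: str                # "permit", "drop" or "reject"
    blacklist: bool = False    # a hit on this rule disconnects the client entirely


@dataclass(frozen=True)
class Role:
    name: str
    hours: Optional[tuple]     # (start, end) time-of-day window; None = always
    rules: tuple               # first match wins; no match = drop and log


ROLES = {
    "guest": Role("guest", (time(8, 0), time(18, 0)), (
        Rule("udp", range(53, 54), "permit"),                      # DNS
        Rule("tcp", range(80, 81), "permit"),                      # HTTP
        Rule("tcp", range(443, 444), "permit"),                    # HTTPS
    )),
    "voice-handset": Role("voice-handset", None, (
        Rule("udp", range(5060, 5062), "permit"),                  # SIP signalling
        Rule("udp", range(16384, 32768), "permit"),                # RTP media
        Rule("tcp", range(1433, 1434), "drop", blacklist=True),    # SQL from a phone: compromised
        Rule("tcp", range(445, 446), "drop", blacklist=True),      # SMB browsing from a phone
    )),
    "employee": Role("employee", None, (Rule("any", None, "permit"),)),
}


class PolicyEngine:
    def __init__(self, roles):
        self.roles = roles
        self.sessions = {}      # session id -> (identity, role), bound at authentication
        self.blacklist = set()  # sessions blocked from all access until an admin clears them
        self.alerts = []

    def authenticate(self, session, identity, role):
        """Bind identity and role to the encrypted session at login (802.1X or captive
        portal). Every later decision is keyed on this binding, so changing an IP or
        MAC address after login does not change what the client is allowed to do."""
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.sessions[session] = (identity, role)

    def evaluate(self, session, proto, dport, now):
        """Decide the fate of one new flow from `session` to proto/dport at `now`."""
        if session in self.blacklist:
            return "drop:blacklisted"
        if session not in self.sessions:
            return "drop:unauthenticated"       # no identity yet: nothing but the login path
        identity, role_name = self.sessions[session]
        role = self.roles[role_name]
        if role.hours and not (role.hours[0] <= now.time() < role.hours[1]):
            return "drop:outside-hours"
        for rule in role.rules:
            if rule.proto in ("any", proto) and (rule.ports is None or dport in rule.ports):
                if rule.blacklist:
                    self.blacklist.add(session)
                    self.sessions.pop(session)  # tear the session down immediately
                    self.alerts.append(f"{identity} ({role_name}) attempted {proto}/{dport}: blacklisted")
                    return "drop:blacklisted"
                return rule.action
        return "drop:no-match"                  # implicit deny; a real system logs this too


def demo():
    """Constructed sessions and flows exercising each branch of the policy."""
    eng = PolicyEngine(ROLES)
    eng.authenticate("sta-1", "visitor@example.com", "guest")
    eng.authenticate("sta-2", "phone-0042", "voice-handset")
    eng.authenticate("sta-3", "alice", "employee")
    day, night = datetime(2013, 5, 7, 10, 30), datetime(2013, 5, 7, 23, 5)
    return {
        "guest_https": eng.evaluate("sta-1", "tcp", 443, day),
        "guest_ssh": eng.evaluate("sta-1", "tcp", 22, day),
        "guest_night": eng.evaluate("sta-1", "tcp", 443, night),
        "phone_sip": eng.evaluate("sta-2", "udp", 5060, day),
        "phone_sql": eng.evaluate("sta-2", "tcp", 1433, day),
        "phone_after": eng.evaluate("sta-2", "udp", 5060, day),
        "employee_sql": eng.evaluate("sta-3", "tcp", 1433, night),
        "unknown": eng.evaluate("sta-9", "tcp", 443, day),
        "alerts": eng.alerts,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter here. First, the session, not the address, carries the identity: a client that changes its IP or MAC after login is still the same session with the same role, and a client that has never authenticated has no session and gets nothing. Second, the handset’s SIP traffic, which was permitted a moment earlier, is dropped after the blacklist hit, because the check for a blacklisted session runs before any rule is consulted; in a production system the blacklist would be keyed on the client’s hardware identity so that a reconnect does not clear it.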
A centralized wireless solution with an integrated firewall can be identity-aware and make permit/deny decisions based on the identity of the user or device. Once the role of the user is determined, appropriate rules can be applied to control what that user or device is permitted to do on the network.

Conclusion

Many organizations will continue to choose a strict “no wireless” policy for their network. It is critical that these organizations conduct a full assessment of the risks associated with this decision. Even with a “no wireless” policy, an advanced next-generation WLAN infrastructure is required to detect and mitigate wireless attacks. Advanced WLAN solutions provide much greater security whether an organization deploys “no wireless” or adds some level of mobility.

Figure 4 shows the relative level of security between deploying a next-generation WLAN infrastructure that enforces “no wireless” policies (upper curve) and a deployment that fails to properly enforce a “no wireless” policy or implements mobility with a legacy WLAN solution (lower curve). The overlaid benefit curve shows how improved network functionality and well-implemented security can greatly increase user productivity.

Figure 4. Balancing security against the benefits of wireless

Technology advancements now make it simple for organizations to deploy the infrastructure necessary to enforce “no wireless” policies initially and then take incremental steps towards providing advanced mobility, all without compromising security or adding network complexity. The key point is that a next-generation WLAN solution is essential to maintaining stronger security both when there is a “no wireless” policy and when advanced mobility is added to realize greater user productivity.

About Aruba Networks, Inc.
Aruba Networks is a leading provider of next-generation network access solutions for the mobile enterprise. The company’s Mobile Virtual Enterprise (MOVE) architecture unifies wired and wireless network infrastructures into one seamless access solution for corporate headquarters, mobile business professionals, remote workers and guests. This unified approach to access networks enables IT organizations and users to securely address the Bring Your Own Device (BYOD) phenomenon, dramatically improving productivity and lowering capital and operational costs. Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, Africa and Asia Pacific regions. To learn more, visit Aruba at http://www.arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook, and for the latest technical discussions on mobility and Aruba products visit Airheads Social at http://community.arubanetworks.com.

www.arubanetworks.com
1344 Crossman Avenue, Sunnyvale, CA 94089
1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550 | [email protected]

© 2013 Aruba Networks, Inc. Aruba Networks’ trademarks include AirWave®, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, and Green Island®. All rights reserved. All other trademarks are the property of their respective owners. WP_BanningWLAN_01XX13