
White Paper | Best Practices Guide: Eight Things You Can Do Today to Improve Wireless Network Security


Managing WiFi networks in the complex operating environment of a large retailer involves challenges a traditional campus-based enterprise doesn't have, even though the underlying WiFi hardware is the same. The network is larger and more distributed, operating environments are more varied, onsite support resources are limited or nonexistent and network security is paramount. For a retailer, a robust management solution is not a luxury but a requirement.

Manageability: Configure and control WiFi infrastructure, regardless of manufacturer or architecture.

Security: Detect devices and enforce security policies across all WiFi devices.

Visibility: View real-time information on every user and device, as well as historical trend reports for planning and analysis.

Flexibility: Fit the WiFi management solution to the existing network infrastructure

With the AirWave Wireless Management Suite, retailers can effectively control the largest wireless LANs in the world, in thousands of remote locations.

Overview

Primary and secondary (K-12) educational institutions are turning to computers and software applications to improve the learning environment for teachers, administrators, students, and their parents. A growing number of public schools strive to provide one computer for every student. Computer technology has enabled new educational tools and methods, increased productivity, and improved communications. The utility of both computers and educational applications is a function of access to the networks on which these tools depend—limitations to network access prevent the realization of their full potential.

In any survey of CIOs, security consistently ranks as the number one concern related to wireless networks. Given the impact of the Sarbanes-Oxley Act, HIPAA, the Payment Card Industry (PCI) standard and similar regulatory programs around the world, this overwhelming focus on security is hardly surprising.

Over the past several years, technology advances and new industry standards have made it relatively straightforward to implement a secure wireless LAN in almost any environment.

The biggest challenge now is not developing an acceptable wireless security strategy, but enforcing security policies consistently and uniformly across the entire wireless network.

Delivering acceptable wireless security thus requires a robust centralized wireless management solution capable of network-wide policy enforcement, like the AirWave Wireless Management Suite™.

Organizations with an efficient centralized management solution can quickly and easily implement eight critical ‘best practices’ for wireless network security:

1. Maintaining an accurate inventory of the wireless network infrastructure
2. Centralizing management of complex security policies
3. Auditing the infrastructure to ensure compliance
4. Detecting rogue access points across the wired network
5. Ensuring that all security patches are applied
6. Tracking all new wireless users and devices
7. Establishing ‘need-to-know’ administrative access
8. Locating lost and stolen devices


1. Maintaining an Accurate Inventory of the WLAN Infrastructure

The first step toward enforcing wireless security policies is ensuring that you know exactly what infrastructure you have and where it is located. Every IT organization must always maintain an accurate, up-to-date inventory of every component of the wireless infrastructure – including wireless access points, controllers, mesh devices and more.

Many IT organizations mistakenly believe that they have a 100% homogeneous wireless infrastructure, with access points and controllers from only one hardware vendor. As a result, they may be tempted to use proprietary vendor-provided discovery tools that look only for that particular vendor’s hardware. In reality, other groups or divisions within the enterprise have often started implementing wireless networks on their own – and may have chosen hardware from a vendor other than the one selected by IT. Good security policy dictates that IT should assume nothing and search for everything.

Figure 1. AirWave Device Discovery Screenshot

The AirWave Management Platform (AMP) automates network discovery, using a combination of SNMP, HTTP and proprietary scans (including CDP) to identify all wireless devices. Because AMP is a vendor-neutral platform, it reliably and accurately discovers access points and controllers from most leading hardware vendors. With this information, IT can then take steps to ensure that each of these devices is configured with the appropriate security policies.

Generating a one-time network inventory report that is filed away in a drawer in the network engineer’s desk is not enough to meet most security auditors’ requirements. To be useful for security purposes, this inventory must be kept ‘evergreen.’ AirWave automates this process, ensuring that a comprehensive inventory is completed at least once daily, providing detailed information on each network device, including:

• Name
• Make/model
• Serial number
• Software version
• MAC address
• IP address
• Location
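A daily inventory is only ‘evergreen’ if each run is compared with the previous one, so that a device that appeared, vanished, or changed software shows up in the report rather than being buried in a list of a thousand rows. Below is an added example of such a comparison in Python; it is not AirWave code. The Device record, the OUI-to-vendor table and both discovery snapshots are constructed for illustration, and a real tool would load the IEEE OUI registry rather than the three entries shown.

```python
"""Evergreen WLAN inventory: diff today's discovery against yesterday's.

Added example, not AirWave code. A discovery run is modelled as a list of
Device records (the fields an SNMP/HTTP sweep returns). The OUI table and
both snapshots are constructed for illustration, not real network data.
"""
from dataclasses import dataclass, asdict

# Constructed OUI (first three octets) -> vendor table. A real tool loads
# the IEEE OUI registry; these entries only illustrate the lookup.
OUI_VENDORS = {"00:1A:1E": "Aruba", "00:0B:85": "Cisco", "00:0C:E6": "Meru"}


@dataclass(frozen=True)
class Device:
    mac: str
    name: str
    model: str
    serial: str
    sw_version: str
    ip: str
    location: str

    def vendor(self) -> str:
        return OUI_VENDORS.get(self.mac.upper()[:8], "unknown")


def diff_inventory(previous, current):
    """Return (new, missing, changed) keyed by MAC address.

    MAC is the key because names and IPs change (DHCP leases, renames)
    while the burned-in address does not, so a device that moved to a new
    IP or took a software update appears under 'changed', not as a
    missing device plus a new one.
    """
    prev = {d.mac.upper(): d for d in previous}
    cur = {d.mac.upper(): d for d in current}
    new = [cur[m] for m in sorted(cur.keys() - prev.keys())]
    missing = [prev[m] for m in sorted(prev.keys() - cur.keys())]
    changed = {}
    for mac in prev.keys() & cur.keys():
        before, after = asdict(prev[mac]), asdict(cur[mac])
        delta = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
        if delta:
            changed[mac] = delta
    return new, missing, changed


def daily_report(previous, current):
    """Summary an auditor can read: what appeared, what vanished, what
    changed, and which devices carry an OUI outside the vendors IT
    believes it has (the ones a single-vendor tool never finds)."""
    new, missing, changed = diff_inventory(previous, current)
    return {
        "new": [d.mac for d in new],
        "missing": [d.mac for d in missing],
        "changed": changed,
        "unknown_vendor": [d.mac for d in current if d.vendor() == "unknown"],
    }


# Constructed snapshots: yesterday's and today's discovery results.
YESTERDAY = [
    Device("00:1A:1E:AA:00:01", "ap-hq-101", "AP-125", "SN001", "3.3.2.0", "10.1.0.11", "HQ floor 1"),
    Device("00:0B:85:BB:00:02", "ap-hq-102", "AIR-LAP1242", "SN002", "4.1.185.0", "10.1.0.12", "HQ floor 2"),
    Device("00:0C:E6:CC:00:03", "ap-lab-01", "AP201", "SN003", "3.5", "10.1.0.13", "Lab"),
]
TODAY = [
    YESTERDAY[0],
    Device("00:0B:85:BB:00:02", "ap-hq-102", "AIR-LAP1242", "SN002", "4.1.189.0", "10.1.0.12", "HQ floor 2"),
    Device("00:11:22:DD:00:04", "AP-DLINK", "DWL-2100", "SN004", "2.10", "10.1.0.44", "Branch 7"),
]

if __name__ == "__main__":
    for section, items in daily_report(YESTERDAY, TODAY).items():
        print(f"{section}: {items}")
```

Keying the diff on MAC address rather than on name or IP is deliberate: names get edited and DHCP leases move, while the burned-in address stays with the hardware, so a reboot that changed an AP’s IP is reported as a change to a known device instead of as one device lost and another found. The ‘unknown vendor’ list is the part to read first: on this constructed data it is the one device a single-vendor discovery tool would never have shown.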


2. Centralizing Management of Complex Security Policies

Many industry observers suffer from the misperception that leading IT organizations today have standardized on a single enterprise-wide wireless security policy. In fact, in large organizations with a diverse group of wireless users, this would be nearly impossible. While many IT organizations today are indeed striving to implement WPA2 wherever feasible, the list of exceptions is long:

• Few wireless VOIP handsets available today support WPA2.

• Employees purchase and use their own WiFi-enabled equipment (smartphones, PDAs, etc.) that are not fully managed by IT and thus are not configured for WPA2.

• Legacy devices (e.g., barcode scanners) may support only the older WEP security standard.

• Guests and contractors working in corporate facilities require Internet access.

Realistic IT organizations recognize that they cannot hope to maintain 100% uniformity across a rapidly growing user base with dozens of types of wireless devices. Instead, they define their network access policies to ensure that each user receives an appropriate level of network access based on (a) his or her identity and (b) the capabilities of the device being used. Most IT organizations are achieving this by configuring each access point to broadcast multiple SSIDs, each associated with a specific VLAN with pre-defined security policies. While complex, this approach ensures that a corporate user with a laptop supporting WPA2 can receive full network access while getting lesser access via her smartphone that does not support WPA2 (see below):

To manage complex policies across hundreds or thousands of access points and controllers, a centralized management solution is an absolute requirement. With the AirWave Management Platform software, IT simply defines its configuration policies once – and the software automatically pushes those policies to all the appropriate devices. To make the configuration process even easier, AirWave software can even create a configuration template from one of your existing APs or controllers.


3. Auditing All Devices to Ensure Uniform Enforcement

Defining strong centralized policies and configuring the network infrastructure to comply with those policies are necessary steps, but they are not sufficient to guarantee robust wireless security. Leading research analysts estimate that as many as 90% of wireless security incidents will result from misconfigured devices and infrastructure. AirWave data support this conclusion, indicating that as many as 30% of wireless access points in the typical enterprise violate the organization’s own configuration policies. The potential causes of misconfigured devices are numerous:

Figure 2. AirWave Configuration Audit Report

• Human error during initial configuration or subsequent troubleshooting

• Unsuccessful application of configuration changes or software updates

• APs that reboot and/or are restored to default settings

• Poorly documented or misunderstood configuration policies.

The unfortunate reality is that frequent, comprehensive configuration audits are the only way to ensure that policies remain in place across the entire infrastructure at all times. Yet, as enterprise wireless networks expand to encompass thousands of access points and controllers, manual configuration audits are so labor-intensive and error-prone that they simply do not get done – and wireless networks become more and more vulnerable over time.

The AirWave software completely automates the configuration audit process, comparing the actual configuration of each wireless device with the policies IT has specified. Whenever a violation is detected, the software generates an alert and provides a detailed side-by-side report showing the exact settings that do not match the policy. To ensure that IT is not overwhelmed with alerts related to relatively insignificant configuration variants and can focus on truly significant security issues, the AirWave software allows the IT department to specify what types of configuration violations should result in high-priority alarms and which should simply be logged. IT may even instruct the AirWave software to automatically ‘repair’ device configurations as soon as a violation is detected.
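The define-once, push-everywhere model of step 2 and the audit of step 3 are two halves of one loop. The Python below is an added example of that loop, not AirWave’s implementation: a policy template is built from a known-good AP’s configuration, every device’s settings are compared against it, each mismatch carries a severity that decides between a high-priority alarm and a log entry, and repair writes the policy value back for whichever severities IT chooses. The setting names and the three device configurations are constructed for illustration.

```python
"""Central policy definition, audit and repair.

Added example, not AirWave code. A policy is {setting: (expected value,
severity)}; a device configuration is {setting: actual value}. All
setting names and configurations below are constructed.
"""
from copy import deepcopy

HIGH, LOG = "high", "log"

# Drift in these settings is a security issue and alarms; anything not
# listed is treated as cosmetic and only logged.
SEVERITY = {
    "corp_ssid_auth": HIGH,
    "guest_vlan": HIGH,
    "telnet": HIGH,
    "snmp_version": HIGH,
    "ntp_server": LOG,
    "syslog_server": LOG,
}


def template_from_device(golden_config):
    """Build a policy from a known-good AP: {setting: (expected, severity)}."""
    return {k: (v, SEVERITY.get(k, LOG)) for k, v in golden_config.items()}


def audit(policy, actual):
    """Side-by-side list of violations, high severity first. A setting that
    is absent from the device (e.g. after a factory reset) is a violation
    too: its actual value is reported as None."""
    violations = []
    for setting, (expected, severity) in policy.items():
        observed = actual.get(setting)
        if observed != expected:
            violations.append({"setting": setting, "expected": expected,
                               "actual": observed, "severity": severity})
    violations.sort(key=lambda v: v["severity"] != HIGH)
    return violations


def repair(policy, actual, severities=(HIGH,)):
    """Return a corrected configuration with policy values applied for the
    chosen severities (by default only the high-priority ones), leaving
    log-level drift for a human to look at."""
    fixed = deepcopy(actual)
    for v in audit(policy, actual):
        if v["severity"] in severities:
            fixed[v["setting"]] = v["expected"]
    return fixed


def audit_fleet(policy, fleet):
    """{device name: violations} for the non-compliant devices only, so the
    report is about what needs attention."""
    result = {name: audit(policy, cfg) for name, cfg in fleet.items()}
    return {name: v for name, v in result.items() if v}


# Constructed known-good AP and three devices from the same AP group.
GOLDEN = {"corp_ssid_auth": "wpa2-enterprise", "guest_vlan": 30, "telnet": "disabled",
          "snmp_version": "v3", "ntp_server": "10.0.0.5", "syslog_server": "10.0.0.6"}
FLEET = {
    "ap-store-17": dict(GOLDEN),                                               # compliant
    "ap-store-18": {**GOLDEN, "telnet": "enabled", "ntp_server": "10.0.9.9"},  # troubleshooting leftovers
    "ap-store-19": {"corp_ssid_auth": "open", "telnet": "enabled"},            # factory defaults after a reboot
}
POLICY = template_from_device(GOLDEN)

if __name__ == "__main__":
    for name, violations in audit_fleet(POLICY, FLEET).items():
        for v in violations:
            print(f"{name}: [{v['severity']}] {v['setting']}: "
                  f"expected {v['expected']!r}, actual {v['actual']!r}")
```

Treating a missing setting as a violation is what catches the factory-reset case from the bullet list above: an AP that came back with defaults does not report a wrong value for most settings, it reports no value at all, and an audit that only compares keys present on both sides would pass it.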


4. Detecting Rogue Access Points Over the Wired Network

Unauthorized ‘rogue’ access points are one of the most common and serious wireless security threats. With AirWave’s RAPIDS module (as well as some proprietary management solutions), you can use your existing enterprise-grade access points to ‘listen’ for other unknown APs broadcasting within RF range – reducing the need to buy or install additional RF sensors.

Unfortunately, wireless techniques alone usually cannot detect all rogues in an enterprise. The sad truth is that rogue APs on your network are far more likely to be installed by your own employees and users than by a malicious intruder. Your users are much more likely to install their own access points where you do not yet have Wi-Fi coverage than they are to connect rogues right next to one of your own APs. As a result, wireless rogue scans may actually be least effective in detecting rogues in exactly those locations where the rogues are most likely to be.

Figure 3. The Fatal Flaw of RF-Only Rogue Detection

Since most organizations today do not have 100% wall-to-wall wireless coverage with APs or sensors, they are particularly susceptible to undetected rogues. The RAPIDS module uses a unique combination of discovery techniques across your wireless and wired network infrastructure to find rogues no matter where they are located.

Key features of the RAPIDS software include:

• Wireless rogue scanning using your existing access points (thick or thin) to detect, triangulate, and display the location of any rogue devices within range.

• Wireline discovery using SNMP and HTTP scans. Discovered devices are compared to RAPIDS’ database of 9,000+ ranges to determine which are most likely to be access points.

• Correlates data from wired and wireless scans to assign a score to each unknown device on your network, reflecting the likelihood that the device is a rogue AP

• Generates a high-priority alert containing all known information about the rogue, including SSID, security settings, switch port, etc.

• Interrogates the OS of potential rogue devices to eliminate costly ‘false positive’ results

• Includes ‘ignore AP’ functionality to avoid reporting your neighbors’ access points as rogues.
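Below is an added example, in Python, of the wired/wireless correlation and scoring that the feature list describes. It is not RAPIDS code, and the scoring weights, OUI table, scan results, fingerprint answers and switch entries are all constructed. One assumption is worth calling out: it counts a BSSID heard over the air as evidence against a wired MAC when the two differ only in their low bits, since access points commonly derive their BSSIDs from the base MAC of the radio. The second constructed rogue sits at a store with no RF coverage, so it is caught by wired evidence alone, which is the point of Figure 3.

```python
"""Rogue AP scoring from correlated wired and wireless evidence.

Added example, not AirWave's RAPIDS. Every OUI, scan result, fingerprint
and switch entry below is constructed. Evidence combined per unknown
wired device:
  - its OUI belongs to a vendor that makes access points
  - a BSSID heard over the air is 'adjacent' to its wired MAC (assumption:
    APs commonly derive BSSIDs from the radio's base MAC, so the two differ
    only in the low bits)
  - that adjacent BSSID was unencrypted
  - interrogating the device (HTTP/SNMP banner) says it is an AP; an
    answer such as 'printer' or 'ip-phone' clears the candidate instead
"""

AP_VENDOR_OUIS = {"00:1A:1E": "Aruba", "00:0B:85": "Cisco",
                  "00:13:46": "D-Link", "00:14:6C": "Netgear"}
ALERT_THRESHOLD = 60


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def adjacent(mac_a, mac_b, span=16):
    """True when both MACs share their first five octets and the last
    octets are within `span` of each other."""
    a, b = mac_to_int(mac_a), mac_to_int(mac_b)
    return (a >> 8) == (b >> 8) and abs(a - b) < span


def score_rogues(wired, wireless, fingerprints, authorized, ignored):
    """Return {mac: (score, evidence)} for wired devices at or above
    ALERT_THRESHOLD. Authorized MACs are skipped outright; BSSIDs on the
    ignore list (the neighbours' APs) contribute no RF evidence."""
    authorized = {m.upper() for m in authorized}
    ignored = {m.upper() for m in ignored}
    heard = [r for r in wireless if r["bssid"].upper() not in ignored]
    alerts = {}
    for entry in wired:
        mac = entry["mac"].upper()
        if mac in authorized:
            continue
        score, evidence = 0, []
        vendor = AP_VENDOR_OUIS.get(mac[:8])
        if vendor:
            score += 40
            evidence.append(f"OUI belongs to AP vendor {vendor}")
        for r in heard:
            if adjacent(mac, r["bssid"].upper()):
                score += 40
                evidence.append(f"BSSID {r['bssid']} (SSID {r['ssid']!r}) heard by {r['seen_by']}")
                if r["open"]:
                    score += 10
                    evidence.append("adjacent BSSID is unencrypted")
        kind = fingerprints.get(mac)
        if kind == "embedded-ap":
            score += 30
            evidence.append("device interrogation identifies an access point")
        elif kind is not None:
            score, evidence = 0, [f"device interrogation identifies a {kind}"]
        score = min(score, 100)
        if score >= ALERT_THRESHOLD:
            evidence.append(f"switch port {entry['switch']} {entry['port']}")
            alerts[mac] = (score, evidence)
    return alerts


# Constructed inputs. ...F0 is a consumer AP at store 7 whose BSSID ...F1 is
# heard by one of our APs; 00:13:46:02:AB:CD is an AP at store 9, where we
# have no RF coverage, so only wired evidence exists for it.
WIRED = [
    {"mac": "00:14:6C:5E:11:F0", "switch": "sw-store-7", "port": "Gi0/12"},
    {"mac": "00:13:46:02:AB:CD", "switch": "sw-store-9", "port": "Gi0/3"},
    {"mac": "00:0B:85:77:00:10", "switch": "sw-store-7", "port": "Gi0/5"},
    {"mac": "00:1A:1E:AA:00:01", "switch": "sw-hq-1", "port": "Gi1/1"},
]
WIRELESS = [
    {"bssid": "00:14:6C:5E:11:F1", "ssid": "linksys", "open": True, "seen_by": "ap-store-7-01"},
    {"bssid": "00:0B:85:99:12:34", "ssid": "neighbour-corp", "open": False, "seen_by": "ap-hq-101"},
]
FINGERPRINTS = {"00:14:6C:5E:11:F0": "embedded-ap", "00:13:46:02:AB:CD": "embedded-ap",
                "00:0B:85:77:00:10": "ip-phone"}
AUTHORIZED = ["00:1A:1E:AA:00:01"]
IGNORED = ["00:0B:85:99:12:34"]

if __name__ == "__main__":
    for mac, (score, evidence) in score_rogues(WIRED, WIRELESS, FINGERPRINTS, AUTHORIZED, IGNORED).items():
        print(f"{mac} score={score}: " + "; ".join(evidence))
```

The Cisco-OUI device on port Gi0/5 shows why the interrogation step matters: on OUI alone it would score 40 and sit just under the threshold, and a slightly more aggressive weighting would have paged someone about an IP phone. Conversely the store-9 device never appears in any RF scan and still alerts at 70, which is the case an RF-only scanner cannot see.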


5. Ensuring that All Security Patches are Applied

Wireless infrastructure vendors are quite aware of the critical importance of network security and most are very good at quickly making software patches available to address known security issues. It is up to the IT department, however, to ensure that these critical software updates are applied promptly to all devices. With thousands of access points and controllers in hundreds of locations, this can be a daunting task for IT – especially when they may receive several such updates from every vendor every year. Not surprisingly, many IT organizations find it difficult, if not impossible, to keep up.

Figure 4. Defining the 'Minimum Acceptable' Software

Yet, despite this difficulty, one of the first things that any competent security auditor will ask for is evidence that all relevant patches have been implemented.

AirWave helps automate this process by centralizing distribution of software updates. Network engineers simply use a drop-down menu to specify the ‘minimum acceptable’ software version for each brand and model of AP or controller. The AirWave Management Platform then automatically identifies any devices that currently have a ‘down-rev’ version of software installed and schedules them to be updated during a future maintenance window. Once the software update has been applied, the AirWave software performs a final ‘before-and-after’ validation to ensure that the change was implemented successfully and that the resulting configuration matches policy settings.

Figure 5. AirWave Inventory Report

The AirWave software also generates a full “Inventory Report” daily, specifying the current software version running on every wireless device on the network. When the auditors arrive asking for proof that all patches and updates have been applied, the network engineers can simply email them a copy of this standard daily report to prove compliance.
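The comparison of a running version against the ‘minimum acceptable’ version is where home-grown scripts most often go wrong, because version strings are not ordered the way strings are: compared as text, "10.0.1" sorts before "9.1.0". The Python below is an added example, not AirWave code, of doing the comparison numerically field by field and of reporting a model that has no minimum defined instead of silently passing it. The minimum-version table, device list and maintenance windows are constructed, and the assumption that vendors use dotted-numeric version schemes is noted in the code.

```python
"""Minimum-acceptable software version check.

Added example, not AirWave code. Versions are compared numerically, field
by field, because a plain string comparison puts "10.0.1" before "9.1.0"
and would flag a current device as down-rev (or pass an old one). The
minimums and device list are constructed for illustration.
"""
import re


def parse_version(text):
    """'4.1.189.0' -> (4, 1, 189, 0). Only numeric fields are used; vendor
    suffixes such as '-beta' or build tags are ignored. Assumption: the
    vendors in play use dotted-numeric firmware version schemes."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def at_least(running, minimum):
    """True when `running` >= `minimum`, padding the shorter tuple with
    zeros so that '6.1' and '6.1.0' compare equal."""
    a, b = parse_version(running), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def down_rev(devices, minimums):
    """Devices running below the minimum for their make/model, carrying the
    maintenance window they belong to so the upgrade can be scheduled. A
    model with no minimum defined is reported as 'no policy' rather than
    silently passed: an auditor will ask about it either way."""
    report = []
    for d in devices:
        minimum = minimums.get((d["make"], d["model"]))
        if minimum is None:
            report.append({**d, "minimum": None, "status": "no policy"})
        elif not at_least(d["sw_version"], minimum):
            report.append({**d, "minimum": minimum, "status": "down-rev"})
    return report


# Constructed policy table and device list.
MINIMUMS = {("Aruba", "AP-125"): "3.3.2.0", ("Cisco", "AIR-LAP1242"): "4.1.189.0",
            ("Meru", "AP201"): "3.6"}
DEVICES = [
    {"name": "ap-hq-101", "make": "Aruba", "model": "AP-125", "sw_version": "3.3.2.0", "window": "Sat 02:00"},
    {"name": "ap-hq-102", "make": "Cisco", "model": "AIR-LAP1242", "sw_version": "4.1.185.0", "window": "Sat 02:00"},
    {"name": "ap-lab-01", "make": "Meru", "model": "AP201", "sw_version": "3.6.0", "window": "Sun 03:00"},
    {"name": "ap-eu-01", "make": "Aruba", "model": "AP-125", "sw_version": "10.0.1", "window": "Sun 03:00"},
    {"name": "ap-store-9", "make": "D-Link", "model": "DWL-2100", "sw_version": "2.10", "window": "Sat 02:00"},
]

if __name__ == "__main__":
    for r in down_rev(DEVICES, MINIMUMS):
        print(f"{r['name']}: {r['status']} (running {r['sw_version']}, "
              f"minimum {r['minimum']}, window {r['window']})")
```

The ‘no policy’ row is the one to watch on a multi-vendor network: the D-Link unit above is exactly the kind of device the inventory step turns up, and a patch-compliance report that simply omits models without a defined minimum would let the auditor’s question go unanswered.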


6. Tracking All New Wireless Users and Devices

WiFi technology has become so affordable and widespread that WiFi radios are being embedded in a wide variety of consumer devices like phones, PDAs, cameras, printers, and more. WiFi-enabled phones will become particularly common: by January 2007, the WiFi Alliance had certified more than 100 different wireless handsets alone.

This means that more and more employees will be purchasing their own WiFi devices and bringing them into the workplace without IT’s knowledge or permission. The sheer volume of these devices means that it would be a losing battle for IT to attempt to block them all at the door – and since many employees will begin to use these devices to do their jobs even if the device itself was not purchased by the corporation, IT will often have to provide them with access to the unsecured guest network (at the very least).

Figure 6. AirWave New User Session Report

While IT cannot hope to stop these devices from entering the building, it absolutely must be aware of all of them – and should be able to determine where they are located and how they are being used at all times. In addition to its real-time device and user monitoring capabilities, the AirWave software generates an automated report showing every new user and device that associated to the network, allowing IT to verify how the user authenticated onto the network (if at all).

The New User Report contains direct links to an individual user session history that shows:

• Wireless APs used by the new device
• Current location of the device and its 24-hour roaming history
• SSID/VLAN to which the user is connected
• Radio type (802.11b/g/a) utilized
• Bandwidth utilization
• RF signal strength
• IP address, and more.

With this information, IT can track every user and device, and can ensure that all new devices are connected to the appropriate network resources – and nothing more.
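The report that step 6 describes can be produced from controller association and authentication logs. The Python below is an added example of that detection logic, not AirWave’s report. The log line format is constructed for illustration (real controllers and RADIUS servers log differently, so the regular expression is the part to adapt), the baseline of previously seen clients is constructed, and a client is ‘new’ when its MAC is absent from that baseline. Each new client is summarised with the APs it roamed across, its SSID/VLAN and how, or whether, it authenticated.

```python
"""New-device report from association/authentication log lines.

Added example, not AirWave's report. The log format is constructed for
illustration (real controllers and RADIUS servers log differently, so the
LINE pattern is what you would adapt), and KNOWN_CLIENTS stands in for the
baseline of clients seen on earlier days.
"""
import re
from collections import defaultdict

# Constructed controller log: ASSOC lines carry AP and SSID/VLAN, AUTH lines
# carry the method and, for 802.1X, the authenticated identity.
LOG = """\
2008-05-12T08:01:10 ASSOC mac=00:1c:b3:09:aa:01 ap=ap-hq-101 ssid=CORP vlan=10
2008-05-12T08:01:11 AUTH mac=00:1c:b3:09:aa:01 method=802.1X identity=jdoe@example.com
2008-05-12T08:03:42 ASSOC mac=00:1e:52:7f:00:9c ap=ap-hq-102 ssid=GUEST vlan=30
2008-05-12T08:05:00 ASSOC mac=00:17:f2:c4:12:88 ap=ap-hq-101 ssid=VOICE vlan=20
2008-05-12T08:05:01 AUTH mac=00:17:f2:c4:12:88 method=WPA2-PSK
2008-05-12T08:09:30 ASSOC mac=00:1e:52:7f:00:9c ap=ap-hq-103 ssid=GUEST vlan=30
"""
KNOWN_CLIENTS = {"00:1c:b3:09:aa:01"}

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>ASSOC|AUTH) (?P<kv>.*)$")


def parse(log_text):
    """Yield (timestamp, event, fields) per well-formed line; malformed
    lines are skipped so one bad line cannot abort the whole report."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        yield m["ts"], m["event"], fields


def new_device_report(log_text, known_clients):
    """{mac: session summary} for clients absent from the baseline: when
    first seen, which APs were used (roaming), SSID/VLAN, and how (or
    whether) the client authenticated. A client with no AUTH event at all
    is marked for review; on this constructed network that means it is
    sitting on the open guest SSID."""
    def blank():
        return {"first_seen": None, "aps": [], "ssid": None, "vlan": None,
                "auth": "none", "identity": None}
    sessions = defaultdict(blank)
    for ts, event, f in parse(log_text):
        mac = f["mac"].lower()
        if mac in known_clients:
            continue
        s = sessions[mac]
        if event == "ASSOC":
            s["first_seen"] = s["first_seen"] or ts
            if f["ap"] not in s["aps"]:
                s["aps"].append(f["ap"])
            s["ssid"], s["vlan"] = f["ssid"], f["vlan"]
        elif event == "AUTH":
            s["auth"] = f["method"]
            s["identity"] = f.get("identity")
    for s in sessions.values():
        s["review"] = s["auth"] == "none"
    return dict(sessions)


if __name__ == "__main__":
    for mac, s in new_device_report(LOG, KNOWN_CLIENTS).items():
        flag = "REVIEW" if s["review"] else "ok"
        print(f"{mac} first seen {s['first_seen']} on {s['ssid']}/vlan {s['vlan']} "
              f"via {','.join(s['aps'])} auth={s['auth']} identity={s['identity']} [{flag}]")
```

Two details carry the security value here. Joining the ASSOC and AUTH events by client MAC is what lets the report say how a device authenticated rather than merely that it connected, and keeping the list of APs in association order gives the 24-hour roaming history the session view above describes without a location engine.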


7. Establishing ‘Need-to-Know’ Administrative Access

In a large organization, there may be literally hundreds of IT employees who need access to the wireless management system to do their jobs. Network Engineers need to be able to define and apply configuration policies. The Help Desk staff needs access to real-time monitoring screens and reports to accurately diagnose and resolve user problems. Security analysts need to see compliance reports and information about rogue access points.

Good security policy dictates that each employee should have access to the information he needs to do his job – and no more.

Figure 7. Flexible Role-based Privileges

The AirWave software supports flexible, role-based administrative access policies with individual user passwords – and even integrates with systems like TACACS+ to inherit pre-defined roles. This allows IT to fine-tune permissions by role:

• “Read-only” (Help Desk) privileges are assigned to individuals who need monitoring data and reports but should not be permitted to change device configurations.

• “Read-write” (Network Engineer) privileges allow the user to change configuration settings.

• “Auditor” (Security Analyst) permissions allow the user to view compliance reports but not to change configurations.

• “Administrator” (Sys Admin) privileges allow the user to modify the setup of the AirWave software and define additional user roles.

The software allows privileges to be further refined by network segment. Thus, a network engineer may be granted configuration privileges for a certain set of devices (e.g., ‘retail store networks’ or ‘European facilities’) but not for others (e.g., ‘distribution center networks’ or ‘North American facilities’).

This allows the IT department to tailor the exact user permissions to match job responsibilities, ensuring that no one has privileges or access to information that he should not possess.
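The two dimensions above, role and network segment, combine into a single authorization question: may this person perform this action on this device? The Python below is an added example of that check with deny-by-default semantics, not AirWave’s permission model. The roles mirror the four in the list above, a grant ties a role to the device groups it applies to, and the users, devices and groups are constructed for illustration.

```python
"""Role-based administrative access scoped by device group.

Added example, not AirWave's permission model. ROLES map to actions, a
grant ties a role to the device groups it covers, and anything not
explicitly granted is denied. Users, devices and groups are constructed.
"""

ROLES = {
    "read_only": {"monitor", "report"},
    "read_write": {"monitor", "report", "configure"},
    "auditor": {"monitor", "report", "audit"},
    "administrator": {"monitor", "report", "configure", "audit", "manage_users"},
}
ALL_GROUPS = "*"

# user -> list of (role, device groups that role applies to)
GRANTS = {
    "alice": [("read_write", {"retail-stores", "europe"})],
    "bob": [("read_only", {ALL_GROUPS})],
    "carol": [("auditor", {ALL_GROUPS})],
    "dave": [("administrator", {ALL_GROUPS})],
    "erin": [("read_write", {"distribution-centers"}), ("read_only", {ALL_GROUPS})],
}
DEVICE_GROUPS = {
    "ap-store-17": {"retail-stores", "north-america"},
    "ap-paris-01": {"europe"},
    "ap-dc-1": {"distribution-centers", "north-america"},
}


def authorize(user, action, device=None):
    """Deny by default. Allowed only when some grant's role includes the
    action and that grant covers one of the device's groups (or all
    groups). Actions that are not about a device, such as manage_users,
    are checked with device=None."""
    groups = DEVICE_GROUPS.get(device, set()) if device else set()
    for role, scope in GRANTS.get(user, []):
        if action not in ROLES.get(role, set()):
            continue
        if device is None or ALL_GROUPS in scope or groups & scope:
            return True
    return False


def effective_permissions(user):
    """{device: sorted allowed actions}: the 'who can do what' view an
    auditor asks for, derived from the same check the enforcement uses."""
    actions = set().union(*ROLES.values())
    return {dev: sorted(a for a in actions if authorize(user, a, dev))
            for dev in DEVICE_GROUPS}


if __name__ == "__main__":
    for user in GRANTS:
        print(user, effective_permissions(user))
```

Deriving the review matrix from the same `authorize` function that enforces access, rather than from a separate description of the roles, is the point of `effective_permissions`: the answer to “who has access to what?” then cannot drift from what the system actually permits.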


8. Locating Lost and Stolen Devices

For a CIO, a lost or stolen laptop computer is more than a lost financial asset – it represents a potentially enormous security liability due to the data and network information that may reside on the device. While IT organizations must investigate tools designed to protect data and even to disable lost devices, it is critical to use every resource at IT’s disposal to locate missing devices as soon as they are reported. With the AirWave software, as soon as a user reports that a WiFi-enabled device is missing, IT can search for that device on the wireless network (by MAC address or username). If the device was misplaced or stolen by another employee, it is possible that the missing device may still be within the enterprise airspace, with its radio broadcasting a signal that can be detected by the APs in the area. If so, AirWave’s VisualRF application can triangulate the physical location of the device, enabling IT to notify the appropriate local staff and instruct them to retrieve it as soon as possible.

Using AirWave’s user roaming view, IT can even track the movement of the device over the past twenty-four hours to better understand what happened to the device and where it has been – to determine whether the device (and the data on it) left the enterprise facility at any time while it was declared missing.

On the other hand, if the lost device cannot be located within the enterprise airspace any longer, AirWave’s historical records can still be used to track the last known location of the device – so IT can review videos from security cameras in the area or take whatever other steps are required to locate and retrieve the device.

Figure 8. Simple 3-Step Process for Locating a Lost Device

IT can also use AirWave’s device search function as well as the User Session Report to determine whether that device ever reappears in any of its facilities. If so, AirWave’s location capabilities can pinpoint the location of the device as soon as it reappears.


Summary

There is no question that a robust centralized management solution is essential to wireless network security. Indeed, if the wireless infrastructure is not centrally managed, there is simply no way it can be considered secure.

The critical decision for an IT organization today is not whether to use a wireless management solution, but which solution makes its network most secure: the AirWave Wireless Management Suite or a proprietary element management system provided by one of the organization’s primary hardware vendors. The AirWave software has been specifically designed for security from the ground up – and to ensure that every organization has the ability to implement these best practices, whether the organization is a large Fortune 500 organization with thousands of locations or a smaller enterprise with only a few facilities.

Additional Resources

• AirWave Resource Center (whitepapers, etc.): www.airwave.com/resource-center/

• Online Demo: http://www.airwave.com/airwave-demo/


About AirWave Wireless

People move. Networks must follow. Aruba securely delivers networks to users, wherever they work or roam. Our unified mobility solutions include Wi-Fi networks, identity-based security, remote access and cellular services, and centralized multi-vendor network management to enable the Follow-Me Enterprise that moves in lock-step with users:

AirWave is the leading developer of world class multi-vendor management for the next generation network - where wireless and wired combine to provide the enterprise with greater flexibility, speed, security, and performance. A division of Aruba Networks (NASDAQ: ARUN), a publicly-traded company listed on the NASDAQ and Russell 2000® Index, AirWave software is used by hundreds of IT organizations, including Fortune 500 companies, retailers, manufacturers, banks, governments, hospitals, MSPs, schools, hotels, Internet service providers, and other institutions. AirWave supports wireless products made by more than 16 vendors including Alcatel, Aruba, Avaya, Cisco, Enterasys, Foundry, Meru, Motorola/Symbol, Nortel, ProCurve, Proxim, Trapeze, and Tropos. To learn more, visit AirWave at http://www.airwave.com.

© 2008 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company® are trademarks of


1700 S. El Camino Real, Suite 500, San Mateo, CA 94402

Tel. +1.650.286.6100 | Fax. +1.650.286.6101 | info@airwave.com
