
SANS Institute Security Consensus Operational Readiness Evaluation. This checklist is from the SCORE Checklist Project. Reposting is not permitted without express, written permission.

Enterprise Wireless Audit Checklist

Copyright SANS Institute Author Retains Full Rights

Enterprise Wireless Network Audit Checklist Prepared by: Dean Farrington Version: 1.0

References:

1. NIST, Special Publication 800-48, “Wireless Network Security – 802.11, Bluetooth, and Handheld Devices”, 2002

2. Center for Internet Security, “Wireless Networking Benchmark (version 1.0)”, April 2005

3. Planet3 Wireless, “Certified Wireless Network Administrator, Official Study Guide (3rd Edition)”, Berkeley, Ca.: Osborne, 2005

4. Planet3 Wireless, “Certified Wireless Security Professional, Official Study Guide”, Berkeley, Ca.: Osborne, 2003

5. Gast, Matthew, “802.11 Wireless Networks, the Definitive Guide”, 2nd Edition, Sebastopol, Ca.: O’Reilly, 2005

6. Potter, Bruce and Fleck, Bob, “802.11 Security”, Sebastopol, Ca.: O’Reilly, 2002

7. Edney, Jon and Arbaugh, William, “Real 802.11 Security”, Addison-Wesley Professional, 2003

8. Cisco Press, “Cisco Wireless LAN Security”, Cisco Press, Indianapolis, In, 2004

9. National Security Agency, “Guidelines for the Development and Evaluation of IEEE 802.11 Intrusion Detection Systems (IDS)”, http://www.nsa.gov/snac/downloads_wireless.cfm?MenuID=scg10.3.1

10. DISA, “Wireless Security Checklist”, http://www.ncrdoim.army.mil/ia/documents/wireless-chklstv2r11-073003.doc

Introduction: The purpose of this paper is to offer guidance to Enterprise Architects on creating a secure 802.11 wireless network environment. Wireless networks, with their promise of increased productivity, have become a requirement of managers and executives. At the same time that 802.11 wireless networking is increasing the productivity of workers, it is also forcing a shift in traditional network design strategies. Because wireless is based on Radio Frequency (RF) technology, your internal network is no longer confined to the inside of your building, and you may well have a new avenue for network access that bypasses your carefully placed perimeter firewalls and perimeter defenses. Now more than ever, network architecture needs to embody the principle of Defense in Depth.

When designing wireless networks you need to build your security measures in overlapping rings, like the concentric defense of a medieval castle. Should one security measure prove weak or flawed, several other layers of your defensive strategy should still offer protection to your network. The overall goal is to ensure that no single failure can cause a collapse of all your defenses. Enterprise level wireless networks require complex and painstaking research and evaluation. Due to the number of points of difference between any two enterprise networks, few ready-made “one size fits all” solutions exist today. However, many wireless vendors tend to market their solutions in this manner. If you are familiar with securing home WLAN installations you will discover that some of the security mechanisms you are accustomed to in small scale wireless networks do not scale effectively to Enterprise level deployment. The following document cannot outline all possible design and deployment considerations for Enterprise Wireless Networks in detail. That would require a document the size of one or more of the books listed in the references. For that level of detail I refer you to those references. This document will, however, attempt to provide you a reference to the essential considerations for design and deployment of an Enterprise WLAN.

Checklist

No. Control

1 Policy – Before you start doing network designs or start evaluating authentication mechanisms, create your corporate policy on Wireless use and deployment. You will want to address many things in your policy such as:

• Acceptable use of wireless – Outline appropriate and inappropriate uses of the WLAN environment and possible consequences for non-compliance. Have an end-user agreement document that the user must sign showing they know and understand the policy for wireless use. Spell out in your documentation what services and uses are permitted on the WLAN. Have a policy on Hot Spot use for internet access and for remote connectivity (VPN).

• Sources of Authorized WLAN installations – It is a good idea to clearly state which part of the organization is the only source authorized to provide WLAN services. This can help prevent users or groups from feeling that, since WLANs are approved for use, they can provide their own access if it is not available where they would like it. It is a good idea to have a statement dealing with how user installed (rogue) WLAN devices will be dealt with. If the policy states these devices will be confiscated, then the user should understand the consequences of enabling such a device.

• Allowed hardware – If you are requiring certain specific hardware for your WLAN, define it in policy. It is advisable to prohibit the use of personally owned equipment.

• Wireless IDS – Document a requirement for deploying Wireless IDS to monitor your WLAN environment.

Even if you do not have a WLAN deployment, you ought to have a policy governing the deployment of WLANs to ensure that users do not decide to provide their own. The policy should also give you official backing when removing unauthorized access points.

2 WLAN Architecture – Have an overall architecture for Enterprise WLAN deployments. This creates standardization of hardware and configuration for multi-site WLAN deployments and allows for reuse of components of the WLAN back end, such as authentication servers. Determine appropriate placement of WLAN networks in response to the needs of the organization. Should they be placed on the internal network backbone, in a DMZ, or only in non-sensitive areas? Should an Enterprise Wireless Gateway be used to perform VPN functions over 802.11? These are all issues for the overall corporate architecture to consider, since the answers will be different for every company or organization based on their risk tolerance, regulatory requirements, budget, and support capabilities.

• The architecture should also take into account the Authentication and Encryption schemes to be used. Again, these are going to be driven by local requirements, but having them documented should allow for the possible reuse of some of these components across multiple WLAN installations, especially the backend authentication servers.

• Physical security of the Access Points and related infrastructure should also be considered as part of the infrastructure. Determine appropriate controls to physically secure the hardware, such as installation in secured wiring closets or mounting access points in lock boxes.

• Consider architecting the WLAN in such a way that the wireless network is separated from the LAN through the use of segmentation devices. This can provide additional security and a choke point between the WLAN and the Enterprise LAN backbone.

• Will the clients use a VPN on top of the Wireless LAN? If the additional security is needed or desired, determine how this will be implemented, whether through the use of a VPN concentrator or an Enterprise Encryption Gateway.

3 Configuration Management – Ensure a system for configuration management is in place and is used for all changes in Access Point configuration. Document, test and record all changes so a history is kept for fault isolation. Periodically audit the AP configuration against the configuration recorded in the configuration management system to detect unauthorized modifications.
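The periodic audit in item 3 can be automated once the recorded configuration and the running configuration are in a comparable form. The following is an added example, not part of the SANS checklist: it flattens both configurations to dotted setting names and reports every setting where the AP differs from the record. The baseline, the running configuration and the setting names are constructed for the example; real APs export configuration in vendor-specific formats that would need their own parser in front of this comparison.

```python
"""Added example: compare a running AP configuration against the baseline
recorded in the configuration management system and report drift.
Both configurations and their setting names are constructed samples."""

# Baseline as recorded in the configuration management system (constructed).
BASELINE = {
    "ssid": "Room 212",
    "ssid_broadcast": "off",
    "encryption": "wpa2-aes",
    "auth": "802.1x",
    "management": {"http": "off", "telnet": "off", "ssh": "on", "snmp": "v3"},
    "session_timeout_minutes": "30",
    "client_isolation": "on",
}

# Running configuration pulled from the AP during the audit (constructed).
# Someone has turned SSID broadcast and HTTP management back on and added
# a guest SSID that was never recorded.
RUNNING = {
    "ssid": "Room 212",
    "ssid_broadcast": "on",
    "encryption": "wpa2-aes",
    "auth": "802.1x",
    "management": {"http": "on", "telnet": "off", "ssh": "on", "snmp": "v3"},
    "session_timeout_minutes": "30",
    "client_isolation": "on",
    "guest_ssid": "Guest",
}


def flatten(cfg, prefix=""):
    """Turn nested dicts into dotted keys so every setting compares one-to-one."""
    out = {}
    for key, value in cfg.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def config_drift(baseline, running):
    """Return a sorted list of (setting, recorded_value, running_value).

    A setting present on only one side is reported with None for the other.
    Any non-empty result means the AP differs from the record and should be
    investigated as a possible unauthorized modification."""
    recorded = flatten(baseline)
    live = flatten(running)
    drift = []
    for name in sorted(set(recorded) | set(live)):
        if recorded.get(name) != live.get(name):
            drift.append((name, recorded.get(name), live.get(name)))
    return drift


if __name__ == "__main__":
    for setting, expected, actual in config_drift(BASELINE, RUNNING):
        print(f"DRIFT {setting}: recorded={expected!r} running={actual!r}")
```

Settings that exist only on the AP (here the unrecorded guest SSID) are reported just like changed values, since an added SSID is exactly the kind of modification the audit is meant to catch.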

4 Ensure a proper Site Survey is performed prior to WLAN Deployment – A Site Survey is needed in order to determine proper placement of Access Points to give the required connectivity and throughput; however, it is also an ideal time to plan for some security concerns.

1) Placement of Access Points to provide adequate data rates to associated clients may also cause a lot of signal to spread beyond the boundary of the building itself. Look for opportunities to shape the RF footprint of the network by careful use of power levels and directional antennas to minimize the RF in areas outside of your physical control.

2) At the same time you are placing your access points, identify the locations for placing Wireless IDS sensors. Even if you are not planning to deploy a Wireless IDS now, you can save time and money later by doing some of the planning now.

5 End User Training - Ensure the end users are properly trained in the use of all security features of the Enterprise WLAN. Train the users about the proper and improper uses of the wireless access they are being provided. Reinforce the corporate policies on use of Hot Spots and personal wireless networks in the course of the training as well.

6 Ensure the Security of all WLAN clients – All workstations that are to be WLAN clients should be properly secured. Some things to ensure:

• Proper patch level is maintained

• An Anti-Virus client is installed, running, and regularly updated

• Ensure a personal firewall is installed and active on the wireless connection.

• Ensure appropriate system security settings are in place

• Ensure that the supplicant does not have the setting “Validate server certificate” disabled. If this is disabled you can lose all of the security of the connection, as any certificate presented can be trusted.
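The last bullet above is the one most often got wrong in client profiles, and it can be audited rather than checked by hand. The following is an added example, not from the SANS checklist: it reads EAP network blocks from a wpa_supplicant-style configuration (used here as a stand-in for the Windows “Validate server certificate” setting; in wpa_supplicant, a profile with neither ca_cert nor ca_path does not verify the server certificate) and flags profiles that would trust any certificate presented or that verify the certificate but never check which server it names. The sample configuration, its SSID, identity and paths are constructed for the example.

```python
"""Added example: flag 802.1X/EAP client profiles that disable server
certificate validation.  The sample wpa_supplicant.conf below is constructed;
the option names (ca_cert, ca_path, domain_suffix_match, altsubject_match,
subject_match) are real wpa_supplicant network-block options."""
import re

# Constructed configuration: the first profile trusts any RADIUS server
# certificate, the second pins a CA and the server's name.
SAMPLE_CONF = """
network={
    ssid="Room 212"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Room 212"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)

NO_CA = "server certificate not validated (no ca_cert or ca_path)"
NO_NAME = ("server identity not checked (no domain_suffix_match, "
           "altsubject_match or subject_match)")


def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")   # keeps '=' inside values (phase2)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def check_profile(net):
    """Return a list of findings for one profile; empty means it passes."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").upper().split()
    if not any(k in ("WPA-EAP", "WPA-EAP-SHA256", "IEEE8021X") for k in key_mgmt):
        return findings   # PSK/open profiles present no server certificate
    if not net.get("ca_cert") and not net.get("ca_path"):
        findings.append(NO_CA)
    if not any(net.get(k) for k in ("domain_suffix_match", "altsubject_match",
                                    "subject_match")):
        findings.append(NO_NAME)
    return findings


def audit_supplicant(text):
    """Return [(block_index, ssid, findings), ...] for every profile."""
    return [(i, net.get("ssid"), check_profile(net))
            for i, net in enumerate(parse_networks(text))]


if __name__ == "__main__":
    for index, ssid, findings in audit_supplicant(SAMPLE_CONF):
        status = "; ".join(findings) if findings else "ok"
        print(f"profile {index} ssid={ssid!r}: {status}")
```

The name check is reported separately from the CA check because a profile that validates against a public CA but never checks the server name would still accept any certificate that CA has issued.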

7 Ensure Strong Authentication and Encryption is required on the WLAN – Encryption is the topic that has garnered the most attention in relationship to wireless technology. The choice of encryption and authentication schemes is one of the most important decisions you will need to make when planning your wireless network. This checklist cannot cover all the issues involved in selection of an appropriate mechanism for your enterprise, since every enterprise has unique requirements, but we will attempt to raise some of the issues you need to consider in your selection.

• Use the strongest encryption practical; 128 bits should be considered the minimum acceptable level.

• Use AES encryption with WPA2 if possible

• Select a mechanism that uses centralized authentication

• Select a mechanism that supports PKI certificates if you have the infrastructure to support it.

• If you are using EAP, look to your vendors to comply with RFC 3748, which obsoletes RFC 2284. RFC 3748 calls for binding the inner and outer authentication protocols to help mitigate Man-in-the-middle attacks.

• Use a scheme that allows for mutual authentication if possible

• Assume that WEP provides no real protection, and only use it as a last resort

• Avoid using authentication protocols that have been broken

8 Change default passwords – All Access Points on the market come preconfigured with a default password. The default passwords are well known to the hacking community and allow for easy exploitation of your network. Change them immediately.

9 Change default configuration settings – All Access Points on the market come preconfigured with some form of default settings for the SSID and the administrative passwords. These are well known to the hacking community. Change them before connecting any APs to your production network.

10 Configure devices on a non-production network if possible – Because of the issues with the well known default settings, it is a good practice to establish your initial configuration of WLAN components on an isolated “configuration LAN”. This reduces the possibility of someone attacking your device by trying to exploit its default configuration, and if they did succeed they would have access to nothing critical.

11 Disable all unused management interfaces – All enterprise class Access Points come with multiple management interfaces. Disable any that are not actively being used to manage the device, since each one can become an avenue of attack.

12 Manage the APs Out-of-band if possible – If possible use an out-of-band network or separate VLAN to handle the management of the Access Points. This further protects the management interfaces from attack.

13 SSID Construction – Do not use the name of the company, the address, or the phone number in the SSID. Stick to things that will not give away excess information about whose WLAN the SSID is from. “Room 212” is a reasonable SSID as it does not give away too much information; “Accounting Department” is not a good choice, as it tells anyone in range exactly what that network connects to. Avoid using the names of individuals, as this information is just an invitation to social engineering attempts. Security measures like not broadcasting the SSID are not foolproof; the SSID can still be obtained by an attacker, so keep the SSID something you do not mind them knowing.

14 Do not broadcast the SSID – While not a foolproof measure, it does cut down on the availability of information. It is a good idea to not broadcast your SSID information and simply configure your corporate clients with the correct information in their profile.

15 Logging & Monitoring – Most enterprise level networks already have a mechanism in place for both remote logging and monitoring of network devices. These may be the same tool, as with an SNMP manager, or they may be separate solutions for logging to a syslog server and monitoring health with an SNMP manager. Either way, having some sort of answer for both requirements is important for your WLAN. Real time monitoring of health can alert you to problems that are happening on the WLAN, but being able to refer to logs of past events is often needed to diagnose issues such as persistent authentication failures.
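The persistent authentication failures item 15 mentions are the kind of thing a few lines over the syslog archive can surface. The following is an added example, not from the SANS checklist: it parses constructed AP log lines (the “AUTH-FAIL”/“AUTH-OK” message format, the AP name and the station addresses are invented for the example and do not match any vendor's real syslog output) and flags any station that fails authentication a threshold number of times within a sliding time window, while ignoring stations that simply fail once in a while.

```python
"""Added example: find stations with persistent 802.1X authentication
failures in AP syslog output.  The log lines and their message format are
constructed for this example, not real vendor output."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt: station ...:01 fails five times in just over a
# minute; station ...:03 fails twice, twenty minutes apart.
SAMPLE_LOG = """\
2019-03-13T10:00:01 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:01 ssid="Room 212" reason=eap-failure
2019-03-13T10:00:09 ap-room212 wlan: AUTH-OK sta=aa:bb:cc:dd:ee:02 ssid="Room 212"
2019-03-13T10:00:15 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:01 ssid="Room 212" reason=eap-failure
2019-03-13T10:00:31 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:01 ssid="Room 212" reason=eap-failure
2019-03-13T10:00:44 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:03 ssid="Room 212" reason=eap-failure
2019-03-13T10:00:58 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:01 ssid="Room 212" reason=eap-failure
2019-03-13T10:01:10 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:01 ssid="Room 212" reason=eap-failure
2019-03-13T10:20:00 ap-room212 wlan: AUTH-FAIL sta=aa:bb:cc:dd:ee:03 ssid="Room 212" reason=eap-failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) wlan: (?P<event>AUTH-FAIL|AUTH-OK) "
    r"sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def parse_events(log):
    """Yield (timestamp, ap, event, station) for each line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ap"], m["event"], m["sta"]


def persistent_failures(log, threshold=5, window=timedelta(minutes=5)):
    """Return {station: peak_failures_in_window} for stations that reach
    `threshold` AUTH-FAIL events inside any `window`-long sliding window.

    Lines are assumed to be in time order, as they are in a syslog file."""
    recent = defaultdict(deque)   # station -> timestamps of recent failures
    flagged = {}
    for ts, _ap, event, sta in parse_events(log):
        if event != "AUTH-FAIL":
            continue
        failures = recent[sta]
        failures.append(ts)
        while failures and ts - failures[0] > window:   # drop events outside the window
            failures.popleft()
        if len(failures) >= threshold:
            flagged[sta] = max(flagged.get(sta, 0), len(failures))
    return flagged


if __name__ == "__main__":
    for sta, count in persistent_failures(SAMPLE_LOG).items():
        print(f"station {sta}: {count} authentication failures within 5 minutes")
```

A station that reaches the threshold is worth a look in the authentication server's own logs: a misconfigured supplicant after a password change looks the same here as a credential-guessing client, and only the RADIUS side can tell the two apart.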

16 Wireless IDS/IPS – Few Enterprise networks are without an IDS/IPS solution for security monitoring. In the same vein, almost any enterprise class WLAN deployment should have some form of Wireless IDS (WIDS) or IPS (WIPS) solution to ensure the safety of the RF environment. WIDS solutions normally come in two deployment modes:

1) The overlay network – dedicated WIDS sensors are deployed that are separate from the wireless LAN. These sensors send alerts back to a central manager for event de-duplication and alerting.

2) The Integrated solution – The integrated solution uses the APs themselves as sensors. This saves the cost of a separate sensor network deployment and generally uses the same management interface as the WLAN management application to monitor security.

Within these deployment options there is a whole range of variable features. These include IPS capabilities, policy based station/AP suppression, performance monitoring, and security monitoring. Each deployment mode has its own strengths and weaknesses, all of which need to be given careful consideration as part of the evaluation process to ensure the system you select most fully meets your needs.

17 Institute a session timeout – To help mitigate the risk of abandoned authenticated sessions being hijacked, be sure to set a reasonable session timeout.

18 Wireless client isolation – Unless there is a compelling business reason to allow wireless stations to communicate directly with one another, enable wireless client isolation.

19 RADIUS Server security – If your authentication infrastructure includes a RADIUS server, there are some security concerns to keep in mind:

• Use a strong RADIUS shared secret at least 16 characters long

• Do not use the same RADIUS shared secret for all devices on the network; either set the shared secrets per device or, at minimum, per group of devices.

• Ensure only the authentication type(s) being used are enabled on the RADIUS server to help mitigate Man-in-the-middle attacks.
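The first two RADIUS bullets are easy to check against the server's client list. The following is an added example, not from the SANS checklist: it reads a FreeRADIUS-style clients.conf (the file content, client names and addresses are constructed for the example; the `client name { ipaddr = ... secret = ... }` layout is FreeRADIUS's, and `testing123` is the secret its sample clients.conf ships with) and reports secrets that are shorter than the checklist's 16 characters, that are a shipped default, or that are reused across more than one client.

```python
"""Added example: audit RADIUS client shared secrets for length, shipped
defaults and reuse.  The clients.conf text below is constructed."""
import re
from collections import defaultdict

# Constructed clients.conf: one default secret, one short secret, and one
# secret shared by two access points.
SAMPLE_CLIENTS_CONF = """
client ap-room212 {
    ipaddr = 10.1.2.10
    secret = testing123
}
client ap-room214 {
    ipaddr = 10.1.2.11
    secret = Kq7!vR2-pL9@wX4e
}
client ap-room216 {
    ipaddr = 10.1.2.12
    secret = Kq7!vR2-pL9@wX4e
}
client ap-lobby {
    ipaddr = 10.1.2.13
    secret = short1
}
"""

CLIENT_RE = re.compile(r"client\s+(?P<name>\S+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MIN_SECRET_LEN = 16                # the checklist's minimum
KNOWN_DEFAULTS = {"testing123"}    # value in FreeRADIUS's sample clients.conf


def parse_clients(text):
    """Return {client_name: {attribute: value}} for each client block."""
    clients = {}
    for m in CLIENT_RE.finditer(text):
        attrs = {}
        for line in m["body"].splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip().strip('"')
        clients[m["name"]] = attrs
    return clients


def audit_secrets(text):
    """Return {client_name: [finding, ...]} for clients with weak secrets.

    Reuse is reported for every client sharing a secret; whether the sharing
    clients form a legitimate 'group of devices' is for the reviewer to decide."""
    clients = parse_clients(text)
    findings = defaultdict(list)
    by_secret = defaultdict(list)
    for name, attrs in clients.items():
        secret = attrs.get("secret", "")
        if not secret:
            findings[name].append("no shared secret configured")
            continue
        by_secret[secret].append(name)
        if secret in KNOWN_DEFAULTS:
            findings[name].append("well-known default shared secret")
        if len(secret) < MIN_SECRET_LEN:
            findings[name].append(f"shared secret shorter than {MIN_SECRET_LEN} characters")
    for names in by_secret.values():
        if len(names) > 1:
            for name in names:
                others = sorted(n for n in names if n != name)
                findings[name].append("shared secret reused by " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for client, problems in audit_secrets(SAMPLE_CLIENTS_CONF).items():
        for problem in problems:
            print(f"{client}: {problem}")
```

Length and reuse are checked independently: the two room APs share a secret that meets the length rule but still means a compromise of either AP exposes the other's RADIUS traffic.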

20 Perform regular security assessments of your WLAN – Perform regular audits of the configurations and security mechanisms of your WLAN. Keep up on developments in WLAN authentication and authorization schemes, and replace schemes that become broken.

Last Updated: March 13th, 2019
