Securing corporate wireless networks is an increasingly complex task: the number of internet-borne threats keeps growing, and attackers keep finding new ways to reach networks and exfiltrate data. Managing these risks is difficult.
Corporate wireless security means securing many interrelated systems, hosts and devices. Almost every organization now runs wireless networks, and because radio signals do not stop at the building walls, wireless access points expose the network to anyone within range.
See Also: PCI DSS Rogue Wireless Access Point Protection
Attackers use techniques such as packet sniffing, rogue access points, theft of passwords and other network access information, targeted phishing and man-in-the-middle attacks. Any of these can lead to the compromise of sensitive data or to the disruption of the whole network.
In corporate environments, wireless networks (SSIDs) are broadcast to serve both employees and guests. This article lists the security rules that should be applied to the components of wireless network access from an information security perspective.
What Are the Components in the Wireless Network Environment?
Most institutions offer both wired and wireless access to staff who need to reach the corporate environment and the internet; guests usually get internet-only access over the wireless network. The client-side components of wireless communication are:
- Guest Clients: Devices that the institution does not manage and that are not joined to its domain. They generally belong to guests who need internet access from the campus and can be phones, tablets or laptops.
- Corporate Clients: Devices managed by the institution, usually through Active Directory, and used by its staff.
Clients reach the internal network or the internet through several components that are managed by corporate personnel. The most important are:
- Access Points (AP): Devices that broadcast the SSIDs that clients connect to.
- Wireless Controller: Devices to which the access points are connected and from which they are managed.
- Wireless Network Management Interface: The interface through which Wireless Controller devices are managed. Several Wireless Controllers can be managed from one interface, and each Wireless Controller can also have its own management interface.
- Captive Portal Interface: A web application that guest clients are redirected to; guests authenticate there before being granted internet access.
What Are Wireless Network Broadcasts, How Are They Classified?
SSID (Service Set Identifier) is the name that identifies a wireless network. An access point can advertise more than one SSID, and advertising the same SSID from many access points is what gives clients mobility: they roam between access points without reconnecting.
Thus, personnel who use an SSID in the agency's Chicago office can continue to use the same SSID when they visit the New York office.
The main points to consider for wireless SSIDs are:
- Unnecessary SSIDs should not be broadcast from access points.
- SSIDs that are opened temporarily for tests must be turned off when the test period ends.
- An SSID intended for a specific campus should be broadcast only from the access points of that campus. For example, an SSID opened for a project in the Houston office should not be reachable by staff or guests in the Philadelphia office.
- Hiding the corporate SSID (disabling its name in beacons) is often recommended, but it is not a real security control: the SSID is sent in clear text in probe and association frames regardless of the encryption in use, and clients configured for a hidden network probe for it by name wherever they go, which leaks the name. At most it keeps casual users from seeing the network; it must not be relied on.
- WEP and the original WPA (TKIP) must not be used. WPA2 (WPA2-PSK or WPA2-Enterprise) is the minimum, and WPA3 should be used where the clients and the infrastructure support it.
There may be one or several SSIDs through which staff reach the corporate environment; for example, senior management, IT personnel and other staff, or the New York, Los Angeles and Chicago offices, may each use a differently named SSID. The main points for corporate SSIDs are:
- WPA2-Enterprise (802.1X with EAP, authenticating against a RADIUS server) should be used for staff access to the corporate wireless network.
- Both the corporate computer (machine authentication) and the connecting user should be authenticated. The client must also validate the RADIUS server's certificate; otherwise a rogue access point with its own RADIUS server can harvest credentials.
Client devices used by staff to connect to the corporate SSID are generally managed centrally through the domain. The main points for client security are:
- Corporate computers should be configured so that they cannot be connected to the wired and wireless networks at the same time, which would bridge the two networks.
- The wireless settings of corporate computers should prohibit ad-hoc (peer-to-peer) mode so that they cannot communicate directly with other clients on the network.
- These settings should be enforced through Group Policy so that a local user cannot change them.
An SSID may also be broadcast for guests on the institution's campus, for reasons such as customer satisfaction or letting consultants work efficiently. Guest SSIDs may differ between offices or even between floors of the same office.
To join the guest network, the user must first be given the WPA2-PSK passphrase and must then go through an approval process on the Captive Portal.
The main points for the WPA2-PSK passphrase are:
- The passphrase must be complex: long and randomly generated (WPA2 allows 8 to 63 printable ASCII characters).
- It should be rotated periodically, and always after it is known to have leaked.
- It should be handed out only by institution personnel, through a reliable channel.
Note that a shared passphrase does not isolate guests from each other: anyone who knows it and captures another guest's association handshake can derive that guest's session keys, so client isolation should be enabled on the guest SSID.
The main points for the Captive Portal, which identifies the guest after the WPA2-PSK step, are:
- The Captive Portal login screen collects the guest's details, such as ID number, name, surname, room number, phone number and the e-mail address of the sponsoring employee.
- The sponsoring employee must approve the request before the guest is admitted. The sponsor should be notified of the request and asked to confirm it, by e-mail or by phone.
- Guest access should be time-limited, for example to a maximum of two weeks.
As an additional layer, the MAC addresses of the devices admitted to the guest network can be registered in the system and reviewed periodically. MAC addresses are transmitted in clear text over the air and can be read by anyone in range, so an attacker can clone a registered address and bypass the check.
MAC registration therefore only keeps out unsophisticated users; it is an inventory and hygiene control, not authentication.
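The workflow above (passphrase, portal registration, sponsor approval, time-limited access, MAC registration) and its weak point, as an added example: this is illustration code written for this article, not code from any captive portal product. The class and function names, the assumed policy cap of 14 days, and the sample guest record built in demo() are assumptions.

```python
"""Guest-access workflow for a captive portal: sponsor approval, a capped
validity period, and a MAC registration check, including a demonstration of
why the MAC check is bypassable.

Added example, not code from the original article. The workflow follows the
steps the article describes; class and function names and the sample records
built in demo() are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import secrets
import string

MAX_VALIDITY = timedelta(days=14)  # article: "a maximum of 2 weeks, for example"
PSK_ALPHABET = string.ascii_letters + string.digits + "-_.!@#%+="


def generate_guest_psk(length: int = 24) -> str:
    """Random WPA2-PSK passphrase; 802.11i allows 8..63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff; return colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class GuestRequest:
    guest_name: str
    sponsor_email: str                      # employee who must approve the request
    mac: str
    requested_days: int
    approved_at: Optional[datetime] = None  # set only by GuestRegistry.approve()


@dataclass
class GuestRegistry:
    requests: Dict[str, GuestRequest] = field(default_factory=dict)  # keyed by MAC

    def register(self, req: GuestRequest) -> str:
        """Captive-portal step: record the request. Nothing is granted yet."""
        req.mac = normalize_mac(req.mac)
        self.requests[req.mac] = req
        return req.mac

    def approve(self, mac: str, sponsor_email: str, now: datetime) -> None:
        """Sponsor confirmation step (the e-mail or phone confirmation in the article)."""
        req = self.requests[normalize_mac(mac)]
        if sponsor_email.lower() != req.sponsor_email.lower():
            raise PermissionError("only the named sponsor may approve this request")
        req.approved_at = now

    def expires_at(self, mac: str) -> Optional[datetime]:
        req = self.requests[normalize_mac(mac)]
        if req.approved_at is None:
            return None
        # The requested duration is honoured only up to the policy cap.
        return req.approved_at + min(timedelta(days=req.requested_days), MAX_VALIDITY)

    def is_allowed(self, mac: str, now: datetime) -> bool:
        """MAC registration check as a gateway would enforce it: approved and not expired.
        It only sees the MAC carried in the frame, so a cloned MAC passes as well."""
        try:
            key = normalize_mac(mac)
        except ValueError:
            return False
        req = self.requests.get(key)
        if req is None or req.approved_at is None:
            return False
        return now < self.expires_at(key)


def demo() -> dict:
    """Walk the flow with constructed data; returns the decisions for inspection."""
    t0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    reg = GuestRegistry()
    mac = reg.register(GuestRequest("Visiting Consultant", "sponsor@example.com",
                                    "AA-BB-CC-DD-EE-FF", requested_days=30))
    before = reg.is_allowed(mac, t0)                      # not yet approved
    reg.approve(mac, "sponsor@example.com", t0)
    day13 = reg.is_allowed(mac, t0 + timedelta(days=13))  # inside the two-week cap
    day14 = reg.is_allowed(mac, t0 + timedelta(days=14))  # 30 days requested, capped at 14
    # The caveat: an attacker who read the MAC over the air and cloned it is
    # indistinguishable from the registered device.
    cloned = reg.is_allowed("aabbccddeeff", t0 + timedelta(hours=1))
    return {"mac": mac, "before_approval": before, "day13": day13,
            "day14": day14, "cloned_mac_accepted": cloned, "psk": generate_guest_psk()}
```

The last decision in demo() is the point of the article's caveat: the registry has no way to tell the cloned MAC from the original, which is why the passphrase and the sponsor approval, not the MAC list, carry the access decision.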
How to Design a Wireless Network Topology?
When designing a wireless network topology, manufacturers' recommendations and industry best practices should both be taken into account. The main points for the topology are:
- The guest network should have no access to the corporate network; the necessary access rules should be configured both on the Wireless Controller devices and on the corporate firewall.
- Guest traffic to the internet should go through a network and devices separate from those of the corporate network.
- Internet access from the guest network should pass through the DMZ after the wireless gateway.
- Each SSID broadcast from the access points should map to its own VLAN, with the necessary access controls between VLANs.
- Precautions should be taken against techniques that circumvent the security controls on the guest network, such as tunneling traffic through DNS or ICMP.
The components used in wireless network management should be managed by the organization's network management personnel. The main points for wireless network management are:
- Access points and Wireless Controller devices should be managed centrally.
- The management of these components should use dedicated management interfaces on a separate management network (out-of-band where possible).
- All wireless management components should be administered over the wired network, through those management interfaces and with the necessary security measures, never over the air.
How should wireless network access be made?
Staff can connect their laptops and mobile devices to the business wireless network anywhere in the building. Without proper security measures, however, that same network is reachable by attackers who want to steal business data or customer information.
Following a few wireless security best practices keeps the systems and the business information safe.
The access paths that have to be secured in the wireless environment are:
- Access by the network management personnel to the wireless management components
- Access by guest clients to the Captive Portal
- Access between access points and Wireless Controller devices
- Access between Wireless Controller devices
- Access between Captive Portal devices
The main points for these access paths are:
Access to all wireless network management components should be possible only for the relevant device administrators, and only from the management network.
If protocols that carry traffic in clear text (Telnet, FTP, HTTP, LDAP, SNMPv1/v2c) are used in an environment where traffic can be intercepted (MITM), authentication and management operations can be observed or altered in transit. Clear-text traffic that is captured or stored by monitoring systems also exposes the credentials and operations it contains. For this reason, all access to wireless management components should use encrypted, authenticated protocols (SSH, SFTP, FTPS, HTTPS, LDAPS, SNMPv3, or a site-to-site VPN).
Encryption alone is not enough. If management interfaces are reached by IP address or present self-signed certificates, administrators get used to accepting certificate warnings. An attacker in a position to intercept the traffic can then present a certificate of their own, which the administrator, staff member or guest accepts in the same way, and read or modify the supposedly encrypted session.
For this reason, certificates issued by a certificate authority the clients already trust (the institution's internal CA or a public CA) should be used for all wireless management components, and the interfaces should be addressed by the DNS name on the certificate.
All encrypted traffic should use current algorithms and protocols: SHA-256 or SHA-512 for hashing, AES-128 or stronger for symmetric encryption, RSA 2048 or stronger (or ECDSA P-256) for keys, and TLS 1.2 as the minimum protocol version, with TLS 1.3 preferred. TLS 1.0 and 1.1 were deprecated by RFC 8996 and should be disabled.
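As an added illustration (not code from the original article or from any vendor), the following Python checks encode the recommendations above for the administrator side: refuse cleartext URLs and bare-IP addresses, enforce TLS 1.2 as the floor, and reject a self-signed certificate even though the session would be encrypted. The function names and the two certificate dictionaries are constructed for the example.

```python
"""Checks for an administrator's connection to a wireless management
interface: cleartext protocols rejected, bare-IP URLs flagged (the
certificate name cannot be matched against an IP unless the certificate
carries it), TLS 1.2 as the minimum, and self-signed server certificates
rejected even though the connection would be encrypted.

Added example, not code from the original article; the function names and
the certificate dictionaries constructed below are assumptions.
"""
import ipaddress
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

CLEARTEXT_SCHEMES = {"http", "telnet", "ftp", "ldap"}        # article: do not use
ENCRYPTED_SCHEMES = {"https", "ssh", "sftp", "ftps", "ldaps"}


def management_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context for HTTPS/LDAPS management access.
    TLS 1.0/1.1 are deprecated (RFC 8996), so 1.2 is the floor; trust is anchored
    in the institution's CA bundle (ca_file), not in whatever the device presents."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # the certificate name must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED  # never silently accept an unverifiable cert
    return ctx


def check_management_url(url: str) -> List[str]:
    """Policy violations for the URL an administrator is about to use (empty list = ok)."""
    u = urlparse(url)
    problems: List[str] = []
    if u.scheme in CLEARTEXT_SCHEMES:
        problems.append(f"cleartext protocol: {u.scheme}")
    elif u.scheme not in ENCRYPTED_SCHEMES:
        problems.append(f"unknown protocol: {u.scheme or '(none)'}")
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address; use the DNS name on the certificate")
    except ValueError:
        pass  # a DNS name, as it should be
    return problems


def _name(rdns: Tuple) -> Dict[str, str]:
    """Flatten the RDN tuples of ssl.SSLSocket.getpeercert() into {attribute: value}."""
    return {k: v for rdn in rdns for k, v in rdn}


def check_peer_cert(cert: dict, trusted_issuer_cn: str) -> List[str]:
    """Given the dict form returned by getpeercert(), flag self-signed certificates
    and certificates not issued by the institution's CA."""
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    problems: List[str] = []
    if subject == issuer:
        problems.append("self-signed certificate (issuer equals subject)")
    elif issuer.get("commonName") != trusted_issuer_cn:
        problems.append(f"issued by {issuer.get('commonName')!r}, not {trusted_issuer_cn!r}")
    return problems


# Constructed certificates in getpeercert() format, for illustration only.
SELF_SIGNED = {"subject": ((("commonName", "wlc01.corp.example"),),),
               "issuer": ((("commonName", "wlc01.corp.example"),),)}
CA_SIGNED = {"subject": ((("commonName", "wlc01.corp.example"),),),
             "issuer": ((("commonName", "Corp Internal CA"),), (("organizationName", "Corp"),))}
```

In practice the context returned by management_tls_context() would be passed to the HTTPS or LDAPS client library; the two dictionary checks are what you would run on getpeercert() after the handshake, in addition to the verification the context already performs.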
How Should Wireless Network Authentication and User Management Be?
The convenience of a corporate Wi-Fi network makes it an essential service for most organizations. Unfortunately, many small and medium businesses lack the resources and the skills to secure their networks properly.
That lack is a real problem, because an unsecured network leaves the business open to attackers after company or customer data, and small businesses are increasingly targeted.
The wireless LAN system must therefore support secure, authenticated management access. One way an attacker reaches the corporate network is by reconfiguring an access point through its management interface.
Wireless LAN systems should provide SNMPv3, SSH and HTTPS management interfaces and allow the insecure ones (SNMPv1/v2c, Telnet, HTTP) to be disabled. The system should also be configurable so that management is not possible over the air, and ideally so that only stations on a designated management VLAN can change WLAN settings.
Two authentication flows need to be considered for wireless network management and use:
- Access by the institution's network management personnel to the wireless management components
- Access by guest clients through the Captive Portal
The points to consider for these authentication processes are:
- Default credentials (passwords, SNMP community strings, cryptographic keys) on all wireless management components must be changed before the components go into service.
- Passwords for all wireless management components should be complex and rotated according to the corporate password policy.
- After a few failed login attempts on any management component, the source should be throttled or temporarily locked out and an alert raised; on web-based interfaces a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) can be added as well.
- Built-in generic accounts (admin, root, administrator, manager) should not be used for day-to-day work; each administrator should log in with a named, individual account.
- The credentials of the privileged built-in accounts should be kept in a central password vault and be retrievable only by specific individuals through a controlled process.
- Those privileged accounts should be used only in emergencies (break-glass). After the work is done, the password should be changed, the new one stored in the vault, and the emergency use reported.
- Only the relevant device administrators should be able to log on to each wireless management component.
- Administrator accounts should be authenticated through a central system (such as Microsoft Active Directory), typically via RADIUS or TACACS+, so that joiner and leaver processes apply to the network devices as well.
- A second factor (such as an OTP) should be required in addition to the user name and password for all wireless management components.
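The following Python is an added example, not code from the article or from any controller vendor, showing how the authentication rules above can be monitored once the management components' logs are centralized: repeated failures from one source, successful logins with generic accounts, cleartext management protocols, and sessions from outside the management VLAN. The log line format, the management network 10.10.0.0/24, the thresholds and the sample lines are constructed for the illustration; a real controller's syslog format differs and the regular expression would be adapted to it.

```python
"""Detection over management-plane authentication logs of the wireless
components: brute-force attempts, successful use of generic accounts,
logins over cleartext protocols, and management sessions originating
outside the management VLAN.

Added example, not code from the original article. The log format, the
management network 10.10.0.0/24, the thresholds and the sample lines are
constructed for this illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed management VLAN
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "manager"}
CLEARTEXT = {"telnet", "http"}
FAIL_THRESHOLD = 5                     # failures per source ...
FAIL_WINDOW = timedelta(minutes=5)     # ... within this window -> brute-force alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>ssh|https|telnet|http) login "
    r"(?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: five failures then a success with 'admin', a normal
# named-account login over HTTPS, and a telnet login from a client VLAN.
SAMPLE_LOG = """\
2024-05-06T08:00:01Z wlc01 ssh login failed user=admin src=10.10.0.50
2024-05-06T08:00:05Z wlc01 ssh login failed user=admin src=10.10.0.50
2024-05-06T08:00:09Z wlc01 ssh login failed user=admin src=10.10.0.50
2024-05-06T08:00:13Z wlc01 ssh login failed user=admin src=10.10.0.50
2024-05-06T08:00:17Z wlc01 ssh login failed user=admin src=10.10.0.50
2024-05-06T08:01:00Z wlc01 ssh login ok user=admin src=10.10.0.50
2024-05-06T08:02:00Z wlc01 https login ok user=j.doe src=10.10.0.51
2024-05-06T08:03:00Z ap12 telnet login ok user=admin src=192.168.50.23
2024-05-06T08:04:00Z wlc01 ssh login failed user=j.doe src=10.10.0.51
"""

Alert = Tuple[str, str, str]   # (kind, source address, detail)


def parse_line(line: str) -> Optional[dict]:
    """One log line to a dict, or None if it is not an authentication event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(lines) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, deque] = defaultdict(deque)   # per source: recent failure times
    already_flagged = set()                           # one brute-force alert per source
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        where = f"{ev['host']} via {ev['proto']}"
        if ev["proto"] in CLEARTEXT:
            alerts.append(("cleartext-management", src, where))
        if not any(ipaddress.ip_address(src) in net for net in MGMT_NETWORKS):
            alerts.append(("management-from-outside-mgmt-vlan", src, where))
        if ev["result"] == "ok" and ev["user"] in GENERIC_ACCOUNTS:
            alerts.append(("generic-account-login", src, f"{ev['user']} on {where}"))
        if ev["result"] == "failed":
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("brute-force", src, f"{len(q)} failures within {FAIL_WINDOW}"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Alert counts per kind, e.g. for a dashboard or a daily report."""
    counts: Dict[str, int] = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)
```

Run against the sample, the five failures trip the brute-force rule on the fifth line; the later successful admin login is reported separately, since a generic account logging in right after a burst of failures is exactly the sequence an administrator wants to see.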
What Are Wireless Network Security Controls?
Corporate wireless networks are an essential part of modern network architecture. They serve mobile devices and provide connectivity where wired connections are impractical or too expensive.
Because the organization has only partial physical control over the radio environment, additional measures are needed to control access. The 802.11 standards (802.11i, marketed as WPA2) define encryption and authentication mechanisms, but in an enterprise these controls have to be deployed in a scalable and manageable way.
The main points for security controls are:
- The security measures applied to the corporate wired network (802.1X, NAC, network access authorizations) should also be applied to the corporate wireless network.
- Attacks such as de-authentication (disconnection) floods, sniffing and IP or ARP spoofing should be countered with mechanisms such as DHCP snooping and Dynamic ARP Inspection on the switches and controllers behind the wireless network, Protected Management Frames (802.11w) on the SSIDs, and appropriately positioned firewalls, IPS and endpoint protection.
- The radio environment around the access points should be monitored; a broadcast with the same name as a corporate SSID (an evil twin) should raise an alarm and be investigated.
- A wireless IPS should be deployed, especially where wireless traffic must not be able to leave the institution's network, so that rogue access points and evil twins can be detected and contained.
The main points for wireless patch and vulnerability management are:
- The operating systems and web applications of all wireless management components should be updated regularly.
- Operating system and web application vulnerability scans of all wireless management components should be performed periodically.
- Discovery of wireless broadcasts (wardriving) within the institution and its immediate surroundings should be carried out periodically to find rogue or misconfigured access points.
- Penetration tests of the wireless networks should be performed periodically.
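To make the "same name, unknown access point" alarm and the periodic wardriving review concrete, here is an added example (illustration code, not from the article or from any wireless IPS product) that audits a survey against the inventory of authorized access points. The inventory, the scan records and the check names are constructed; a real run would feed it the output of a survey tool or a wireless IPS sensor converted to the same fields.

```python
"""Audit of a wireless survey against the inventory of authorized access
points: same-SSID broadcasts from unknown BSSIDs (evil twins), authorized
BSSIDs advertising weaker security than expected, unexpected SSIDs on
corporate hardware, open or WEP networks in range, and authorized access
points that were not seen at all.

Added example, not code from the original article. The inventory, the scan
records and the check names are constructed for illustration.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (kind, ssid, bssid)

# Assumed inventory: SSID -> authorized BSSIDs and the security they must advertise.
AUTHORIZED = {
    "CORP-WLAN":  {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}, "security": "WPA2-EAP"},
    "CORP-GUEST": {"bssids": {"00:11:22:aa:bb:11", "00:11:22:aa:bb:12"}, "security": "WPA2-PSK"},
}

# Constructed survey results (what a scan on the campus might return).
SCAN = [
    {"ssid": "CORP-WLAN",       "bssid": "00:11:22:AA:BB:01", "security": "WPA2-EAP", "channel": 36, "signal": -55},
    {"ssid": "",                "bssid": "00:11:22:aa:bb:02", "security": "WPA2-EAP", "channel": 44, "signal": -61},
    {"ssid": "CORP-WLAN",       "bssid": "de:ad:be:ef:00:01", "security": "WPA2-EAP", "channel": 6,  "signal": -42},
    {"ssid": "CORP-GUEST",      "bssid": "00:11:22:aa:bb:11", "security": "OPEN",     "channel": 1,  "signal": -58},
    {"ssid": "Printer-Setup",   "bssid": "aa:bb:cc:00:00:01", "security": "OPEN",     "channel": 11, "signal": -70},
    {"ssid": "Neighbor-Office", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2-PSK", "channel": 1,  "signal": -80},
]

WEAK = {"OPEN", "WEP"}


def audit_scan(scan: List[dict], authorized: Dict[str, dict]) -> List[Finding]:
    bssid_owner = {b: s for s, a in authorized.items() for b in a["bssids"]}
    findings: List[Finding] = []
    seen = set()
    for ap in scan:
        ssid, bssid, sec = ap["ssid"], ap["bssid"].lower(), ap["security"]
        if ssid in authorized:
            if bssid not in authorized[ssid]["bssids"]:
                # Article: a broadcast with the same name should raise an alarm.
                findings.append(("evil-twin", ssid, bssid))
                continue
            seen.add(bssid)
            if sec != authorized[ssid]["security"]:
                # Our BSSID, but weaker security than the inventory says: misconfiguration,
                # or a twin that also cloned the BSSID.
                findings.append(("security-mismatch", ssid, bssid))
        elif bssid in bssid_owner:
            seen.add(bssid)
            if ssid:   # an empty SSID is a hidden-SSID beacon from our own AP; any other name is unexpected
                findings.append(("unexpected-ssid-on-corporate-ap", ssid, bssid))
        elif sec in WEAK:
            # Not ours, but worth a line in the wardriving report.
            findings.append(("weak-network-in-range", ssid, bssid))
    for bssid, ssid in bssid_owner.items():
        if bssid not in seen:
            findings.append(("authorized-ap-not-seen", ssid, bssid))
    return findings
```

BSSIDs are as easy to clone as client MAC addresses, so an evil twin that copies an authorized BSSID as well as the SSID will not trip the first check; the security mismatch, a channel or signal level that does not match what the controller reports for that access point, or a wireless IPS sensor correlating with the controller are the remaining signals.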
Wireless networks must stay available for as long as the business expects them to be. The fundamental points regarding availability are:
- All wireless management components should be redundant.
- Wireless Controllers at nearby locations should be managed in the same cluster and within the same mobility domain, so that clients can roam between them and the failure of one controller does not drop them.
- The configuration of all wireless management components should be backed up periodically to an external location, and the integrity of the backups should be verified (for example with signed or hashed backup files).
Other fundamental points for the use and management of wireless networks are:
- Physical access to all wireless management components should be restricted and controlled.
- Users who can log on to wireless management components should be authorized according to their roles and responsibilities (least privilege).
- Records of operations on all wireless management components (administrator activity and network traffic logs) should be forwarded to a central logging system, and their integrity should be protected.
- If a device reported lost or stolen joins the network, an alarm should be raised and the device's access revoked.
- Access controls, user management and authorization on all wireless management components should be audited periodically.
CISA also publishes recommendations on securing wireless networks.