Securing the Airwaves
Wireless analyzers and other tools safeguard Wi-Fi traffic.
The Colorado Department of Human Services (CDHS) embraced wireless LAN technology because it had to. "We'd have users who wanted to work on the lawn on a sunny day, and they'd set up their own access points," said Demetrius Stavropoulos, telecommunications professional with CDHS.
Rogue access points (APs) not only present a serious security risk, but also undermine HIPAA compliance, which requires agencies like CDHS to safeguard individuals' confidential health information.
To get a handle on rogue APs, Stavropoulos and his IT staff first tried the open-source NetStumbler. While NetStumbler detected available APs, it was far from enterprise-class. CDHS next turned to AirMagnet and its enterprise monitoring solution.
AirMagnet easily discovers rogue APs, but it also includes performance tools that map how signals propagate in various spaces, pinpointing sources of interference and spots where signals will degrade. For CDHS this meant that AirMagnet could guide the fundamental design of their new enterprise- class WLAN.
Today, with the new network up and running, AirMagnet continues to monitor for rogue APs and unapproved client devices, defends against more than 100 other types of threats, traces the sources of attacks and provides IT with forensics information on each attack.
CDHS can also view a physical map of the environment, locating the exact position of any threat or performance problem. "We have to be careful setting our security policies," Stavropoulos says. "We share our air space with other agencies. If an off-network AP is from the judicial building, for instance, we don't want to do a denial of service. Instead, we'll identify it as a legitimate neighbor, not a rogue."
Opt for 802.11n
802.11n is the wild card for agencies that have not yet deployed WLANs. The Institute of Electrical and Electronics Engineers (IEEE) still hasn't ratified the protocol, but draft five was passed in July and future changes should be minor. Nearly all pre-standard hardware shipping today will be upgradeable through drivers or firmware.
"If you're starting from scratch, there's no reason not to choose 802.11n equipment," says Craig Mathias, a principal at Farpoint Group, a wireless advisory firm in Ashland, Mass.
Not everyone is starting from scratch, though, and while 802.11n offers backward compatibility, it might be best to reorganize your network to use the legacy gear for, say, guest access, while employees enjoy the higher throughput of the 802.11n gear.
Separating access securely requires network monitoring, though. "Install a separate monitoring network and leave it running," Mathias recommends. While some WLAN controllers include monitoring features, it's important to remember that auditors often require the networking and monitoring to be from two different manufacturers.
Call on Wireless Controllers
ABI Research projects most 802.11n deployment to occur between 2009 and 2010 when sufficient numbers of users have notebooks with 802.11n capabilities.
If you lack the budget for separate monitoring, Mathias recommends choosing a wireless equipment manufacturer that provides advanced monitoring features within its control infrastructure.
The Wyoming Judicial Branch followed this deployment path. Because Wyoming has a small, dispersed population, judges and lawyers often travel from court to court, and they need computing resources at each stop. Wireless technology offers the easiest way to access those resources.
"We want wireless to be as secure or more secure than our wired network," says Sergio Gonzalez, network and systems manager. The Wyoming Judicial Branch deployed wireless gear from Meru Networks to achieve this goal.
Meru provides a number of security features, including authentication, monitoring for rogue APs and advanced encryption algorithms. Meru also enables administrators to apply policies based on user roles and locations.
An added benefit is that Meru mitigates many of the interference problems and channel conflicts associated with WLANs. Traditional WLANs tether clients tightly to the AP of first association, do a poor job of managing congestion, suffer from co-channel interference and lose throughput when legacy 802.11b clients are present.
Meru's "virtual cell" technology offers a more controlled way to handle how clients move into and around wireless cells. Each client sees only a single AP Media Access Control (MAC) address to connect to, and the Meru controller decides how clients associate with APs, when handoffs occur and the quality of service each client receives.
The Wyoming Judicial Branch also has more latitude in placing APs because the controller will handle interference problems. This doesn't provide the fine-grained optimization of radio frequency mapping, but it delivers enough service quality that spectrum analysis can be a lower priority for the Judicial's already overworked IT staff.
Treat Wireless as an Extension of the Wired Net
Agents of the South Carolina Department of Probation, Parole and Pardon Services spend a lot of time in the field. When they check on offenders, they use Wi-Fi- enabled tablet computers to collect information and consult records.
The department is creating a shared wireless environment based on Juniper Network's security equipment and wireless access points. Other agencies can use the network to provide complementary services to offenders. But control can be tricky.
"We can't let outsiders onto our network natively. The idea is to pass them through our security infrastructure, make sure the device posture is OK, and then let them share resources, but in a cordoned off, controlled way," says David O'Berry, director of information technology systems and services.
Connecting clients must have Juniper's Odyssey 802.1x supplicant on board, which will manage authentication, while Juniper's Unified Access Control NAC product will enforce policies, no matter where users are on the network, wired or wireless.
"UAC does a number of verification checks on client devices," O'Berry says. "A simple example is if you have antivirus turned off. UAC will move you to a specific VLAN, where we plan to offer remediation."
O'Berry offers this advice to other agencies grappling with wireless security: "First, you need to understand business drivers, and you then have to map your network all the way from the core to the clients. How is the network laid out? What capabilities do you have?"
He also recommends finding a way to have distributed visibility into network traffic. His agency relies on sFlow packet sampling technology for its mixed infrastructure.
"My final piece of advice is to rely on technologies that are standards-based," O'Berry notes. "Threats will change and business drivers will evolve, but with a standards-based infrastructure, you'll be able to adapt quickly."
