Enterprise Wireless Networks

Outline

Introduction

Basics of a Wireless Enterprise Network

Methods of Security Violation

Password violations for SSID devices

Identity Based User Access

Intrusion Detection Systems (IDS)

Rogue Detection

Security Event Management (SEM)

Device Physical Theft

Secure Management Access (SMA)

Employee/User Education

Conclusion

References

Introduction

The modern company, organization or other business enterprise is more likely to use wireless networking for its Local Area Network (LAN) systems or Wide LANs than the older, traditional enterprises. Technological advances in the IT sector in general and the computer networking area in particular are such that it is much more efficient and easier to install wireless networks than wired ones. Thus, the future of networking in the corporate sector is wireless (Ulrich, 2012). Today, most large institutions in developed nations, including universities, colleges, hospitals, research facilities, and other large public and private entities, have a hotspot-configured information sharing system for their users. With such a configuration, it becomes easier for employees, students or workers to access information and share it without physical confinement, which helps boost their productivity and efficiency.

Besides this, physical space today is becoming very limited in most large metropolises, forcing universities, for instance, to offer online classes to students located outside the confines of the physical institution (Aerohive Networks, Inc., 2011). Wireless networking is therefore a vital component of the modern information world, and will soon become an integral part of basic life (Ulrich, 2012). Wireless networks are, however, prone to multiple security risks, as no physical contact is needed between an intruder and the physical infrastructure for a violation to occur (Chapple, 2012). Thus, securing wireless networks, especially larger ones where numerous users are expected and where authentication may be much more complicated than in small networks, is a key component of modern networking. This paper will explore the essentials of securing a modern wireless enterprise network.

Basics of a Wireless Enterprise Network

In order to understand what can go wrong and how security violations can happen, it is essential to provide a basic infrastructural layout of a large wireless network showing the various key elements and their functional importance (Aerohive Networks, Inc., 2011). Only then can the various attack procedures that can be instituted on each network component or layer be explored. Different network designs exist depending on the particular application, the component manufacturer, and functional priorities. However, the basic components of a wireless network remain the same. These include routers, switches, access points, controllers, and servers (Aerohive Networks, Inc., 2011).

The components can be arranged in various layers depending on the designer. The diagram below is a Huawei concept of a wide LAN infrastructure dedicated to energy management. The network is a model for use in a campus setting, but its components and bandwidth demands may be comparable to those of a large enterprise with multiple device types simultaneously coupled to the network resources. The network features an internet edge, a data center, various egress routers, a firewall, network controllers and the end user devices across the access layer. Such end user devices include smartphones, PDAs, tablets, laptops, printers and other wirelessly configured devices.

(Huawei Technologies Co., 2011)

The devices are arranged in a multi-layer platform that includes the access layer, the aggregation layer, and the core layer. The access layer is the most vulnerable point of security violation for the network, as most basic attacks are carried out on this layer by devices that attempt to access the network using the available channels while avoiding detection, either by bypassing security procedures or by compromising them altogether. The aggregation layer is mainly composed of network controllers, which link the various access points and administer authentication and security routines to prevent intrusion of the network by unauthorized users (Chapple, 2012).

The egress router connects the network with the internet. This device is key, as it carries all the traffic passing between the LAN and the internet. All internet-originated security attacks are instituted through the egress router. Thus, a firewall, or multiple firewalls, are installed at the point of network exit or entry, which is the point of connection to the external environment. A wide area network may connect this enterprise with others under the same umbrella. The network may typically employ many access points depending on traffic volume and signal strength (Huawei Technologies Co., 2011). The core layer may incorporate the administrative and security management elements, as well as a switching center for ultra-wide networks. It may also contain the data center, where multiple access regulations are to be set before the different classes of users can be allowed access to internal data.

Methods of Security Violation

Password violations for SSID devices

Most access points in enterprise networks broadcast their identities by default. Their original passwords are also set as default, so that most hackers with basic knowledge of their generic properties may access them. The easy yet efficient procedure for handling this is to ensure that these systems' default settings are changed before installation. Such broadcast names as Linksys are common and suggest to intruders the ease of violation. In addition, settings regarding whether a network's access points should publicly broadcast availability should be considered, and public broadcast enabled only where necessary. If a limited number of users access the network, the broadcast should be unchecked once all authorized users have been paired with the system (Huawei Technologies Co., 2011).

The other important factor is the form of password and data encryption used to limit intruder access. Routers and access points are weakly secured by default. This is the most usual channel of violation, as most hackers are familiar with the system elements in their default state (Aerohive Networks, Inc., 2011). Thus, any new network element that has security settings should be secured using the most secure procedures available. For modern networks, designers should use either an IEEE 802 (or WPA) encryption or, better, the WPA 2 procedure. More recent security schemes have developed using the AES authentication procedure and the TKIP method for data encryption. For networks adopting fast roaming, the AES procedure is not applicable as it does not support fast roaming (Ulrich, 2012).

The other important violation point is the network firewall. An improperly configured firewall, or a weak one, may fail to filter out insecure, unnecessary or unwarranted information from entering the network (Aerohive Networks, Inc., 2011). The most common point of incidence is the internet. A firewall should be strong enough, and so configured, as to segment the type of information entering the network, control traffic, and enable incident reporting. A good firewall should be programmable to work with the most recent security protocols, and installable at all points of network exit. Once the network passwords are secure, the next important factor is ensuring that only the intended users log on to the network.

Identity Based User Access

This system involves giving access only to a pre-determined user. This is usually achieved through the use of user accounts. The user is presented with a username, and typically uses a rated password to access the network (Aerohive Networks, Inc., 2011). The most common type of violation using this avenue is when users leave their terminals online and intruders use the terminals to access the network. Another method is the use of an ad hoc computer-to-computer procedure, where the authorized user connects with a third party ad hoc, and the third party uses the ad hoc connection to attack the network. The most efficient method of dealing with security violations through identity based user access is putting limitations on the level of allowable user password strengths, as well as the formulation of a strong information access policy that will safeguard the enterprise's data access (Aerohive Networks, Inc., 2011). Normally, such policies include stringent actions taken against users who either recklessly allow third party network access using their credentials, or fail to use the laid out security routines, or openly collaborate with third parties who then access enterprise information or compromise the systems (Ulrich, 2012).

Intrusion Detection Systems (IDS)

These are systems designed to detect whenever an unauthorized third party accesses the system. In wired networks, this is usually a technician who walks within the network and picks out any foreign switch or device installed within the network (Aerohive Networks, Inc., 2011). In a wireless network, the detection system is usually just software that analyses the flow of data within the system to pick out an anomaly in terms of authentic data volumes passing through various nodes, or that filters the packet data to pick out addresses not within the authenticated DNS register. In most networks, administrators may also have a pre-set table of allowable addresses, including servers and internet gateways, against which any information passing through the network is compared. Intelligent scanners can also compare exiting data volumes against data volumes of all incorporated network elements, where any excesses may suggest a tertiary traffic source (Airtight Networks, 2006).

Rogue Detection

Rogues in the network include malicious terminals, Denial of Service users, and other intruders whose intent is malicious (Chapple, 2012). A typical wired network detection system works by looking at choke points in the application layer, such as between subnets, servers or at internet gateways. By contrast, a wireless Intrusion Detection System (IDS) works by observing the wireless messages traversing it from users within range, such as between access points and end users, even when the users are not connected to the enterprise network, thereby possibly picking out any rogue APs (Chapple, 2012). A rogue is any user whose profile is out of compliance with the network's security protocols, whether internal or external (Aerohive Networks, Inc., 2011). Ad hoc clients are also high vulnerability users and are usually profiled as rogue APs. Denial of Service (DoS) episodes involve choking the network at a particular AP or APs, whose vulnerability may present a window for network access by attackers (Airtight Networks, 2006). Good systems have a quick way of isolating an AP under DoS attack and mitigating the attack before reconnecting the AP.
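The allow-list comparison and rogue profiling described in the two sections above can be sketched as follows. This is an added Python example, not code from the paper or from any vendor product; the inventory, the SSID names, the finding labels and the `Observation` fields are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned APs: lower-case BSSID -> expected SSID.
AUTHORIZED_APS = {"00:11:22:33:44:01": "CorpWLAN", "00:11:22:33:44:02": "CorpWLAN"}
# Vendor-default names that suggest an unconfigured device (the text cites "Linksys").
DEFAULT_SSIDS = {"linksys"}

@dataclass(frozen=True)
class Observation:
    bssid: str   # transmitter address reported by the wireless sensor
    ssid: str    # advertised network name
    adhoc: bool  # True when the beacon advertises an ad hoc network

def classify(obs, inventory=AUTHORIZED_APS):
    """Return the findings for one observed beacon; an empty list means compliant."""
    findings = []
    bssid = obs.bssid.lower()
    corp_ssids = {s.lower() for s in inventory.values()}
    if obs.adhoc:
        findings.append("adhoc-network")
    if bssid not in inventory:
        # Unknown transmitter; more serious when it advertises a corporate name.
        if obs.ssid.lower() in corp_ssids:
            findings.append("unauthorized-ap-using-corporate-ssid")
        else:
            findings.append("unknown-ap")
    elif inventory[bssid] != obs.ssid:
        findings.append("authorized-ap-ssid-mismatch")
    if obs.ssid.lower() in DEFAULT_SSIDS:
        findings.append("vendor-default-ssid")
    return findings

def scan_report(observations, inventory=AUTHORIZED_APS):
    """Map each non-compliant BSSID to its list of findings."""
    report = {}
    for obs in observations:
        findings = classify(obs, inventory)
        if findings:
            report[obs.bssid.lower()] = findings
    return report

# Constructed sample survey, not captured traffic.
SAMPLE = [
    Observation("00:11:22:33:44:01", "CorpWLAN", False),
    Observation("00:11:22:33:44:02", "linksys", False),
    Observation("02:AA:BB:CC:DD:10", "CorpWLAN", False),
    Observation("02:AA:BB:CC:DD:11", "printer-share", True),
]

if __name__ == "__main__":
    for bssid, findings in scan_report(SAMPLE).items():
        print(bssid, ", ".join(findings))
```
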

Security Event Management (SEM)

This is a system of automatic logging of all incidents crossing the security threshold. A good network should incorporate an SEM which monitors network usage intelligently to pick out potential attack areas (Aerohive Networks, Inc., 2011). Such logs should include user data such as usernames and passwords, client behavior such as associations and association times, data traffic, rogue APs and clients among others, and firewall logs. Usually, it is possible to associate rogue APs with firewall intrusion data signatures, which helps administrators to proactively manage malicious APs and clients (Ulrich, 2012).

Device Physical Theft

This may seem less of a network security issue, but its consequence is just as grave as an online intrusion. A stolen server, whether the data contained therein is accessible or not, may present as much of a problem to the enterprise network as a hacked server. In addition, access points in the modern world have configurations that enable them to store network passwords, which, if accessed, may be used to compromise a wired or wireless network. To ensure safety, APs should be installed in secure places such as inside ceilings, or in areas with security coverage. It is important to note that device theft can constitute a Denial of Service (DoS) event. In addition, portable devices such as laptops and tablets used outside the physical confines of the network area should be protected using a firewall or a Virtual Private Network (VPN). To ensure that any loss or compromise of the devices does not largely affect the enterprise network, segmentation and tunneling of user traffic should be done to isolate non-vital information from vital information (Aerohive Networks, Inc., 2011). Virtual Private Networks are a widespread security installation for remote network users.

Secure Management Access (SMA)

This procedure ensures that any network management is secure and authenticated. This avenue is usually the first thing a hacker will use to compromise a wireless network (Aerohive Networks, Inc., 2011). Once they attain administrative rights, a hacker can reconfigure a network so as to deny the authenticated users any further access to it. WLANs should have SNMPv3 or better security for management purposes (Airtight Networks, 2006).

Employee/User Education

Regardless of the complexity and level of security of a network's software and physical infrastructure, users are the most important part of a network's security. User education on acceptable network usage should be done periodically to ensure all users are conversant with current network security violation techniques, and understand the importance of the role every individual plays in ensuring the integrity of the network is not compromised (Aerohive Networks, Inc., 2011). In most cases, acceptable usage is included in the human resource information policy, and users are required to sign the document, binding themselves against security violations arising due to their commission or omission of policy strategies (Ulrich, 2012).

Conclusion

Wireless networks are getting more popular in the modern networking platform. With the increase in the number of wireless enterprise networks, as well as the number of users and the volume of traffic in each, the instances of security violations, as well as the complexity of attacker strategies, have also increased manyfold. However, the modern security techniques developed by modern IT firms are sufficient to detect and deter most attack strategies if applied properly and in a timely manner. Securing a wireless network has to do with securing the authentication of users, encrypting all data, securing all physical network components, classifying information and segmenting access privileges, and, most importantly, empowering the most important security component: the users.

References

Aerohive Networks, Inc. (2011). Building Secure Wireless LAN. Available at http://www.aerohive.com/pdfs/Aerohive-Whitepaper-Building_Secure_Wireless_LANs.pdf

Airtight Networks (2006). Best Practices for Securing Your Enterprise Wireless Network. Available at http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/Best_Practices_for_Securing_Your_Enterprise_Wireless_LAN.pdf

Chapple, M. (2012). How to Build a Secure Wireless Network. Biztech. Available at http://www.biztechmagazine.com/article/2012/05/how-build-secure-wireless-network

Huawei Technologies Co. (2011). High-Density 10GE Infrastructure Network Solution. Available at http://www.huawei.com/minisite/gigabit_en/green.html

Ulrich, T. (2012). Wireless Network Design and Wireless Security. Making Mobility, Easy. Available at http://www.securedgenetworks.com/secure-edge-networks-blog/bid/84448/7-Guidelines-for-Wireless-Network-Design