After answering the preceding fundamental questions, the network designer can move on to build the general security baseline. The following sections discuss general security recommendations for the security baseline. All of the following areas are related, and a requirement in one area drives requirements and network design decisions in other areas. For example, assume that a particular application drives the WLAN deployment and that this application has a low tolerance for packet loss to the application server and requires that the client device not change IP addresses during an application session. The application must also cover a large area, which requires multiple APs for sufficient coverage. This requirement drives the need for fast roaming among APs and can preclude one security solution or another. How the security solutions align with the previous fundamentals will determine how the network designer implements the security mechanisms for the WLAN.
The following sections discuss recommendations for the general security requirements for all WLAN designs.
The network designer should consider the following recommendations when securing the APs in the WLAN:
- Use central user authentication and authorization for the administration of the APs. By centralizing these functions, the network designer reduces the overhead of administering user authentication and gains scalability and high availability of authentication and authorization services.
- Use encrypted management protocols whenever possible. For instance, use SSH as a replacement for Telnet to gain command-line access to the AP.
- If encrypted management protocols cannot be used, apply the best practices defined for other infrastructure security devices to the unencrypted management protocols. For instance, if SNMPv1 is the only SNMP version supported, generate the community strings randomly, change them often, and, where possible, allow only read-only access to the AP via SNMPv1. Also, use access control lists (ACLs) to secure the unencrypted management protocols by limiting the IP addresses that can send packets to the AP. Best practices for these unencrypted protocols are available on the Cisco website.
- Remove all unnecessary services on the AP to limit the avenues of exploitation of the device.
- Limit management connectivity so that only the WLAN management platform can connect to the AP. This can be accomplished in a variety of ways. For instance, if it is feasible in the network architecture, the management interface of the AP can be isolated to a particular VLAN in the network. ACLs can then be applied to the VLAN interface on the APs' default gateway to limit access to the APs to just the WLAN management server.
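As an added example, not configuration from the book or from Cisco documentation, the following fragment for an autonomous Cisco IOS access point puts the AP recommendations above together: RADIUS-backed login and exec authorization with a local fallback account, SSHv2 in place of Telnet, an SNMPv1/v2c community that is read-only and bound to an ACL, unneeded services disabled, and management sessions restricted to one management station. The RADIUS server 192.0.2.10, the management station 192.0.2.20, the domain name, and the angle-bracketed secrets are placeholders; the exact command set varies by IOS release, so check the platform's command reference before applying it.

```cisco
! Placeholder AP management-plane hardening (assumed autonomous Cisco IOS AP)
hostname AP-EXAMPLE
ip domain-name example.com
!
! Centralized AAA: administrative logins and exec authorization go to RADIUS,
! with the local database only as a fallback if the RADIUS server is unreachable
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <placeholder-shared-secret>
username admin privilege 15 secret <placeholder-fallback-password>
!
! Encrypted management: RSA key for SSH, SSHv2 only, short retry budget
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the WLAN management station may reach the management plane (placeholder address)
access-list 10 permit host 192.0.2.20
access-list 10 deny   any log
!
! VTY lines accept SSH only, and only from hosts matched by ACL 10
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! Unencrypted SNMP limited to a read-only community tied to the same ACL;
! no read-write community is defined at all
snmp-server community <placeholder-random-community> RO 10
!
! Remove services the AP does not need for its role
no ip http server
no service finger
no service tcp-small-servers
no service udp-small-servers
```

The read-only community string is still sent in cleartext by SNMPv1/v2c, so the ACL on the community and on the VTY lines is what actually limits exposure here; where the AP supports SNMPv3 with authentication and privacy, that replaces the community-string configuration entirely.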
The network designer should also make sure that the client has sufficient endpoint security controls because the risk of a mobile device, such as a laptop, being used in an attack or carrying a worm is generally quite high. These controls include the following:
- Disable ad-hoc networking mode on all devices to prevent attackers from exploiting this capability. Operating system policy enforcement and compliance tools on the client device are one way to help ensure that an attacker does not enable this mode.
- Implement host security measures such as antivirus programs and Cisco Security Agent (host intrusion prevention) to protect the device against worms and viruses that can propagate through a public or private WLAN. Host intrusion-prevention products such as CSA include personal firewall functionality that limits the capability of other WLAN clients to connect to the WLAN client that CSA is protecting.
These recommendations refer to Catalyst switch features that are helpful in securing the wired side of the WLAN from common threats. This, in turn, improves the overall security posture of the corporation's network when the WLAN is added. Apply these features on the ports that service the WLAN APs:
- Depending on the capabilities of the Catalyst switch, implement RFC 2827 filtering on the access layer or distribution layer switches to prevent spoofed IP addresses from being used on the WLAN. For instance, the 3750 is an L2/L3 switch that can implement this filtering at Layer 3 with standard router ACLs or at Layer 2 with VLAN ACLs (VACLs).
Describing the details of these wired LAN security features is outside the scope of this book. Descriptions and configuration examples of these features can be found in the product documentation section of the Cisco website at www.cisco.com.
- Implement Catalyst Layer 2 security features where applicable. These Layer 2 security features include the following:
  - DHCP snooping to protect against rogue DHCP servers or DHCP starvation attacks
  - Dynamic Address Resolution Protocol (ARP) inspection to protect against ARP poisoning attacks
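The following Catalyst 3750 fragment is an added example, not configuration from the book, showing the wired-side features discussed in this section on the ports that serve the APs: DHCP snooping and dynamic ARP inspection on the WLAN VLAN, RFC 2827 anti-spoofing as a Layer 3 router ACL on the WLAN SVI, and the gateway-side ACL from the AP management recommendation that lets only the WLAN management server reach the APs' management VLAN. VLAN numbers, subnets, interface ranges, the management server 192.0.2.20 and the RADIUS server 192.0.2.10 are all placeholders for a stack with 24 FastEthernet access ports and a GigabitEthernet uplink.

```cisco
! Placeholder Catalyst 3750 configuration for the access layer serving the WLAN APs
!
! DHCP snooping on the WLAN client VLAN: the switch builds a binding table and
! drops DHCP server replies arriving on untrusted (AP-facing) ports
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option
!
! Dynamic ARP inspection validates ARP on VLAN 100 against the snooping bindings
! and additionally checks MAC/IP consistency inside each ARP packet
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward distribution and the real DHCP server is the only trusted port
interface GigabitEthernet1/0/1
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! AP-facing ports stay untrusted; rate limits blunt DHCP starvation and ARP floods
interface range FastEthernet1/0/1 - 24
 description WLAN AP ports
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! RFC 2827 filtering at Layer 3: traffic entering the WLAN SVI must be sourced
! from the WLAN subnet. DHCP discovers from clients that have no address yet
! carry source 0.0.0.0, so they are permitted explicitly before the deny.
ip access-list extended WLAN-ANTISPOOF
 permit udp host 0.0.0.0 eq bootpc any eq bootps
 permit ip 10.100.0.0 0.0.255.255 any
 deny   ip any any log
!
interface Vlan100
 ip address 10.100.0.1 255.255.0.0
 ip access-group WLAN-ANTISPOOF in
!
! Management VLAN 200 holds the APs' management addresses. The outbound ACL on
! the gateway SVI allows only the WLAN management server (and the RADIUS server
! the APs authenticate admins against) to send packets toward the APs.
ip access-list extended AP-MGMT-ONLY
 permit ip host 192.0.2.20 10.200.0.0 0.0.0.255
 permit ip host 192.0.2.10 10.200.0.0 0.0.0.255
 deny   ip any 10.200.0.0 0.0.0.255 log
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
 ip access-group AP-MGMT-ONLY out
```

Two points a practitioner should check before deploying something like this: any other server the APs legitimately talk to (syslog, NTP, a controller) needs its own permit line in AP-MGMT-ONLY, and the `log` keyword on the deny entries is what gives the security operations team visibility into spoofing attempts and unauthorized management access, so the switch's logging destination should be configured as well.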
In the following sections, you might notice that there are no mitigation techniques for some of the DoS threats identified in Chapter 6, "Wireless Vulnerabilities." Currently, there are no open and interoperable solutions to these threats. It is an inherent risk of the WLAN that you might be subject to a DoS attack: when using unlicensed frequencies, a given service level agreement (SLA) or quality of service (QoS) level cannot be guaranteed. However, the inherent risk of the WLAN is offset by the productivity gains that the WLAN makes possible, so the risk is acceptable.