For many enterprise users, there exists a large amount of legacy WLAN equipment that does not have the capability to utilize one of the previous methods of design to secure WLANs. In this case, the network designer needs to do a detailed threat analysis of the legacy WLAN environment and secure these networks with supplementary technology to the WLAN device, such as firewalls and network intrusion detection.
The primary legacy technologies to integrate are WPA-upgradeable, WEP-only, and what is termed "pre-WEP" 802.11 devices. The WEP-only devices are WEP capable, but they cannot be upgraded to either WPA or 802.11i. As previously noted, WEP can be used as a deterrent against a low class of attacker. However, against a medium or higher grade of attacker, a designer must assume that WEP offers no security whatsoever. Additionally, there are devices that can support WEP with TKIP, which will defeat a low- and mid-level attacker but does not provide assurance against a patient high-level attacker. Finally, devices exist that cannot support WEP at all but can still interoperate with 802.11 radios. In this instance, even a low-grade attacker can gain access to the WLAN. Network designers must make a business risk decision on what applications are acceptable to run in this environment. The following section attempts to assist the network designer in this decision.
In many instances, legacy devices might be based on Frequency Hopping Spread Spectrum (FHSS) WLAN technology operating in the 2.4-GHz range. Sometimes these types of deployments are recommended to customers for apparent security reasons: obtaining these radios and putting them into a promiscuous mode is harder than with standards-based 802.11 equipment. However, it is not impossible, and it should not be relied on for any degree of security. Designers who rely on this fact are relying on "security through obscurity," which is not a recommended practice and should never be relied on to adequately secure a WLAN. In many instances, these radios do not have an inherent security scheme comparable to WPA and 802.11i. If an FHSS scheme is selected for RF engineering reasons, it is recommended that the designer investigate using a VPN overlay solution as outlined in the "VPN Overlays" section earlier in this chapter. Alternatively, a designer can look to the vendor to provide a vendor-specific solution.
There are three options for integrating WLANs that have different security schemes. The first option is to dedicate differing WLANs to the differing security domains. For instance, legacy pre-WEP or WEP 802.11b clients would use a dedicated 802.11b WLAN infrastructure, whereas the rest of the corporation would use WPA/802.11i security on a separate 802.11b or 802.11a infrastructure to gain access to the corporation. However, this is not widely done due to the engineering cost in mapping out overlapping WLAN environments with similar 802.11 media, in addition to the high cost of operations for maintaining separate networks.
The second way to integrate legacy clients that support 802.11 WEP is to use WPA's migration mode. WPA migration mode was designed specifically to migrate WEP clients to WPA without having to change the networking infrastructure significantly. However, WPA migration mode still keeps the lowest common denominator as the security measurement for the entire WLAN, namely WEP, so if any WEP is enabled on the WLAN, a mid-level attacker could access the WLAN. For this reason, the Cisco solution for integrating legacy clients is the third option.
The third option utilizes the VLAN capability of the AP to assign clients to the appropriate VLAN, where you can apply the appropriate security technologies for the clients. In this fashion, you can have a VLAN with no WEP and apply additional security checks, such as network IDS and firewalling, to secure the applications on that VLAN. On the same AP, you can have a VLAN that utilizes 802.1x/EAP and TKIP to secure the WLAN. Figure 10-4 depicts the network topology and security mechanisms to accommodate these mixed security schemes.
In Figure 10-4, the devices in the upper-right portion of the drawing represent the newer devices. These newer devices use the WPA/802.11i security framework to gain the security benefits outlined in the "Embedded Security Solutions" section earlier in this chapter. The legacy pre-WEP/WEP devices are depicted in the lower-right portion of the figure. The access point uses two SSIDs: the legacy clients connect to SSID10, which is mapped to VLAN 10 on the Ethernet side of the AP, and the newer clients connect to SSID20, which is mapped to VLAN 20 on the Ethernet side of the AP. The trunk from the AP is connected to an Ethernet switch. VLAN 20 is connected directly to the internal network in a manner similar to the embedded security design shown previously in this chapter. VLAN 10 is connected to additional security devices that inspect the traffic for proper behavior and authorization.
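The following configuration sketch is added here as an example of how the two-SSID design in Figure 10-4 maps onto an Aironet IOS access point; it is not taken from the book or from Cisco's own documentation. SSID10 is mapped to VLAN 10 with no encryption for the legacy clients, SSID20 is mapped to VLAN 20 with 802.1x/EAP and TKIP, and both VLANs are tagged on the 802.1Q trunk toward the switch. The RADIUS server address 192.0.2.10, the AP address 192.0.2.50 on management VLAN 1, the shared-secret placeholder, and the method-list and server-group names are assumptions.

```cisco
! Added example (not from the book): Aironet IOS AP with two SSIDs mapped to VLANs.
! Addresses, VLAN 1 as the management VLAN, and list names are assumptions.
aaa new-model
aaa group server radius RAD-SERVERS
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login EAP-METHODS group RAD-SERVERS
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
!
! Legacy SSID: open authentication, no WEP. VLAN 10 is treated as untrusted downstream.
dot11 ssid SSID10
   vlan 10
   authentication open
!
! Corporate SSID: 802.1x/EAP with WPA key management. The cipher is bound to VLAN 20 below.
dot11 ssid SSID20
   vlan 20
   authentication open eap EAP-METHODS
   authentication network-eap EAP-METHODS
   authentication key-management wpa
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 ! TKIP applies only to VLAN 20; VLAN 10 deliberately keeps no encryption.
 encryption vlan 20 mode ciphers tkip
 broadcast-key vlan 20 change 300
 ssid SSID10
 ssid SSID20
!
! Radio subinterfaces: one per VLAN, bridged to the matching Ethernet subinterface.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
! 802.1Q trunk toward the Ethernet switch: VLANs 10 and 20 tagged, VLAN 1 native.
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
! Management VLAN (native) carries the AP's own IP address. No SSID is mapped to it,
! so wireless clients on either SSID have no Layer 2 path to the AP's BVI.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address 192.0.2.50 255.255.255.0
```

The key design point is that the encryption setting is per VLAN, not per radio: the `encryption vlan 20 mode ciphers tkip` line protects only the corporate SSID, while VLAN 10 carries the legacy clients in the clear and therefore has to be contained by the firewall and IDS sitting behind the switch, as the text describes.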
Multiple layers of security techniques should be considered to secure the pre-WEP/WEP WLAN and application servers. For instance, multiple layers of filtering are used in securing the WLAN. This filtering can include any of the following techniques:
A network designer might want to consider using MAC authentication and MAC filtering with the pre-WEP/WEP devices. Although MAC authentication and filtering can be bypassed with spoofing by an attacker, it still should be considered for the same reasons that WEP should be utilized when there is no other alternative. MAC authentication and filtering mitigate an attack from a low-level attacker. The network designer should note that administering MAC addresses in a large environment might not be worth the effort given the limited benefit. This is a business risk decision that the network designer must make.
Security features should be enabled on the network infrastructure to detect and protect against certain types of attack. For instance, dynamic ARP inspection can assist in detecting and preventing ARP attacks against the default gateway of the pre-WEP/WEP WLAN, and DHCP snooping can detect some attacks against the DHCP server that serves the WLAN.
The firewall is configured to allow the pre-WEP/WEP-only clients to connect to the application servers needed for the WLAN clients to perform their designated functions. In addition, the firewall might perform application layer inspection to allow only proper application commands to pass through the firewall. Also, the firewall as depicted in Figure 10-4 can filter the conversations that the application servers can initiate into the enterprise network, so that if the application server is compromised, there is still another layer of filtering behind it to protect the enterprise network.
A network intrusion-detection device can inspect all traffic destined to and through the firewall and alert on traffic that matches attack signatures. This alerts the network administrator to potential threats on the pre-WEP/WEP WLAN.
You can also use Layer 3 and Layer 4 filtering on the access point or the Layer 2 switch to limit what application ports the WLAN can communicate with. The network designer might want to filter these devices if any of the other filtering devices are not available to the WLAN infrastructure.
It is highly recommended that host intrusion-prevention software, such as the Cisco Security Agent (CSA), be utilized to protect the servers (application, DNS, and DHCP) that are required to serve the legacy WLAN. The primary purpose of the host security software is to attempt to keep the servers from being exploited and used as stepping stones to gain access to the enterprise network. This is the final layer of defense against exploitation that could derive its source from the pre-WEP/WEP WLAN.
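The following configuration sketch is added as an example of three of the filtering layers listed above (MAC authentication on the legacy SSID, dynamic ARP inspection and DHCP snooping on the switch, and a Layer 3/Layer 4 filter on the access point); it is not taken from the book or from Cisco's documentation. The switch interface names, the method-list and ACL names, the client MAC address 0011aa22bb33, the legacy WLAN subnet 192.0.2.0/24, the DNS server 198.51.100.53, the application server 198.51.100.5 and its TCP port 8080 are all constructed values.

```cisco
! Added example (not from the book): layered filtering for the legacy VLAN 10.
! Interface names, list names, the MAC address, subnets and ports are assumptions.
!
! --- Catalyst switch: validate DHCP and ARP on VLAN 10, trust only the uplink.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! The uplink toward the firewall / DHCP relay (Figure 10-4) is the only trusted port.
interface GigabitEthernet0/1
 description Uplink to legacy-WLAN firewall and DHCP relay
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! The trunk to the AP stays untrusted, so client DHCP offers and ARP replies are
! checked against the snooping binding table. Rate limits blunt flooding attempts.
interface FastEthernet0/5
 description Trunk to access point
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Aironet IOS AP: MAC authentication for the legacy SSID against a local list.
aaa new-model
aaa authentication login MAC-METHODS local
! One entry per legacy device; the MAC address serves as both username and password.
! 0011aa22bb33 is a constructed value.
username 0011aa22bb33 password 0011aa22bb33
dot11 ssid SSID10
   vlan 10
   authentication open mac-address MAC-METHODS
!
! --- Aironet IOS AP: Layer 3/4 filter so VLAN 10 reaches only what it needs.
! Order matters: DHCP and DNS first, then the single application port, then deny and log.
ip access-list extended LEGACY-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 8080
 deny ip any any log
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip access-group LEGACY-IN in
```

The `deny ip any any log` entry at the end of the ACL is what makes this layer useful for detection as well as containment: anything a legacy client sends outside the permitted set shows up in the AP's syslog, which can be forwarded to the same console that receives the network IDS alerts. If the access point in use does not support IP filters on radio subinterfaces, the same ACL can be applied on the switch or firewall interface facing VLAN 10 instead.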
When properly implemented, the security mechanisms in Figure 10-4 allow the network designer to mitigate some of the threats identified in Chapter 5 for pre-WEP and WEP-only WLANs. The following sections discuss the threats that must be considered in this design.
Although the attacker can discover the WLAN network topology, he should be able to determine only a limited subset of the topology behind the firewall device by looking at the characteristics of the traffic for the applications permitted through the firewall. MAC authentication and filtering give some protection against this threat for low-level attackers. To further mitigate active probing, the network intrusion-detection system should detect some reconnaissance activity and alert the network administrator to it. Finally, the attacker will have access to any clear-text information that the end host devices transmit. With this in mind, it is recommended that the number of applications used on the pre-WEP/WEP WLAN be kept to a minimum to limit the amount of information that the attacker can glean about the target network.
This attack is partially mitigated for data on the interior of the firewall by the filtering being done by the firewall. However, on the exterior side of the firewall, the attacker will have the capability to read the WLAN traffic. As previously noted, for this reason, the network administrator must make a business risk decision that the data being transmitted on this WLAN can be read by an attacker with minimal effort.
This attack is partially mitigated for the data on the interior of the firewall by the filtering done by the infrastructure. As previously noted, depending on the type of filtering being done, there are varying degrees of effectiveness. If the network administrator has chosen to implement MAC-based authentication and filtering for the pre-WEP/WEP WLAN, attackers of some skill levels will be prevented from gaining write access to the network. In addition, the application layer inspection provided by the security devices (firewall and network intrusion detection) gives some write protection for the applications that traverse the firewall. However, not all data can be inspected by the firewall, so it is feasible that some application data could be altered outside of the firewall and entered into the application in use on the pre-WEP/WEP WLAN. Finally, the host security software is intended to mitigate the possibility that the attacker will exploit the write capability to attack the application server and gain access to the host through the application server.
The integration of legacy environments creates some interesting items of note with regard to the design fundamentals for the WLAN. These issues are outlined in the following sections.
The WLAN security policy is the core component that the network designer uses to determine if he can secure the legacy WLAN sufficiently to allow its deployment alongside other, more advanced WLAN security frameworks.
Device support is what drives network designers to consider all the alternatives in securing and supporting a legacy WLAN environment. Additionally, it is important to understand that many legacy devices that are pre-WEP or WEP-only cannot support more advanced WLAN features, such as Layer 2 fast secure roaming. The network designer must consider this before adding more application support that requires these new types of features while still trying to maintain the use of the legacy device.
As discussed, MAC-based authentication is the primary means available to determine the identity of a pre-WEP or WEP WLAN device. In addition to the WLAN authentication, the network designer should consider advanced rotating password schemes for the application. Even with a rotating password scheme, an attacker can eventually determine the password for an application. However, in determining the password, the attacker might provide information that a network administrator can use to detect the intrusion attempt. For instance, the network administrator can use failed application authentication attempts to determine that someone is trying to use an old password and alert the person to an attempted intrusion.
In the legacy environment, the WLAN clients still might need to access DHCP or DNS resources on the wired enterprise network, so the additional security devices need to either provide these services or allow the WLAN to connect to the services that exist on the wired network. Many firewalls perform DHCP relay or have DHCP server capabilities.
The AP should not accept any connection on the VLAN that corresponds to the legacy WLAN subnet because the legacy WLAN subnet is considered insecure, and no communication should be possible to the AP from this subnet. The AP should be managed from a dedicated VLAN on the wired side of the network or through the VLAN that corresponds to the WLAN that uses a more advanced security framework.
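The following configuration fragment is added as an example of restricting the access point's management plane to the wired management subnet, as the paragraph above recommends; it is not taken from the book or from Cisco's documentation. It assumes the AP's own address sits on a management VLAN that no SSID is mapped to, so the legacy VLAN has no Layer 2 path to the AP at all, and then limits the remaining services (SSH, HTTPS, SNMP) to sources in 192.0.2.0/24. The subnet, ACL number 10 and the community-string placeholder are assumptions, and SSH host keys are assumed to exist already.

```cisco
! Added example (not from the book): restrict AP management to the wired management subnet.
! 192.0.2.0/24 as the management subnet, ACL number 10 and the community string are assumptions.
!
! Standard ACL: only management hosts may reach the AP's own services.
! Everything else is denied and logged so that probes from the legacy VLAN are visible.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
! CLI access: SSH only, and only from sources matching ACL 10.
! (Assumes 'crypto key generate rsa' has already been run in EXEC mode.)
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Web management: HTTPS only, with the same source restriction.
no ip http server
ip http secure-server
ip http access-class 10
!
! SNMP read-only, same source restriction. The community string is a placeholder.
snmp-server community <READ-ONLY-COMMUNITY> RO 10
```

Because the AP's BVI interface lives on the management VLAN and not on VLAN 10, the ACL is a second layer rather than the only one: a legacy client would first have to reach the management subnet through the firewall, which the earlier filtering layers are configured to prevent.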
In many instances, network designers should limit the transmission power of their radios to make it more difficult for attackers to find their WLANs. An attacker can thwart this mitigation technique by using high-gain antennas. However, it is something to consider because it eliminates a low-level attacker even though it is not a deterrent against a mid-level to high-level attacker.
Multigroup access is achieved with the use of multiple SSIDs mapped to wired network VLANs, as previously described in this chapter.