Wireless Security Practices

Security Disciplines for Objective 2: Prevention

2-5. Firewalls, VPNs, and Other Network Safeguards

Description

Wireless networks are exposed to all of the vulnerabilities of conventional wired networks, and they add some of their own. Because users can reach the network through wireless access points, a poorly placed or poorly configured access point may let a malicious user bypass the perimeter controls that protect the wired network from outside intruders. Furthermore, users (authorized or not) may install unauthorized wireless equipment that opens a path into the wired network around the perimeter defenses.

Purpose

Technologies such as firewalls, virtual private networks (VPN), and virus protection systems are already widely deployed in wired private networks that need to access public networks. These are also needed in a wireless environment, and a judicious implementation of these technologies can help mitigate the risks of deploying a wireless network.

Principles

The principles underlying firewalls, VPNs, and virus protection systems in the wireless environment are basically the same as for the wired environment. The only significant change is that best practices suggest that because of their vulnerabilities, wireless access points should be considered untrusted devices.

Policies

A comprehensive set of security policies should be developed and maintained through periodic review and updates, regardless of the type of network employed. These policies should include comprehensive coverage of wireless devices of all types.

Best Practices

Virtual Private Networks (VPNs)—With any wireless technology, additional security precautions should be deployed rather than relying on the basic defaults. VPNs and similar technologies (e.g., the Secure Shell [SSH] protocol and the Secure Sockets Layer [SSL] protocol) provide a means of enhancing security by encrypting and authenticating traffic independently of the wireless link itself.

Most VPN technologies operate independently of the communications link. The same VPN technology that works for dial-up, cable, and Integrated Services Digital Network (ISDN) connections will also work for Personal Communications Services (PCS) wireless data connections (e.g., GPRS/EDGE and 1xRTT) and for Wi-Fi (802.11). This does not mean, however, that VPN technology should not be augmented with certain capabilities to make the wireless experience as secure and robust as the wire-line experience.

Considerations for VPNs in the Wireless Environment—The benefits of VPNs have long been established. Almost all VPNs can work both in the wire-line and wireless environment, but it does not mean that they all provide the same level of service or functionality. In short, they are not all created equal.

Most VPNs have been designed for stationary users and point-to-point networks. They were built without consideration for mobility. Therefore, they do not support roaming from one network type to another (e.g., going from GPRS to Wi-Fi) nor are they very robust in handling network disconnects and network time-outs. They do not support automatic security enablement. Finally, VPNs, as a rule, do not automatically select the best transmission means when more than one wireless option is available.

When examining VPNs for use within a wireless environment, the following items should be considered:

  • Seamless roaming between networks and technology.
  • Application persistence during roaming.
  • Connection management and prioritization based on bandwidth.
  • Type of compression offered.
  • Comprehensive and automatic security (e.g., end-to-end encryption using current industry standards such as the Advanced Encryption Standard [AES] and 3DES).
  • Authentication capabilities (e.g., RADIUS, Microsoft Active Directory).
  • Existence of integrated firewall.

Connecting the Wireless Network and the Wired Criminal Justice Network—Once the networking on the mobile side is finalized, security between the wireless operator’s network and the criminal justice network needs to be considered. If the criminal justice network currently allows for access via VPN, using the public infrastructure with the VPN may be enough. However, if more security is required with a more reliable network connection, consider dedicated facilities (e.g., frame-relay circuit) or a dedicated server-to-server VPN connection between the wireless carrier and the criminal justice intranet.

Many VPN devices today have integrated firewalls. These firewalls can help to restrict traffic to certain locations within the larger wired enterprise network, thus providing an additional layer of protection. Use of an integrated VPN/firewall device can reduce costs and administrative burden.

Firewalls—A firewall is a security system, implemented in hardware or software, that protects a network of servers, client computers, and intelligent communication devices from unauthorized access and from intentional or accidental damage. The function of a firewall is the same whether it is deployed in a wired, wireless, or mixed environment. A firewall should be considered a fundamental piece of any wireless network infrastructure.

Considerations for Firewalls in Wireless Environments—Cellular carriers will most likely provide firewall protection within their networks. Although this provides a level of protection during transmission that does not exist with Wi-Fi-based systems, it is not a complete solution. Users are well advised to deploy their own firewalls as supplements. Systems relying on cellular carrier-based technologies may need to work with the carrier to ensure that existing enterprise firewalls and the carrier's system will work well together. Carriers may work with you to configure your existing enterprise firewalls to work with the wireless system. Some carriers may also offer to set rules within the carrier-based firewalls that provide additional protection to your network (for example, limiting access to specified devices). Be sure to investigate these options and their costs when considering any cellular-based system.

As mentioned earlier, a key principle guiding the deployment and use of firewalls is that any wireless access point should be considered to be an untrusted device. This should be viewed as particularly true for Wi-Fi-based access points, given the current weaknesses in Wi-Fi security. The ability to tailor the firewall rules to the specific users and environment is an important consideration in selecting a firewall for the wireless environment.

Connecting the wireless network and the wired criminal justice network—Best practices in security encourage the use of subnets within the wired environment. For example, many enterprise networks utilize internal firewalls to restrict access to internal networks that perform sensitive functions, such as accounting, human resources, or other competition-sensitive material or functions.

In the wireless environment, establishing subnets for wireless access points is clearly a best practice. This means that wireless access points should be installed on a separate network(s) dedicated to wireless users, with a firewall between the wireless network(s) and the enterprise-wired network. All traffic that travels from a wireless network to the wired network must go through a firewall. The firewall will control what internal resources are available to wireless users. These resources may vary by user and may be different from that same user’s access rights if they connect through the wired environment.

Simply separating the wired and wireless networks with a firewall may not be sufficient if the wired network contains particularly sensitive data. For greater security, a VPN connection may be used in combination with the firewall between the wired network and the wireless subnet. Note also that Virtual Local Area Network (VLAN) separation is logical rather than physical: VLAN implementations have been shown to be susceptible to VLAN hopping, particularly across the trunks between switches. The recommendation is therefore that network designers use separate physical switches for the wired and wireless networks when practical and not cost-prohibitive.
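The boundary firewall described above, modeled as an ordered rule set with a trailing default deny. This is an added example, not code from the original document: the addressing plan (wireless clients on 10.50.0.0/16, the wired network on 10.10.0.0/16, a VPN gateway at 10.10.0.5 and an internal DNS server at 10.10.0.53), the rule names and the protocol details are assumptions chosen for illustration. Wireless clients are allowed only to bring up an IPsec tunnel (IKE on udp/500, NAT-T on udp/4500, ESP) and to resolve names; everything else they need on the wired side is reached inside the tunnel, where the VPN gateway can apply per-user rights, and nothing on the wired side may initiate a connection toward a wireless client.

```python
"""Firewall policy between a dedicated wireless subnet and the wired network.

Added example: a model of the boundary firewall the text describes, not code
from the original document. All addresses, rule names and services are
assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed addressing plan (constructed for this example).
WIRELESS = ipaddress.ip_network("10.50.0.0/16")    # access points and wireless clients
WIRED = ipaddress.ip_network("10.10.0.0/16")       # enterprise wired network
ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_GATEWAY = ipaddress.ip_network("10.10.0.5/32")
DNS_SERVER = ipaddress.ip_network("10.10.0.53/32")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", "esp"
    dport: Optional[int] = None   # destination port where the protocol has one


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]          # None matches any protocol
    dports: Optional[frozenset]   # None matches any port
    action: str                   # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in self.src
            and ipaddress.ip_address(flow.dst) in self.dst
            and (self.proto is None or self.proto == flow.proto)
            and (self.dports is None or flow.dport in self.dports)
        )


# Ordered rule set: first match wins; the last rule denies everything that no
# earlier rule allowed. Wireless clients may only reach the VPN gateway (IKE,
# NAT-T and ESP) and the internal DNS server. Every other wired resource is
# reached through the tunnel, where the gateway applies per-user access rights.
RULES = [
    Rule("wifi-to-vpn-ike", WIRELESS, VPN_GATEWAY, "udp", frozenset({500, 4500}), "allow"),
    Rule("wifi-to-vpn-esp", WIRELESS, VPN_GATEWAY, "esp", None, "allow"),
    Rule("wifi-to-dns", WIRELESS, DNS_SERVER, "udp", frozenset({53}), "allow"),
    Rule("no-wired-initiated-to-wifi", WIRED, WIRELESS, None, None, "deny"),
    Rule("default-deny", ANY, ANY, None, None, "deny"),
]


def evaluate(flow: Flow, rules=RULES) -> Tuple[str, str]:
    """Return (action, name of the matching rule) for a new connection attempt."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    # Unreachable while a default-deny rule is last; kept as a safety net.
    return "deny", "implicit-deny"


if __name__ == "__main__":
    samples = [
        Flow("10.50.3.17", "10.10.0.5", "udp", 4500),   # VPN client bringing up its tunnel
        Flow("10.50.3.17", "10.10.0.53", "udp", 53),    # name lookup before the tunnel is up
        Flow("10.50.3.17", "10.10.8.20", "tcp", 445),   # direct SMB to a wired file server
        Flow("10.50.3.17", "10.10.0.5", "tcp", 443),    # wrong protocol to the gateway
        Flow("10.10.8.20", "10.50.3.17", "tcp", 22),    # wired host reaching into the wireless subnet
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

The point of the trailing default-deny rule is that the wireless subnet gains access to a wired resource only when someone adds an explicit rule; a real firewall would additionally track connection state so that replies to allowed flows are admitted without a wired-to-wireless rule.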

Firewalls and Wireless Clients—In a wired network, the need to use a personal (or client-based) firewall depends largely upon the data present on the device. As a best practice, personal firewall software should be installed on all wireless clients. Personal firewalls help to protect client devices against wireless network attacks, particularly when used in public or shared Wi-Fi access areas, where files on an unprotected device may be available to all other users of that wireless access point.

Antivirus Software—A computer virus is a malicious set of programming instructions that are disguised and incorporated into files. Operating at times outside of the secured wired environment, mobile devices may be more likely to be exposed to viruses than devices that are permanently attached to the wired network. Just as every desktop computer in a wired environment should be protected, so should every mobile device have an antivirus software application installed on it. Ensuring that the antivirus applications are regularly updated should be enforced as well.

Wireless Network Interface Card (NIC) configuration—Because an attacker can easily counterfeit a trusted access point, wireless NICs should be configured not to associate automatically with access points that do not perform mutual authentication. By default, wireless NICs typically connect to any available access point or ad hoc peer; this default provides a connection to the user's system that may allow for intrusion.
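One way to check a Linux client's configuration against this recommendation, as an added example that is not part of the original document: audit a wpa_supplicant configuration and report every network block that a NIC would join without mutual authentication. The configuration text is constructed for the example; the option names it uses (ssid, key_mgmt, eap, ca_cert, mode) are standard wpa_supplicant.conf keys. Open networks (key_mgmt=NONE) and ad hoc networks (mode=1) accept any peer, and an EAP network with no ca_cert never verifies the authentication server, so a counterfeit access point with its own RADIUS server cannot be told apart from the real one.

```python
"""Audit a wpa_supplicant configuration for networks that permit association
without mutual authentication.

Added example, not from the original document. The configuration below is
constructed for illustration; the option names are standard wpa_supplicant
keys, the SSIDs, identities and paths are made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the first block is a correctly configured EAP-TLS
# network; each of the others shows one weakness.
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="CityPD-Mobile"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="unit42@cjnet.example"
    ca_cert="/etc/ssl/certs/cjnet-radius-ca.pem"
    client_cert="/etc/wpa/unit42.pem"
    private_key="/etc/wpa/unit42.key"
}

network={
    ssid="CoffeeShop-Free"
    key_mgmt=NONE
}

network={
    ssid="CityPD-Mobile"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="unit42"
    password="hunter2"
}

network={
    ssid="fieldlink"
    mode=1
    key_mgmt=NONE
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one dict of option -> value per network={...} block.

    Quotes around values are stripped; comments and blank lines are ignored.
    Global options outside the blocks are not part of the audit."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line or "=" not in line:
                continue
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks


def audit(conf: str) -> List[Tuple[str, str]]:
    """Return (ssid, finding) pairs for networks a NIC should not join automatically."""
    findings = []
    for net in parse_networks(conf):
        ssid = net.get("ssid", "<no ssid>")
        # wpa_supplicant's default when key_mgmt is absent is "WPA-PSK WPA-EAP".
        key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
        if net.get("mode") == "1":
            findings.append((ssid, "ad hoc (IBSS) network: associates with arbitrary peers"))
        if "NONE" in key_mgmt:
            findings.append((ssid, "open network: no authentication, any AP advertising this SSID is accepted"))
        if key_mgmt & {"WPA-EAP", "WPA-EAP-SHA256"} and "ca_cert" not in net:
            findings.append((ssid, "EAP without ca_cert: authentication server is not verified, "
                                   "so a counterfeit AP cannot be told apart from the real one"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONF):
        print(f"{ssid}: {finding}")
```

A stricter audit would also require domain_suffix_match or altsubject_match on every EAP block, so that the client accepts only the organization's RADIUS server rather than any certificate that chains to the configured CA.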

Other Network Safeguards—Another line of defense against intrusion through the wireless network is to install services that ensure that the client meets all established security policies before granting the user access to the network. These requirements could include having up-to-date and running virus-scanning software, running personal firewall and/or VPN software, and any other administrator-defined parameters. This type of service requires both a client-based application and a network-based service. Users that pass all the checks are allowed appropriate access to the network, while those who do not meet the access criteria can be directed to a different location to get the required updates.

Intrusion Detection System/Intrusion Prevention System (IDS/IPS)—The IDS/IPS monitors events occurring on a network or in a computer for evidence of intrusions, which can be unusual usage patterns or attempts to bypass security to compromise the integrity, availability, or confidentiality of a network or computer. An IDS is just one of the many safeguards required to protect an organization’s information technology resources. The original Applying Security Practices references IDS in Section 3-1: Intrusion Detection System (IDS).

An IDS can be compared to a home alarm security system because they both provide an alert when an abnormal or predefined event occurs. IDS technology has evolved over the past 20 years, and IDSs that are currently available can identify the type of event that has taken place, when the event occurred and, in some cases, the sources of the intrusion. The IPSs provide the capability to program automated responses and deterrents to some alerts.

An IDS/IPS is recommended and is almost mandatory in the wireless environment. Data classification and impact assessment (FIPS 199) are helpful resources in determining which security architecture is required to safeguard the network.
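Two of the checks a wireless IDS/IPS would run, as an added example that is not part of the original document: detecting a counterfeit access point (a trusted SSID beaconed from a BSSID that is not in the inventory of authorized access points) and detecting an unusual usage pattern (a burst of failed authentications from one client). A third function shows the IDS/IPS distinction from the text: the counterfeit AP is outside our control and can only be alerted on, while the bursting client can be quarantined automatically. The SSIDs, MAC addresses, timestamps and response names are all constructed for the example.

```python
"""Two wireless IDS checks run over constructed event samples.

Added example, not from the original document: (1) a counterfeit access point
advertising a trusted SSID from an unknown BSSID, and (2) an unusual usage
pattern, a burst of failed authentications from one client. Every SSID, MAC
address and timestamp below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Inventory of authorized access points: SSID -> set of authorized BSSIDs (lowercase).
TRUSTED_APS = {
    "CityPD-Mobile": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}

# Constructed beacon observations (ssid, bssid, channel) from a wireless sensor.
BEACONS = [
    ("CityPD-Mobile", "00:11:22:AA:BB:01", 6),
    ("CityPD-Mobile", "00:11:22:aa:bb:02", 11),
    ("CoffeeShop-Free", "aa:bb:cc:dd:ee:ff", 1),   # not our SSID, out of scope here
    ("CityPD-Mobile", "de:ad:be:ef:00:01", 6),     # trusted SSID, unknown BSSID
]

# Constructed authentication log: (epoch seconds, client MAC, "ok" | "fail").
AUTH_EVENTS = [
    (1000, "d4:6e:0e:00:00:11", "fail"),
    (1005, "d4:6e:0e:00:00:11", "fail"),
    (1010, "d4:6e:0e:00:00:11", "fail"),
    (1020, "d4:6e:0e:00:00:11", "fail"),
    (1030, "d4:6e:0e:00:00:11", "fail"),
    (1040, "d4:6e:0e:00:00:11", "fail"),
    (1000, "d4:6e:0e:00:00:22", "fail"),           # occasional, spread-out failures
    (1400, "d4:6e:0e:00:00:22", "ok"),
    (1800, "d4:6e:0e:00:00:22", "fail"),
    (1002, "d4:6e:0e:00:00:33", "ok"),
]


def find_counterfeit_aps(beacons, trusted=TRUSTED_APS) -> List[Tuple[str, str, int]]:
    """Beacons carrying a trusted SSID from a BSSID that is not in the inventory."""
    rogues = []
    for ssid, bssid, channel in beacons:
        if ssid in trusted and bssid.lower() not in trusted[ssid]:
            rogues.append((ssid, bssid.lower(), channel))
    return rogues


def find_auth_failure_bursts(events, threshold=5, window=60) -> Dict[str, int]:
    """Clients with at least `threshold` failures inside any `window`-second span.

    Sliding window over each client's sorted failure times; returns
    client MAC -> failure count in the first window that tripped."""
    failures = defaultdict(list)
    for ts, mac, result in events:
        if result == "fail":
            failures[mac].append(ts)
    flagged = {}
    for mac, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[mac] = end - start + 1
                break
    return flagged


def respond(rogues, bursts) -> List[str]:
    """IPS-style automated responses (action names are assumptions for this example).

    A counterfeit AP is not ours to switch off, so it is reported; a bursting
    client can be blocked at the wireless firewall pending investigation."""
    actions = [f"alert: counterfeit AP {bssid} advertising {ssid} on channel {ch}"
               for ssid, bssid, ch in rogues]
    actions += [f"quarantine: block {mac} at wireless firewall ({n} auth failures)"
                for mac, n in bursts.items()]
    return actions


if __name__ == "__main__":
    for action in respond(find_counterfeit_aps(BEACONS), find_auth_failure_bursts(AUTH_EVENTS)):
        print(action)
```

The BSSID inventory is the piece most installations lack; without a maintained list of authorized access points, the counterfeit-AP check cannot be run at all, which is one reason the text treats access points as devices to be inventoried and distrusted rather than as part of the trusted network.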