At Redspin we are often asked to perform wireless security assessments for organizations that have recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs), controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile devices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet these days are grappling with the question of how to support employee requests for connectivity – often times by senior executives. These devices themselves are inherently risky due to their highly mobile nature, ability to store and access sensitive data, and immature enterprise security management support. For today, let’s focus on the corporate wireless infrastructure itself. The problem is less about the capabilities of wireless security technology and more about the lack of a thoughtful deployment of these systems. Wireless networks need to implement security controls that are at least as good as the existing controls on the data they are trying to protect.
The most consistent problem is that wireless networks are deployed with less than optimum security controls. For example, using WPA2 in personal mode rather than enterprise mode. The upside of personal mode – in which clients, such as laptops and iPhones, authenticate to the networks with a pre-shared key (PSK) – is that it’s easy to manage and configure. The downside of this approach that it is vulnerable to a password guessing attack, cached client credentials, system-wide risk in the event of a compromised key and rogue access points. This risk may be acceptable for access to a wireless network whose only purpose is to provide Internet access for guests or mobile devices. However, many wireless networks begin with this simple purpose in mind only to evolve into much more access into the internal network.
Wireless network signals travel well beyond your corporate office space. In a downtown office environment, dozens or even hundreds of other businesses or public areas are able to “see” these signals. It’s as if you are grabbing a hand full of network cables that are connected to your internal switch and lobbing them out into the street for everyone to use. This greatly extends the attack surface area for wireless networks, so it’s imperative that they are configured with security settings that are appropriate to the data they need to protect.
With wireless networks, there are a great many security configurations available to support a variety of business cases. It’s critical to ensure that usage scenarios are carefully evaluated before a network is deployed to ensure that appropriate security controls are implemented. Once deployed, wireless networks should be tested to verify that the controls are actually working effectively.