  • Designing a Secure Network

    Author: 2009-03-20 09:30:37 From:

    There is no denying it: Security represents a cost of doing business. Some of your business is contingent upon secure applications and data. For example, e-business revenue streams may depend on proper security. Security is akin to insurance costs; that is, you pay now to save later. Insurance, after all, is applied risk management. It is reminiscent of the old Fram car filter commercial where the mechanic comments when asked about the price of the filter: “You can pay me now, or you can pay me later.” Obviously, the cost of an oil filter is a lot less than the cost of a new engine, but the implementation of some controls now can save you money later.

    There is the loss of assets to worry about, but that is not the only concern. Legal actions may result if you fail to meet a general duty of care exhibited as minimum-security standards. Your organization might also have to worry about compliance with specific legislation. In the United States, this could mean:

    Gramm-Leach-Bliley Act (GLBA):
    Protects the privacy of customer information at financial institutions

    Health Information Portability and Accountability Act (HIPAA):
    Defines standards and procedures for gathering, retaining, and sharing customer information in the healthcare sector

    Sarbanes-Oxley Act (SOX):
    Affects publicly traded companies governed by the SEC

    You might know about other legislation affecting your industry or business. Other countries have or are developing similar legislation. You will need to know the legal obligations of your particular jurisdiction.

    Current resistance to security expenditure will shrink as the information age matures; after all, nobody questions the cost of building security anymore. When we first started in computing, people could not understand the need for passwords, but today, passwords are an accepted control for any system.

    In this tutorial, we show you how to design a secure network to mitigate the vulnerabilities and security risks introduced by wireless technologies and the infrastructure installed to support them.

    Although obvious differences exist between wired and wireless networks, the security principles remain the same. By analyzing the security needs of your organization, you can protect it by implementing the right security controls correctly, at the right time. Working in this manner, you can ensure a successful outcome. Developing a security architecture is more important to the security of your organization than any software or hardware you may purchase. Security is not a point product, such as a firewall; rather, it is a process.

    Building a secure wireless network is akin to building a house. When you start to build your house, you have to decide whether you will build a ranch, a split-level, a bungalow, a Tudor, a mansard, a neo-classical revival, or what have you. This is your security stance and strategy. Well, the first step in creating a secure wireless network is to determine your stance and establish an enterprise-wide strategy for deployment and usage. Are you a security-conscious organization? Is your industry security-conscious? Do your customers and clients expect secure applications? Do you process or maintain personal information? These are all questions to help you derive your security stance. At the highest level, your strategy should address the requirements of the following:

    Confidentiality:
    The means for keeping transmitted data secret until it reaches its destination.

    Integrity:
    The means by which the recipient of the data transfer can know that the data is intact and that no one has tampered with it.

    Authentication:
    Ensures that network access is granted to only approved persons or devices.

    Availability:
    The quality of being at hand when needed.

    Accountability:
    The responsibility to someone or for some activity.

    These are high-level goals of your security program. Your strategy should address the following areas as well:

    Determine business needs
    What are the business drivers and needs of your organization? Identify objectives clearly, and make sure that the benefits outweigh the risks.

    Integrate wireless policies into existing IT policies
    Remember that wireless solutions are an extension of the wired network.

    Clearly define wireless network ownership
    This ensures control as well as response when you identify security threats. Also, defining network ownership should nip backdoor or rogue access points in the bud.

    Protect the existing infrastructure
    This is what it really is about. Do not place wireless devices directly on the internal network. Instead, provide a separate network or demilitarized zone to control access to the wired network.

    Educate users about wireless policies
    This includes providing awareness sessions for employees.

    Your policy should consider the assets you intend to protect: sensitive data and network services. You cannot develop policy statements without considering the threats you are trying to prevent: equipment damage or theft, denial of service, unauthorized access, fraud, data theft, personal information exposure, data insertion, and legal liabilities.

    To build a house, you need a blueprint or architectural plan. The blueprint lays out what is expected. You want to know how many washrooms or other services you will have. Likewise, your security architecture should have a plan or blueprint. A good security plan includes the following network services:

    Authentication:
    One entity (that is, simply a person or system) proves to the other its identity.

    Access control:
    You allow or deny an entity access to the network.

    Replay prevention:
    An entity can detect that a message was previously sent.

    Message integrity:
    An entity can verify that no one has changed the content of a message in transit.

    Message privacy:
    Sensitive information is encrypted when transmitted between two wireless entities to prevent interception and disclosure or to prevent a third party from tracking communications between two other entities.

    Non-repudiation:
    An entity can verify the origin or the receipt of a specific message.

    Accountability:
    An entity can trace the actions of an entity uniquely to that entity.

    Key protection:
    The system can protect the confidentiality of a key used by an entity.

    When building a home, you want to ensure that you begin with a strong foundation. You pour some concrete and form the basement or foundation. The foundation or baseline of any security architecture is the security policy.

    Again, using the house analogy, before you put the shovel in the ground, a surveyor comes to the property and maps its dimensions. Well, before you start your site survey policy, you need to map your organization’s security policy. Develop a security policy that addresses the use of wireless technology, including 802.11, 802.15, 802.16, and 802.20. A security policy is the foundation on which you rationalize and implement other countermeasures: the operational and technical ones. A documented security policy allows your organization to define acceptable architecture, implementation, and uses for wireless technologies. It answers the big questions. Do you allow ad hoc mode? Do you allow departments or units to install access points? Do you allow WPAN, WLAN, or WWAN technology? There are many formal statements that you need to make in your policy.

    Keep in mind that policies are mandated specifications or operations. They deal with the assessment of risk within your organization. You cannot write effective policy until you understand the risks to your organization and how you intend organizationally to deal with those risks. These policies provide the basis for operations and consequently, the basis of compliance reviews.

    Policies are not stagnant; you don’t write them in stone. Your internal and external environments are constantly changing; as a result, so are the threats and the attendant risks. You should periodically review and update your policy to address technology improvements that may provide practical application for your organization without introducing additional security risks and vulnerabilities. Determine what works and why it works. Determine what doesn’t work and why it does not. Make sure that your policy is current by rewriting any dysfunctional or archaic policies. This is a constant and cyclic process as your organization moves forward.

    It is important to remember the intended audience when you draft security policy. Don’t make the policy too difficult to read or comprehend. It is important to create formal policy to minimize potential confusion and to clear up any ambiguity. Sometimes your policy only formalizes the status quo. Make sure that your policies are relevant. If people don’t understand what the policy means to them, they will disregard it. Make your policy succinct but precise.

    Every organization has or should have a format or template for policy, so we won’t tell you how to write your policy. However, you should consider the following topics:

    Purpose:
    Tell the audience that the policy applies to wireless networks.

    Scope:
    The policy may apply only to WLANs, but it may also apply to all wireless technology, so you need to specify the scope. People can read the scope and decide whether their network is in or out of scope and whether the policy applies to them.

    Policy:
    State the policy very clearly. A good policy document is usually a maximum of three pages long. Generally, you specify the clients’ rights and responsibilities and expected actions or behaviors. Many organizations include standards and procedures in their policy, which you should not do. If you are not sure of the difference, you can refer to ISO 17799 (www.iso17799.net), which tells you about the many tiers of documentation.

    Enforcement:
    You should state what someone can expect in the way of sanctions should they not comply with your policy. Your legal counsel should review this section carefully (well, actually, the whole document).

    Exceptions:
    Circumstances may arise in which, for one reason or another, someone cannot comply with the policy. You should have a mechanism in place to handle the reporting and approval of any exceptions.

    Definitions:
    You cannot (and should not) expect every reader of your document to understand all the technical jargon. You should write the policy so the average layperson can understand it. Where jargon is unavoidable, you may need to define some terms.

    Document history:
    Whether you put it at the beginning or the end is inconsequential; you must include a document history. The reader should have the trail of revisions for the document.

    After the powers that be approve the policy, make sure that everyone gets a copy. If need be, make sure that everyone understands the policy. We often see gaps in security programs in which people who have the necessary skills want to do the right thing but don’t understand how. Tell them. After you tell them, get them to sign a document saying they read and understood the policy. It is also a worthwhile idea to reaffirm annually that they understand the policy.

    Every organization is different, but some typical security policy topics are:

    • Use of default SSIDs, encryption keys, and passwords.

    • Trust level of base station, bridges, and clients.

    • Access control method(s): MAC ACLs, 802.1x, and SSL.

    • Method for configuration changes: console ports, TFTP, Telnet, HTTP, and HTTPS.

    • Access policies for authorized APs, stations, groups, users, and guests.

    • Authentication credentials.

    • Authentication method(s): none, shared key, EAP, VPN, and SSL login.

    • Encryption technology: 802.11, WEP, WPA, AES, network, transport, and application.

    • Required software and settings for AP, authentication servers, and clients (including firewall and antivirus).

    • Filtering: MAC, protocol, and watch lists.

    As stated earlier, many organizations include standards and procedures in their policy. You should not. Even so, you need to set some measures. Some wireless security standards that you may develop include:

    Standard support:
    Do you support 802.11a, b, or g?

    Equipment:
    Do you support equipment from any vendor?

    Hours of operation:
    Do you allow off-hours connections?

    Naming standard:
    How do you name access points and bridges?

    Channel support:
    What channels do you use?

    Data rates:
    What data rates do you support?

    Performance:
    What are traffic thresholds, and how many stations do you allow an access point to support?

    Encryption algorithm:
    What algorithm does your organization support?

    Key lengths:
    What is the minimum key length?

    Extensible Authentication Protocol:
    What flavor of the many types of EAP do you support?

    Password:
    What is the password length, and how often do you change it?

    Upgrades:
    When do you apply upgrades or patches?

    Tunneling protocol and algorithms:
    What layer and what algorithm?

    Key distribution and refresh procedures:
    How do you disseminate keys?

    These are just some of the topics to cover in your standards. Think of the definition of standard. It is the required degree or level of requirement, excellence, or attainment. The standard is the ideal. Your management and internal and external auditors will measure you on how well you meet the established standards.

    You do need to develop policies, standards, and practices for your organization, but you may find it useful to base these on best practices. We state earlier that best practices demonstrate prudence. There is no agreement yet on the required set of standards for secure wireless access points, but you can find agreement on best practices. To protect a WLAN from attack, enterprises need to be up-to-date with their security best practices. These should include the best practices covered in the following sections.

    General best practices

    • Designate an individual to track the progress of 802.11, 802.15, and 802.16 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology.

    • Keep your computers and Wi-Fi devices powered up at all times, but power down your broadband modem after hours.

    • Ensure that wireless networks are not used until they comply with the security policy.

    • Complete a site survey to measure and establish the AP coverage for the agency.

    • Ensure that the ad hoc mode for 802.11 has been disabled unless the environment is such that the risk is tolerable.

    • Enable all security features of the WLAN product.

    Access point best practices

    • Maintain a complete inventory of all APs and wireless devices.

    • Control the broadcast area through cell sizing. Many wireless access points let you adjust the signal strength.

    • Place your access points as far away as possible from exterior walls and windows. Place them in the interior of the building where appropriate.

    • Place APs in secured areas to prevent unauthorized physical access and user manipulation.

    • Mount your access points out of reach and out of plain view. Bolt them down or secure them in locked steel enclosures.

    • Test the signal strength.

    • Make sure that you use the reset function on APs only when needed and that it can be invoked only by someone in an authorized group of people.

    • Restore the APs to the latest security settings when someone uses the reset function.

    • For 802.11b and g devices, ensure that AP channels are at least five channels apart from any other nearby wireless networks to prevent interference. Use 802.11a when you need more co-located APs.

    • Understand and make sure that all default parameters are changed.

    • Disable all nonsecure and nonessential management protocols on the APs. If you have Cisco devices, disable Cisco Discovery Protocol (CDP) when not needed.

    • When disposing of access points that will no longer be used by the organization, clear access point configuration to prevent disclosure of network configuration, keys, passwords, and so on.

    • If the access point supports logging, turn it on and review the logs on a regular basis.

    Password best practices

    • Be sure to change the default password on all access points.

    • Use a strong password to protect each access point.

    • Ensure that all passwords are changed regularly.

    SSID best practices

    • Use SSID (Service Set Identifier) wisely. Don’t use the default and don’t use the name of your company as the SSID.

    • Buy access points that let you disable SSID broadcasting. This prevents access points from broadcasting the network name and associating with clients that are not configured with your SSID.

    • Immediately change an access point’s default SSID. (And while you are at it, change the default username and administrator password, too.)

    Authentication best practices

    • Implement user authentication. Require access point users to authenticate.

    • Upgrade access points to use implementations of the WPA and 802.11i standards. Also, as you implement user authentication on the access points, reuse any existing servers that provide authentication for your other network services, such as RADIUS.

    • Use MAC (Media Access Control) address authentication where practical. When you have a manageable number of wireless users and just a few access points, MAC addressing lets you restrict connections to your access points by specifying the unique hardware address of each authorized device in an access control list and allowing only those specific devices to connect to the wireless network.

    • Enable user authentication mechanisms for the management interfaces of the AP.

    Encryption best practices

    • Secure the WLAN with IPSec VPN technology or clientless VPN technology.

    • Turn on the highest level of security your hardware supports. Even if you have older equipment that supports only WEP, ensure that you enable it. Whenever possible, use at least 128-bit WEP.

    • Ensure that encryption key sizes are as long as possible.

    • Make sure that default shared keys are periodically replaced by more secure unique keys.

    Client best practices

    • Deploy personal firewalls and virus protection on all mobile devices.

    • Ensure that the client wireless adapter and AP support firmware upgrades so that security patches may be deployed as they become available.

    • Ensure that users on the network are fully trained in security awareness and the risks associated with wireless technology.

    • Regularly scan for rogue access points on the network by using a wireless scanner or a packet analyzer.

    • Use antivirus software on all wireless clients.

    • Use personal firewall software on all wireless clients.

    • Use a secure transport for wireless communications: for example, IPSec, SSL, or SSH.

    • Disable WNIC when not used.

    • Update and enable client security software and patch OS.

    • Take regular backups.

    Network best practices

    • Deploy enterprise-class protection technologies. This includes employing a firewall on the demilitarized zone and client firewalls on every desktop; VPN services that encrypt all traffic to and from wireless devices; wireless and network intrusion detection systems; antivirus software for the network, server, and desktop; regular vulnerability assessments of the WLAN; and policy compliance tools.

    • Install a properly configured firewall between the wired infrastructure and the wireless network.

    • Use bridges, switches and gateways to segment the network.

    • Use Layer 2 switches in lieu of hubs for AP connectivity.

    • Do not connect wireless access points to hubs.

    • Disable DHCP.

    • Ensure that management traffic destined for APs is on a dedicated wired subnet.

    • Configure SNMP settings on APs for least privilege (that is, read only).

    • Disable SNMP if it is not used. SNMPv1 and SNMPv2 are not recommended. Use SNMPv3 and/or SSL/TLS for Web-based management of APs.

    • Use a local serial port interface for AP configuration to minimize the exposure of sensitive management information.

    • Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity.

    • Use static IP addressing on the network.

    • Perform comprehensive security assessments at regular and random intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture.

    • Turn off communication ports during periods of inactivity when possible.
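Several items from the access point, password, SSID, encryption and network checklists above can be checked mechanically against the AP inventory. The following is an added example, not part of the original tutorial: the inventory fields, the organization name `examplecorp`, the sample list of vendor-default SSIDs and the assumption that APs in the same `area` are within radio range of each other are all illustrative.

```python
from itertools import combinations

COMPANY = "examplecorp"                      # hypothetical organization name
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}  # sample vendor defaults
CLEARTEXT_MGMT = {"telnet", "http", "tftp"}  # management protocols without encryption
ENC_RANK = {"none": 0, "wep64": 1, "wep128": 2, "wpa": 3, "802.11i": 4}

# Constructed inventory; field names are this example's own, not a vendor format.
INVENTORY = [
    {"name": "ap-lobby", "area": "floor1", "ssid": "ExampleCorp-Guest",
     "broadcast_ssid": True, "default_password": False,
     "mgmt": {"https", "telnet"}, "snmp": "v2c", "snmp_write": True,
     "enc": "wep64", "enc_max": "wpa", "band": "g", "channel": 6,
     "adhoc": False, "logging": False},
    {"name": "ap-lab", "area": "floor1", "ssid": "linksys",
     "broadcast_ssid": True, "default_password": True,
     "mgmt": {"http"}, "snmp": "off", "snmp_write": False,
     "enc": "none", "enc_max": "wep128", "band": "b", "channel": 8,
     "adhoc": False, "logging": True},
    {"name": "ap-core", "area": "floor2", "ssid": "wl-7f3a",
     "broadcast_ssid": False, "default_password": False,
     "mgmt": {"https"}, "snmp": "v3", "snmp_write": False,
     "enc": "802.11i", "enc_max": "802.11i", "band": "g", "channel": 11,
     "adhoc": False, "logging": True},
]


def audit_ap(ap):
    """Return the sorted list of checklist items this AP violates."""
    findings = set()
    ssid = ap["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.add("default-ssid")
    if COMPANY in ssid:
        findings.add("company-name-in-ssid")
    if ap["broadcast_ssid"]:
        findings.add("ssid-broadcast-enabled")
    if ap["default_password"]:
        findings.add("default-password")
    if ap["mgmt"] & CLEARTEXT_MGMT:
        findings.add("cleartext-management")
    if ap["snmp"] in ("v1", "v2c"):
        findings.add("snmp-v1-v2")
    if ap["snmp"] != "off" and ap["snmp_write"]:
        findings.add("snmp-not-read-only")
    # "Turn on the highest level of security your hardware supports."
    if ENC_RANK[ap["enc"]] < ENC_RANK[ap["enc_max"]]:
        findings.add("encryption-below-hardware-maximum")
    if ap["adhoc"]:
        findings.add("adhoc-enabled")
    if not ap["logging"]:
        findings.add("logging-disabled")
    return sorted(findings)


def channel_conflicts(aps, min_gap=5):
    """Pairs of 802.11b/g APs in the same area fewer than min_gap channels apart."""
    conflicts = []
    for a, b in combinations(aps, 2):
        if a["area"] != b["area"]:
            continue                          # assumed out of radio range
        if a["band"] not in {"b", "g"} or b["band"] not in {"b", "g"}:
            continue                          # the five-channel rule is for b/g only
        if abs(a["channel"] - b["channel"]) < min_gap:
            conflicts.append((a["name"], b["name"]))
    return conflicts


def audit(aps):
    """Per-AP findings plus site-wide channel spacing conflicts."""
    return {ap["name"]: audit_ap(ap) for ap in aps}, channel_conflicts(aps)


if __name__ == "__main__":
    report, conflicts = audit(INVENTORY)
    for name, findings in report.items():
        print(name, "OK" if not findings else ", ".join(findings))
    for a, b in conflicts:
        print(f"channel spacing: {a} and {b} are fewer than 5 channels apart")
```

Items that depend on physical inspection (placement, mounting, locked enclosures) still need a site visit; the script covers only what a configuration export can show.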

    Ensure that all users on the network are fully trained in computer security awareness and the risks associated with wireless technology. A security awareness program helps users establish good security practices to prevent inadvertent or malicious intrusions into an organization’s information systems.

    These products can help you manage your policy. You can set a trap for unencrypted traffic should you have a policy that requires encrypted wireless traffic. Or you can look for rogue or unauthorized access points. Other products that can help you manage your wireless policy include:

    AirDefense (www.airdefense.net/products/features/policy.html):
    Monitor and enforce configuration policies, WLAN device and roaming policies, performance policies, channel policies, and vendor policies.

    AirWave Management Platform (www.airwave.com):
    Automatic configuration, policy push, and compliance auditing.

    Chantry BeaconWorks (www.chantrynetworks.com):
    Allows central management of APs.

    Cirond Winc Manager (www.cirond.com):
    WEP key distribution, location-based access control, provisioning system, and real-time mapping.

    Computer Associates Unicenter Wireless Site Management (www.ca.com):
    Key management, wireless rogue AP detection, provisioning, network discovery and mapping, and WAP configuration and administration.

    Enterasys Secure Networks (www.enterasys.com/solutions):
    Provisioning and security solutions.

    Sygate (www.sygate.com/products/enterprise_policy_management.htm):
    Definition of policies based on client behavior.

    Vernier System 6500 (www.verniernetworks.com/products/control.htm):


    Wavelink Mobile Manager (www.wavelink.com):
    WEP key management, enterprise ACLs, and policy push.
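The checks described above (looking for rogue or unauthorized access points and trapping unencrypted traffic where policy requires encryption) come down to comparing what a wireless scanner observes with the authorized AP inventory. The following is an added example, not part of the original tutorial and not the logic of any product listed here: the addresses, SSIDs, record fields and the signal-strength threshold are constructed assumptions.

```python
# BSSID -> settings recorded in the authorized inventory (constructed values).
AUTHORIZED = {
    "02:00:00:00:00:01": {"ssid": "wl-7f3a", "enc": "wpa"},
    "02:00:00:00:00:02": {"ssid": "wl-7f3a", "enc": "wpa"},
    "02:00:00:00:00:03": {"ssid": "wl-7f3a", "enc": "wpa"},
}
ON_PREMISES_RSSI = -65   # assumption: a signal at or above this (dBm) is inside the building

# Constructed scanner output, one record per observed network.
SCAN = [
    {"bssid": "02:00:00:00:00:01", "ssid": "wl-7f3a", "enc": "wpa",
     "mode": "infrastructure", "rssi": -48},
    {"bssid": "02:00:00:00:00:02", "ssid": "linksys", "enc": "none",
     "mode": "infrastructure", "rssi": -55},
    {"bssid": "02:00:00:00:00:AA", "ssid": "wl-7f3a", "enc": "none",
     "mode": "infrastructure", "rssi": -52},
    {"bssid": "02:00:00:00:00:BB", "ssid": "homenet", "enc": "wpa",
     "mode": "infrastructure", "rssi": -58},
    {"bssid": "02:00:00:00:00:CC", "ssid": "cafe", "enc": "wpa",
     "mode": "infrastructure", "rssi": -88},
    {"bssid": "02:00:00:00:00:DD", "ssid": "laptop-share", "enc": "none",
     "mode": "adhoc", "rssi": -50},
]


def classify(obs, authorized=AUTHORIZED):
    """Label one scan observation against the authorized inventory."""
    if obs["mode"] == "adhoc":
        return "adhoc-network"                    # policy: ad hoc mode disabled
    known = authorized.get(obs["bssid"].lower())
    if known is None:
        if obs["ssid"] in {a["ssid"] for a in authorized.values()}:
            return "unauthorized-ap-using-our-ssid"
        if obs["rssi"] >= ON_PREMISES_RSSI:
            return "unknown-ap-on-premises"
        return "neighbor"                         # weak signal, not our SSID
    if obs["enc"] == "none":
        return "authorized-ap-unencrypted"        # policy requires encryption
    if (obs["ssid"], obs["enc"]) != (known["ssid"], known["enc"]):
        return "authorized-ap-config-drift"       # e.g. restored after a reset
    return "ok"


def triage(scan, authorized=AUTHORIZED):
    """Findings that need follow-up, plus inventoried APs the scan never saw."""
    findings = [(o["bssid"].lower(), classify(o, authorized)) for o in scan]
    findings = [f for f in findings if f[1] not in ("ok", "neighbor")]
    seen = {o["bssid"].lower() for o in scan}
    findings += [(b, "inventoried-ap-not-seen")
                 for b in sorted(authorized) if b not in seen]
    return findings


if __name__ == "__main__":
    for bssid, label in triage(SCAN):
        print(f"{bssid}  {label}")
```

A matching BSSID alone does not prove that a device is yours, because a hardware address can be copied; confirm findings against the wired-side switch port and the physical inventory.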

    When you design a secure network, remember to design a system in depth. At the center of the “security onion” is the data that you intend to protect. Your security design should consider personnel, administrative, operational, software, and hardware security measures. It starts with hiring trustworthy individuals. Using multiple layers of security, such as WPA, 802.1X, and IPSec provides high levels of security but introduces complexity and increases costs. So do your homework, and implement only the necessary and sufficient control mix.

    Unless you are the owner, CEO, or head of your organization, one day someone will probably say to you, “I need some solid evidence that your security programs are contributing to the organization’s productivity, its competitiveness, and ultimately its bottom line.” When you are asked these questions, you better know the following:

    • How vulnerable is the organization to known attacks?

    • When was the analysis last done?

    • What percentage of company software, people, and supplies has been reviewed for security issues?

    • What percentage of critical data is strongly protected?

    • What percentage of downtime results from security problems?

    • What percentage of nodes in the network does IT manage?

    You should perform a risk assessment to understand the value of the assets that need protection in your organization. Your management wants to know the threats and risks associated with today’s networks and the method for controlling them. Security and controls improve quality and performance, which are the keys to success in any organization. So, you should agree that you should have security and controls. Saying this another way, you should manage risks. But what does manage risks mean? Risk management is the optimized allocation of limited resources to:

    • Mitigate risks

    • Transfer risks

    • Recover from risk events

    Your organization will perform better when you manage risks, which means more effective use of resources, more responsiveness to clients, and compliance with laws. So what is the problem? Why not just find and fix all your risks? Because perfect security is infinitely expensive! No organization - not even the government (or especially the government) - has unlimited resources.

    You must measure risk. You can use High, Medium, and Low, but this is a difficult sell when you go to the boss and say, “Hey, boss, I need high dollars to manage this high risk!” What is the likely response? “I need better data than that!” Therefore, you must measure your risks and not merely express your opinions. You can calculate expected loss, which is the stream of risk losses expressed quantitatively, that you could reasonably expect to experience in the future. Some organizations do this by measuring the return on investment (ROI). Typically, ROI is a measure of an organization’s performance. It is finite: total capital divided into income. Normally, ROI is defined by the business as an incremental gain on an action. There are three ways to maximize ROI:

    • Minimize costs

    • Maximize returns

    • Accelerate the timing of returns

    Alternatively, you could calculate the Return on Security Investment (ROSI), which is normally defined as the value of loss deference or reduction to dollars invested on security controls. It is indefinite: It has no exact limits. Some security investments have specific ROI, such as provisioning users or corporate insurance, but most don’t. ROSI is an incremental gain on an action.

    There are four ways to maximize ROSI:

    • Minimize/eliminate operational losses

    • Minimize investment

    • Maximize positive returns (where ROI applies)

    • Accelerate the timing of returns

    Your goal is to implement cost-effective security, in which the expected cost of a control is less than the expected loss. Such controls generate a positive ROSI; that is, you can expect to save money over time. Ideally, you want to deploy the most cost-effective controls - those that maximize ROSI. Your challenge is to measure ROSI for given security controls. You should try to base measurements on empirical data and mathematical analysis, rather than opinions. You should evaluate all proposals, techniques, products, and services in terms of ROSI. You should establish best practices based on ROSI. Unfortunately, most companies currently base security decisions on expert opinion and conventional wisdom, not on empirical data and mathematical analysis.

    Perform a risk assessment to understand the value of the assets in your organization that need protection. Understanding the value of organizational assets and the level of protection required is likely to enable more cost-effective wireless solutions that provide an appropriate level of security. You don’t want to spend money to protect data that has no value. We doubt that you will find any case in which the data has no value, but you don’t want to spend more on security measures than the value of the data.

    Several companies sell risk management software, including Methodware Enterprise Risk Assessor (www.methodware.com) and Risk Services & Technology RiskTrak (www.risktrak.com).
