The set of controls and conditions IT auditors look for during assessments of Wireless Access Points (WAPs) tends to vary auditor to auditor.
In some cases, the IT auditor may make great suggestions for controls I have not seen many organizations put into place while in other cases, the auditor might point out the absence of seemingly weak controls that leaves the Information Security team rolling their eyes and seriously doubting the capabilities of the person completing the assessment.
This article is focused on collecting both the good and bad controls, with the goal of not only helping management, information security professionals and auditors alike to effectively secure enterprise WAPs, but also to understand why some control suggestions might be better left unsaid.
Effective Wireless Access Point Best Practices, Controls and Procedures
1. Develop policies and procedures to establish firm guidelines for securing WAPs and include these within the enterprise Information Security or similar policy.
2. Strategically locate WAPs to avoid easy tampering. Ensure the level of physical security meets the risks inherent to the work environment.
Many organizations place access points in office settings on the ceiling out of reach without a step ladder, while others opt to place them above suspended ceiling tiles or within security enclosures when placed in work environments with little or no physical security or high levels of foot traffic by the public.
3. Change the default administrator username and password for all WAPs and network devices.
This seems obvious, but I have seen some organizations argue that this is not necessary due to the use of RADIUS or TACACS to handle administrator authentication to their network devices. My rebuttal is, if the RADIUS/TACACS service fails (either via a malicious DOS attack or otherwise), most network devices will probably revert to relying on local authentication.
4. For guest wireless networks, employ WPA2 encryption protocol and authenticate guests using a Captive Portal.
To date, there have been no known vulnerabilities in the WPA2 protocol. WPA and WEP have both been compromised. Captive Portals are useful for communicating company policies to guest users, requiring guests to enter a guest username and password, and tracking sessions.
5. For enterprise wireless networks, utilize WPA2-enterprise encryption protocol and manage authentication of users with 802.1X to leverage the corporate infrastructure for authentication.
WPA2-enterprise supports 802.1X authentication which integrates with RADIUS, TACACS, digital certificates, token servers and other two-factor systems. This gives the added benefit of connecting wireless authentication to the organization’s central identity management systems (e.g. Active Directory or other authentication server).
6. Guest wireless networks should be completely segregated from the enterprise wireless network through use of firewalls or hardware segregation.
7. Proper network segmentation should segregate enterprise wireless networks from wired enterprise networks, especially those containing sensitive/confidential data and systems.
The use of WPA2-enterprise with RADIUS or TACACS should allow for easily segmenting wirelessly connected users into VLANS. Highly sensitive systems and data should also be properly segmented within the enterprise LAN regardless of whether or not wireless access is allowed.
8. Implement Intrusion Detection Systems to monitor all wireless traffic for suspicious activity. Treat all wireless networks as an entry point for attackers.
Weak Wireless Access Controls
9. At a minimum, implement WEP or WPA wireless encryption protocols. Some encryption is better than no encryption.
I would argue, if you can’t encrypt an enterprise hosted network with WPA2 (or the next best thing when it comes along), don’t provide wireless access at all. You are providing a false sense of security.
10. Implement MAC address filtering for enterprise users, to restrict the leasing of IP addresses to only pre-approved systems.
MAC address filtering is essentially a useless solution due to MAC addresses being easily spoofed on virtually all systems. Legitimate MAC addresses can be easily identified using a network sniffing tool (e.g. Wireshark).
11. Disable SSID broadcasts for internal networks.
Anyone using a network sniffer can easily identify SSIDs, still many IT audits request this precaution to be in place. Security by obscurity is not necessarily a good strategy.
12. No enterprise hosted SSIDs should contain a reference to the organization.
Requiring the organization not be identified in the guest network adds little security value and like disabling SSID broadcasts, only offers security by obscurity. Despite this fact, many bank IT auditors tend to include it in their audit plan.
Please share any and all comments, criticisms, additions and corrections!