Best practices for AP placement


Lisa Phifer
12.03.2006

Offer your customers informed network topology and physical positioning recommendations for access point deployment, and learn to configure incoming and outgoing policies to meet business needs. This tip was originally part of the Wireless Security Lunchtime Learning series on SearchSecurity.com.

Many installers make the mistake of treating 802.11 WLANs just like Ethernet, placing access points (APs) in locations that facilitate outsider access to corporate networks. But, from a security perspective, WLANs should be treated like the Internet -- a network composed of trusted and untrusted users. This tip offers network topology and physical positioning recommendations for safer AP deployment.

Position matters

APs with factory-default omni antennas cover an area that's roughly circular, impacted by RF obstacles like walls. It is therefore common to place APs in central locations, or divide an office into quadrants, deploying one AP per cell.

This approach is straightforward, but it may not optimize cost, performance or security. Desired coverage areas are rarely circular. To fill the resulting gaps, you may end up purchasing more APs than your customer really needs and "leaking" quite a bit of signal beyond the premises. Site modeling and/or directional antennas can help avoid this.

Physical placement, and associated steps like transmit power adjustment, can make it harder for intruders to stay connected to your customer's APs. But you should never count on physical placement alone to stop attackers.

Physical or logical LAN segmentation

Next, prevent wireless LAN traffic from mixing with "other" LAN traffic. Stations connected to your Ethernet LAN form a trusted workgroup. They exchange broadcast/multicast traffic and depend on shared resources like Layer 2 hubs or switches, DHCP servers, DNS servers, and Layer 3 switches or routers. Toss untrusted devices onto that LAN and you're putting everyone at risk. Bad actors can cause broadcast storms, poison ARP caches, chew up IP address pools, etc. This risk can be reduced by physically or logically segregating the APs.

Note that segmenting LANs can impact both security and performance. For example, Quality of Service measures can be applied to physical or virtual LANs to give employee traffic priority over guests.

Creating network barriers

At some point, WLAN traffic will encounter a network layer device, where it may be forwarded to the public Internet or other internal subnets. This is where many employee-installed APs wreak havoc. Connecting an untrusted device to a trusted subnet creates an unsecured "back door." Security measures enforced at the trusted subnet's "front door" -- firewall rules, VPN tunnels, network antivirus -- are circumvented by stations connected to misplaced APs.

For this reason, wireless APs should always be separated from trusted subnets using some type of network layer policy enforcement device, like:

For example, your customer's APs could be connected directly to an access router, configured to relay wireless traffic towards the Internet and not their company's network. Or the APs could be connected to a VPN gateway that authenticates VPN clients and blocks all other traffic. Or the APs might be placed on a firewall DMZ, allowing wireless access to a few DMZ-protected servers, but preventing passage through the firewall into trusted networks.

When creating a network barrier, consider the functions that device must perform. To enforce security policies, you may need access controls (based on MAC, VLAN, IP, port or application traffic inspection), station or user authentication, VPN tunneling (with or without subnet roaming), session accounting, virus scanning, content filtering, intrusion detection/prevention and bandwidth limits. A general-purpose firewall can do much of this, but a wireless gateway or Layer 3 switch may fill this role AND provide 802.11-specific functions like AP discovery, provisioning and RF management. Different barriers may be appropriate for different users -- for example, a Web-based access controller for guests and a VPN gateway for employees.

Finally, no matter which device you choose, configure incoming and outgoing policies to meet business needs and deny everything else. For example, there's probably no reason that SNMP requests, routing messages or DNS zone updates should originate from your customer's WLAN. Granular policies may require more effort to maintain, but can reduce the risk of core network compromise by wireless-borne attacks.
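As an added illustration of the "allow what the business needs, deny everything else" barrier policy described above (example code written for this page, not part of the original tip or any vendor's product), the following first-match evaluator models a WLAN egress ruleset. The address plan (a 172.16.50.0/24 wireless segment, a 192.0.2.0/24 DMZ with a resolver, 10.0.0.0/8 as the trusted wired space) and the sample flows are constructed assumptions; the mapping of "DNS zone updates" to TCP/53 is likewise an assumption for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption, not from the article):
WLAN = ip_network("172.16.50.0/24")    # segment the APs sit on, behind the barrier
DMZ = ip_network("192.0.2.0/24")       # DMZ holding the resolver wireless users may reach
TRUSTED = ip_network("10.0.0.0/8")     # wired corporate subnets wireless must never enter
RESOLVER = ip_address("192.0.2.53")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or an IP protocol name such as "ospf"
    dport: int = 0    # 0 for protocols without ports

def _to_internet(f):
    """'Internet' here means any destination outside the three known segments."""
    return all(ip_address(f.dst) not in net for net in (WLAN, DMZ, TRUSTED))

# Egress policy for WLAN-sourced traffic: the first matching rule decides, and the
# last rule denies whatever the business case did not explicitly justify.
WLAN_EGRESS_POLICY = [
    ("deny-snmp",     lambda f: f.proto == "udp" and f.dport in (161, 162), "deny"),
    ("deny-routing",  lambda f: f.proto == "ospf" or (f.proto == "udp" and f.dport == 520), "deny"),
    ("deny-dns-xfer", lambda f: f.proto == "tcp" and f.dport == 53, "deny"),  # zone transfers/updates
    ("deny-trusted",  lambda f: ip_address(f.dst) in TRUSTED, "deny"),         # no path into wired LAN
    ("allow-dns",     lambda f: f.proto == "udp" and f.dport == 53 and ip_address(f.dst) == RESOLVER, "allow"),
    ("allow-web",     lambda f: f.proto == "tcp" and f.dport in (80, 443) and _to_internet(f), "allow"),
    ("default-deny",  lambda f: True, "deny"),
]

def evaluate(flow, policy=WLAN_EGRESS_POLICY):
    """Return (verdict, rule_name) for the first rule matching the flow."""
    if ip_address(flow.src) not in WLAN:
        return ("deny", "not-from-wlan")  # this policy only governs WLAN-sourced traffic
    for name, matches, verdict in policy:
        if matches(flow):
            return (verdict, name)
    raise AssertionError("policy must end with a catch-all rule")

# Constructed sample flows, as the barrier device would see them:
SAMPLE_FLOWS = [
    Flow("172.16.50.20", "203.0.113.10", "tcp", 443),  # web browsing          -> allow
    Flow("172.16.50.20", "192.0.2.53", "udp", 53),     # query to DMZ resolver -> allow
    Flow("172.16.50.20", "10.1.1.5", "tcp", 445),      # SMB into trusted LAN  -> deny
    Flow("172.16.50.20", "10.1.1.1", "udp", 161),      # SNMP poll of a switch -> deny
    Flow("172.16.50.20", "224.0.0.5", "ospf"),         # routing hello         -> deny
    Flow("172.16.50.20", "192.0.2.53", "tcp", 53),     # zone transfer attempt -> deny
]
```

Calling `evaluate()` on each entry of `SAMPLE_FLOWS` returns the verdict noted in its comment together with the rule name, which is the value worth logging so that denied WLAN traffic toward the trusted subnet can be audited rather than silently dropped.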

About the author
Lisa Phifer owns Core Competence, Inc., a consulting firm specializing in network security and management technology. Core Competence produces The Internet Security Conference (TISC), an annual symposium for network security professionals. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years.

This tip originally appeared on SearchSecurity.com.

