Plenty of articles and books are available that explain how to create a secure wireless network. But there isn’t a lot of information available on how to secure your network from wireless devices. Let’s look at 10 things you can do to protect your key corporate network assets from both managed and unmanaged wireless devices.
#1: Place anonymous access WAPs on perimeter networks
An anonymous access WAP (wireless access point) is one that users can connect to without user or computer authentication. Many companies provide anonymous access WAPs as a convenience to customers and consultants. Although anonymous access WAPs are a great convenience to your customers, they can create a significant security threat to the corporate network because hosts connecting to them are not managed clients, and there’s a chance that these hosts are compromised by worms, viruses, and Trojans.
The solution is to deploy the anonymous access WAP on a perimeter network segment that does not have access to the corporate network. This lets you provide Internet access to your guest users without the administrative overhead of assigning them WEP or WPA keys, while walling off the corporate network from these unmanaged clients. For example, you can create a wireless DMZ on a multihomed ISA firewall as discussed in the article “Grant Internet access while securing your network using a wireless DMZ.”
(Note: You’ll need a TechProGuild subscription to access this content.)
#2: Require VPN connections for links between anonymous access WAPs and corporate network segments
Corporate network WAPs do not allow anonymous connections. You will require user or computer authentication for a highly secure corporate wireless deployment. For example, we use EAP user and computer certificate authentication when deploying corporate wireless networks. Certificate authentication means that only managed machines and users can connect to the corporate network via the corporate WAP.
However, the convenience provided by the anonymous access WAP to guests can also be useful for employees, such as executives who bring in unmanaged, personal laptops from home. These machines aren’t provisioned to use the corporate WAPs, so they have to use the anonymous access WAP. You can provide these users access from the anonymous access wireless DMZ segment by having them use VPN connections to the corporate network. The VPN link secures the connection and prevents intruders from intercepting the communications with resources on the corporate network. For details on this configuration, check out the TechProGuild article “Allowing VPN access to your network from a wireless DMZ.”
#3: Force client health checking for all hosts connecting from anonymous access WAP segments
VPN client connections from hosts on the anonymous access wireless DMZ segment provide a quick and dirty way to allow authorized users access to corporate resources from the untrusted network segment. Although this solves the immediate problem of allowing authorized users “just in time” access to corporate resources from an unmanaged client, it exposes us to problems related to the unmanaged client computer itself. The unmanaged client has a high probability of harboring viruses, worms, and Trojans that can put the corporate production network at risk.
One way to handle this problem is to use a VPN client hygiene solution, which will analyze the software environment on the VPN client and compare it with your corporate security requirements. A number of VPN server solutions provide this capability, including ISA Server 2004’s VPN Quarantine controls. Most VPN client hygiene solutions also enable you to provide remediation services so that VPN clients that do not meet corporate security requirements can automatically update themselves to a state where they meet those requirements.
#4: Limit anonymous access perimeter segments to unencrypted protocols
Although you want to provide guest users with the convenience of an anonymous access wireless segment, you don’t want hosts on that segment to use your Internet connection to download dangerous software or launch attacks against other networks over the Internet. Unmanaged clients combined with unfettered Internet access can be a recipe for disaster.
For this reason, you should configure your firewalls to allow hosts on the anonymous access wireless segment access only to unencrypted protocols so that your stateful packet and application layer inspection firewalls can inspect and block suspect and dangerous communications. Communications moving over network layer VPN connections (L2TP/IPSec, PPTP, IPSec tunnel mode) and over SSL sessions can’t be analyzed at the application layer. If the application layer firewall can’t inspect the communication, it can’t block virus, worm, and Trojan attacks and can’t record user activity for future forensic reporting.
#5: Enforce strong bandwidth control on anonymous access WAP segments
Anonymous connections to any network, whether wired or wireless, from unmanaged machines are a setup for bandwidth abuse. You likely have strong network use policies that corporate network users adhere to, which throttle employee bandwidth abuse, but these same constraints don’t exist for users on your anonymous access wireless segment.
Make sure you have deployed either hardware or software solutions that place a hard limit on the share of Internet bandwidth available to anonymous wireless users and enforce bandwidth quotas on them. Failure to do so could lead to employees being unable to access resources required to get their work done and could even add to your monthly bandwidth charges.
#6: Require certificate authentication for WAPs connected to corporate network segments
You want to make sure that anonymous users can’t connect to corporate WAPs. This means you need to require machine and/or user authentication before allowing users to connect to the corporate network. All corporate-level WAPs support authenticated access before allowing connections to the corporate network.
For many networks, machine certificate authentication will be considered secure enough. For high security networks, consider using solutions that require both machine certificates and user certificates (either “soft” certificates or smartcards) before allowing access to the corporate network. This ensures that only managed devices are allowed to connect to corporate resources through the corporate WLAN.
#7: Enlist “secret agents” to find rogue WAPs
Rogue WAPs are a constant threat to the corporate network. This problem is probably not as widespread as it was when companies didn’t maintain strong network use policies, but rogue WAPs still represent a major security issue that allows anonymous wireless client systems access to resources on corporate network segments.
Many commercial grade WAPs include a feature that will detect rogue WAPs and try to shut them down. However, the technology is not foolproof and doesn’t help you when there are areas in the company where there is wired access but no wireless access. One way you can get around this problem is with the help of secret agents. Hand out small WAP detectors to the mail staff and users in each department and pay them a bounty for each rogue WAP they find. You’ll be amazed how many rogue WAPs you find once you properly “incentive-ize” key employees.
#8: Use IPSec-based domain isolation to protect domain members
No matter what you do, there is always a chance that an employee or even a malicious intruder will connect a WAP to the corporate network, which can be used to compromise network servers. You can protect yourself from this by carrying out a good defense-in-depth strategy: Harden your servers, fine-tune permissions for all network servers and services, and use perimeter firewalls to wall off security zones from one another.
One exceptionally effective method you can use to secure your network from unauthorized wireless users is IPSec-based domain isolation. IPSec domain isolation is a technique that isolates domain servers or all domain member computers from untrusted machines. IPSec domain isolation is one of the most effective methods available for Windows networks today to protect your critical servers from not only rogue wireless clients but from all untrusted computers on the corporate network.
You can get more information on IPSec-based domain isolation from the TechNet article “Server and Domain Isolation Using IPSec and Group Policy.”
#9: Block Internet access for wireless devices from corporate network segments
Unfortunately, it’s difficult to manage all the wireless devices users want to bring into the corporate network. Pocket PCs, Smart Phones, and other wireless-enabled handheld devices are often used to connect to the Internet. In fact, it’s the desire to use these devices that leads many users to set up rogue WAPs. Handheld devices can be used to connect to the Internet and download dangerous software, worms, viruses, and Trojans to the corporate network. They can even take part in malicious actions aimed against other networks over the Internet.
You can use your firewall’s application layer access controls to block these devices from connecting to the Internet. For example, you can configure the ISA firewall to require user authentication before enabling outbound access from the corporate network to the Internet. For Web protocols, you can configure an application layer inspection firewall to block the user-agent headers sent by handheld devices or force integrated authentication with the firewall before allowing outbound access. Since handheld devices cannot be domain members, any attempt to connect to the Internet will be blocked.
#10: Prevent VPN connections from wireless handheld devices
You want to block both anonymous and corporate wireless clients from using encrypted protocols through your corporate firewall. Encrypted communications can’t be inspected at the application layer by your stateful packet and application layer inspection firewall, and thus the VPN link can be used to import all forms of network exploits from Internet servers to your network. Many wireless handheld devices can be configured to establish VPN connections to untrusted servers. You can stop this by configuring your firewall to allow outbound VPN connections only from highly trusted users and machines.
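Tips #4 and #10 both come down to one firewall policy for the anonymous access segment: guests reach the Internet only over protocols the application layer firewall can inspect, never over SSL or VPN protocols, and never directly into corporate segments. The following script is an added example (not from the article or any ISA Server feature) that audits constructed firewall flow records against that policy; the address ranges, the key=value log format, and the port-to-protocol mapping are assumptions for the example.

```python
import ipaddress
import re

# Constructed address ranges for the example (not from the article).
GUEST_NET = ipaddress.ip_network("192.168.100.0/24")  # anonymous access wireless DMZ
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # corporate network segments

# Protocols the application layer firewall can inspect, so guests may use them.
INSPECTABLE = {("tcp", 80): "HTTP", ("udp", 53): "DNS", ("tcp", 21): "FTP"}
# Encrypted or tunnelled protocols that the firewall cannot inspect (tips #4 and #10).
OPAQUE = {
    ("tcp", 443): "SSL",
    ("tcp", 1723): "PPTP control",
    ("gre", None): "PPTP tunnel (GRE)",
    ("udp", 1701): "L2TP",
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("esp", None): "IPsec ESP",
}

# Assumed log format: "src=A dst=B proto=P [dport=N]".
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?")

def verdict(src, dst, proto, dport):
    """Return the policy verdict for one flow observed on the firewall."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in GUEST_NET:
        return "ignore:not-guest"           # only guest-segment flows are audited here
    if any(dst_ip in net for net in CORP_NETS):
        return "deny:corporate-segment"     # guests never reach corporate hosts directly
    key = (proto, dport if proto in ("tcp", "udp") else None)
    if key in OPAQUE:
        return "deny:uninspectable:" + OPAQUE[key]
    if key in INSPECTABLE:
        return "allow:" + INSPECTABLE[key]
    return "deny:default"                   # anything not explicitly inspectable is denied

def audit(log_lines):
    """Parse flow lines and return (line, verdict) pairs for every parsable record."""
    results = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue                        # skip records in an unexpected format
        src, dst, proto, dport = m.groups()
        results.append((line, verdict(src, dst, proto, int(dport) if dport else None)))
    return results

# Constructed sample flow records: HTTP, SSL, a PPTP session, a corporate target, a non-guest flow.
SAMPLE_LOG = [
    "src=192.168.100.23 dst=203.0.113.10 proto=tcp dport=80",
    "src=192.168.100.23 dst=203.0.113.10 proto=tcp dport=443",
    "src=192.168.100.40 dst=198.51.100.7 proto=tcp dport=1723",
    "src=192.168.100.40 dst=198.51.100.7 proto=gre",
    "src=192.168.100.51 dst=10.1.2.3 proto=tcp dport=445",
    "src=10.1.5.9 dst=203.0.113.10 proto=tcp dport=443",
]
```

Running `audit(SAMPLE_LOG)` flags the SSL, PPTP and corporate-segment flows as policy violations while leaving the plain HTTP flow allowed.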