With wireless connectivity becoming ubiquitous, attacks that make use of poorly configured wireless equipment have increased. Securing the wireless infrastructure is therefore an important element of securing enterprise data. Most device manufacturers now adopt a secure out-of-the-box posture, so a majority of new devices ship with essential security features in place. Even so, it is not uncommon to find wireless access points, routers, and gateways still configured with their default network name (SSID) and with the default credentials (username and password) for the administrative console of the wireless LAN controller.
This blog serves as a guide to configuring secure wireless networks and is divided into two main sections:
- Securing the perimeter of the Wireless LAN infrastructure: vis-à-vis CIS Boundary Defense – CSC 12
- Securing the configuration and access of the Wireless LAN controllers: vis-à-vis CIS Wireless Access Control – CSC 15
The blog also includes, in its later part, a summary of the protections against the KRACK vulnerability.
Securing the Perimeter of the Wireless LAN Infrastructure (CSC 12)
1. Wireless infrastructure monitoring
One common method attackers use to compromise a wireless infrastructure is to set up a “Rogue Access Point” or “Ad-Hoc Network” and force users to join the access point or network they control. To prevent this, the wireless infrastructure must be monitored so that rogue access points set up by an attacker are detected.
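The detection logic behind such monitoring, as an added example that is not part of the original post: every BSSID seen in a scan is compared with an authorized inventory, and unknown BSSIDs advertising a corporate SSID, ad-hoc networks, and authorized APs whose advertised security no longer matches the inventory are reported. The inventory, the scan results and the `ScanResult` fields are constructed for this example; a real deployment would feed it from a WIPS sensor or a scheduled scan.

```python
"""Rogue access point detection against an authorized inventory (added example)."""
from dataclasses import dataclass

# Constructed authorized inventory: BSSID -> (SSID, security mode) as recorded by IT.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", "WPA2-EAP"),
    "00:11:22:33:44:02": ("CorpWiFi", "WPA2-EAP"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA2-PSK"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}


@dataclass
class ScanResult:
    """One beacon seen by a sensor (constructed schema for this example)."""
    bssid: str
    ssid: str
    security: str   # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"
    mode: str       # "infrastructure" or "adhoc"


def classify(scan: ScanResult):
    """Return (verdict, reason) for a single scan entry."""
    bssid = scan.bssid.lower()
    known = AUTHORIZED_APS.get(bssid)
    if known:
        exp_ssid, exp_sec = known
        if scan.ssid != exp_ssid or scan.security != exp_sec:
            # An authorized radio advertising the wrong SSID or weaker security
            # is a misconfiguration (or a compromised AP), not a neighbour.
            return ("misconfigured",
                    f"authorized BSSID advertises {scan.ssid}/{scan.security}, "
                    f"inventory says {exp_ssid}/{exp_sec}")
        return ("authorized", "matches inventory")
    if scan.mode == "adhoc":
        return ("adhoc", "ad-hoc network observed on premises")
    if scan.ssid in CORPORATE_SSIDS:
        # Unknown hardware using our network name: classic evil twin.
        return ("evil-twin", f"unknown BSSID advertising corporate SSID {scan.ssid!r}")
    return ("neighbor", "unknown SSID; likely a neighbouring network, review if signal is strong")


def detect_rogues(scans):
    """Return [(bssid, verdict, reason)] for every entry that needs attention."""
    findings = []
    for scan in scans:
        verdict, reason = classify(scan)
        if verdict not in ("authorized", "neighbor"):
            findings.append((scan.bssid.lower(), verdict, reason))
    return findings


# Constructed scan output, as a sensor might report it.
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:01", "CorpWiFi", "WPA2-EAP", "infrastructure"),
    ScanResult("00:11:22:33:44:03", "CorpGuest", "WPA2-PSK", "infrastructure"),
    ScanResult("DE:AD:BE:EF:00:01", "CorpWiFi", "OPEN", "infrastructure"),      # evil twin
    ScanResult("de:ad:be:ef:00:02", "FreeWiFi", "OPEN", "adhoc"),               # ad-hoc network
    ScanResult("00:11:22:33:44:02", "CorpWiFi", "WPA2-PSK", "infrastructure"),  # downgraded authorized AP
    ScanResult("66:77:88:99:aa:bb", "CoffeeShop", "WPA2-PSK", "infrastructure"),
]

if __name__ == "__main__":
    for bssid, verdict, reason in detect_rogues(SAMPLE_SCAN):
        print(f"{bssid}  {verdict:<14} {reason}")
```

The "neighbor" verdict is deliberately not an alert: neighbouring SSIDs are normal, and alerting on all of them buries the evil-twin and ad-hoc findings that actually matter. Signal strength or sensor location can be added to escalate a neighbour that is suspiciously strong inside the building.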
2. Wireless infrastructure security assessment
It is critical to perform security assessments of the wireless infrastructure to identify vulnerabilities, if any, and fix them. Performing this activity regularly ensures that security issues are identified and closed on an ongoing basis.
3. BYOD policy
On many occasions, individuals associated with the organization, or client, vendor or other third-party individuals visiting the organization’s premises, bring their own devices such as mobile phones, laptops and tablets. The organization has no control over these devices. An appropriate “Bring Your Own Device (BYOD)” policy is therefore necessary in order to implement security measures that protect the wireless infrastructure.
4. Network devices
The wireless infrastructure should include a firewall and a Wireless Intrusion Prevention System (WIPS) to make perimeter security more robust and introduce defense in depth. Appropriate rules should be configured on the firewall to control inbound and outbound traffic, and network access to the wireless controller should be restricted with the help of the firewall. A WIPS helps protect the network from attack by blocking unwanted traffic and allowing only the required traffic to pass through.
5. Centralized monitoring
All inbound and outbound traffic should be monitored with the help of a SIEM tool to detect malicious activity from arbitrary sources. If malicious activity is detected, the source IP should be blacklisted to prevent further attacks from the same source.
All critical events should be logged to a centralized log server. This is useful when performing root cause analysis after an incident.
Securing the Configuration and Access of Wireless LAN Controllers (CSC 15)
A checklist has been created to serve as a guide for configuring your Wi-Fi equipment and infrastructure with the essential set of security controls. Depending on the equipment or the network, there may be additional controls that could be set up and configured; these are out of scope of this checklist. The section below provides high-level pointers for configuring the wireless LAN controller.
1. Choose strong authentication and encryption methods - WPA2 EAP-TLS or EAP-PEAP
The exact authentication methods a wireless network can support depend on the make and model of the access point and wireless cards. Every router offers the WPA2-Enterprise authentication mechanism. The following are the things to look for:
- Ensure that the router offers WPA2 (Personal/Enterprise) exclusively. If the only option is a combination of WPA and WPA2 (mixed mode), it is not as secure as WPA2 only.
- Generally, for SOHO (Small Office/Home Office) setups, the authentication mechanism used is WPA2-Personal. This method is not recommended for bigger organizations and corporates, since the number of users is much larger and authorization is done with the help of a pre-shared key (passphrase).
- In contrast, the authentication mechanism suited to large organizations/corporates is WPA2-Enterprise, which offers methods such as:
  - WPA2-PEAP
  - WPA2-EAP-TLS
- The advantage of the WPA2-Enterprise model is that it can be integrated with Active Directory (AD), so that AD credentials are used to authenticate to the wireless infrastructure.
2. Use AES-CCMP for encryption. Do not use TKIP
Along with the WPA2 protocol, use the AES-based CCMP encryption algorithm. Do not use TKIP, as it is an insecure encryption algorithm. Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) are two different types of encryption: TKIP is a lower-end, older encryption protocol (WEP2), whereas AES (WPA2/802.11i) is a stronger and commonly used encryption protocol.
3. Use complex passwords (for WPA2/ Personal & WPA2 Enterprise - PEAP)
Commonly used or weak passwords can be easily recovered by dictionary-based password cracking tools. It is always recommended to use a complex passphrase that combines lowercase letters, uppercase letters, special characters and numbers. Use longer passwords for better resilience to various attacks.
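A passphrase policy check that applies the guidance above, as an added example that is not part of the original post. It enforces the WPA2-PSK format itself (8 to 63 printable ASCII characters, as the standard requires), a minimum length and character-class mix chosen for this example, a lookup against a common-password list, and a rough entropy estimate. The `COMMON_PASSPHRASES` set is a tiny constructed stand-in for the wordlists cracking tools actually use, and the 14-character and 60-bit thresholds are policy choices, not values from the post.

```python
"""WPA2 passphrase policy check (added example)."""
import math
import string

# Constructed stand-in for a real cracking wordlist; load a full list in practice.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyui", "letmein1", "wifipassword"}
MIN_LENGTH = 14          # policy choice for this example (WPA2-PSK itself allows 8-63)
MIN_CLASSES = 3          # of lowercase, uppercase, digit, symbol
MIN_ENTROPY_BITS = 60.0  # policy choice for this example
CLASS_SIZES = (26, 26, 10, len(string.punctuation))


def character_classes(pw):
    """Presence flags for (lowercase, uppercase, digit, symbol)."""
    return (any(c.islower() for c in pw),
            any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw),
            any(c in string.punctuation for c in pw))


def estimated_entropy_bits(pw):
    """Crude upper bound: length * log2(size of the character set actually used).
    A dictionary word scores far lower in reality, which is why the wordlist
    check below is applied as well."""
    size = sum(n for used, n in zip(character_classes(pw), CLASS_SIZES) if used)
    return len(pw) * math.log2(size) if size else 0.0


def check_passphrase(pw):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not (8 <= len(pw) <= 63) or not all(32 <= ord(c) <= 126 for c in pw):
        problems.append("not a valid WPA2-PSK passphrase (8-63 printable ASCII characters)")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than policy minimum of {MIN_LENGTH}")
    if pw.lower() in COMMON_PASSPHRASES:
        problems.append("found in common-password list")
    if sum(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "Xq7#rLm2!pWz9vBn"):
        print(f"{candidate!r}: {check_passphrase(candidate) or 'OK'}")
```

The format check comes first because a passphrase that the router will reject or silently truncate is a worse outcome than a weak one that at least gets applied. The entropy estimate is intentionally described as crude: it only tells you that a short passphrase cannot be strong, never that a long one is.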
4. Update the wireless router access point with latest firmware and security patches
As with other IT systems, patching routers must be a scheduled and controlled activity. Track and update router firmware on a regular basis. Ensure that the firmware is downloaded from the manufacturer’s recommended official sources. Prior to patching, ensure that backups of the current firmware and router configuration are available for rollback. It is recommended that organizations upgrade networking equipment when manufacturer support for the device ceases; outdated equipment is often an attractive target due to the presence of known vulnerabilities.
5. Disable unnecessary services on the wireless router / access point
Many routers come out of the box with a list of services enabled that are considered appropriate for the vast majority of networks. Some of these services may not be needed and must be disabled. Disabling unnecessary services may prevent security exploits and the risks associated with them.
6. Enable MAC address filtering
The MAC address filtering feature can be used to whitelist the devices that are allowed to connect, based on their hardware (MAC) address, which is unique to each device.
MAC address filtering is recommended only if the organization has implemented automated network registration using a centralized server. Otherwise, manual registration of MAC addresses is not a feasible method.
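An allow-list check of the kind a centralized registration server would back, as an added example that is not part of the original post. Two practical points are built in: addresses arrive in several notations (colon, hyphen and Cisco dotted forms) and must be normalized before comparison, and an unregistered address with the locally-administered bit set (bit 1 of the first octet, a fact of the IEEE address format) is most likely a randomized MAC from a modern phone or laptop, which is worth reporting separately because it explains why manual registration does not scale. The registration database and the association attempts are constructed.

```python
"""MAC allow-list check with address normalization (added example)."""
import re

_LEGAL_CHARS = re.compile(r"[^0-9a-fA-F:\-.]")
_HEX_ONLY = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    the lower-case colon form; raise ValueError for anything else."""
    hexdigits = _HEX_ONLY.sub("", raw)
    if _LEGAL_CHARS.search(raw) or len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: a software-assigned (often
    randomized) address rather than a burned-in one."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


# Constructed export from a central registration server, in mixed notations.
REGISTERED = {
    normalize_mac(mac): owner
    for mac, owner in {
        "00:1A:2B:3C:4D:5E": "laptop-0042",
        "00-1a-2b-3c-4d-5f": "printer-floor2",
        "001a.2b3c.4d60": "scanner-lab",
    }.items()
}


def check_association(mac):
    """Return (decision, reason) for a device attempting to associate."""
    try:
        norm = normalize_mac(mac)
    except ValueError as exc:
        return ("deny", str(exc))
    if norm in REGISTERED:
        return ("allow", f"registered to {REGISTERED[norm]}")
    if is_locally_administered(norm):
        # Randomized MACs change per network or per day; the fix is registration
        # through the central server (or disabling randomization for this SSID).
        return ("deny", "unregistered, locally administered address (likely randomized MAC)")
    return ("deny", "unregistered hardware address")


if __name__ == "__main__":
    # Constructed association attempts.
    for attempt in ("00:1a:2b:3c:4d:5e", "001A-2B3C-4D5F", "d2:11:22:33:44:55",
                    "00:11:22:33:44:55", "not-a-mac"):
        print(f"{attempt:<20} {check_association(attempt)}")
```

MAC filtering remains a weak control on its own, since a hardware address is transmitted in the clear and can be copied; the check above is a hygiene measure that complements WPA2-Enterprise authentication rather than replacing it.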
7. Enable logging on the wireless router and collect logs centrally
Important event logs on the wireless devices should be enabled and collected on a centralized log server. Keeping logs on a centralized server keeps them safe if the wireless device is compromised and makes them easier to manage. Further, triggering actions can be configured to notify network and security administrators of any relevant incident; without logging, malicious activity may go unnoticed. Logging will also help in forensic investigations after an adverse incident.
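The "triggering actions" mentioned here, and the SIEM-driven IP blacklisting described under centralized monitoring in the perimeter section, both come down to the same detection logic: count security-relevant events per source within a time window and raise an alert when a threshold is crossed. The following is an added example that is not part of the original post; it runs over constructed syslog lines from a wireless LAN controller and a firewall. The line format and the two regular expressions are assumptions for this example, since real formats differ by vendor, and the thresholds and window are policy choices.

```python
"""Threshold alerting over centrally collected syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of lines as a central log server might receive them.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z wlc01 auth: admin login failed user=admin src=203.0.113.9
2024-03-01T10:00:03Z wlc01 auth: admin login failed user=root src=203.0.113.9
2024-03-01T10:00:04Z fw01 deny tcp src=198.51.100.7 dst=10.0.0.5 dport=22
2024-03-01T10:00:05Z wlc01 auth: admin login failed user=admin src=203.0.113.9
2024-03-01T10:00:12Z wlc01 auth: admin login failed user=admin src=203.0.113.9
2024-03-01T10:00:09Z wlc01 auth: admin login failed user=cisco src=203.0.113.9
2024-03-01T10:00:13Z wlc01 auth: admin login ok user=netadmin src=10.0.0.20
2024-03-01T10:03:00Z wlc01 auth: admin login failed user=admin src=10.0.0.21
2024-03-01T10:00:20Z fw01 deny tcp src=198.51.100.7 dst=10.0.0.5 dport=23
2024-03-01T10:00:21Z fw01 deny tcp src=198.51.100.7 dst=10.0.0.5 dport=80
2024-03-01T10:00:22Z fw01 deny tcp src=198.51.100.7 dst=10.0.0.5 dport=443
2024-03-01T10:00:23Z fw01 deny tcp src=198.51.100.7 dst=10.0.0.5 dport=8080
"""

# Assumed line layout: "<ISO timestamp> <host> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
PATTERNS = {
    "admin_login_failed": re.compile(r"admin login failed .*src=(?P<src>\S+)"),
    "firewall_deny": re.compile(r"\bdeny \S+ src=(?P<src>\S+)"),
}
THRESHOLDS = {"admin_login_failed": 5, "firewall_deny": 4}  # policy choices
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Return (timestamp, event_type, source_ip) or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    for event, pattern in PATTERNS.items():
        pm = pattern.search(m["msg"])
        if pm:
            return (ts, event, pm["src"])
    return None


def find_alerts(text):
    """Sliding-window detection: one alert per (event, source) whose threshold
    number of events all fall inside WINDOW. Lines may arrive out of order, so
    timestamps are sorted per source before the window is applied."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, event, src = parsed
            events[(event, src)].append(ts)
    alerts = []
    for (event, src), times in events.items():
        times.sort()
        n = THRESHOLDS[event]
        for i in range(len(times) - n + 1):
            if times[i + n - 1] - times[i] <= WINDOW:
                alerts.append({"event": event, "src": src, "count": n,
                               "first": times[i], "last": times[i + n - 1]})
                break
    return alerts


def blocklist_candidates(alerts):
    """Sources to propose for blacklisting on the firewall (sorted, de-duplicated)."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a['event']} from {a['src']}: {a['count']} events "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print("blocklist candidates:", blocklist_candidates(found))
```

The single failed login from 10.0.0.21 and the successful login from 10.0.0.20 never reach the threshold and produce no alert, which is the point of windowed counting: it separates an administrator's typo from a brute-force attempt. Blacklisting candidates are returned for review rather than applied automatically, since an internal address or a NAT gateway shared by many users can show up here too.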
8. Consider enabling built-in firewall feature on the wireless router
Many wireless routers have a built-in firewall feature. It is recommended to enable it for an additional level of packet-filtering protection.
9. Disable management web interface access from internet
Most wireless routers offer a “remote access” feature that allows access to the router’s configuration web interface from the internet. This feature should be restricted to the internal network or interface only.
10. Disable UPnP
Universal Plug and Play (UPnP) can be used to open ports on the router without the administrator knowing or being informed. It was designed to be used internally on a LAN, where it allows devices to open a specific port on a firewall. It was never meant to be used on the internet, but routers exposed to the internet can mistakenly enable it over the internet.
UPnP doesn’t require any authentication, hence rogue applications can abuse it by requesting that the router forward a port over UPnP.
11. Disable WPS feature
Wi-Fi Protected Setup (WPS) is a feature by which devices can be easily paired by anyone with physical access to the router, by pressing the WPS button, without knowing the credentials. It is recommended to disable this feature.
12. Disable WAN ping
Disable the ‘WAN ping’ feature to hide the device’s public presence on the internet. If WAN ping is enabled, attackers scanning ranges of IP addresses over the internet may spot the device and target it.
13. Disable bridging and use NAT (Network Address Translation)
The NAT feature can be used to present a single IP address for the entire internal network to the outside world, hiding all the internal machines and devices behind it. This also saves the public IP addresses the organization would otherwise need to place machines on the internet.
14. Change the default administrative login / passwords
All the Wi-Fi access points and routers available on the market come preconfigured with a default username and password, e.g., admin/admin. These default credentials can easily fall prey to attacks, and lists of them can be found at www.routerpasswords.com. It is crucial to change the default administrative login and password.
15. Change the factory default ESSID
The service set identifier (SSID) is the identifier broadcast by the Wi-Fi router to potential users to help them identify the network. Publishing a default SSID makes it easier for others to identify the router type. It is advisable to change the default setting; if it is not changed, the access point or router is easier to compromise.
16. Disable DMZ (demilitarized zone), if not required
A DMZ is a sub-network that sits behind the router’s firewall feature but is also accessible to the public. A misconfigured DMZ feature may expose internal machines to the outside world, hence it is recommended to disable this feature if it is not in use.
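The settings-level items of this checklist (1, 2, 7 and 9 through 16) can be turned into an automated audit that is run against every exported configuration before a device goes live and again after each firmware update. The following is an added example that is not part of the original post: a weak configuration is shown beside its hardened counterpart, and the `audit` function reports which checklist item each deviation violates. The configuration keys form a vendor-neutral schema assumed for this example (real exports use vendor-specific names, so map them onto this schema first); the default-credential pairs and default-SSID prefixes are illustrative constructed lists, not an exhaustive database.

```python
"""Configuration audit against the wireless LAN checklist (added example)."""

# Constructed, illustrative lists; extend from a real default-credential database.
DEFAULT_ADMIN_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "tp-link", "default")

# Constructed export of a device still on factory settings (vendor-neutral schema).
WEAK_CONFIG = {
    "wpa_mode": "WPA/WPA2",        # mixed mode, allows WPA clients
    "ciphers": ["TKIP", "CCMP"],   # TKIP still negotiable
    "wps_enabled": True,
    "upnp_enabled": True,
    "remote_management": "wan",    # web UI reachable from the internet
    "wan_ping_respond": True,
    "dmz_host": "192.168.1.50",
    "nat_enabled": False,          # bridging instead of NAT
    "admin_user": "admin",
    "admin_password": "admin",
    "ssid": "NETGEAR42",
    "syslog_server": None,
}

# The same device after applying the checklist.
HARDENED_CONFIG = {
    "wpa_mode": "WPA2",
    "ciphers": ["CCMP"],
    "wps_enabled": False,
    "upnp_enabled": False,
    "remote_management": "lan",
    "wan_ping_respond": False,
    "dmz_host": None,
    "nat_enabled": True,
    "admin_user": "netops",
    "admin_password": "<set from password manager>",  # placeholder, not a real value
    "ssid": "corp-floor3",
    "syslog_server": "10.0.0.10",
}


def audit(cfg):
    """Return sorted (checklist_item, finding) pairs; an empty list means every check passed."""
    findings = []
    if cfg.get("wpa_mode") != "WPA2":
        findings.append((1, f"WPA mode is {cfg.get('wpa_mode')!r}; require WPA2 only"))
    ciphers = set(cfg.get("ciphers", []))
    if "TKIP" in ciphers or "CCMP" not in ciphers:
        findings.append((2, f"ciphers {sorted(ciphers)}; require CCMP only"))
    if not cfg.get("syslog_server"):
        findings.append((7, "no central syslog server configured"))
    if cfg.get("remote_management") != "lan":
        findings.append((9, "management interface reachable from the internet"))
    if cfg.get("upnp_enabled"):
        findings.append((10, "UPnP enabled"))
    if cfg.get("wps_enabled"):
        findings.append((11, "WPS enabled"))
    if cfg.get("wan_ping_respond"):
        findings.append((12, "device answers WAN ping"))
    if not cfg.get("nat_enabled"):
        findings.append((13, "NAT disabled (bridging)"))
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_ADMIN_CREDENTIALS:
        findings.append((14, "default administrative credentials in use"))
    if (cfg.get("ssid") or "").lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append((15, f"factory default SSID {cfg.get('ssid')!r}"))
    if cfg.get("dmz_host"):
        findings.append((16, f"DMZ host {cfg['dmz_host']} configured"))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for item, text in result:
            print(f"  item {item:>2}: {text}")
```

Items 3 (passphrase quality), 4 (firmware currency) and 17 (signal strength) are deliberately absent: they need data that a configuration export does not carry (a cracking wordlist, the vendor's release feed, a site survey), so they belong in separate checks rather than a false "pass" here.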
17. Limit the strength of the wireless signal to control its range for designated area only
An attacker can gather information about wireless access points by war driving, and this information can be used for future attacks against them. Wi-Fi networks with excessive signal strength can reach beyond the required perimeter and fall prey to attacks like war driving, in which attackers scan for wireless signals while driving in moving vehicles using portable computers or devices like smartphones. Limiting the signal strength therefore prevents an attacker from reaching the Wi-Fi network from outside the perimeter.
KRACK (Key Reinstallation Attack) is a recently disclosed vulnerability in the wireless network protocol. An attacker cannot steal Wi-Fi passwords with this attack; instead it lets them recover the key material (a shared secret) that is used to encrypt blocks of data. Information transferred between the wireless router and a connected device may be snooped upon and modified using this attack.
It exploits a weakness in the Wi-Fi standard itself, not in vendor implementations. Hence even correct implementations of WPA2 may be vulnerable to this attack. To perform the attack, an attacker needs to be within range of the Wi-Fi signal.
The following precautions are recommended:
- Keep device firmware up to date and always check for updates
- Use a wired connection if a patch against this attack is not available for the wireless access point or router you are using
- Enforce AES-CCMP encryption on the router
- Use Virtual Private Network (VPN) feature to shield network traffic
- Always visit sites which are implemented over SSL/TLS
- Avoid non-trusted Wi-Fi networks