Module B 4.6 Wireless LAN (PDF)

Date post: 11-Sep-2021
Page 1: Module B 4.6 Wireless LAN (PDF)

Layer Network __________________________________________________________________________________________ B 4.6

B 4.6 Wireless LAN Description

Wireless LANs (WLANs) offer the ability to build a new wireless local network or to extend an existing wired network at low cost and with little effort. WLAN here refers to wireless networks based on the IEEE 802.11 family of standards specified by the Institute of Electrical and Electronics Engineers (IEEE).

Because they are simple to install, WLANs are also used for temporary networks, for example at trade fairs or small events. They can also provide network access in public spaces such as airports or train stations through hotspots, allowing mobile users to connect to the Internet or to their company network. Communication generally takes place between a central point of access, the access point, and the WLAN component of the mobile end device (e.g. a WLAN USB stick or a WLAN network card).

Most WLAN components currently on the market are based on the 802.11g amendment ratified by the IEEE in 2003, which defines a transmission rate of up to 54 Mbit/s. Some systems only support the IEEE 802.11b amendment and achieve rates of at most 11 Mbit/s. Both amendments operate in the unlicensed 2.4 GHz frequency band.

The security mechanisms are defined in the IEEE 802.11 standard and in the IEEE 802.11i amendment. The original 802.11 standard defines Wired Equivalent Privacy (WEP) as its security mechanism, but WEP can no longer be considered adequately secure because of several weaknesses. For this reason the Wi-Fi Alliance, an industry consortium of manufacturers, developed the Wi-Fi Protected Access (WPA) security mechanism. WPA introduced dynamic, per-packet keying through the Temporal Key Integrity Protocol (TKIP) while retaining a static master key, the pre-shared key, as an authentication option for installations without an authentication server. These mechanisms were largely incorporated into the official IEEE 802.11i amendment released in 2004. 802.11i (certified by the Wi-Fi Alliance as WPA2) uses the Advanced Encryption Standard (AES) for encryption instead of the RC4 stream cipher used by WEP and WPA. IEEE 802.11i defines the Counter Mode with CBC-MAC Protocol (CCMP) as the way AES is applied for encryption and integrity checking. CCMP is adequate over the long term but, unlike TKIP, generally requires new hardware, since TKIP was designed to run on existing WEP hardware. For authentication, 802.11i specifies port-based network access control according to IEEE 802.1X, which carries the Extensible Authentication Protocol (EAP). Additional technical information on the secure use of WLANs can be found in the BSI technical guideline Secure WLAN.

This module illustrates a systematic method for creating a concept for WLAN usage in an organisation and how its implementation and integration can be ensured.

Threat Scenarios

The following typical threats to the IT-Grundschutz of WLAN usage are assumed to exist:

Force majeure:
- T 1.17 Failure or malfunction of a wireless network

Organisational shortcomings:
- T 2.1 Lack of, or insufficient, rules
- T 2.2 Insufficient knowledge of rules and procedures
- T 2.4 Insufficient monitoring of IT security safeguards
- T 2.117 Lack of, or inadequate, planning of the use of WLAN
- T 2.118 Inadequate regulations for the use of WLAN
- T 2.119 Inappropriate selection of WLAN authentication methods
- T 2.120 Inappropriate siting of security-relevant IT systems
- T 2.121 Inadequate monitoring of WLANs

Human error:
- T 3.3 Non-compliance with IT security safeguards
- T 3.9 Improper IT system administration
- T 3.38 Errors in configuration and operation
- T 3.43 Inappropriate handling of passwords
- T 3.84 Incorrect configuration of WLAN infrastructure

Technical failure:
- T 4.60 Uncontrolled radio wave propagation
- T 4.61 Unreliable or missing WLAN security mechanisms

Deliberate acts:
- T 5.71 Loss of confidentiality of classified information
- T 5.137 Analysis of connection data relating to wireless communication
- T 5.138 Attacks on WLAN components
- T 5.139 Tapping of WLAN communication

__________________________________________________________________________________________ IT-Grundschutz Catalogues: New 1

Recommended safeguards

To secure the IT systems examined here, other modules must be implemented in addition to this one. Which modules are selected follows from the results of the IT-Grundschutz modelling process.

A series of security safeguards must be implemented when using WLAN, starting in the conception phase and continuing through the purchasing phase to the operation phase. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.

Planning and design

The securing of a WLAN begins already in the planning phase. A foundation for a secure WLAN can only be created through a well thought out strategy (see S 2.381 Determining a strategy for the use of WLAN) and the selection of the correct WLAN standards, and therefore of the corresponding cryptographic method (see S 2.383 Selection of a suitable WLAN standard and S 2.384 Selection of suitable crypto-methods for WLAN). The safeguard S 3.58 Introduction to WLAN basics will help you become familiar with the terminology used when describing how to secure a WLAN.

All decisions made relating to security settings, the WLAN standards selected, as well as the rules for the use and administration of the WLAN are to be written down in a WLAN security policy (see S 2.382 Drawing up a security policy for the use of WLAN).

Procurement

When selecting WLAN components, safeguard S 2.385 Selection of suitable WLAN components must be applied. The standards, protocols and security mechanisms used in WLANs develop rapidly, which is why WLANs are often in the middle of a migration.

Safeguard S 2.386 Careful planning of necessary WLAN migration steps must be taken into account for the migration phases of individual WLAN components or entire sections of the WLAN.


Implementation

Once all components have been purchased and it is time to set up the WLAN, two questions become important: where the access points are to be installed (see S 1.63 Appropriate location of access points) and how the WLAN is to be connected to any existing wired infrastructure (see S 5.139 Secure WLAN-LAN connection and S 5.140 Setting up a distribution system). In every case, the WLAN components, i.e. the access points (see S 4.294 Secure configuration of access points) and the WLAN clients (see S 4.295 Secure configuration of WLAN clients), must be configured during installation according to the security policy and the chosen strategy.

In all cases, the users and administrators of the WLAN must receive adequate training so that the number of security incidents is minimised and they are aware of the threats posed by improper WLAN usage (see S 3.59 Training on the secure use of WLAN).

If the WLAN will be installed, configured, or supported by an external service provider, then safeguard S 2.387 Installation, configuration, and support service for a WLAN by third party must be applied in all cases.

Operation

Once the WLAN is in operation and all WLAN users have been trained, audits must be performed regularly (see S 4.298 Regular audits of WLAN components) to confirm that the security settings are still appropriate, and regular security checks must be carried out (see S 5.141 Regular security checks of WLANs) to confirm that these settings actually have the desired effect. Furthermore, the secure operation of all WLAN components must be ensured (see S 4.297 Secure operation of WLAN components).

It is essential to use key management to handle the cryptographic keys used in the WLAN to secure communications (see S 2.388 Appropriate key management for WLAN). A WLAN management solution can simplify the administration of the keys and allow the WLAN to be administered centrally (see S 4.296 Use of a suitable management solution for WLAN).

Disposal

When WLAN components are taken out of operation, the corresponding configuration settings such as the network name or SSID must be reset back to their default values, and any access information or information stored on the WLAN component to secure the network traffic on the WLAN must be deleted (see S 2.390 Withdrawal from operation of WLAN components).

Contingency planning

If attacks on a WLAN are detected, both the users and the administrators of the WLAN must know how to respond (see S 6.102 Procedures in the event of WLAN security incidents). This calls for a contingency plan containing the steps to take and a list of the persons to inform when a security incident occurs. It may also be necessary to set up a redundant WLAN to provide a fast replacement for important communication links. A redundant WLAN must meet the same security requirements as the primary WLAN; it is to be viewed as a separate WLAN, and all safeguards in this module therefore apply to it as well. General information on redundant communication links can be found in safeguard S 6.75 Redundant communication links.

In order to be able to use a WLAN securely, the clients linked to it must be configured securely and maintained and administered regularly. Suitable IT security recommendations for clients are described in the corresponding modules of the IT-Grundschutz Catalogues.

In the following, the bundle of security safeguards for WLAN usage are presented.

The letter in brackets is the IT-Grundschutz qualification level of the safeguard (A: entry level, B: intermediate level, C: certification level).

Planning and design
- S 2.381 (A) Determining a strategy for the use of WLAN
- S 2.382 (A) Drawing up a security policy for the use of WLAN
- S 2.383 (A) Selection of a suitable WLAN standard
- S 2.384 (A) Selection of suitable crypto-methods for WLAN
- S 3.58 (A) Introduction to WLAN basics
- S 4.293 (A) Secure operation of hotspots
- S 5.138 (A) Usage of RADIUS servers

Procurement
- S 2.385 (A) Selection of suitable WLAN components
- S 2.386 (A) Careful planning of necessary WLAN migration steps

Implementation
- S 1.63 (B) Appropriate location of access points
- S 2.387 (A) Installation, configuration, and support service for a WLAN by third party
- S 3.59 (C) Training on the secure use of WLAN
- S 4.294 (A) Secure configuration of access points
- S 4.295 (A) Secure configuration of WLAN clients
- S 5.139 (A) Secure WLAN-LAN connection
- S 5.140 (C) Setting up a distribution system

Operation
- S 2.388 (B) Appropriate key management for WLAN
- S 2.389 (A) Secure use of hotspots
- S 4.296 (C) Use of a suitable management solution for WLAN
- S 4.297 (A) Secure operation of WLAN components
- S 4.298 (B) Regular audits of WLAN components
- S 5.141 (B) Regular security checks of WLANs

Disposal
- S 2.390 (C) Withdrawal from operation of WLAN components

Contingency planning
- S 6.75 (A) Redundant communication links
- S 6.102 (A) Procedures in the event of WLAN security incidents

Threats Catalogue: Force majeure

T 1.17 Failure or malfunction of a wireless network

In wireless networks, information is transmitted by electromagnetic radio waves. Other electromagnetic sources radiating in the same frequency spectrum can disrupt wireless communication and, in extreme cases, prevent the WLAN from operating. This can happen unintentionally through other technical systems (e.g. Bluetooth devices, other WLANs, microwave ovens, medical equipment, wireless security cameras) or deliberately by operating a source of interference (jammer) in a denial-of-service (DoS) attack. Denial-of-service attacks can also be carried out at the protocol level, for example by repeatedly sending certain control and management frames (such as forged deauthentication frames), which can lead to the loss of availability of the wireless network.

Examples:

- Due to an unsuitable installation location for an outdoor antenna and poorly planned lightning and weather protection, a WLAN could fail as a result of lightning or weathering.

- In WLAN systems operating according to the IEEE 802.11b and IEEE 802.11g standards in the ISM band at 2.4 GHz, interference can be generated by a number of other wireless systems permitted to operate in this frequency band, e.g. Bluetooth devices, microwave ovens, or other WLAN networks.
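The management-frame denial of service mentioned under T 1.17 leaves a trace that monitoring (T 2.121) can pick up: a burst of deauthentication or disassociation frames far above the rate a legitimate access point produces. The following Python is an added example written for this edition, not code from the BSI module or its technical guideline. It decodes the fixed 802.11 MAC header, counts deauth/disassoc frames per transmitter in a sliding window and flags transmitters above a threshold. The capture, the MAC addresses, the 10-second window and the threshold of 20 frames are all constructed assumptions for the demonstration.

```python
import struct
from collections import deque

# IEEE 802.11 Frame Control values: type 0 = management,
# subtype 10 = disassociation, subtype 12 = deauthentication
TYPE_MANAGEMENT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, reason=None):
    """Build a minimal 802.11 management frame (used here only to construct the sample capture)."""
    fc = (subtype << 4) | (TYPE_MANAGEMENT << 2)      # protocol version 0, no flags
    frame = struct.pack("<HH", fc, 0)                  # Frame Control, Duration
    frame += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)   # addr1, addr2, addr3
    frame += struct.pack("<H", 0)                      # Sequence Control
    if reason is not None:
        frame += struct.pack("<H", reason)             # Reason Code body of deauth/disassoc
    return frame


def parse_frame(frame):
    """Decode type, subtype, receiver (addr1), transmitter (addr2) and, for deauth/disassoc, the reason code."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]         # Frame Control is little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    reason = None
    if ftype == TYPE_MANAGEMENT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {"type": ftype, "subtype": subtype,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]), "reason": reason}


def detect_deauth_flood(captures, window_s=10.0, threshold=20):
    """Return {transmitter: peak count} for transmitters that sent at least `threshold`
    deauth/disassoc frames within any window of `window_s` seconds.

    A forged deauthentication carries the AP's own address as transmitter, so the
    rate, not the address, is the signal; the AP itself will appear as the source.
    """
    recent = {}    # transmitter -> deque of timestamps inside the current window
    peak = {}      # transmitter -> largest window count seen
    for ts, raw in sorted(captures, key=lambda c: c[0]):
        f = parse_frame(raw)
        if f["type"] != TYPE_MANAGEMENT or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent.setdefault(f["src"], deque())
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        peak[f["src"]] = max(peak.get(f["src"], 0), len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


# Constructed sample capture with hypothetical addresses: two legitimate deauths from the AP,
# one from a station leaving, then 30 forged deauths in three seconds spoofing the AP's address.
AP = "00:11:22:33:44:55"
STA = "66:77:88:99:aa:bb"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = [
    (0.0, build_mgmt_frame(SUBTYPE_DEAUTH, STA, AP, AP, reason=2)),
    (30.0, build_mgmt_frame(SUBTYPE_DEAUTH, AP, STA, AP, reason=3)),
    (50.0, build_mgmt_frame(SUBTYPE_DEAUTH, STA, AP, AP, reason=6)),
] + [
    (100.0 + i * 0.1, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7))
    for i in range(30)
]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_CAPTURE))   # {'00:11:22:33:44:55': 30}
```

The hardware described in this module cannot distinguish a forged deauthentication from a genuine one, because management frames are sent unauthenticated; the protocol-level fix, management frame protection (IEEE 802.11w), postdates the module. Until that is deployed, rate-based detection of this kind, fed from a monitoring sensor on each channel, is the realistic control, and the threshold should be tuned against the normal deauthentication rate observed in the specific WLAN.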

Threats Catalogue: Organisational shortcomings

T 2.1 Lack of, or insufficient, rules

The application of universal organisational rules and specifications for IT security objectives becomes more and more important as the scale of information processing and the protection requirements of the information processed increase.

The scope of the rules can be very wide, ranging from questions of areas of responsibility to the distribution of control functions. The consequences of insufficient or non-existent rules are described in T 2.2 ff.

It is often the case that the existing rules are not modified accordingly after technical, organisational or personnel changes having a significant impact on IT security have been made. Outdated rules can impede smooth IT operations. Problems can also arise from rules that are formulated incomprehensibly or without any context, resulting in misunderstood rules.

The following examples clearly illustrate the potentially damaging effects of insufficient rules:

- Poor resource management can seriously impair the scheduled flow of operations in a computer centre, for example simply because an order for printer paper was forgotten.

- Hand-held fire extinguishers need to be maintained regularly after purchase so that they are ready for use in case of fire.

- After a flood on one floor, water damage was also detected in the server room one floor below. Due to inadequate key management, the water damage in the server room could not be dealt with immediately because no one knew where the key to the server room was at the time. This resulted in significantly more water damage.


T 2.2 Insufficient knowledge of rules and procedures

The specification of rules alone is not enough to ensure trouble-free IT operations. All employees, especially the office managers, must be familiar with the applicable rules. The damage that can result from inadequate knowledge of the existing rules cannot be excused simply by saying "I didn't know I was responsible for that" or "I didn't know what to do".

Examples:

- If the employees are not informed of the procedures for handling the data media and e-mails received, then there is a danger that a computer virus could spread throughout the entire company or government agency.

- In a federal agency, different colour waste paper bins were used with one colour bin intended for the disposal of the documents to be destroyed. Most of the employees were not informed of this colour scheme.

- In a federal agency, a number of rules for performing data backups had been agreed verbally over time between the IT Security Officer and the IT department. Upon enquiry, it turned out that the affected IT users knew nothing about these "agreements" and had no one to contact with questions. The rules for data backups were not documented either. As a result, many users backed up the local data on their workstation computers themselves even though continuous data backups were only supposed to be performed centrally on the servers.

- In a computer centre, a new rule was introduced stating that in the event of problems with the burglar detection or fire alarm systems, the gatehouse should be manned at night as well. The security guard service was not informed of this new rule by the security officer responsible for this. As a result, the computer centre was insufficiently protected at night for several weeks.


T 2.4 Insufficient monitoring of IT security safeguards

After safeguards are introduced to help achieve IT security (e.g. data backups, access control, rules regarding conduct during emergencies), these safeguards also must be implemented consistently. If the IT security safeguards are not monitored or monitoring is inadequate, then it is impossible to determine if the security safeguards are being followed or are proving effective. This impedes the ability to respond quickly and appropriately to the situation.

In addition, there are some security safeguards whose effectiveness can only unfold when appropriate controls are implemented. These include, for example, logging functions whose security properties only become apparent when the log data is analysed.

Examples:

- When preparing to commit a crime, the lock cylinders in the outside doors and gates are often replaced by unauthorized persons. Access routes that are seldom used or are only intended for use as emergency exits are often only checked to ensure that they open freely. The function of the lock cylinder is often not tested.

- In a government office, some of the UNIX servers are used for external data communications. Due to the primary importance of these IT systems, the IT security policy specifies that the integrity of all UNIX servers must be checked weekly. Since these checks were not performed regularly, it only became apparent during the investigation of a security incident that the IT department was not performing the integrity checks. The reason provided for not performing the checks was insufficient personnel in the department.

- In one company, the z/OS Security Auditor position was not filled and left unoccupied. As a result, the RACF configuration settings gradually stopped meeting the security requirements of the company over time. Only after a production failure did the company notice that some users had more permissions than required for their job. One of these users accidentally stopped an application that was important to production.


T 2.117 Lack of, or inadequate, planning of the use of WLAN

A WLAN must be carefully planned and installed so that security gaps in it cannot adversely affect the IT systems connected to it. Where care is not taken, the result may even be the compromise of the government agency's or company's network connected to the inadequately secured WLAN. Security gaps can also result when the security mechanisms between the LAN and WLAN are not configured properly, for example because the separation of users into user groups was inadequately planned.

A number of problems can arise from a lack of, or inadequate, planning of WLAN usage, for example the following:

- It may be possible for third parties to read sensitive data if no or only inadequate security safeguards are implemented in the WLAN.

- The performance of a wireless network could be reduced by other WLAN installations or wireless systems not taken into account when the signals they emit extend into the useable range of the wireless network.

- If, when planning a WLAN, the blocking of the signals by the building itself or by absorbent construction materials (for example steel cabinets, plumbing units, supply lines, steel-reinforced concrete constructions) are not taken into account, then the performance of the WLAN may also be reduced in this case as well.

- Co-channel interference from a neighbouring radio cell of the WLAN is another frequent source of disruption: the signals of two users in neighbouring cells may interfere with each other because their radio waves are superimposed in the room.

- The performance of a WLAN can be severely affected by dead zones. When inadequately planned, the transmission power of the WLAN transmitter is usually simply increased to prevent dead zones. This may mean that the WLAN emits signals into areas in which it is not needed and in which they can be intercepted under certain circumstances.

- One effect of poor planning may be, for example, inadequate transmission capacity, which may then limit or even prevent the use of high-bandwidth applications.

An additional threat to the LAN arises when the connection between the access points or distribution system and the wired infrastructure is inadequately protected. If there is no physical or logical protection at the level of the distribution system, then once the protection of the wireless interface or the security settings of the access point have been compromised, the entire broadcast domain in which an access point is located can be eavesdropped. The information obtained could then be used in an attack on the entire LAN.


Example:

If the filter rules of the security gateway at the transfer point between the distribution system and the LAN are too loosely specified, an attacker could tunnel through this transfer point using a man-in-the-middle attack by cleverly manipulating the communication data and so gain access to the internal LAN infrastructure. A prerequisite for this type of attack is that either the security mechanisms on the wireless interface have been compromised or direct access to the distribution system is available. In addition, vulnerabilities at the operating system level can be used for tunnelling if the systems of the transfer point have not been adequately hardened.


T 2.118 Inadequate regulations for the use of WLAN

In general, no security mechanisms are enabled in the default settings of access points. When WLAN components that are insecure because no specifications exist are put into operation in a production environment, they pose a serious threat to the WLAN and the IT systems connected to it. This threat is comparable to that of an insecure Internet connection. When, for lack of rules regulating WLAN usage, an employee connects an unauthorised or insecure access point to an organisation's internal network, the employee effectively bypasses all the security safeguards implemented in the LAN to protect against unauthorised external access from the Internet, the firewall for example.

Unclear responsibilities

If the responsibilities are not clearly stated, the result may be faulty configuration of the WLAN components due to a lack of rules regulating the administration of the WLAN infrastructure, for example. When there are no specifications for configuration management, then it only takes one access point or one WLAN client not configured according to the specified default profile to compromise the entire network of the organisation.

When the various responsibilities are not adequately coordinated within an organisation or with external service providers, problems will inevitably arise in practice. For WLANs, threats arise in particular when different groups are responsible for the physical (passive) infrastructure, the active network technology and the security systems, these groups are organisationally far apart, and they are coordinated only by a correspondingly higher management level.

Problems can also arise when there are no uniform rules defined for documenting system changes, for example when exchanging WLAN components, changing configurations, or replacing the WLAN key information.

No rules regulating monitoring

If there are no specifications available for the monitoring of the WLAN infrastructure and the corresponding financial and personnel resources are not provided, then attacks on the WLAN may not be detected in time. The following could be the result, for example:

- Without regular checks, the connection of external access points (including private access points) to the distribution system or directly to the LAN may go unnoticed.

- If the WLAN logs are not analysed regularly, security incidents will not be detected in time. For example, a sudden increase in the number of unsuccessful login attempts on the access point may indicate an attempt to attack the WLAN.
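The two monitoring gaps above, unnoticed external access points and unanalysed logs, are closed by the same routine check: compare what a scan of the air actually shows against the inventory of authorised access points and their specified default profile, and then ask whether any unknown device is plugged into the wired LAN. The Python below is an added example for this edition, not part of the BSI module. The scan results, the inventory, the corporate SSID and the wired-side MAC table are all constructed, hypothetical data, and the prefix heuristic in `possibly_wired` is an assumption that has to be confirmed on the switch before anyone acts on it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One access point as seen by a WLAN scan (constructed sample data, not real scan output)."""
    ssid: str
    bssid: str
    channel: int
    security: str      # one of "open", "wep", "wpa-psk", "wpa2-psk", "wpa2-eap"


# Hypothetical inventory: authorised BSSID -> default profile (SSID, security) from the policy
AUTHORISED = {
    "00:11:22:33:44:50": ("corp-secure", "wpa2-eap"),
    "00:11:22:33:44:51": ("corp-secure", "wpa2-eap"),
}
CORPORATE_SSIDS = {"corp-secure"}
# Hypothetical MAC addresses learned on the wired switches (e.g. from their forwarding tables)
WIRED_MACS = {"00:11:22:33:44:50", "00:11:22:33:44:51", "00:aa:bb:cc:dd:00"}


def classify(obs, authorised=AUTHORISED, corporate_ssids=CORPORATE_SSIDS):
    """Verdict for one observed access point against inventory and policy."""
    profile = authorised.get(obs.bssid.lower())
    if profile is not None:
        if (obs.ssid, obs.security) != profile:
            return "misconfigured"            # known AP deviating from the specified default profile
        return "authorised"
    if obs.ssid in corporate_ssids:
        return "spoofed-corporate-ssid"      # unknown device advertising one of our network names
    if obs.security in ("open", "wep"):
        return "insecure-unknown"            # unknown AP with no usable security mechanism
    return "unknown"                         # e.g. a neighbour; still worth recording


def possibly_wired(obs, wired_macs=WIRED_MACS):
    """Heuristic, not a standard: many small APs derive the BSSID from their wired-side MAC,
    differing only in the last octet, so a match on the first five octets suggests the device
    is plugged into our LAN. Confirm on the switch port before acting."""
    prefix = obs.bssid.lower()[:14]          # "xx:xx:xx:xx:xx"
    return any(m.lower().startswith(prefix) for m in wired_macs)


def audit(observations):
    """Return (bssid, verdict, possibly_on_wired_lan) for every AP that needs follow-up."""
    findings = []
    for obs in observations:
        verdict = classify(obs)
        if verdict != "authorised":
            findings.append((obs.bssid, verdict, possibly_wired(obs)))
    return findings


# Constructed scan: one correct AP, one known AP with a wrong profile, an unknown device
# using the corporate SSID, an open home router that appears to be wired in, and a neighbour.
SAMPLE_SCAN = [
    Observation("corp-secure", "00:11:22:33:44:50", 1, "wpa2-eap"),
    Observation("corp-secure", "00:11:22:33:44:51", 6, "wpa2-psk"),
    Observation("corp-secure", "de:ad:be:ef:00:01", 11, "wpa2-psk"),
    Observation("home-router", "00:aa:bb:cc:dd:01", 6, "open"),
    Observation("neighbour", "12:34:56:78:9a:bc", 3, "wpa2-psk"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(finding)
```

The check has to run on a schedule and from more than one location, because a scan only sees access points within radio range of the sensor; a single walk-through at commissioning is exactly the situation the threat text warns about. The verdict "misconfigured" is what a missing configuration-management specification looks like in practice: a known, authorised device that no longer matches the default profile.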

If urgently needed updates of the virus protection software or security-related patches are not installed in time, WLAN components may become compromised. WLAN components with direct access to the Internet or which are used in public WLANs are especially at risk. Depending on the type of malware, the next connection to the home WLAN could lead to the compromise of the entire WLAN infrastructure and beyond.

A lack of rules regulating reactions to security incidents in the WLAN

If no consideration is given to how to react in an emergency to security incidents when operating a WLAN, then it may take a long time until security problems are detected and eliminated. In the meantime, though, there may have been attacks by worms, or data may have even been stolen. Even when an attack is noticed, the appropriate countermeasures may not be implemented in time (within minutes) when there are no safeguard catalogues (which must be prepared accordingly), controlled procedures, or authorisations necessary for intervention available.

Example:

- One company published the information for accessing an internal WLAN on the Internet to simplify access for mobile employees on the road. Anybody knowing this information was therefore able to authenticate when logging in to the WLAN and could eventually gain access to data requiring protection. Although the WLAN itself only contained information with a low protection requirement, access to the production systems could be obtained through its connection to a LAN. The data available there, for example secret design drawings of a prototype, were in part made public on the Internet. Other data was passed on to a competitor. The competitor could therefore have determined what new developments were being planned and reacted quickly with a corresponding development of its own. Luckily, the competitor informed the police of the matter.


T 2.119 Inappropriate selection of WLAN authentication methods

The selection of the authentication methods to be used must be based on the protection requirements of the data to be transported in the WLAN. Note that WEP must be considered insecure and offers a number of possibilities for attack, for example the ability to extract the keys from the data packets. These could then be used to successfully gain access to the WLAN.

If the key material used for authentication or encryption in the WLAN is not distributed with care or stored securely enough, then any method that relies on these keys to attain a certain security level may eventually become completely worthless. Passwords which are too simple and inadequately protected certificates can provide any attacker with valid access to a WLAN. In a WLAN secured using WPA, the pre-shared keys represent a security vulnerability if they are selected inappropriately, i.e. when they are not complicated enough.

There are also EAP methods, though, that pose a threat due to a number of vulnerabilities. For example, EAP-MD5 uses CHAP as its authentication method, which among other things requires both sides to know the unencrypted password. Furthermore, EAP-MD5 does not support the generation of keys and therefore cannot be used directly in conjunction with IEEE 802.11i.

From a cryptographic point of view, the problem with EAP-PEAP is that PEAP only verifies the identity of the server, but not that of the client, when securing the outer tunnel.

Some implementations of the EAP method also contain vulnerabilities. For example, the proprietary EAP-LEAP from Cisco is susceptible to dictionary attacks, and there are already tools available that utilise precisely this vulnerability and even make strong passwords ineffective.

Likewise, another disadvantage of EAP-LEAP is that it must be supported explicitly by all WLAN components and that there is no interoperability between EAP-LEAP and other EAP methods available, contrary to the requirements in IEEE 802.1X.


T 2.120 Inappropriate siting of security-relevant IT systems

If security-related IT systems on which authentication data is stored are installed in easily accessible locations, the result can be a severe threat to the overall security of a network. Security-related IT systems include, for example, security gateways, directory servers providing a directory service for user identification data, and IT systems on which authentication data is stored. Unsuitable locations for their installation include, for example, public meeting rooms, hallways, and normal offices. Even small network switching elements which are relevant to security in spite of their size, such as routers, switches, and access points, must not be placed in insecure, open spaces. Access points, for example, should not be installed unprotected directly under the ceiling, since this would enable easy physical access, which could then very easily be used to read the access information for the corresponding WLAN. When direct access to security-related IT systems is possible, the result may also be that other security mechanisms are disabled.

Example:

An access point was installed in a public meeting room to enable wireless access to the Internet. Access points are worth some money and may be tempting to a thief. During a meeting, it was noticed that this access point was no longer available, and it turned out that it had been stolen several weeks earlier. Since an access point generally contains important information for accessing the WLAN, a thief would be able to obtain information for further compromising the network without being noticed or detected. Additional information, for example important certificates for authentication on the WLAN, was also stolen together with the access point. The network remained susceptible to attack until the stolen access information was blocked and changed.

Unfavourable environmental conditions (e.g. vibrations, inadequate climatic conditions, or large amounts of dust) can cause damage to security-related IT systems as well.


T 2.121 Inadequate monitoring of WLANs

A WLAN is a potential target of attacks, either to use the network without authorisation or to disrupt its availability (DoS attacks). This could lead to the compromising of the infrastructure connected to the WLAN. If the WLAN is not monitored adequately, then most attacks will not be detected at all or, when detected, then too late.

Incorrectly configured intrusion detection systems

If the communication patterns in the WLAN are not taken into account when planning an intrusion detection system, then this leads either to the inability of the intrusion detection system to detect attacks or to the triggering of an alarm by authorised communication.

An acute threat can also arise when logging IDS-relevant events:

- If too much information is logged or the information is stored too long, then there is a danger that the databases of the intrusion detection system will overflow.

- If not enough or the wrong data is recorded when logging, then an attack may not be detected, and no reasonable post-mortem analysis can be performed.

Unauthorised use of the WLANs

If authentication mechanisms are implemented to access a WLAN which are not strong enough, then an attacker could access the Internet, for example, over a WLAN installation. This would reduce the available bandwidth and lengthen the response times for authorised WLAN users. Likewise, the Internet access obtained in this manner could be used for the following:

- Attack other systems in the Internet

- Distribute spam e-mails

- Download illegal content from the Internet

- Use peer-to-peer exchange services on the Internet

No evaluation of the log files

When attackers attempt to log in to a WLAN, they must first overcome the authentication procedure. If they use dictionary or brute-force methods in the attempt, the authentication components produce error messages, which these components then record in their log files. If these log files are not evaluated regularly, then such attacks cannot be detected and corresponding countermeasures cannot be taken. If, in addition, successful logins are not checked for validity, then attackers could use the WLAN unnoticed with valid access information obtained through eavesdropping, possibly even while the legitimate employee is absent.


Example:

The employee Mr. Miller is on holiday for three weeks. During this time, his access information for the WLAN is successfully decrypted by an attacker. With this information, the attacker can now connect successfully and unnoticed to the WLAN of the organisation and gain access to all areas which the employee is authorised to access. As a result, even sensitive data could be obtained without permission. If the log files of the authentication server had been analysed regularly, the administrators would have noticed that Mr. Miller was not even present and therefore could not have connected to the WLAN. Furthermore, blocking the WLAN account of Mr. Miller during his holiday could have prevented this attack.
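The two checks that T 2.118, the "No evaluation of the log files" paragraph and the Mr. Miller example call for (a burst of failed logins from one client, and a successful login by a user who is known to be absent) can both be run over the authentication server's log with a few lines of code. The following is an added illustration written for this page, not code from the IT-Grundschutz Catalogues; the log format, the field names and the absence calendar are constructed assumptions, since the catalogue does not prescribe a particular authentication server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: a generic RADIUS-style line format, not
# the output of any particular product). The burst of rejects and the later
# accept for "miller" are the two situations the catalogue text describes.
SAMPLE_LOG = """\
2009-03-02T08:01:10 auth-srv radius: Access-Reject user=miller mac=00:11:22:33:44:55 reason=bad-credentials
2009-03-02T08:01:11 auth-srv radius: Access-Reject user=miller mac=00:11:22:33:44:55 reason=bad-credentials
2009-03-02T08:01:12 auth-srv radius: Access-Reject user=miller mac=00:11:22:33:44:55 reason=bad-credentials
2009-03-02T08:01:13 auth-srv radius: Access-Reject user=miller mac=00:11:22:33:44:55 reason=bad-credentials
2009-03-02T08:01:14 auth-srv radius: Access-Reject user=miller mac=00:11:22:33:44:55 reason=bad-credentials
2009-03-02T08:01:15 auth-srv radius: Access-Reject user=miller mac=00:11:22:33:44:55 reason=bad-credentials
2009-03-02T08:03:05 auth-srv radius: Access-Accept user=miller mac=00:11:22:33:44:55
2009-03-02T08:30:00 auth-srv radius: Access-Reject user=schmidt mac=aa:bb:cc:dd:ee:ff reason=bad-credentials
2009-03-02T08:30:20 auth-srv radius: Access-Accept user=schmidt mac=aa:bb:cc:dd:ee:ff
2009-03-02T08:31:00 auth-srv dhcpd: lease 10.0.0.23 to aa:bb:cc:dd:ee:ff
"""

# Absence calendar (assumption: exported from the leave system). Mr. Miller is
# on holiday for three weeks, as in the catalogue's example.
ABSENCES = {"miller": (datetime(2009, 3, 1), datetime(2009, 3, 21, 23, 59))}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ radius: (?P<result>Access-Accept|Access-Reject) "
    r"user=(?P<user>\S+) mac=(?P<mac>\S+)"
)


def parse_events(log_text):
    """Turn authentication-server lines into dicts; non-RADIUS lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "mac": m["mac"]})
    return events


def failure_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """MAC addresses that produced at least `threshold` rejects inside one `window`."""
    rejects = defaultdict(list)
    for e in events:
        if e["result"] == "Access-Reject":
            rejects[e["mac"]].append(e["ts"])
    flagged = []
    for mac, times in rejects.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(mac)
                break
    return flagged


def logins_during_absence(events, absences):
    """Successful logins by users who, according to the calendar, were absent."""
    hits = []
    for e in events:
        span = absences.get(e["user"])
        if e["result"] == "Access-Accept" and span and span[0] <= e["ts"] <= span[1]:
            hits.append((e["user"], e["ts"].isoformat(), e["mac"]))
    return hits


def analyse(log_text=SAMPLE_LOG, absences=ABSENCES):
    """Run both checks and return the findings as a dict."""
    events = parse_events(log_text)
    return {"events": len(events),
            "bursts": failure_bursts(events),
            "absent_logins": logins_during_absence(events, absences)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On the constructed log, the burst detector reports the client MAC that produced six rejects within five seconds, and the absence check reports the accept for "miller" on a day the calendar marks him as away; the schmidt lines (one mistyped password, then a normal login) and the DHCP line trigger nothing. The thresholds are deliberately parameters, because what counts as a burst depends on how many clients and how much roaming the WLAN normally sees.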

Threats Catalogue: Human failure

T 3.3 Non-compliance with IT security safeguards

It is a relatively common occurrence that, due to negligence and insufficient checks, people fail to implement the IT security safeguards, either completely or in part, that have been recommended to them or that they are required to implement. This can cause damage which otherwise could have been prevented or at least minimised. Depending on the function of the person in question and the importance of the safeguard ignored, the resulting damage could even be very serious.

IT security safeguards are frequently disregarded due to a lack of security awareness. A typical sign of this is that recurring error messages are ignored once the users have become accustomed to them after a certain period.

Examples:

- Storing diskettes or other information media in a locked desk does not adequately protect them against unauthorised access when the key is kept in the same office, e.g. on top of a cupboard or inside a card index.

- Passwords are written on a piece of paper and stored near a terminal or a PC.

- Although it is widely known that the purpose of data backups is to minimise potential damage, it is still common for damage to be caused by the unintended deletion of data that subsequently could not be restored due to inadequate backups. This is indicated in particular by the cases of damage caused, for example, by computer viruses reported to the BSI.

- Entry to a computer centre is only supposed to be possible through a door protected by an access control system (e.g. using a magnetic strip card reader, chip card reader, or biometric procedures). However, the emergency exit door is used as an additional entrance and exit even though it is only supposed to be opened in an emergency.

- In a z/OS system, batch jobs were run on a daily basis to back up the RACF database. The correct execution of these procedures was required to be checked daily by the responsible administrators. However, since the backups ran for several months without any problems, no one checked the backup procedure any more. Only after the RACF databases of the production system malfunctioned and they wanted to restore the databases using the backups was it established that these batch jobs had not run for several days. The result was that there were no up-to-date backups available and the changes made during the last few days had to be entered subsequently by hand. In addition to the considerable extra administrative expense, this incident also introduced an uncertainty factor, as it was not possible for all definitions to be reconstructed verifiably.


T 3.9 Improper IT system administration

Improper IT system administration can jeopardise the security of the system if it results in the disregard or circumvention of IT security safeguards.

Insecure network access

An example of improper administration is enabling, or failing to disable, network access points which are not necessary for the regular operation of the IT system or which constitute a particularly serious threat due to their error-proneness.

Unnecessary access rights

One common problem is that user accounts are used when working on the system which have more access rights than are required for the job. This needlessly increases the risk of damage from viruses and Trojan horses. All user accounts which are no longer needed must be deactivated.

Poor installation

Standard installations of operating systems or system software very rarely offer all the features of a secure installation. A lack of adaptation to specific security requirements can pose a substantial risk here. There is a heightened risk of configuration errors in complex security systems, such as RACF under z/OS. Many system functions interact with each other.

Particular care is called for with systems which, if incorrectly administrated, could affect the protection of other systems (e.g. firewalls).

Any modification of security settings and extension of access rights constitute a potential threat to overall security.

Examples:

Inadequate logging

- In addition to the dangers outlined in T 3.8 Improper use of the IT system, the system administrator can create threats through the incorrect installation of new or existing software. Examples of incorrect administration include the non-use of logging facilities or failure to analyse the available log files, granting access rights too widely and then failing to review them at certain intervals, issuing log-in names or UIDs more than once, and not using security tools where these are available, e.g. not using a shadow file for the passwords under Unix.

Ageing of passwords

- The older a password is, the less effective it becomes. This is because of the perpetually increasing probability of a successful attack.

- The administration of a firewall system requires particular attention as the protection of many other systems depends on it.

- In a z/OS system the user files were protected by RACF profiles via universal access in such a way that nobody had unregulated access to them (UACC = NONE). Due to carelessness on the part of the administrator, an entry in the conditional access list of the profile allowed READ access to all IDs (* entry). As a result, despite the definition UACC=NONE, every user in the system could look at the files via the conditional access list.
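The last example is easy to misread, because UACC=NONE looks like a complete denial. The following added illustration (written for this page, not taken from the catalogue or from IBM) models, in a deliberately simplified way, how a profile's UACC, its standard access list and its conditional access list combine, and adds the audit a practitioner would run over profiles to catch ID(*) entries. The evaluation order, the profile name, the user IDs and the program name are constructed assumptions; RACF's real decision logic has more cases than this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Simplified access model (an assumption for this example, not RACF's actual
# implementation). Levels are ordered from weakest to strongest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    # standard access list: ID (user, group or "*") -> level
    access_list: Dict[str, str] = field(default_factory=dict)
    # conditional access list: (ID, level, program the access must go through)
    conditional_access: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class Request:
    user: str
    groups: Tuple[str, ...]
    access: str                     # level being requested
    program: Optional[str] = None   # program the request is made through, if any


def decide(profile: Profile, req: Request) -> bool:
    """True when the profile grants at least the requested level."""
    # Standard list: the user's own entry, then group entries, then ID(*), then UACC.
    if req.user in profile.access_list:
        granted = profile.access_list[req.user]
    else:
        group_levels = [profile.access_list[g] for g in req.groups if g in profile.access_list]
        if group_levels:
            granted = max(group_levels, key=rank)
        else:
            granted = profile.access_list.get("*", profile.uacc)
    # Conditional list: an entry applies when its program condition matches and it
    # names the user, one of the groups, or ID(*); the higher resulting level wins.
    for ident, level, program in profile.conditional_access:
        applies = ident == "*" or ident == req.user or ident in req.groups
        if applies and program == req.program and rank(level) > rank(granted):
            granted = level
    return rank(granted) >= rank(req.access)


def audit_wildcard_grants(profile: Profile) -> List[str]:
    """Flag ID(*) entries that hand out access regardless of what UACC says."""
    findings = []
    std = profile.access_list.get("*")
    if std and rank(std) > rank("NONE"):
        findings.append(f"{profile.name}: ID(*) in standard access list grants {std}")
    for ident, level, program in profile.conditional_access:
        if ident == "*" and rank(level) > rank("NONE"):
            findings.append(
                f"{profile.name}: ID(*) in conditional access list grants {level} via PROGRAM({program})")
    return findings


# The situation from the example: UACC=NONE, owner has ALTER, but a careless
# ID(*) READ entry sits in the conditional access list (names constructed).
USERFILES = Profile(name="USER1.DATA.**", uacc="NONE",
                    access_list={"USER1": "ALTER"},
                    conditional_access=[("*", "READ", "REPORTPGM")])

if __name__ == "__main__":
    print(decide(USERFILES, Request("ANYONE", (), "READ")))                       # False
    print(decide(USERFILES, Request("ANYONE", (), "READ", program="REPORTPGM")))  # True
    print(audit_wildcard_grants(USERFILES))
```

The point the model makes visible is that UACC is only the fallback consulted when no list entry applies; an ID(*) entry in either list is consulted before it, so the audit has to look at the lists, not at UACC. Removing the wildcard entry restores the intended behaviour, which the assertions below check as well.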


T 3.38 Errors in configuration and operation

Configuration errors arise when the parameters and options with which a program is started are set incorrectly or incompletely. This includes access rights which are specified incorrectly. Operational errors are not limited to individual incorrect settings; rather, the IT systems or applications themselves are handled incorrectly. An example of this is starting programs which are not necessary for the purpose of the computer but could be misused by a perpetrator.

Untested software

Examples of current configuration or operation errors are storing passwords on a PC on which software from the Internet is run without being checked (such software was used in the spring of 98, for example, to spy out T-Online passwords), or loading and running defective ActiveX controls. These programs, one of whose purposes is to make web sites more attractive through dynamic content, run with the same permissions as the user and can therefore delete, alter or send data at will.

Disclosure of information

Many programs which were intended to relay data without restrictions in an open environment can, with the wrong configuration settings, provide potential perpetrators with data that they can misuse. In this way, for example, the finger service can inform them how long a user has already been sitting at a computer. Web browsers also transmit a series of information items to the web server (e.g. the version of the browser and the operating system in use, the name and the Internet address of the PC) whenever a query is made. Cookies should also be mentioned in this context. These are files in which the operators of web servers store data concerning the web user on the user's computer. This data can be called up when the server is next visited and used by the operator of the server to analyse which web pages on the server the user has already visited.

The use of the Domain Name System (DNS), which is responsible for translating an Internet name such as computer1.university.edu into the corresponding numeric address, is a further source of danger. On the one hand, an incorrectly configured DNS allows a large quantity of information regarding a local network to be queried. On the other hand, perpetrators who take over the server can return forged IP addresses, enabling them to control all the data traffic.

Active content

Executable content in e-mails or HTML pages is another serious threat. This is referred to as a content security problem. Files downloaded from the Internet can contain code which is executed without consulting the user when they are merely "viewed". This is the case, for example, for macros in WinWord files and was exploited to produce what are known as macro viruses. Even newer programming languages and programming interfaces such as ActiveX, JavaScript or Java, which were developed for applications on the Internet, have the potential to cause damage if the control function is used incorrectly.


Defective RACF databases

In z/OS operating systems, the availability of the RACF security system is of central importance to the availability of the entire system. This could be restricted through improper use of z/OS utilities during the backup of the RACF database or incorrect use of the RACF commands.


T 3.43 Inappropriate handling of passwords

Even the use of well-thought-out authentication methods does not help much when the users do not handle the necessary access resources carefully. Regardless of whether passwords, PINs, or authentication tokens are used, such items are disclosed to others or stored insecurely again and again.

Disclosure of passwords or tokens

Users often give their passwords to other users for reasons of convenience. Passwords are often shared by the members of work groups to make access to the shared files processed by the employees easier. Requiring the use of passwords is often considered to be a hassle, with the result that the passwords are never changed or that all employees use the same password.

Loss of an authentication token

If a token-based procedure is used for user authentication (e.g. chip cards or one-time password generators), then there is a danger when the token is lost that the token will be used without authorisation. An unauthorised user may be able under certain circumstances to successfully establish a remote access connection using this token.

Too many different passwords

Due to the large number of different passwords and PINs, users are often unable to remember them all. For this reason, passwords are constantly being forgotten, which sometimes results in a lot of effort to enable the user to resume working with the system. Authentication tokens can also be lost. Even in very secure IT systems, the loss of a password or token can lead to the loss of all user data.

Passwords stored under the keyboard

Passwords are often written down so they are not forgotten. This is not a problem as long as they are stored carefully and protected against unauthorised access. Unfortunately, this is not always the case. A classic example is storing the password on a note under the keyboard or on a label stuck to the screen. Authentication tokens are also often found under the keyboard.

Passwords that are too simple

Another trick used so that passwords are not forgotten is to select a "suitable" password. If users are permitted to select their own passwords and are not adequately sensitised to the problems with this, then trivial passwords such as "Bob" or the names of friends are selected in many cases.

Examples:

- In one company, it was discovered while performing random checks that many passwords were poorly selected or changed too infrequently. The users were then technically forced to change their passwords monthly, and the passwords were also required to contain numbers or special characters. It turned out that one administrator selected his passwords as follows:

January98, February98, March98, ...

- In a government agency, it was discovered that users whose offices faced the street often used the same password: the name of the hotel across the street, whose large, illuminated letters dominated the view from these offices.
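The administrator's January98, February98, March98 sequence satisfies a rule that only looks at the new password in isolation (it has letters and digits and is changed monthly). The same weakness applies to WPA pre-shared keys, which T 2.119 above singles out as a vulnerability when they are not complicated enough. The following added example, written for this page and not part of the catalogue, shows a checker that tests a WPA passphrase against a local policy and, for ordinary passwords, tests whether the new password is a predictable successor of the old one. The 8 to 63 character range is the one IEEE 802.11i defines for WPA passphrases; the minimum length of 20, the three character classes and the "predictable successor" rules are assumptions for this example.

```python
import re
import string

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def character_classes(pw: str) -> int:
    """Number of distinct classes (lower, upper, digit, punctuation) present."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(c in string.punctuation for c in pw))


def check_wpa_passphrase(pw: str, min_len: int = 20, min_classes: int = 3):
    """Return a list of policy violations; an empty list means the passphrase passes.

    8..63 ASCII characters is the range the WPA standard allows; min_len and
    min_classes are local policy values assumed for this example.
    """
    problems = []
    if not 8 <= len(pw) <= 63:
        problems.append("length outside the 8..63 characters a WPA passphrase may have")
    elif len(pw) < min_len:
        problems.append(f"shorter than the local minimum of {min_len} characters")
    if any(c not in string.printable or c in "\t\n\r\x0b\x0c" for c in pw):
        problems.append("contains characters outside printable ASCII")
    if character_classes(pw) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


def _split_stem_number(pw: str):
    """'January98' -> ('January', '98'); 'Bob' -> ('Bob', None)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), m.group(2)) if m else (pw, None)


def predictable_successor(old: str, new: str) -> bool:
    """True when `new` is derivable from `old` by a month step, a counter step,
    or by keeping a long common prefix (rules assumed for this example)."""
    old_stem, old_num = _split_stem_number(old)
    new_stem, new_num = _split_stem_number(new)
    # Month-name step: January98 -> February98, December98 -> January99
    if old_stem.lower() in MONTHS and new_stem.lower() in MONTHS:
        i, j = MONTHS.index(old_stem.lower()), MONTHS.index(new_stem.lower())
        if (i + 1) % 12 == j:
            if old_num == new_num:
                return True
            if i == 11 and old_num and new_num and int(new_num) == int(old_num) + 1:
                return True
    # Counter step: Secret1 -> Secret2
    if old_num is not None and new_num is not None and old_stem == new_stem \
            and int(new_num) == int(old_num) + 1:
        return True
    # Long shared prefix: most of the old password is kept
    common = 0
    for a, b in zip(old.lower(), new.lower()):
        if a != b:
            break
        common += 1
    return common >= max(4, len(old) // 2)


if __name__ == "__main__":
    print(check_wpa_passphrase("Bob"))
    print(check_wpa_passphrase("correct-horse-battery-staple-42!"))
    print(predictable_successor("January98", "February98"))
```

A password change that the successor check rejects should be refused at change time, since the whole point of the monthly rotation is lost if an attacker who learns one password can guess the next. The month and counter rules are the two patterns the catalogue's example exhibits; the prefix rule catches the more general habit of appending a character to the old password.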


T 3.84 Incorrect configuration of WLAN infrastructure

Access points and other WLAN components offer a number of configuration settings that also affect the use of security functions in particular. If the wrong settings are specified on such components, then it may be impossible to communicate over the access point, or communication may be carried out without sufficient protection even though the user assumes protection has been provided. The faulty configuration of WLAN components can cause various security problems, for example:

- If an access point is not adequately protected against unauthorised access, then someone may be able to make changes to its configuration, which then open additional security gaps.

- Availability problems or security gaps can arise due to non-uniform configuration of the WLAN security mechanisms on the access points.

- If the Internet can be accessed over a WLAN, then anyone who can connect to the WLAN can also use the Internet without using any additional filter mechanisms.

- Granting permissions for shared directories or other system resources too generously on a WLAN client can permit an attacker to access the client without being noticed.

- If the personal firewall of a WLAN client is not correctly configured or has been disabled by the user, then the client may be subject to attacks at the operating system level under certain circumstances. This is especially a problem in outside environments and hotspots.

Remote support access to WLANs always causes security problems when such access is not adequately secured and is used over insecure networks. If the configuration is incorrect in this case, then this can lead to the compromising of a WLAN client, for example, and an attacker could then gain information on how to access the WLAN. This information can then be used to attack the entire WLAN and eventually any LAN connected to the WLAN.

Threats Catalogue: Technical failure

T 4.60 Uncontrolled radio wave propagation

Wireless networks and the radio waves they emit often radiate beyond the limits of the rooms the networks are used in, so that data may be transmitted to areas which cannot be controlled and secured by the users or the organisation. It is therefore possible to record the data with minimal effort, and this type of eavesdropping is only detected in a small fraction of all cases. The goal of such attacks may be to obtain or manipulate sensitive information. Due to the inadequate protection of many wireless networks, it is often enough just to record and analyse the wireless communications over a period of time, even if the data is transmitted in encrypted form, because the cryptographic key can be calculated afterwards using the data collected, and the transmitted data can then be decoded. Furthermore, directional antennas can be used to receive and capture data from the wireless network outside the limits of the network's specified range.

Example:

A laptop with a WLAN card, together with a few freely available WLAN applications, is all that is required to search for poorly secured WLANs. When wardriving, for example, people drive around a certain region, a city district, or a typical office environment with a WLAN client and record where and which WLANs are broadcasting and how poorly secured they are. In this case, the data can also be linked directly with GPS data to determine the geographic location of the WLANs found. Afterwards, poorly secured WLANs are attacked specifically to gain free access to the Internet.


T 4.61 Unreliable or missing WLAN security mechanisms

In their delivered configurations, WLAN components are often configured so that only a few security mechanisms are activated, or possibly none at all. Some of these mechanisms are also unreliable and do not offer adequate protection. Even today, there are various WLAN components in use and available as new devices on the market that only support inadequate security mechanisms such as WEP. In some cases, these devices cannot even be updated to obtain stronger security mechanisms.

If no or only weak mechanisms are available to adequately secure the wireless interface and the services used over the WLAN, then secure communication is impossible in the WLAN. This poses additional threats to all components linked together in the network, including, for example, all data also stored on a WLAN client or in a LAN, which can adversely affect the entire IT infrastructure of a government agency or company. In the following, examples of possible security problems are listed.

WEP

If the wireless communication in the WLAN is not protected at all or only protected with WEP, then an attacker can easily listen in on all WLAN communication and often gain possession of confidential information. When using some devices such as WLAN-enabled printers, users are often unaware that a WLAN connection is established in this case, and the network is therefore inadequately secured. An attacker, though, may not only be able to listen in on the printed data, but may also be able to access components in the background system through the WLAN components.

SSID Broadcast

When transmitting data between two neighbouring wireless cells, the SSID (Service Set Identifier or network name) is used to find the next access point. Some access points offer capabilities for suppressing the transmission of the SSID in the broadcast mode to hide the WLAN from unauthorised persons (referred to as a "closed system"). However, WLAN analysers can be used in this case as well to determine the SSID using other management and control signals.

Ability to manipulate MAC addresses

Every network card has its own, unique hardware address referred to as the MAC address (Media Access Control address). The MAC addresses of the WLAN clients can be easily intercepted and manipulated, meaning the MAC address filters often built into the access points for the purpose of access protection can be easily overcome.

No key management

Cryptographic keys must be distributed manually in many WLANs, i.e. the same static key must be entered in every WLAN client and access point. This requires physical access to the components. This type of key management often leads to the following situation in actual practice: the cryptographic keys are very seldom changed or not changed at all. If a WLAN key is disclosed, then the entire WLAN is compromised in this case.

Vulnerabilities during administrative accesses to access points

Many access points offer different interfaces and protocols for administration purposes and permit their use over the LAN interface as well as over the wireless interface. When administration is performed over the wireless interface using plain text protocols such as Telnet, HTTP, or SNMP, the administration passwords transmitted over the WLAN can be intercepted. Attackers could use this information to reconfigure the access point.

Encrypted versions of the access protocols mentioned are often not supported or their use is not forced on the access points.

Threats Catalogue: Deliberate acts

T 5.71 Loss of confidentiality of classified information

In the case of classified information (such as passwords, person-related data, certain business-related and official information, research & development data) there is an inherent danger of the confidentiality of this information being impaired inadvertently or intentionally. Classified information can be tapped from various sources, including:

- internal storage media (hard disks)

- external storage media (floppy disks, magnetic tapes)

- printed paper (hardcopies, files) and

- data communications lines.

There are various ways of actually obtaining the confidential information:

- Reading out data

- Copying data

- Reading of data backups

- Theft of data media for the purpose of evaluation

- Monitoring data transmission lines

- Viewing data on a screen.

The more classified a piece of information, the higher the incentive for third parties to obtain and misuse it.


T 5.137 Analysis of connection data relating to wireless communication

When using wireless communication, the signals transmitted over the transmission route cannot be physically shielded against unauthorised eavesdropping or recording. For this reason, an attacker can carry out an attack without the access problems typical of line-based communication. In wireless networks using several base stations to support communication in a large area, for example cellular mobile communication networks, it is also common to determine the approximate location of the mobile end devices to ensure they can be accessed quickly. If the devices establish a connection themselves, then they also provide information on their location in the course of establishing the connection. This location information can be used by the network operator or service operator, but also by third parties, to form movement profiles.

Examples:

- In WLANs based on IEEE 802.11, the hardware address of a WLAN card, also known as the MAC address, is sent every time data is transmitted. This means that a clear relationship can be established between the MAC address of the wireless client and the time and location of the data transmission.

In this manner, movement profiles can be created for mobile users, for example recording when and where the users log in to public hotspots. Since these MAC addresses are transmitted in unencrypted form, it is not only the hotspot operators who can create movement profiles: in principle, anyone who installs a wireless LAN component in a suitable public place can intercept the MAC addresses of other users.

- The wireless communication of Bluetooth connections can be received passively and recorded with the help of Bluetooth protocol analysers. With knowledge of the device addresses, synchronisation with the frequency hopping sequence can even be performed when the devices are in the "non-discoverable" mode. All layers of the Bluetooth protocol stack can be viewed and analysed offline. It is also possible to extract and intercept the transmitted user data (payload) when encryption is not used. Through the use of a directional antenna and suitable electronics to amplify the Bluetooth signal received, this type of eavesdropping can also be performed at an even greater distance than the normal functional range. A transmission output power control is optional and is not supported by every Bluetooth device.

The use of the frequency hopping method alone therefore does not represent a serious obstacle for a well-informed attacker even though it is often written that this makes it significantly more difficult to log in without authorisation or receive and listen in on Bluetooth connections. The reason for using a frequency hopping method is to keep the number of transmission errors due to interference from the operation of other devices (e.g. WLANs) using the same frequency band small, and therefore to ensure a high level of availability.


- The unique Bluetooth device addresses can be misused to trace the individual devices. By tracing the devices, it is possible to create movement profiles of the users. The device address is not only used to establish a connection; each data packet also contains part of the device address of the master (24 of the 48 bits).


T 5.138 Attacks on WLAN components

Security deficiencies in the wireless communication, in individual WLAN clients, in access points, or in the distribution system can lead to successful attacks. In this case, internal data can be read or changed, and WLAN components can also be manipulated so that they in turn serve as points of entry for attacks on other networks and network components.

Intentionally interfering with the wireless network

A WLAN can be deliberately disrupted by operating sources of interference, also referred to as jammers. This can lead to the complete failure of a WLAN and therefore represents a denial-of-service attack at the physical level. The source of interference, when it has sufficient transmitting power, can also be located outside of the area in which the WLAN is used.

Simulating a valid authentication

An attacker could record, analyse, and then resend certain control and management signals to simulate a valid authentication of a WLAN component in the WLAN, and therefore obtain unauthorised access to the WLAN.

Simulating a valid access point

A man-in-the-middle attack can be performed by smuggling access points into a WLAN from the outside (also referred to as "cloning" or an "evil twin"). To accomplish this, an additional access point can be installed near a client. If this access point provides the WLAN client with a higher transmitting power than the real access point, then the client will use it as its base station when mutual authentication is not enforced. Furthermore, the official access point may be disabled by a denial-of-service attack. The users then operate in a network that only pretends to be the target network. This makes it possible for an attacker to listen in on communications.

Poisoning or spoofing methods can also simulate a false identity for an attacker or redirect the network traffic to the systems of the attacker, meaning the attacker can intercept and control communications.

Compromising the distribution system

In addition to connecting an outside access point, it is also possible to compromise the distribution system by inserting an external hub or switch between the access point and distribution system, provided that this area is accessible.

By connecting a protocol analyser, all communication between the access point and distribution system can be recorded. Furthermore, using corresponding tools, an active attack on the infrastructure or on a client of the associated access point can be performed. "Breaking" the WLAN encryption is not even necessary in this case since data is transmitted completely unencrypted in the LAN section of the distribution system when no encryption mechanisms are used at the application level or protocol level, for example using VPN technologies.


Attacks on WLAN clients

When a client connects to a WLAN, there are additional threats to the local data on the client. On one hand, attacks could be carried out on WLAN mechanisms, but also on any vulnerabilities of the operating system used. A client manipulated in this manner can lead to the compromising of the entire WLAN, and in the worst case, of the entire IT infrastructure of the organisation.

When data is transmitted in unencrypted form in the WLAN, an attacker can also easily listen in on communications, which is particularly damaging when the data is directly exploitable, as is the case with VoIP voice data, for example.

The inadequately planned use of a WLAN client in a wireless network which is not trustworthy (for example a hotspot or ad-hoc network) entails additional dangers. Examples of some of these dangers are listed in the following:

- With the help of spoofing tools, an attacker could install tools on the client of a WLAN user to compromise the network.

- An attacker could examine the vulnerabilities of the network services and functions on the client and exploit them under some circumstances. This could then enable the attacker to access the computer if unsuitable passwords are selected or the personal firewall is not configured properly.

Attacks on access points

Attacks can also be performed via the clients on other WLAN components, and therefore on the connected network. If there are no security mechanisms for mobile components and transmission standards, or they are poorly configured, then attackers could exploit this to gain unauthorised access to the internal network of a government agency or company. Every additional component integrated into a network creates additional network access points which are sometimes difficult to control. Every available network connection has the potential to be misused to eavesdrop on the network.


T 5.139 Tapping of WLAN communication

Since wireless networks are a shared medium, the data transmitted over a WLAN can be easily recorded. The following information, among other information, can be gained from the recorded data:

- WLAN parameters such as the SSID, wireless channel used, and encryption method used

- MAC addresses of the communication partners in the WLAN

Furthermore, the broadcasts and multicasts of all stations in the broadcast domain on the WLAN, including the stations in the cable-based LAN, can be monitored provided that these packets are not filtered on the access point. In spite of the use of encryption, an attacker can still determine the MAC addresses, and therefore the manufacturers, of all stations in the broadcast domain as well as the multicast addresses used, and can therefore obtain information on which Layer 2 protocols are used. When poor encryption is used, the NETBIOS browser messages, and therefore information on the server services in the LAN, are directly accessible.

When encryption is not used or only poor encryption is used, the following information can still be accessed:

- IP addresses of and ports used by the communication partners in the WLAN

- Possibly the user data transmitted, provided that this data is not protected at the application level through the use of a VPN, SSL, or some other encryption mechanism.
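As an added example (not part of the catalogue), the following Python script parses constructed 802.11 data-frame headers to show what an observer learns even from encrypted frames, as described above: the MAC addresses of stations and the access point, their vendors via the OUI prefix, and the broadcast and multicast addresses in use. It also compares the stations seen against an allow-list, the check an operator would run to find unlisted clients; the OUI table, allow-list and frames are constructed sample data.

```python
"""Audit what an observer learns from 802.11 data-frame headers alone, even
when the payload is encrypted: station and AP MAC addresses, their vendors
(OUI) and the group (broadcast/multicast) addresses in use (T 5.139). The
same parse doubles as a check for stations not on the organisation's list.

Added example, not part of the IT-Grundschutz catalogue. Frames, OUI table
and allow-list below are constructed sample data."""
import struct

# Constructed OUI table; a real audit would load the IEEE OUI registry.
OUI_TABLE = {"00:11:22": "VendorA", "aa:bb:cc": "VendorB"}

# Constructed allow-list: the access point, one laptop and one wired host.
KNOWN_STATIONS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "00:11:22:00:00:99"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header: frame control and addr1..3.

    Frame control is little-endian: type/subtype in the first octet, the
    flag bits (To-DS, From-DS, Protected Frame, ...) in the second."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc, = struct.unpack_from("<H", frame, 0)
    flags = fc >> 8
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "protected": bool(flags & 0x40),
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
    }


def data_frame_addresses(hdr: dict) -> dict:
    """Map addr1..3 of a data frame to DA/SA/BSSID via the To-DS/From-DS bits."""
    if hdr["type"] != 2:
        raise ValueError("not a data frame")
    if not hdr["to_ds"] and not hdr["from_ds"]:      # station to station (ad-hoc)
        return {"da": hdr["addr1"], "sa": hdr["addr2"], "bssid": hdr["addr3"]}
    if hdr["to_ds"] and not hdr["from_ds"]:          # client -> access point
        return {"da": hdr["addr3"], "sa": hdr["addr2"], "bssid": hdr["addr1"]}
    if not hdr["to_ds"] and hdr["from_ds"]:          # access point -> client
        return {"da": hdr["addr1"], "sa": hdr["addr3"], "bssid": hdr["addr2"]}
    raise ValueError("four-address (WDS) frames are not handled here")


def is_group_address(mac: str) -> bool:
    """Bit 0 of the first octet marks broadcast/multicast (group) addresses."""
    return bool(int(mac[:2], 16) & 0x01)


def audit_frames(frames) -> dict:
    """Summarise the metadata visible in the headers and flag unknown stations."""
    stations, bssids, groups = set(), set(), set()
    encrypted = 0
    for frame in frames:
        hdr = parse_mac_header(frame)
        if hdr["type"] != 2:
            continue                                  # management/control frames skipped
        addrs = data_frame_addresses(hdr)
        encrypted += hdr["protected"]
        bssids.add(addrs["bssid"])
        stations.add(addrs["sa"])
        if is_group_address(addrs["da"]):
            groups.add(addrs["da"])                   # e.g. ARP broadcast, mDNS multicast
        else:
            stations.add(addrs["da"])
    return {
        "encrypted_data_frames": encrypted,
        "access_points": bssids,
        "stations": stations,
        "vendors": {s: OUI_TABLE.get(s[:8], "unknown") for s in stations},
        "group_destinations": groups,
        "unknown_stations": stations - KNOWN_STATIONS,
    }


def build_data_frame(to_ds: bool, from_ds: bool, protected: bool,
                     a1: str, a2: str, a3: str) -> bytes:
    """Constructed data frame: header plus a placeholder payload."""
    fc = 2 << 2                                       # type = data, subtype = 0
    fc |= ((0x01 if to_ds else 0) | (0x02 if from_ds else 0)
           | (0x40 if protected else 0)) << 8
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", 0) + b"\x00" * 16


AP, CLIENT1, CLIENT2, WIRED = ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01",
                               "aa:bb:cc:dd:ee:02", "00:11:22:00:00:99")
SAMPLE_FRAMES = [
    build_data_frame(True, False, True, AP, CLIENT1, "ff:ff:ff:ff:ff:ff"),    # encrypted broadcast
    build_data_frame(False, True, True, CLIENT1, AP, WIRED),                # LAN host -> client
    build_data_frame(True, False, True, AP, CLIENT2, "01:00:5e:00:00:fb"),  # unlisted client
    struct.pack("<HH", 0x0080, 0) + b"\x00" * 20,                           # beacon, skipped
]

if __name__ == "__main__":
    for key, value in audit_frames(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```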


S 1.63 Appropriate location of access points

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Internal Services Division, Administrator

Secure mounting of access points

To prevent manipulation to the access points, they should be installed in metal housings or secured in place with metal brackets which permit mounting on the wall. Installation in raised floors, intermediate ceilings, or suspended ceilings and the use of external antennas is possible. Depending on the shape of the antenna, even a specialist might not be able in this case to determine if the object is a fire detector or an antenna for an access point.

As a rule, spaces and locations in which untrusted persons may be present for longer periods without being observed (outdoor areas, stairwells) should not be considered as installation locations if the access points would be visible and their shape is not disguised. However, access points without routing functionality can be installed in these areas. This prevents unauthorised persons from reading any detailed information on the structure of the network, which in turn reduces the number of possible attack points on the WLAN and on any LANs connected to it.

For a minimal level of protection, the access point should be securely bolted to a location inaccessible without additional tools or in a location hidden from view.

Positioning the access points

The position and direction of an access point has a critical influence on the transmission quality and throughput of a WLAN. In general, the emission of radio waves into areas which are not intended to be supplied by the WLAN should be reduced as much as possible. This not only reduces the number of possible points of attack, but also improves the level of service to the coverage area actually desired. Directional antennas, which bundle the electromagnetic waves radiated in a certain direction and therefore achieve a directionally dependent amplification effect (referred to as the antenna gain), can be used to accomplish this. This amplification effect must be adjusted to match the transmitting power of the access point. Some access points support adjustable settings for the transmitting power. In this manner, the coverage area will be illuminated with the necessary signal strength while simultaneously making it more difficult to access the WLAN from outside this area since only comparatively poor reception conditions prevail here now. A prerequisite for this is suitable positioning of the access point and of the antenna, which can be performed based on a corresponding measurement of the illumination.
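To make the trade-off between antenna gain and transmitting power concrete, here is an added example (not from the catalogue) that uses the free-space path-loss model to estimate the transmit-power window in which the intended area still receives a usable signal while the level at the site boundary falls below what a client needs to associate. The frequency, distances, wall loss, thresholds and the 20 dBm EIRP cap are assumptions; a real placement must be confirmed by the measurement the paragraph calls for.

```python
"""Rough link budget for positioning an access point (S 1.63): find the
transmit-power window in which the intended coverage area still receives a
usable signal while the signal at the site boundary falls below what a
client needs to associate. Added example, not from the catalogue; the
free-space model, thresholds and distances are assumptions and a site
measurement must replace them in practice."""
import math


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis) in dB; distance in metres, frequency in MHz."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(tx_dbm: float, antenna_gain_dbi: float, distance_m: float,
                       freq_mhz: float, extra_loss_db: float = 0.0) -> float:
    """Level at an omnidirectional (0 dBi) client at the given distance."""
    eirp = tx_dbm + antenna_gain_dbi
    return eirp - fspl_db(distance_m, freq_mhz) - extra_loss_db


def tx_power_window(antenna_gain_dbi, freq_mhz, coverage_m, boundary_m, wall_loss_db,
                    min_rx_dbm=-70.0, max_leak_dbm=-85.0, eirp_limit_dbm=20.0) -> dict:
    """Lowest TX power that still serves the coverage area, and highest TX power
    that keeps the boundary level below max_leak_dbm and EIRP within the cap.

    min_rx_dbm: assumed level needed for reliable service inside the area.
    max_leak_dbm: assumed level below which a client outside cannot associate.
    eirp_limit_dbm: assumed regulatory EIRP cap (20 dBm at 2.4 GHz in Europe)."""
    min_tx = min_rx_dbm + fspl_db(coverage_m, freq_mhz) - antenna_gain_dbi
    max_tx_leak = (max_leak_dbm + fspl_db(boundary_m, freq_mhz)
                   + wall_loss_db - antenna_gain_dbi)
    max_tx_reg = eirp_limit_dbm - antenna_gain_dbi
    max_tx = min(max_tx_leak, max_tx_reg)
    return {
        "min_tx_dbm": round(min_tx, 1),
        "max_tx_dbm": round(max_tx, 1),
        "feasible": min_tx <= max_tx,          # False: needs a better antenna/position
        "limited_by": "regulation" if max_tx_reg < max_tx_leak else "leakage",
    }


def assess_setting(tx_dbm, antenna_gain_dbi, freq_mhz, coverage_m, boundary_m,
                   wall_loss_db, min_rx_dbm=-70.0, max_leak_dbm=-85.0,
                   eirp_limit_dbm=20.0) -> dict:
    """Check one concrete power/antenna setting against the three conditions."""
    inside = received_power_dbm(tx_dbm, antenna_gain_dbi, coverage_m, freq_mhz)
    outside = received_power_dbm(tx_dbm, antenna_gain_dbi, boundary_m, freq_mhz,
                                 wall_loss_db)
    return {
        "rx_inside_dbm": round(inside, 1),
        "rx_boundary_dbm": round(outside, 1),
        "coverage_ok": inside >= min_rx_dbm,
        "leakage_ok": outside < max_leak_dbm,
        "eirp_ok": tx_dbm + antenna_gain_dbi <= eirp_limit_dbm,
    }


# Constructed scenario: channel 6 (2437 MHz), 6 dBi directional antenna,
# service needed up to 30 m, site boundary 120 m away behind 15 dB of walls.
SCENARIO = dict(antenna_gain_dbi=6.0, freq_mhz=2437.0, coverage_m=30.0,
                boundary_m=120.0, wall_loss_db=15.0)

if __name__ == "__main__":
    print("window:", tx_power_window(**SCENARIO))
    print("factory default 20 dBm:", assess_setting(20.0, **SCENARIO))
    print("reduced to 5 dBm:", assess_setting(5.0, **SCENARIO))
```

With the assumed numbers the factory-default 20 dBm setting covers the area but both leaks past the boundary and exceeds the EIRP cap, while 5 dBm satisfies all three conditions; the window shows how little headroom a lower-loss boundary would leave.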

When outdoor areas are to be supplied, antenna installations (antennas and possibly access points) must be suitably protected against the effects of weather, electrical discharges, and unauthorised access. The installation of access points outside of buildings should be avoided if possible.

Protection for outside antennas

When mounting antennas on the rooftops of buildings, the antennas must be protected against lightning. The antenna must be correspondingly shorter than the lightning rod and must be placed far enough away from it.


This also applies to high-voltage power lines, i.e. a certain distance must be maintained. Antennas installed outdoors which may be subject to hazardous electrical discharges (this always applies to antennas mounted on rooftops) should be connected to a special overvoltage protector which quickly detects and shunts current and voltage spikes. The overvoltage protection is mounted between the antenna and the access point (usually inside the building or in a comparably well-protected place) and must be provided with a sufficiently dimensioned earthing connection. Access points generally should not be installed in areas which could be subject to electrical discharges.

If in special cases the access points are installed outside of a suitably climatised building, then it must be ensured that the access points are adequately protected against moisture, frost, and heat. Outside antennas are to be suitably protected against snow accumulation. They must be mounted in a location protected from the wind or, if this is not possible, be mounted tightly enough that even high-intensity winds will not change the direction of the antenna.

Additional controls:

- How are the access points protected against unauthorised access?

- Are you sure that the access points only supply the desired coverage area? Do they supply the coverage area optimally?


S 2.381 Determining a strategy for the use of WLAN

Initiation responsibility: Public agency/company management, Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management

Before WLANs are used in an organisation, the general strategy taken by the organisation in terms of WLAN usage must be specified. In particular, it must be clarified in which organisational units, for which applications, and for what purpose WLANs will be used as well as which information is permitted to be communicated in a WLAN. The areas for which the WLANs will be set up (this could be, for example, environments in which the users often move through certain areas) as well as the areas in which no WLAN at all is permitted to be available (extending up to active shielding) should also be specified.

WLAN components can be used, for example, to

- supply blanket coverage to an organisation, a single department, or a production area with a wireless network,

- enable the use of mobile components in individual rooms, e.g. in meeting rooms,

- provide a commercial WLAN for external users (hotspots).

Wireless networks can be set up with or without connections to other networks, which also has a significant influence on the threat scenario and therefore on the security safeguards to be taken as well. Depending on the intended use and environment in which the WLAN is set up, the security safeguards necessary may differ significantly. This must be considered in all cases when formulating the security policies and regulations for WLAN usage. The decisions should be documented together with the reasons for the decisions.

When setting up a wireless network, a significant amount of planning is necessary to achieve the stability, transmission quality, and security required for professional use (see also S 2.383 Selection of a suitable WLAN standard and S 5.140 Setting up a distribution system).

Those responsible for IT as well as the IT Security Management in an organisation should be completely aware of the fact that many technical aspects in wireless communication systems, and especially in WLANs, are subject to rapid developments and changes. For IT Security Management and for those responsible for IT, this means on one hand that more expense is generally required to achieve secure operation of the WLAN, and on the other hand that the effectiveness of IT security safeguards must be tested more often than on other systems, and adapted more often to changes.

Expense is high for secure operation

The following points are important for the secure operation of wireless networks and the IT systems connected to them:

- The method of operation and technology of the wireless communication system used must be completely understood by those responsible for its operation.


- The security of the technology used should be evaluated regularly. Likewise, the security settings of the IT systems used (e.g. access points, laptops, PDAs) should be examined regularly.

- The subject of WLAN usage must be handled in the security policy of the organisation, and every change to the WLAN usage must be coordinated with IT Security Management.

- To reliably secure the transmitted data, specifications must be worked out that deal with, among other things, the selection and configuration of adequate encryption and authentication methods as well as with key management.

- The minimum WLAN standard, e.g. IEEE 802.11g, that must be supported by the WLAN components must be defined to guarantee secure interoperation of the individual components and to be able to use the necessary security mechanisms throughout the entire coverage area.

Use of WLAN components

Many IT systems used by end users such as laptops or PDAs contain WLAN functionality that is usually enabled by default. It must be ensured that no "wild" WLAN usage is possible using this functionality, and there must be clear rules stating whether or not it is permitted to use this WLAN functionality (and if yes, under what conditions).

Additional controls:

- Is the use of the WLAN permitted?

- Is there a documented strategy for WLAN usage?

- Has the minimum WLAN standard that needs to be supported by the WLAN components used been specified?


S 2.382 Drawing up a security policy for the use of WLAN

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

Suitable security policies must be established for the use of WLAN components in government agencies and companies. These WLAN-specific security policies must conform to the general security concept and the general security policies of the organisation. They must be checked regularly to ensure they are up to date and modified if necessary. The WLAN-specific rules can be added to the existing guidelines or can be collected in a separate guideline.

A WLAN security policy should contain the following points, among others:

- It should describe who is permitted to install, configure, and use WLAN components in the organisation. A number of conditions must be specified for this purpose, for example:

- Which information may be disclosed over WLAN components

- Where the WLAN components are used and where access points may be set up

- Which internal or external networks the WLAN is permitted to connect to

- Security safeguards and a standard configuration must be specified for all WLAN components.

- When security problems are suspected, the person responsible for security must be informed so that additional steps can be taken (see also B 1.8 Handling of security incidents).

- The administrators as well as the users of WLAN components should be informed and/or receive training on the threats posed by WLAN components and the corresponding security safeguards to follow.

- The correct implementation of the security safeguards described in the WLAN security policy should be checked regularly.

User guidelines for WLAN usage

To prevent overloading users with too many details, it may make sense to create a separate WLAN user guideline. In this case, the user guideline should contain short descriptions of the special aspects related to WLAN usage, for example:

- To which other internal and external networks the WLAN client is permitted to connect

- Under what general conditions clients are permitted to log in to an internal or external WLAN

- If and how hotspots are allowed to be used

- That the ad-hoc mode is to be disabled so that no other client can directly access the WLAN


- What steps need to be taken if it is suspected that a WLAN client has been compromised, and in particular, who must be informed in this case

It is also important to clearly describe how to handle security solutions on the clients. This includes, for example, rules stating that

- no security-related configurations may be changed,

- a virus scanner must always be activated,

- existing personal firewalls may not be disabled (see also S 5.91 The Use of Personal Firewalls for Internet PCs),

- all shared directories or services must be deactivated or at least protected by good passwords, and

- only special user accounts with restrictive rights should be used when using an external WLAN.

In addition, the user guideline should contain a clearly stated ban on connecting unauthorised access points. Furthermore, the guideline should specify, especially for classified information such as classified materials, which data may be used in the WLAN and which data may or may not be transmitted over it. Users should be sensitised to WLAN threats and be familiar with the contents and consequences of the WLAN guideline.

Guidelines for administrators of a WLAN

In addition, WLAN-specific guidelines for administrators should be created which can be used as the basis for training the administrators. It should specify who is responsible for the administration of the various WLAN components, which interfaces are available between the administrators responsible for operations, and when which information must flow between the persons responsible. It is common for one organisational unit to be responsible for the operation of the active components (distribution system and access points) while a different organisational unit is responsible for supporting WLAN clients or for identity and authorisation management.

The WLAN guidelines for administrators should also contain the essential, core aspects of the operation of a WLAN infrastructure, for example:

- Specification of a secure WLAN configuration and definition of secure standard configurations

- Use of a WLAN management system

- Selection and configuration of cryptographic methods including key management

- Regular assessment of log files, at least those of the access points

- Performing WLAN measurements: the configuration and the network coverage of access points and clients should be checked regularly using a WLAN analyser and a network sniffer. When checking, unauthorised WLAN clients and access points within the boundaries of the organisation should be searched for in particular.

- Initial operation of replacement systems


- Safeguards when the WLAN has been compromised

Even if there are no WLANs officially installed in an organisation, IT Security Management should still ensure that the systems are scanned regularly for unauthorised WLAN component installations.

All WLAN users, both general users and administrators, should confirm with their signature that they have read the contents of the WLAN security policy and will follow the instructions defined in the security policy. No one should be allowed to use the WLAN without this written confirmation. The signed declarations should be kept in a suitable location, for example in the personnel file.

Additional controls:

- Is there an up-to-date security policy for WLAN usage?

- How do you check if the users are following the security policy for WLAN usage?

- Does every WLAN user have a copy of the WLAN guidelines or an instruction sheet with an overview of the most important security mechanisms?

- Is the security policy for WLAN usage part of the training program on IT security safeguards?


S 2.383 Selection of a suitable WLAN standard

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

In the context of WLAN planning, an analysis of the current situation must be performed first to determine which of the systems in the organisation operate in the ISM band at 2.4 GHz and in the 5 GHz band. After the analysis of the current situation is complete, it can be determined from the analysis which WLAN standard can be used. The WLAN standards IEEE 802.11, IEEE 802.11b, and IEEE 802.11g use the 2.4 GHz band while the IEEE 802.11a and IEEE 802.11h standards operate in the 5 GHz band. By selecting the correct frequency band, interference in the WLAN generated by other systems operated by the organisation can be prevented. Only the IEEE 802.11 and IEEE 802.11i standards contain descriptions of security mechanisms.

In addition to these technical considerations, the security mechanisms available in the individual WLAN standards must be compared to each other. In general, only methods generally recognised as secure should be used for authentication and encryption. In this case, it must be ensured that recognised cryptographic methods with sufficient key lengths as well as collision-resistant hash functions are used (see also S 2.164 Selection of a suitable cryptographic procedure). When using WPA or WPA2, it is recommended to use authentication procedures with mutual authentication. In procedures with mutual authentication, the WLAN client must authenticate itself to the access point and vice versa. A shared secret, the pre-shared key, or the EAP framework with a RADIUS server can be used for authentication purposes. If a high protection level is required, then it is recommended to use device and user authentication so that only those clients known to the organisation (and configured according to the security policies) are permitted to access the WLAN.

The IEEE 802.11 standard, for example, uses Wired Equivalent Privacy (WEP) with static keys, which has been shown to be insecure. For this reason, WLANs in which WEP is used should not be operated without additional security safeguards in areas in which confidential information will be transmitted. Instead, the Wi-Fi Protected Access (WPA) method created by the Wi-Fi Alliance should be selected. Better still is the use of the supplemental IEEE 802.11i standard and WPA2 to secure WLAN communication. WPA specifies, among other options, the use of pre-shared keys with the Temporal Key Integrity Protocol (TKIP) to secure communication in the WLAN. IEEE 802.11i itself prescribes the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which provides message authentication and integrity through CBC-MAC and confidentiality through counter mode. CCMP uses the Advanced Encryption Standard (AES) to encrypt the information, in contrast to the RC4 cipher used in WEP and WPA.

WEP is insecure, WPA/WPA2 is better

____________________________________________________________________ .......................................... IT-Grundschutz Catalogues: New 39


A careful examination of each of the WLAN standards, especially in terms of their security functions, is unavoidable and must always be performed. It is possible to decide on the use of a certain WLAN standard only after detailed assessment of each of the standards. The reasons for the decision must be documented so that the decision can be understood later.

Additional controls:

- Which protocols and standards were selected for WLAN operation?

- Have the reasons for the choice been documented?


S 2.384 Selection of suitable crypto-methods for WLAN

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

To guarantee secure operation of a WLAN, it is necessary to completely secure the communication over the wireless interface. Without adequate encryption, there is a risk that unauthorised persons could read the data transmitted over the WLAN. Likewise, an inadequately protected WLAN offers a point of attack on any LAN it is connected to. Furthermore, the integrity of the data must be ensured so that manipulation of this data can be detected. Use of a (mutual) authentication procedure among the WLAN components is also important.

In the IEEE 802.11 and 802.11i WLAN standards, various cryptographic methods are described which can be used to secure a WLAN. They must be selected and applied depending on the area of application, required protection level, and size of the organisation.

Wired Equivalent Privacy (WEP)

WEP is the oldest and most common encryption standard for WLANs and is described in the IEEE 802.11 standard. WEP only offers an absolute minimum of protection against unintentional reading of data and accidental logins.

WEP is currently considered to be outdated and insecure since a number of security gaps have been found. WEP should therefore be considered unsuitable for use in securing WLANs and should not be used any more.

WEP is outdated and insecure

If no cryptographic methods other than WEP are available and the WLAN components will continue to be operated anyway, then WEP should at least be activated. In this case, the maximum key length should be selected and the key should be changed regularly by hand (at least once per day). Such a decision is to be documented, and all users of the WLAN must be informed of the decision. Such an inadequately secured WLAN may only be used in uncritical areas, for example when it is only used to access the Internet. It must be ensured, though, that no sensitive data is transmitted over the WLAN or is accessible over the WLAN components connected to it when the WLAN has only been secured using WEP.

WPA, WPA2, and IEEE 802.11i

IEEE 802.11i is considered to be the new security standard for WLANs, parts of which correspond to Wi-Fi Protected Access 2 (WPA2) from the Wi-Fi Alliance. In contrast to WPA, which corresponds to Draft 3.0 of IEEE 802.11i and which was also published by the Wi-Fi Alliance, WPA2 and IEEE 802.11i use the Advanced Encryption Standard (AES) as the encryption algorithm. In WPA, just like in WEP, RC4 is still used as the encryption algorithm. Both WPA and WPA2/IEEE 802.11i provide additional protection through dynamic key generation using the optional Temporal Key Integrity Protocol (TKIP). Furthermore, in WPA2 and IEEE 802.11i the use of CCMP as the mode of operation for AES is prescribed to ensure integrity.


If possible, a WLAN should be secured everywhere and consistently using WPA2 and CCMP (but at least WPA with TKIP) since they use stronger algorithms for encryption and ensuring integrity. Weaker methods are unacceptable according to the current state of the art.

Pre-shared keys (PSK) can be used for user authentication. These keys are used the first time a connection is established for the purpose of providing authentication to another WLAN component. If pre-shared keys are used, then it must be ensured that the keys are significantly longer than the usual six to eight characters since the security of the encrypted data depends on the key length. This method is only practical, though, for small WLAN installations; an EAP method according to IEEE 802.1X should be used for large WLANs.

The following table provides a better overview of the various security mechanisms:

                        WEP              WPA                                     802.11i (WPA2)
Encryption algorithm    RC4              RC4                                     AES
Key length              40 or 104 bits   128 bits (64 bits for authentication)   128 bits
Key                     Static           Dynamic (PSK)                           Dynamic (PMK)
Initialisation vector   24 bits          48 bits                                 48 bits
Data integrity          CRC-32           MICHAEL                                 CCMP

TKIP and CCMP

The Temporal Key Integrity Protocol (TKIP) was designed as a backward-compatible solution on top of WEP, but it does not eliminate WEP's main weaknesses. For TKIP, IEEE 802.11i solved the problem of the poor integrity check in WEP through the additional use of the MICHAEL method (a message integrity check). TKIP and MICHAEL should be understood as interim solutions.

CCMP stands for CTR Mode (Counter Mode) with CBC-MAC Protocol (Cipher Block Chaining Message Authentication Code). Here the plaintext is not encrypted directly with AES; instead, a counter block is encrypted with AES under the symmetric key, and the actual ciphertext is obtained by XOR-ing a block of the plaintext with the AES-encrypted counter. In addition, a CBC-MAC (the Cipher Block Chaining mode used as a message authentication code) is computed over the frame to ensure data integrity. The use of IEEE 802.1X is required in this case to manage and distribute the keys. A key length of 128 bits is used in IEEE 802.11i.
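To make the two halves of CCMP concrete, the following Go program (an added example, not part of the IT-Grundschutz text) implements the CCM construction described above with AES-128 from the Go standard library: a CBC-MAC over the frame header and payload produces the MIC, and counter mode produces the keystream that is XOR-ed with the payload and with the MIC. The CCMP parameters (13-byte nonce built from a priority byte, the transmitter address and the 48-bit packet number; 64-bit MIC; 2-byte length field) follow IEEE 802.11i, but the key, nonce, header bytes and payload used with it are constructed sample values, and the function names Seal and Open are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
)

// CCMP parameters from IEEE 802.11i: 13-byte nonce (15 - L, with L = 2 length
// bytes) and a 64-bit MIC; blockSize is the AES block size.
const nonceLen, micLen, blockSize = 13, 8, 16

func padBlock(b []byte) []byte {
	return append(b, make([]byte, (blockSize-len(b)%blockSize)%blockSize)...)
}

// cbcMAC computes the CCM tag T: AES-CBC-MAC over B_0 || length-prefixed AAD
// (zero-padded) || message (zero-padded), keeping the first micLen bytes.
func cbcMAC(block cipher.Block, nonce, aad, msg []byte) []byte {
	b0 := make([]byte, blockSize)
	b0[0] = byte((micLen-2)/2)<<3 | byte(2-1) // flags: M' = (M-2)/2, L' = L-1
	if len(aad) > 0 {
		b0[0] |= 0x40 // Adata flag: header data is authenticated too
	}
	copy(b0[1:], nonce)
	b0[14], b0[15] = byte(len(msg)>>8), byte(len(msg)) // l(m), big-endian
	var data []byte
	if len(aad) > 0 { // l(a) as a 2-byte prefix (AAD shorter than 2^16-2^8 bytes)
		data = padBlock(append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...))
	}
	x := make([]byte, blockSize)
	block.Encrypt(x, b0) // X_1 = E(K, B_0)
	for data = padBlock(append(data, msg...)); len(data) > 0; data = data[blockSize:] {
		for j := range x {
			x[j] ^= data[j]
		}
		block.Encrypt(x, x) // X_{i+1} = E(K, X_i XOR B_i)
	}
	return x[:micLen]
}

// ctrBlock builds the counter input A_i = flags(L') || nonce || i (2 bytes).
func ctrBlock(nonce []byte, i int) []byte {
	a := append([]byte{byte(2 - 1)}, nonce...)
	return append(a, byte(i>>8), byte(i))
}

// ctrXOR XORs src with the keystream E(K, A_1), E(K, A_2), ... into dst.
func ctrXOR(block cipher.Block, nonce, dst, src []byte) {
	s := make([]byte, blockSize)
	for i := 0; i < len(src); i += blockSize {
		block.Encrypt(s, ctrBlock(nonce, i/blockSize+1))
		for j := 0; j < blockSize && i+j < len(src); j++ {
			dst[i+j] = src[i+j] ^ s[j]
		}
	}
}

// maskedMIC returns T XOR S_0 with S_0 = E(K, A_0): the MIC as carried in the frame.
func maskedMIC(block cipher.Block, nonce, aad, msg []byte) []byte {
	tag := cbcMAC(block, nonce, aad, msg)
	s0 := make([]byte, blockSize)
	block.Encrypt(s0, ctrBlock(nonce, 0))
	for j := range tag {
		tag[j] ^= s0[j]
	}
	return tag
}

// Seal returns ciphertext || MIC, the layout CCMP uses for the protected frame body.
func Seal(key, nonce, aad, plaintext []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("ccm: nonce must be 13 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext), len(plaintext)+micLen)
	ctrXOR(block, nonce, out, plaintext)
	return append(out, maskedMIC(block, nonce, aad, plaintext)...), nil
}

// Open accepts the frame only if the MIC recomputed over the header and the
// decrypted payload matches; the comparison is constant-time, as on a receiver.
func Open(key, nonce, aad, sealed []byte) ([]byte, error) {
	if len(nonce) != nonceLen || len(sealed) < micLen {
		return nil, errors.New("ccm: bad nonce or frame length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(sealed) - micLen
	plaintext := make([]byte, n)
	ctrXOR(block, nonce, plaintext, sealed[:n])
	if subtle.ConstantTimeCompare(sealed[n:], maskedMIC(block, nonce, aad, plaintext)) != 1 {
		return nil, errors.New("ccm: MIC check failed")
	}
	return plaintext, nil
}
```

Two points from the text are visible in the code: the receiver recomputes the MIC over the decrypted payload together with the unencrypted header, so a change to either is rejected, and because the packet number is part of the nonce, the same temporal key never yields the same keystream twice unless a packet number is reused. RFC 3610 publishes test vectors for exactly this CCM parameter set, and a production implementation should be checked against them rather than against a round trip alone.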

Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP) according to the IEEE 802.1X standard can be used for additional protection of the authentication procedure. EAP is described in detail in RFC 3748. In this case, the user logs in to an authentication instance, e.g. a RADIUS server, and this instance checks for access authorisation before handing over the session key.


EAP supports a series of authentication methods so that certificates and two-factor authentication procedures can be used.

EAP methods which can be used in a WLAN include, for example:

- EAP-TLS

In EAP-TLS, which is defined in RFC 2716, mutual authentication is performed based on X.509 certificates. For authentication, the party to be authenticated must prove that it knows the private key corresponding to the public key known to its communication partner. Consequently, methods must be established to distribute and manage the corresponding certificates. The establishment and operation of a Public Key Infrastructure (PKI) requires careful planning (see for example S 2.232 Planning the Windows 2000 CA structure). The keys themselves are exchanged over a tunnel secured using TLS.

- EAP-TTLS

In EAP-TTLS, in contrast to EAP-TLS, the WLAN client does not have to possess its own certificate. Only the server needs a valid certificate in EAP-TTLS. Using a tunnel secured with TLS, other possibly less secure methods can be used for client and/or user authentication. EAP-TTLS is, like EAP-TLS, a key-generating method, i.e. a new session key is created every time a communication link is established. The key is then used to secure the tunnel using TLS.

- EAP-PEAP

EAP-PEAP is also a key-generating method and, similar to EAP-TTLS, only the authentication server requires a valid X.509 certificate. In contrast to EAP-TTLS, though, only other EAP methods can be used for client authentication in the secured tunnel such as EAP-MSCHAPv2 or EAP-TLS, for example. In this case, combination with EAP-MSCHAPv2 is interesting for networks which primarily use Windows 2000 or Windows XP as the client operating system since this method is supplied with the operating system.

Additional EAP methods are described in the IEEE 802.1X standard or in the Secure WLAN technical guideline from BSI.

In general, for larger installations it makes sense to implement EAP user authentication according to IEEE 802.1X. Modern WLAN components support IEEE 802.11i, and therefore already support WPA2. When purchasing new WLAN components, always check beforehand to see if the components also support the corresponding EAP methods.

WPA2 with EAP

Key management

The cryptographic keys used to protect communications or for authentication must be changed regularly (see S 2.388 Appropriate key management for WLAN).

For all WLAN components, it must be ensured that they do not accept any cryptographic methods with a lower level of protection than the selected method when establishing a connection to other WLAN components. Connections to such components must be rejected.


Additional controls:

- Was a suitable encryption method selected? Was this decision documented?

- Do all WLAN components support the selected WLAN security standard, for example IEEE 802.11i, so that compatibility problems are avoided?


S 2.385 Selection of suitable WLAN components

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

When selecting WLAN devices, you must first ask if the devices fit the WLAN security strategy. There are numerous types and device classes of WLAN components. They not only differ in terms of the features they offer, but also in terms of their security mechanisms and ease of use. In addition, they place different requirements on hardware and software components in the operational environment.

Due to the numerous different types of WLAN components, compatibility problems can be expected. The most important criteria for the selection of WLAN components are therefore security and compatibility.

If it has been decided to build a WLAN in an organisation, then a list of requirements should be created against which the products available on the market are evaluated. The products to be purchased should then be selected based on the evaluation. Given the variety of requirements for use, practical experience has shown that it may be perfectly sensible to select several types of devices for purchase. The variety of devices should be limited, though, to simplify support. An important criterion when purchasing WLAN components is their compatibility with existing devices.

List of requirements

When purchasing the devices, the data throughput and range should also be considered. Using external antennas, the range of WLAN components can be improved. However, it must be ensured in this case that the emissions do not radiate into areas in which the WLAN is not intended to be used and should not be used because of the increased range.

When purchasing access points, the following should be checked, among other items:

Criteria for access points

- How many channels can be set

- If the SSID can be set

- If the SSID beacon can be deactivated

- Which cryptographic methods are implemented (WEP, WPA, WPA2, and others)

- If the Open System mode as well as the Shared Key mode can be specified for authentication (the latter is unfortunately not always available by default)

- To what extent EAP methods according to IEEE 802.1X are supported

- If administration over secure lines of communication, e.g. SSH or SSL, is possible and insecure protocols such as HTTP or Telnet, for example, can be disabled

- If IP and/or MAC address filtering is possible

- If ACLs can be set up for access over the WLAN, a connected LAN, or to configure the access points


- If a packet filter is already integrated

- If additional mechanisms for access control are available (filtering based on various criteria such as the port numbers, applications, URLs, etc.)

- If tunnel protocols like PPTP or IPsec are supported

It is essential to test not only that the cryptographic method implemented carries exactly the same designation as the method used by the other WLAN components, but also that the methods actually interoperate correctly.

The correct configuration of the access points is an essential aspect of security. On some access points, configuration is possible wirelessly directly over the WLAN, which manufacturers usually tout as convenient. This also poses security problems: configuration over the WLAN should not be done, and if such functionality is available, it should at least be possible to switch it off (and it should remain switched off at all times during operation). Many access points also offer the ability to connect a management console over a serial or USB interface to simplify configuration. The management console can then be administered via HTTP or Telnet over the intranet or Internet. In this case, the remote access must be adequately secured, for example by protecting the communication with SSL or SSH. Remote access over the Internet should generally be examined critically.

Access to the WLAN components for administration purposes should only be possible for authorised persons. For this reason, it should be examined how this access is secured. If access is secured via passwords, then the passwords selected should be as complex as possible (see S 2.11 Regulation of password usage). It is better, though, to use strong authentication methods for administrative access (see also S 4.133 Appropriate selection of authentication mechanisms).

Implementation of the necessary security rules on access points is often very complicated. In addition to key management, you also need to specify the settings necessary for the various parameters and options. There are now solutions available for some access points to control them in an organisation over a central server. Unfortunately, only proprietary solutions have been available so far, and they only support the WLAN components of the particular manufacturer.

Since it can take a lot of time and effort until the network administrator has determined the correct configuration, especially for network switching elements, it should be possible to save the configuration.

The language used in the online help system and documentation of the WLAN components should be formulated so that future users and administrators will be able to understand the technical descriptions.

Interoperation with the corresponding infrastructure

When purchasing, all WLAN components should be checked to determine if they operate correctly with the corresponding infrastructure. This includes checking the following, for example:

- The authentication method used in the WLAN must be supported by the clients and access points as well as by the authentication server.


- If authentication according to IEEE 802.1X is performed in the WLAN, then the access points must support the EAP authentication method and process the information transmitted in the IEEE 802.1X specification correctly.

- It must be examined whether the authentication server can be operated without its own separate database for user authentication and can instead pass the authentication requests to a central user database using secure query methods.

When purchasing for a large WLAN installation, the corresponding tests must be performed before actually purchasing. The degree of fulfilment of the technical requirements can be evaluated with the help of a test catalogue. These tests make it easier later on to actually install the WLAN and obtain approval.

Additional controls:

- Was adequate consideration given to security aspects when selecting the WLAN components?

- Was compatibility with the existing WLAN components checked?


S 2.386 Careful planning of necessary WLAN migration steps

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

Due to the rapid development of WLAN technology, migration from an existing installation to new protocols, technologies, or products can seldom be prevented. In general, there are two different types of migration:

- Migration of the transmission technology (e.g. from IEEE 802.11g to IEEE 802.11h)

- Migration of the WLAN security mechanisms (e.g. from WEP to WPA-PSK or IEEE 802.11i with IEEE 802.1X)

In the first case, the entire planning process for a WLAN must be carried out, from the assessment of the risk to the selection of suitable security safeguards.

In the second case, it may be necessary to temporarily operate different security systems in parallel and extend the configurations of the access points, distribution system, and connection point to the WLAN. The use of WLAN components or WLAN areas not yet migrated must be reduced to a minimum through the corresponding technical and organisational specifications, if necessary. For example, it may be necessary to prohibit access to sensitive data from components not yet migrated, or to separate the WLAN area not yet migrated from the rest of the WLAN and LAN using an additional DMZ.

If it is necessary to operate two different security mechanisms in parallel, e.g. WPA-PSK or WPA2-PSK and WEP, then the following points must be considered:

- The duration of parallel operation should be kept as short as possible.

- If WEP and pre-shared keys are used simultaneously, then particular care must be taken to ensure that the keys are changed often (at least daily) and that only complex passwords can be used (see S 2.388 Appropriate key management for WLAN).

- Access points must permit the operation of both mechanisms at the same time during the migration phase. Access points that support a maximum of WEP must be replaced as quickly as possible and removed from the WLAN.

- WLAN clients that only support WEP (e.g. a printer or a PDA) should only be switched on when they are needed. They should be replaced by clients that support WPA2 as quickly as possible.

- WLAN components such as WLAN printers should not be configured over the wireless interface, if it is possible to disable this, but over the console port of the component instead.

In all cases, each of the migration steps must be planned carefully. The migration should also be used to consolidate and expand the WLAN infrastructure, and the WLAN administrators and WLAN users should receive additional training.


If the login procedure for the WLAN users changes due to the introduction of new WLAN authentication mechanisms, then the users must also receive additional training. Furthermore, the WLAN user guidelines should be adapted to reflect the new procedures.

Additional controls:

- Is there a plan for the migration of the WLAN technology available? Is the length of time required for migration specified?

- Has it been ensured that components with weaker protection do not have access any more to sensitive data?


S 2.387 Installation, configuration, and support service for a WLAN by third party

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

If a WLAN will be installed, configured, or supported by an external contractor, then the points described in the following must be taken into account in addition to the recommendations in module B 1.11 Outsourcing for the WLAN:

- It should always be checked if the WLAN installation can be performed in-house or by the organisation’s own employees. A feasibility study and a cost study should be performed for this purpose.

- The security strategy and the security policy should always be created by the organisation itself and not by third parties. This prevents a situation in which nobody in the organisation deals with the security aspects of WLANs in detail any more, so that necessary security safeguards might be forgotten. It does make sense to use consulting services and other services offered by third parties when no internal resources are available for this.

- When awarding the contract for a WLAN installation, a detailed requirements specification must be created. It must contain all minimum requirements on the WLAN components and precisely define all network components connected to the WLAN, etc. The requirements specification should be used as the basis for the contract when awarding the contract to an external contractor, and serves later on as the basis for the tests conducted for approval.

- The contractor is to be provided with the security strategy and the security policy for the use of WLANs. The contractor must promise in the contract to follow and implement these policies and strategies. The performance of the services agreed to in the contract must be checked regularly to enable early detection of any eventual problems. The security strategy and the security policy should be a permanent part of the requirements specification.

- The contractor should possess extensive and, ideally, many years of experience in the installation and securing of WLANs. The corresponding references must be submitted, and random spot checks of the references must be made.

- The contractor must promise in the contract that he will not pass the configuration of the WLAN and of the WLAN components or any passwords, connection keys, access codes, and access mechanisms on to any unauthorised persons. Likewise, the contractor should be made to promise that any information or data that he may eventually obtain knowledge of due to working on the rest of the network will not be stored temporarily or handed over to any unauthorised persons.


- Before the contractor installs the WLAN, corresponding tests must be performed. The tests should test all planned security settings in detail. During this phase, any LANs connected to the WLAN are especially at risk and should be secured accordingly.

- It must be ensured that no back doors are built into the WLAN by the contractor while the contractor is installing the WLAN. All settings and configurations must be documented accurately by the contractor and handed over in full to the client upon completion of the installation.

- After finishing the installation, the approval process should be performed based on the specifications. Furthermore, the execution documentation created on the basis of the requirements specification after awarding the contract serves as the basis for testing, since this documentation may specify, for example, methods for taking measurements during the approval process.

- The WLAN installation should be approved with the help of an independent expert so that the technical details can be checked precisely as well.

- If a wireless IDS was also purchased, then tests must be conducted in the appropriate test scenarios, which must have been specified in advance of the tendering for bids. In this case, it makes sense to operate the WLAN initially in a test environment. The tests should also verify if the entire monitoring area is also actually being monitored by the WLAN sensors. In addition, various malfunctions should be simulated.

- One of the main points of emphasis during approval is checking the documentation for completeness and any possible inconsistencies.

- If the WLAN will also be supported after installation by an external contractor, then the contractor must also promise in the contract that he will not pass any information such as passwords, sensitive data, configuration settings, etc., on to unauthorised persons. Likewise, a contingency plan should also be created together with the contractor. When creating the contingency plan, the severity, the reaction time, the corresponding steps to take, and who must be informed in case of an emergency must be precisely defined for each possible problem that could occur in the WLAN.

Additional controls:

- Has the contractor been provided with the security strategy and the security policy for WLAN usage?

- Was a contingency plan for problems in the WLAN created together with the contractor?


S 2.388 Appropriate key management for WLAN

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

The use of cryptographic security mechanisms requires that suitable keys are generated, distributed, and installed in a way that preserves their confidentiality, integrity, and authenticity (see also S 2.46 Appropriate key management). When using WEP and WPA-PSK or WPA2-PSK, the security of the WLAN depends primarily on the selection of suitable WLAN keys that have not been compromised. For this reason, a suitable method for key management must be selected which fits the existing cryptographic mechanisms. Two types of key management are distinguished here: static (manual) and dynamic key management.

WEP

In WEP, only a single, static key is used, i.e. the same WEP key must be entered in every WLAN component in a network. Furthermore, WEP has no provisions for dynamic key management so that the keys need to be administered manually. Since WEP keys can be compromised in a very short amount of time, WEP should not be used any more. However, if it is necessary for some reason to use WEP, then the keys must be changed regularly by hand (at least once per day).

WPA / WPA2 with TKIP or CCMP

WPA uses TKIP, which permits the use of dynamic cryptographic keys instead of just the static keys permitted by WEP. In IEEE 802.11i (WPA2), CCMP is also used as the cryptographic method for ensuring data integrity and for encrypting the user data.

TKIP and CCMP are symmetric methods, which means all communication partners must have a shared key configured. This key is referred to as the Pairwise Master Key (PMK). The Pairwise Master Key (PMK) can be sent to the participating WLAN components in one of two ways:

- Static key: The PMK can be configured manually (similar to WEP) as a static key, referred to as a pre-shared key (PSK), on access points and clients. It is usually possible to specify the shared, secret key using passwords. These passwords are used to calculate the PMK using hash functions. If such a PSK is not complex enough (in terms of the length of the key and the randomness of the characters), then it is vulnerable to dictionary attacks. For this reason, these passwords should be highly complex and have a length of at least 20 characters. Once a WLAN reaches a certain size, it becomes much more difficult to roll out a new key.

It is possible to use PSK in combination with WPA or WPA2. If WPA-PSK or WPA2-PSK will be used, then it is recommended to change the key every three to six months to protect communications and for authentication purposes.

- Dynamic key: Dynamic key administration and distribution offers a mechanism with a higher level of security which ensures that a new key (PMK) is provided regularly, and especially after a WLAN client has successfully provided authentication on the access point.
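The relationship between the passphrase and the PMK in the static case above, and the length requirement that this safeguard and S 2.384 place on pre-shared keys, can be checked with the following Go program. It is an added example, not part of the IT-Grundschutz text: it derives the PMK the way IEEE 802.11i specifies for WPA/WPA2-PSK (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit result) and reports which of the safeguard's requirements a candidate passphrase misses. The PBKDF2 routine is written out so that only the standard library is needed; the function names PMK and PassphraseProblems, the sample passphrase and the SSID are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 implements PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF; it is
// written out so the block needs nothing beyond the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hashLen := prf.Size()
	var dk []byte
	u := make([]byte, hashLen)
	for b := 1; len(dk) < keyLen; b++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(b))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		dk = prf.Sum(dk)          // U_1 = PRF(P, S || INT(b))
		t := dk[len(dk)-hashLen:] // T_b = U_1 XOR U_2 XOR ... XOR U_iter
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0]) // U_n = PRF(P, U_{n-1})
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// PMK derives the WPA/WPA2 pairwise master key for the PSK case as IEEE 802.11i
// specifies: PBKDF2-HMAC-SHA1 over the passphrase, the SSID as salt, 4096
// iterations, 256 bits. Every client and access point runs this same derivation.
func PMK(passphrase, ssid string) []byte {
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32)
}

// PassphraseProblems lists why a candidate passphrase falls short of the
// safeguard; an empty result means no finding. The character-class count is a
// crude proxy for the randomness the text asks for, not an entropy measurement.
func PassphraseProblems(pp string) []string {
	var out []string
	if len(pp) < 8 || len(pp) > 63 {
		out = append(out, "IEEE 802.11i allows only 8 to 63 characters")
	}
	if len(pp) < 20 {
		out = append(out, "shorter than the 20 characters S 2.388 recommends")
	}
	classes := map[string]bool{}
	for _, r := range pp {
		switch {
		case r < 32 || r > 126:
			classes["non-printable"] = true
		case r >= 'a' && r <= 'z':
			classes["lower"] = true
		case r >= 'A' && r <= 'Z':
			classes["upper"] = true
		case r >= '0' && r <= '9':
			classes["digit"] = true
		default:
			classes["symbol"] = true
		}
	}
	if classes["non-printable"] {
		out = append(out, "contains a character outside printable ASCII")
		delete(classes, "non-printable")
	}
	if len(classes) < 3 {
		out = append(out, "uses fewer than three character classes")
	}
	return out
}

func main() {
	// Constructed sample passphrase and SSID; not a real network.
	pp, ssid := "Correct-Horse-Battery-7-Staple", "example-corp-wlan"
	fmt.Printf("problems: %v\n", PassphraseProblems(pp))
	fmt.Printf("PMK: %s\n", hex.EncodeToString(PMK(pp, ssid)))
}
```

The derivation is deliberately slow (4096 HMAC rounds) and salted with the SSID, so the dictionary attack the text warns about has to repeat all of it for every guess; the only protection that scales with an attacker's resources, though, is the length and randomness of the passphrase, which is what PassphraseProblems checks. Annex H of IEEE 802.11i contains test vectors for this derivation (for example passphrase "password" with SSID "IEEE") against which an implementation can be validated.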


To achieve key administration and distribution, IEEE 802.11i falls back on another standard, IEEE 802.1X. This standard was designed for port-based network access control in wired networks. The basic idea in IEEE 802.1X is that a network port is only activated once the user has successfully authenticated to the network. Authentication is therefore performed at Layer 2. For such a procedure to function at all, IEEE 802.1X specifies an interface between the client, the network element, and an authentication system. This interface is based on the Extensible Authentication Protocol (EAP) and the adaptation of this protocol for transmission at Layer 2 in a LAN (referred to as EAP over LAN or EAPOL). This means that the specifications for authentication and for key administration and distribution go hand in hand.

In general, the keys of all WLAN components should be changed at regular intervals, but at least once every 3 months. In large installations, the central WLAN management solution should contain a suitable function for this purpose to keep the amount of work necessary to a minimum.

The changing of the key information should be tested specifically on all WLAN components during the planning phase so that any possible problems with changing the keys are detected early.

Additional controls:

- Was the test in which the key is changed performed on all WLAN components?

- Is there a schedule available specifying when to change the key information?


S 2.389 Secure use of hotspots

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Users

Hotspots are areas with local wireless access whose coverage area may be limited to a room, a hall, or a production facility, for example. Usually, hotspots are set up specifically for use by external subscribers. They are used mainly to provide wireless access to the Internet. Hotspots are often found in hotels, airports, trade fairgrounds, train stations, and convention centres.

Hotspots should always be considered insecure networks because, on one hand, it is difficult to assess the level of security of these networks from the outside, and on the other hand because most hotspots offer their services in the form of shared networks: they generally permit every end device to access all other end devices in the network. If the risk posed by a hotspot cannot be estimated at all, the use of hotspots can also be prohibited completely in the WLAN security policy. In this case, though, it must also be ensured through technical means that a WLAN client cannot access such a hotspot.

The operators of hotspots can do a lot to ensure the security of the wireless access and other services they provide (see S 4.293 Secure operation of hotspots), but without the co-operation of the users, it is impossible to achieve a proper level of security. The following safeguards, among others, should be taken by the users:

- The users should ask which security precautions have been taken on the hotspot so they can estimate the security level of the network and the trustworthiness of the operator.

- Before using the network, the users should ask about the prices and how the services are billed. From the point of view of a consumer, it would be interesting to know how much personal data needs to be disclosed and how this data will be handled. The users should also make sure that their authentication data is not stored and cannot be misused on the hotspot. Authentication should always be performed in encrypted form.

- Every user of a hotspot should be aware of his or her security requirements and decide whether, and if so under what conditions, it is acceptable to use the hotspot based on these requirements.

- Whenever financial, personal, or other sensitive data such as credit card numbers, PINs, passwords, or even e-mails need to be transmitted, it must be ensured that all necessary security safeguards are activated on the client, and in particular that encryption is enabled. Examples in this case would be the secure processing of e-mails over an HTTPS web interface and the secure Internet protocols (Secure POP, IMAPS, and SMTP with SSL/TLS) used for precisely this purpose.

- When the operator guarantees that encryption is enabled for the wireless access, encryption at the application level is no longer strictly necessary. It should still be enabled, though, as an additional security safeguard, since application-level encryption is under the control of the user. Passwords in particular should never be sent over an external network without encryption.

- To access an internal network of an organisation, an encrypted connection for the WLAN client should be established over a trusted access point of the organisation.

- If you are located in an area with a hotspot but do not want to use the hotspot, then the WLAN interface on the WLAN client should be disabled to prevent accidentally logging in to the hotspot.

- If the operator offers certificates for authentication on the hotspot, then the users should check the certificates to ensure they are correct. Even though it may be annoying, the plausibility of specifications such as the fingerprint, validity period, owner, and certifying body of the certificate should be checked.


- In general, additional local safeguards should be implemented on all mobile clients which are able to log in to different WLANs. Examples of such safeguards include access protection, user authentication, virus protection, personal firewalls, restrictive sharing of files and resources at the operating system level, local encryption, etc. Additional safeguards for WLAN clients can be found in safeguard S 4.297 Secure operation of WLAN components.


- When using hotspots, it is also recommended to create special user accounts with secure basic configurations and limited rights. A user with administrator rights should never log in to an external network from his or her client.

Additional controls:

- Have the users been informed of the rules to be followed and security safeguards to be activated when using hotspots?


S 2.390 Withdrawal from operation of WLAN components

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

When WLAN components need to be taken out of operation, all sensitive information on them must be deleted. In particular, the authentication information used to access the WLAN and other accessible resources stored in the security infrastructure and other systems must be deleted or declared invalid. This means that cryptographic keys must be securely deleted and certificates for digital signatures need to be blocked, for example.

Taking WLAN clients out of operation

A variety of devices are used as WLAN clients. These devices include, among others:

- Laptops

- PDAs, smart phones, and similar devices with WLAN support

- WLAN-enabled telephones, printers, and cameras

The WLAN functionality is typically only one of several functions of these end devices. When taking such devices out of operation, you must therefore examine them to determine whether they contain security-critical WLAN information that needs to be deleted, transferred, or archived, e.g.:

- Information on the users of the end device

- Certificates and the corresponding private keys (for users or devices)

- Passwords for WLAN access

- Keys for authentication methods such as WPA-PSK keys, for example

- PIM data, i.e. contact information, deadlines, etc.

Suitable methods must be used to destroy, delete, or reuse this data depending on device and storage method. For certificates, for example, you need to make an entry in the corresponding CRL to revoke the certificate.

If a WLAN client is stolen, then at least all the information listed above must be taken into account, and it must be ensured that this information can no longer be used to access the WLANs of the affected organisation.

Taking access points out of operation

The same applies when taking access points out of operation as when taking WLAN clients out of operation. At least the following security-related information must be deleted, transferred, or archived (where applicable):

- Pre-shared keys (PSK) for WPA or WPA2

- RADIUS keys (RADIUS shared secrets)

- IPSec keys (PSKs or private keys for certificates)

- User data (especially if WLAN user administration is integrated)


- Configuration information such as IP addresses and the names of RADIUS servers, name of the access point itself, its IP address, and its SSID

Suitable methods must be used to destroy, delete, or reuse this data depending on device and storage method. The corresponding method must be selected and tested in time.

Access points often contain additional data (for example configuration data) in non-volatile storage or have information written on them (for example the name of the computer, SSID, IP address, and other technical information). This information should be removed if possible before handing over the device, since such information may give an attacker data that can be used in an attack.

It is recommended to create a checklist based on the recommendations provided above which can be used when withdrawing a system from operation so that no steps are forgotten or skipped.

Additional controls:

- Have suitable methods for destroying, deleting, or reusing security-related information on WLAN components been specified?


S 3.58 Introduction to WLAN basics

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

WLANs can be operated using two different architectures. In the ad-hoc mode, two or more mobile end devices which are equipped with a WLAN card (clients) connect directly with each other.

In most cases, WLANs are operated in the infrastructure mode, which means the clients communicate through a central wireless link, referred to as the access point. Connection to cable-bound LAN segments is then obtained through the access point.

There are several different ways to implement the infrastructure mode:

- Using several access points, overlapping wireless cells can be installed so that the wireless connection is maintained when a client moves to the next wireless cell ("roaming"). In this manner, large areas can be provided with wireless access coverage. The range of a wireless cell is extremely dependent on the environmental conditions and is usually within a range of approximately 10 to 150 metres.

- Two access points can also be used as a link (bridge) between two cable-bound LANs. Likewise, it is also possible to use an access point as a relay station (repeater) to increase the range.

- When the corresponding components (directional antennas) are used on the access points, a WLAN can also be used to network different locations. According to manufacturer specifications, ranges of up to several kilometres can be obtained. The access points can be operated as relay stations or bridges in this case.

In the IEEE 802.11 standard, the term Independent Basic Service Set (IBSS) is used for wireless networks in the ad-hoc mode, and Basic Service Set (BSS) is used for constellations in the infrastructure mode with an access point. A set of BSSs linked together is referred to as an Extended Service Set (ESS), and the linked network is called the Distribution System (DS).

The WLAN systems designed according to IEEE 802.11, 802.11b, and 802.11g permitted for use in Germany and in almost all European states use the ISM (Industrial-Scientific-Medical) frequency band between 2.4 and 2.48 GHz, which can be used for free and without any additional licenses. The transmitting power is limited to a maximum of 100 mW EIRP (effective isotropic radiated power).

Systems based on the IEEE 802.11 standard transmit data at a rate of 1 or 2 Mbit/s using a spread spectrum method, either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS). For the sake of completeness, we would like to point out that 802.11 also defines an infrared transmission method, but the use of this method in practical applications has been insignificant to date.


Systems designed according to IEEE 802.11b use only the DSSS method. The data to be transmitted is spread using a fixed code to make the transmission less susceptible to interference. Access to the wireless channel is obtained, as in all systems in the 802.11 standard, according to a random procedure referred to as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). The maximum gross data transmission rate for IEEE 802.11b is 11 Mbit/s. The transmission rates cannot be guaranteed in any of the systems based on the 802.11 standard since they depend on the number of clients and the quality of the wireless transmission route.

Systems based on the IEEE 802.11g standard use the Orthogonal Frequency Division Multiplexing (OFDM) transmission method based on IEEE 802.11a and therefore permit data rates of up to 54 Mbit/s.

In the 2.4 GHz frequency band in Germany, there are 13 frequency channels with a channel spacing of 5 MHz available for wireless transmission based on 802.11b. Since the channel bandwidth is approximately 22 MHz, though, a maximum of only 3 channels can be used simultaneously without overlapping, for example channels 2, 7, and 12.

Systems based on the IEEE 802.11a and 802.11h standards use the 5 GHz band. In Germany, there are a total of 19 channels in intervals of 20 MHz authorised for use with some restrictions in the frequency range from 5.15 to 5.35 GHz and from 5.47 to 5.725 GHz. For a channel bandwidth of 20 MHz, channels directly next to each other will not interfere with each other. Since military and civil radar and navigation applications also operate in the 5 GHz frequency range, only systems supporting dynamic frequency selection and the ability to change the transmitting power are permitted to be used in this band.

Overview of security mechanisms

The security mechanisms in all 802.11-compatible systems are defined in the IEEE 802.11 standard. The extensions a, b, g, and h to the standard do not offer additional security mechanisms, and only extension i defines new security mechanisms. The mechanisms defined in IEEE 802.11 only serve to secure the transmission route between the clients and access points. Furthermore, the standard also provides enough freedom to allow proprietary extensions.

All security mechanisms in the IEEE 802.11 standard presented in the following can be overcome and do not provide reliable protection for sensitive information.

- The standard offers the ability to assign a name to the network (ESSID or SSID: (Extended) Service Set Identifier). There are two modes of operation in this case. If the user specifies the identifier "Any", then the WLAN component accepts any SSID. Otherwise, the name entered is checked, and only those clients with the same SSID are permitted to connect to the network. When moving between two neighbouring wireless cells, the SSID is used to find the next access point. Since the SSID is sent in plain text over the network, an attacker can obtain it using only simple tools. Some access points offer the ability to suppress the transmission of the SSID in broadcast mode; suppressing the SSID in this manner does not conform to the standard, though.

- Every network card has its own unique hardware address, referred to as the MAC address (Media Access Control address). In principle, it is possible to define in a WLAN which MAC addresses are permitted to communicate with an access point. The list of addresses must be administered "by hand" in this case, though, which can be time-consuming and complex, and is impossible in many operational scenarios. MAC address filtering is not part of the standard, but it does not violate the standard either, since the filtering has no effect on the compatibility of the clients.


- Confidentiality, integrity, and authenticity in the WLAN are intended to be ensured using the "Wired Equivalent Privacy" (WEP) protocol. WEP is based on the RC4 stream cipher and converts the plain data packet by packet into encrypted data based on a key and an initialisation vector (IV). The key in this case is a string of 40 or 104 bits which must be provided in advance to the clients in the WLAN as well as to the access point; a single shared key is used for the entire WLAN. The initialisation vector is selected by the sender and should be different for each data packet transmitted. The IV is prefixed in unencrypted form to the encrypted data packet and transmitted over the WLAN.


WEP only encrypts the transmitted user data and the integrity checksum. Management and control frames are not encrypted on the wireless interface, though.

During the development of the IEEE 802.11i standard, the Wi-Fi Alliance published the Wi-Fi Protected Access (WPA) method based on Draft 3.0 of IEEE 802.11i. WPA already contains several improvements to the security mechanisms and describes the use of the Temporal Key Integrity Protocol (TKIP), which is essentially based on Wired Equivalent Privacy (WEP), in combination with the MICHAEL integrity check method to encrypt the data packets. Through the use of MICHAEL, WPA solves the problem of the poor integrity check in WEP. TKIP and MICHAEL are to be understood as temporary solutions; the use of TKIP is only an option and is not mandatory according to the WPA specification.

In the IEEE 802.11i standard, which corresponds to WPA2 of the Wi-Fi Alliance except that it provides more freedom in the selection of the EAP method, the use of a different encryption method is prescribed: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). This method uses the Advanced Encryption Standard (AES) to encrypt the authentication and user data, in contrast to RC4 in WEP and WPA. During encryption, the plain text is not encrypted directly with AES; instead, a counter is encrypted with AES under the symmetric key. The actual encrypted result is then obtained by XOR-ing a block of the plain text with the AES-encrypted counter. In addition, the Cipher Block Chaining Message Authentication Code (CBC-MAC) is used to ensure the integrity of the data. The use of IEEE 802.1X is required for key administration and distribution.

An AES key length of 128 bits is used in IEEE 802.11i. This method is acceptable over the long term, but requires new hardware, in contrast to the TKIP variant.
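As an added illustration (example code, not the standard's reference implementation), the Go program below builds the counter-mode encryption and CBC-MAC integrity check just described in a simplified CCM-style construction, and shows why the MIC matters: a flipped ciphertext bit flips the decrypted bit but is caught by the tag check. The counter-block layout, the 12-byte nonce and the sample key are this example's assumptions; real CCMP packs flags, the transmitter address and the packet number into these fields.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const tagLen = 8 // CCMP truncates the CBC-MAC (the MIC) to 8 bytes

// counterBlock: 12-byte nonce || 32-bit big-endian counter. Real CCMP also
// packs flags and the transmitter address into this block (omitted here).
func counterBlock(nonce []byte, ctr uint32) []byte {
	b := make([]byte, aes.BlockSize)
	copy(b, nonce[:12])
	binary.BigEndian.PutUint32(b[12:], ctr)
	return b
}

// ctrCrypt is the counter mode the text describes: AES never sees the data,
// it encrypts the counter and the result is XORed with the data. The same
// call encrypts and decrypts. Counter 0 is reserved for the MIC.
func ctrCrypt(blk cipher.Block, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	ks := make([]byte, aes.BlockSize)
	for i := 0; i < len(data); i += aes.BlockSize {
		blk.Encrypt(ks, counterBlock(nonce, uint32(i/aes.BlockSize)+1))
		for j := 0; j < aes.BlockSize && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ ks[j]
		}
	}
	return out
}

// cbcMAC chains AES in CBC mode over nonce || length || plaintext (zero
// padded) and keeps the last block as the tag. Binding nonce and length is
// what makes CBC-MAC safe for variable-length data (CCM formats its first block).
func cbcMAC(blk cipher.Block, nonce, plaintext []byte) []byte {
	lenField := make([]byte, 4)
	binary.BigEndian.PutUint32(lenField, uint32(len(plaintext)))
	msg := append(append(append([]byte{}, nonce[:12]...), lenField...), plaintext...)
	msg = append(msg, make([]byte, (aes.BlockSize-len(msg)%aes.BlockSize)%aes.BlockSize)...)
	state := make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		for j := range state {
			state[j] ^= msg[i+j]
		}
		blk.Encrypt(state, state)
	}
	return state[:tagLen]
}

// encryptedMIC computes the MIC and masks it with the counter-0 keystream,
// as CCM does, so the tag itself never travels in the clear.
func encryptedMIC(blk cipher.Block, nonce, plaintext []byte) []byte {
	mic := cbcMAC(blk, nonce, plaintext)
	s0 := make([]byte, aes.BlockSize)
	blk.Encrypt(s0, counterBlock(nonce, 0))
	for i := range mic {
		mic[i] ^= s0[i]
	}
	return mic
}

// Seal returns ciphertext || encrypted MIC for one frame payload.
func Seal(key, nonce, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return append(ctrCrypt(blk, nonce, plaintext), encryptedMIC(blk, nonce, plaintext)...), nil
}

// Open decrypts and rejects any frame whose MIC does not verify, the check
// that WEP's linear CRC could not provide against bit flipping.
func Open(key, nonce, sealed []byte) ([]byte, bool) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(sealed) < tagLen {
		return nil, false
	}
	ct, mic := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]
	plaintext := ctrCrypt(blk, nonce, ct)
	if subtle.ConstantTimeCompare(encryptedMIC(blk, nonce, plaintext), mic) != 1 {
		return nil, false
	}
	return plaintext, true
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit temporal key
	nonce := []byte("constructed!")   // constructed 12-byte nonce; never reuse under one key
	sealed, _ := Seal(key, nonce, []byte("constructed frame payload"))
	sealed[0] ^= 0x01 // flip one ciphertext bit; CTR alone would flip the plaintext bit
	_, ok := Open(key, nonce, sealed)
	fmt.Println("tampered frame accepted:", ok)
}
```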

The Extensible Authentication Protocol (EAP) according to the IEEE 802.1X standard can be used for added protection of the authentication procedure. EAP is described in detail in RFC 3748. In this case, the user logs in to an authentication instance, for example a RADIUS server, and this instance then checks for access authorisation before the session key is exchanged. EAP supports a series of authentication methods so that certificates and two-factor authentication can be used.

Additional controls:

- Have the users, and especially the administrators, been trained in the operation and security mechanisms of the WLAN?

- Were the users informed of the security mechanisms available in the tools used, and have they been trained in their use?


S 3.59 Training on the secure use of WLAN

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Head of IT, IT security management, Administrator

When operating WLAN components, it is necessary to have a wide range of knowledge of the basic methods of operation and of special technical versions, but also of a number of security aspects. For this reason, it is absolutely essential to inform those responsible for the IT as well as the IT Security Management of the basics of WLAN.

Training administrators

The administrators who operate WLAN components should possess practical knowledge as well as theoretical knowledge. WLAN training courses for administrators should handle the following subjects, among others:

- Overview of security aspects for WLANs

- Typical threats

  - SSID, operating modes, establishing connections, address filtering, preventing spoofing, MAC address filtering

- Selection of appropriate security mechanisms, authentication, and securing communications

  - WEP, WPA, WPA2, IEEE 802.11i, IEEE 802.1X

  - Key management in TKIP, CCMP, etc.

  - Authentication mechanisms in the WLAN, for example EAP, RADIUS

  - Detecting WLANs

- Security safeguards for WLAN operation

  - Security-related WLAN configuration parameters

  - System management

  - Network analysis programs and wireless intrusion detection systems

  - VPNs for WLANs, IPSec, DHCP

  - Interaction of WLANs with security gateways

  - Securing WLAN components against unauthorised access

Training users

The users of WLAN components, especially of WLAN clients, must be trained as well. During training, the users should become familiar with the method of operation and secure operation of the WLAN components. The meanings of the security settings and why they are important must be explained in detail to the users. In addition, they need to be informed of the threats posed when these security settings are overridden or deactivated for the sake of convenience or to reduce the number of annoying warning messages. By sensitising the users to specific threats, it is possible to achieve proper operation of the WLAN components and security settings.


Training factory safety personnel and gatekeepers

Due to the existence of wardriving attacks, the factory safety personnel and the gatekeepers should also be sensitised to the risks. The factory safety personnel should make sure that no strangers are lingering around the company premises for a long time with a notebook and possibly even a WLAN antenna. Security management must be informed whenever suspicious persons are noticed.

The contents of the training program must always be adapted according to the corresponding operational scenarios. Training programs using web-based, interactive programs in the Intranet could also be used for this purpose. In addition to receiving training on WLAN security mechanisms, the employees should also be given a copy of the WLAN security policy of the organisation.

Additional controls:

- Are the administrators prepared to handle the WLAN components, and in particular, have they received training in aspects related to security?

- Are all users familiar with the contents of the WLAN security policy?

- Are the users familiar with the WLAN security mechanisms, and are these mechanisms also being used?

- Have the gatekeepers and factory safety personnel been sensitised to security issues?


S 4.293 Secure operation of hotspots

Initiation responsibility: Public agency/company management, Head of IT

Implementation responsibility: Head of IT, IT Security Officer, Administrator

The purpose of a hotspot is generally to permit (unknown) users easy access to the Internet. To be able to operate a hotspot securely over the long term, successful authentication of all users is necessary on the hotspot. Commonly used and (for the most part) secure methods include, for example:

- Web authentication

In this case, the user enters his access data (IP address, username, password, etc.) over a web interface. The data should naturally be transmitted in encrypted form using SSL/TLS. After successfully logging in, access is enabled for the client.

- PPTP (Point-to-Point Tunneling Protocol)

PPTP is a typical tunnelling protocol for VPNs, i.e. a protocol which is used to encrypt the data for transmission, send the data through the tunnel, and administer the connection. RC4 with 40 or 128 bits is available as a cryptographic method for PPTP for encryption, and PAP or CHAP are available for selection for authentication purposes. Due to security problems in the first version, only PPTPv2 should be used, together with an encryption method permitting a sufficiently long key.

- IPSec

IPSec offers strong cryptographic methods and mutual authentication of the communication partners. Authentication should be performed, of course, using certificates. However, on one hand, certificates cannot be used in all IPSec implementations, and on the other, the certificates need to be suitably generated and distributed first (typical PKI problem).

- WLAN-specific security mechanisms such as WEP, IEEE 802.1X, WPA, WPA2, TKIP, and IEEE 802.11i

All WLAN-specific security mechanisms are intended to secure the transmission route and must be suitably combined. Due to the rapid development in this area (see above), the varied use of these methods, and their security deficiencies, they are not suitable for use in hotspots.

The following security safeguards should also be implemented when operating a hotspot:

- Access points intended to be operated as hotspots must not be connected directly to a LAN; they must be connected over a security gateway instead.

- Communication between the WLAN clients, referred to as inter-client communication, should be prevented completely.

- The wireless interface should be monitored by wireless analysis systems to detect unknown access points and hotspots.


- The authentication data should always be transmitted in encrypted form over the transmission route, i.e. between the WLAN client and access point. For the further transmission of the data from a hotspot access point to the authentication system (for example a RADIUS server), suitable encryption methods such as SSL or IPSec are to be used, especially when using public networks.

- If certificates are used for authentication, then the certificates should be signed by a suitable certification authority. In addition, the fingerprint of the server certificate should be published so that users can check its authenticity.

- Every operator of a hotspot should offer at least one suitable method for encryption of the data sent over the transmission route so that the users can protect their data from unauthorised reading. Not all users, though, are very interested in protecting their data and systems. Furthermore, the technical requirements for the use of the encryption method offered may not be met. For this reason, their use should remain optional. The users absolutely must be informed, though, of the capabilities and the advantages of encrypting their transmitted data.

- Many users want to access their own organisation’s network remotely over a hotspot. To accomplish this, the users must be able to implement the organisation’s security policies. For this reason, the technical design of the hotspot should permit the use of typical security safeguards such as IPsec.

In addition, hotspot operators should check their logs regularly to see if any irregular activities were recorded, for example if the number of users is greater than the number of guests logged in.

Providers of public hotspots must also follow the corresponding legal and regulatory specifications. In Germany, this includes following the specifications from the Federal Network Agency for the provision of Internet access.

The security policies to be observed by the hotspot users are described in S 2.389 Secure use of hotspots.

Additional controls:

- Are the conditions for the use of the hotspot clear to every user?

- Have adequate safeguards been taken to secure the transmission route?


S 4.294 Secure configuration of access points

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

Under no circumstances may access points be used with the configuration set to the factory default or with the same settings specified in the manuals of the products for the SSIDs (Service Set Identifier), access passwords, or cryptographic keys.

The following settings should be enabled and/or changed to customised, secure values:

- To the greatest extent possible, administrative access to the access points over the wireless interface should generally be deactivated.

- All administration passwords should be as complex as possible and should be changed regularly.

- Insecure administration accesses (e.g. over Telnet, HTTP) should be disabled whenever possible. Administrative access must always be established over an encrypted connection (e.g. via SSL or SSH).


- The default settings of SSIDs, cryptographic keys, and passwords must be changed immediately after initial operation.

- The SSID should not provide any information on the owner of a WLAN or its purpose. Likewise, the SSID should not be set to "Any" because otherwise any WLAN component will be able to communicate in the WLAN.

- The broadcast of the SSID should be deactivated so that the existence of the WLAN cannot be detected unnecessarily. Furthermore, association using SSID broadcasts should be deactivated so that the clients are required to specify the desired SSID explicitly when associating.

- Suitable encryption mechanisms must be activated. At the same time, it must be ensured that all components in the WLAN support the mechanisms. It must be impossible to establish connections with WLAN components that do not have any encryption mechanisms or only inadequate encryption mechanisms.

- Cryptographic keys should be selected as randomly as possible and should be changed regularly. A complex pre-shared key (PSK) should be used when using WPA-PSK or WPA2-PSK. If cryptographic keys like the PSK are generated using a password, then the password selected for this purpose should be very complex and have at least 20 characters.

- To restrict the communication partners permitted to access an access point, Access Control Lists (ACLs) should be used at the MAC address level. This is particularly helpful for small to very small WLAN installations. In general, though, this instrument alone cannot provide enough security, since MAC addresses are easy to change and, in a WLAN, also easy to listen in on. ACLs in the WLAN can therefore only be viewed as weak, additional safeguards whose use only makes sense in special situations.

Since the additional security gained is limited, it must be examined for large networks if the additional security is worth the administrative work required.

- The DHCP (Dynamic Host Configuration Protocol) server in the access point should be switched off (if there is one and if this is technically possible), i.e. static IP addresses should be assigned and the size of the IP address space available should be kept as small as possible. Otherwise the DHCP server will automatically assign a valid IP address to the intruder.

- When using several access points, the frequency channels used by neighbouring access points should be selected so that they do not overlap.

- Changes to the system configuration must be tested and documented.

- It must be checked regularly if all security-related updates and patches have been installed. This must also be checked for the corresponding device drivers for the WLAN hardware on the WLAN clients as well. A new software version or a patch should only be installed in the WLAN after appropriate testing. In actual operations, software updates have resulted in making WLAN communication extremely limited or even completely impossible.

Notification and information procedures should be specified in the change management that describe who needs to be informed of such changes and how they are to be informed. Likewise, the documentation of the WLAN infrastructure must be changed accordingly.

- If WLAN components will not be used for a longer period of time, then they should be switched off. Access points should be deactivated automatically outside of working hours (for example at night and on the weekends).

Support for and monitoring of these tasks can be achieved using a WLAN management software package or by integration into a central network management system.
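As an added illustration (not part of the catalogue), the following Python audit checks a set of access-point configurations against the points above and reports overlapping channels between neighbouring access points; the configuration fields, the list of factory-default SSIDs and the sample records are constructed assumptions, not any product's real settings.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed configuration model; the field names and the list of factory-default
# SSIDs are assumptions for this example, not the settings of any real product.
FACTORY_DEFAULT_SSIDS = {"", "any", "default", "wlan", "wireless"}
ACCEPTED_SECURITY = {"wpa2-psk", "wpa2-enterprise"}
INSECURE_ADMIN_SERVICES = {"telnet", "http"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}


@dataclass
class AccessPointConfig:
    name: str
    ssid: str
    ssid_broadcast: bool
    security: str              # "open", "wep", "wpa-psk", "wpa2-psk" or "wpa2-enterprise"
    psk_passphrase: str        # only meaningful for the *-psk modes
    admin_over_wireless: bool  # management reachable over the radio interface
    admin_services: set[str]   # e.g. {"ssh", "https"} or {"telnet", "http"}
    admin_password: str
    dhcp_server: bool
    channel: int               # 2.4 GHz channel number (1-13)
    organisation: str          # owner name, used to test that the SSID does not reveal it


def audit_access_point(ap: AccessPointConfig) -> list[str]:
    """Return the S 4.294 findings for one access point; an empty list means compliant."""
    findings: list[str] = []
    ssid = ap.ssid.strip().lower()
    if ssid in FACTORY_DEFAULT_SSIDS:
        findings.append("SSID is empty, 'Any' or a factory default")
    if ap.organisation and ap.organisation.lower() in ssid:
        findings.append("SSID reveals the owner of the WLAN")
    if ap.ssid_broadcast:
        findings.append("SSID broadcast is enabled")
    security = ap.security.lower()
    if security not in ACCEPTED_SECURITY:
        findings.append(f"encryption mode '{ap.security}' is missing or inadequate")
    elif security.endswith("-psk") and len(ap.psk_passphrase) < 20:
        findings.append("PSK passphrase is shorter than 20 characters")
    if ap.admin_over_wireless:
        findings.append("administrative access over the wireless interface is enabled")
    insecure = INSECURE_ADMIN_SERVICES & {s.lower() for s in ap.admin_services}
    if insecure:
        findings.append("insecure administration services enabled: " + ", ".join(sorted(insecure)))
    if ap.admin_password.lower() in DEFAULT_ADMIN_PASSWORDS or len(ap.admin_password) < 12:
        findings.append("administration password is a default value or too short")
    if ap.dhcp_server:
        findings.append("DHCP server on the access point is enabled")
    return findings


def overlapping_channels(neighbours: list[AccessPointConfig], min_separation: int = 5) -> list[tuple[str, str]]:
    """Pairs of access points whose 2.4 GHz channels overlap.

    Channel centres are 5 MHz apart while a signal is about 20 MHz wide, so two
    channels fewer than five numbers apart overlap (1, 6 and 11 do not). Every
    access point in the list is assumed to be within range of the others.
    """
    pairs = []
    for i, a in enumerate(neighbours):
        for b in neighbours[i + 1:]:
            if abs(a.channel - b.channel) < min_separation:
                pairs.append((a.name, b.name))
    return pairs


# Constructed sample records: one access point left on factory defaults, one
# configured along the lines of S 4.294, and one on a badly chosen channel.
FACTORY_AP = AccessPointConfig(
    name="ap-lobby", ssid="default", ssid_broadcast=True, security="wep", psk_passphrase="",
    admin_over_wireless=True, admin_services={"telnet", "http"}, admin_password="admin",
    dhcp_server=True, channel=6, organisation="Example Org")
HARDENED_AP = AccessPointConfig(
    name="ap-floor2", ssid="zx7-4a1q", ssid_broadcast=False, security="wpa2-psk",
    psk_passphrase="correct horse battery staple 42 lime",  # 36 characters, constructed
    admin_over_wireless=False, admin_services={"ssh", "https"}, admin_password="Kq8!vR2#mT9$wL5z",
    dhcp_server=False, channel=11, organisation="Example Org")
NEIGHBOUR_AP = AccessPointConfig(
    name="ap-floor3", ssid="zx7-4a1q", ssid_broadcast=False, security="wpa2-enterprise",
    psk_passphrase="", admin_over_wireless=False, admin_services={"ssh", "https"},
    admin_password="Hn4%cD8&qZ1@rY6p", dhcp_server=False, channel=9, organisation="Example Org")

if __name__ == "__main__":
    for ap in (FACTORY_AP, HARDENED_AP, NEIGHBOUR_AP):
        print(ap.name, audit_access_point(ap) or ["compliant"])
    print("overlapping channels:", overlapping_channels([FACTORY_AP, HARDENED_AP, NEIGHBOUR_AP]))
```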

Additional controls:

- What routes are used to access the system for administrative purposes?

- How are changes to configurations tested and documented?

- Has it been ensured that patches and updates to close any security gaps which become known will be installed quickly?

- Has it been ensured that WLAN components will actually be switched off when they will not be used for a while?


S 4.295 Secure configuration of WLAN clients

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator, Users

In order to enable secure operation of a WLAN, all clients connected to the network must be configured securely. Suitable IT security recommendations for clients are described in the modules in Layer 3 IT systems. In addition, the following WLAN-specific security safeguards should be taken:

- The default settings for SSIDs, cryptographic keys, and passwords must be changed directly after initial operation. Passwords should be selected so that they are difficult to guess.

- The ad-hoc mode should be disabled so that clients can only communicate over an access point and not directly with each other.

- Data requiring protection on mobile end devices should be encrypted. There are numerous hardware and software-based products for this purpose which allow you to encrypt individual files, certain areas, or the entire hard disk so that only those persons possessing proper access authorization are able to decrypt the data.

- The WLAN interfaces of clients should be deactivated as a rule as long as they are not actually in use. In particular, they should always be deactivated when the clients are logged in to a cable-bound LAN. Access from a client to the internal LAN over the usual internal connections should only be possible when there is no other activity on the WLAN. Otherwise, this provides an attacker with a chance to access any existing (and authenticated) connections in the internal network over the WLAN interface.

- When establishing VPN connections, various security precautions should be taken on the client. For example, it should be impossible to use another communication interface parallel to a VPN connection so that the security of the VPN connection, which the user assumes to be secure, is not undermined over an insecure channel. In addition, it is recommended not only to require a certain minimum set of security safeguards to be implemented on the clients, but to test them as well before granting access over the VPN. To do this, it is recommended to use tools that check if the security policies are being followed on the clients before the server permits any further communication.

- It must be checked regularly if all security-related updates and patches have been installed. It may be difficult to install a large software update on the WLAN clients over the WLAN since the bandwidth available in the WLAN is much lower than that available in a cable-based LAN. The installation of updates will not only take much longer, but may also slow down the WLAN so much that the users notice it because a WLAN is a shared medium. If possible, a client should therefore be connected to a cable-based LAN when installing large software updates. In addition, the transmission of software updates over the wireless interface can be assigned a lower priority provided that the longer installation times resulting from this are practical.

In this manner, the other WLAN applications will not be significantly hindered any more by the software update.

It should be checked regularly to ensure that security-related settings have not been changed.

There must be clear rules specifying whether, and if so under what general conditions, WLAN clients are permitted to log in to external networks (see S 4.251 Working with external IT systems), especially when the clients have access to the production environment or have confidential information stored on them.

WLAN clients should never be operated in insecure environments such as, for example, public hotspots or WLANs only secured using WEP. WLAN clients which process data with a high protection requirement may only be used in WLANs which are operated under the complete control of the organisation and may only be operated when securely configured. Their use in other WLANs is to be prohibited.

All users of WLAN components should be informed of the potential risks and problems involved in their use as well as of their advantages, but also of the limits of the security safeguards implemented. All users must be familiar with the security policy for WLAN usage (see S 2.382 Drawing up a security policy for the use of WLAN). No one who has not agreed in writing beforehand to the conditions for use contained in the WLAN security policy should be permitted access to an internal WLAN.

Additional controls:

- Have the users been informed of which security aspects they need to consider when using the WLAN?

- Has it been ensured that patches and updates to close any recently discovered security gaps will be installed quickly?

- Will the WLAN interfaces on the clients be switched off when they are not in use?


S 4.296 Use of a suitable management solution for WLAN

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

To guarantee optimal configurations from a security perspective on all WLAN components, these components need to be administered carefully. Since administration can be costly and complex in large WLANs, it makes sense in this case to use WLAN system management tools. These tools should also be capable of integration into any existing IT and network management tools, if possible.

In general, it is recommended to implement a management solution that enables online documentation in addition to the ability to monitor the WLAN. Depending on the features, the solution should also offer the following capabilities:

- Documentation of the firmware versions of the access points

- Documentation of the firmware versions and drivers of the WLAN adapters of the WLAN clients

- Documentation of the security configurations

- Documentation of location-specific configurations

- Ability to administer the history of configuration changes

In order to provide the administrators with an overview of all stationary and mobile systems and applications and to generate this overview as easily as possible, the system management solution should be able to take stock of the mobile end devices and their applications automatically. Each end device should be integrated into the configuration and control process by the management software as soon as it logs in to the network.

These functions are used according to the specifications in the instruction manual.

The management system should also provide alarm and error handling. The administrators should be able to perform the following tasks for this purpose:

- Assessment and evaluation of alarms, e.g. to detect an unusually high number of failed attempts to obtain authentication on an access point

- Assessment of statistics for troubleshooting

- Triggering of safeguards when a security incident is suspected

- Adaptation of the threshold values triggering the alarms when the WLAN usage changes

A suitable network management protocol should be selected as well, for example SNMPv3 (see also S 2.144 Selection of a suitable network management protocol).

The log data recorded should be evaluated regularly, but at least once per month. The amount of information logged is to be co-ordinated with the personnel representative and the Data Protection Officer.

The WLAN management software and the general network management solution should provide filtering capabilities to improve the evaluation of the log data.
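An added example, not from the catalogue, of the alarm evaluation described above: failed authentications from constructed access-point log lines are counted in a sliding window per access point, and the alarm threshold is derived from an assumed baseline so that it can be re-derived when WLAN usage changes. The log format and the baseline figures are constructed for this example and are not any product's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "key=value" format; real access
# points and RADIUS servers each use their own format, so LINE_RE must be adapted.
SAMPLE_LOG = """\
2024-03-04T08:00:01 ap=ap-lobby event=auth_failed client=aa:bb:cc:00:00:01
2024-03-04T08:00:09 ap=ap-lobby event=auth_failed client=aa:bb:cc:00:00:01
2024-03-04T08:00:15 ap=ap-office event=auth_ok client=aa:bb:cc:00:00:20
2024-03-04T08:00:40 ap=ap-lobby event=auth_failed client=aa:bb:cc:00:00:02
2024-03-04T08:01:05 ap=ap-office event=auth_failed client=aa:bb:cc:00:00:21
2024-03-04T08:01:30 ap=ap-lobby event=auth_failed client=aa:bb:cc:00:00:03
2024-03-04T08:02:10 ap=ap-lobby event=auth_failed client=aa:bb:cc:00:00:01
2024-03-04T08:09:00 ap=ap-lobby event=auth_failed client=aa:bb:cc:00:00:04
2024-03-04T08:12:00 ap=ap-office event=auth_failed client=aa:bb:cc:00:00:21
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ap=(?P<ap>\S+) event=(?P<event>\S+) client=(?P<client>\S+)$")

# Assumed baseline: the usual number of failed attempts per access point and
# window during normal operation, taken from earlier log evaluations.
BASELINE_FAILURES = {"ap-lobby": 1.0, "ap-office": 0.5}


def parse_log(text):
    """Return (timestamp, ap, event, client) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format instead of aborting the evaluation
        events.append((datetime.fromisoformat(m["ts"]), m["ap"], m["event"], m["client"]))
    return sorted(events)


def make_thresholds(baseline, factor=3.0, floor=5):
    """Alarm threshold per access point: a multiple of its normal failure count per
    window, but never below a fixed floor so that a quiet access point does not
    alarm on two mistyped passwords. Recompute from a fresh baseline when usage changes."""
    return {ap: max(floor, int(round(factor * rate))) for ap, rate in baseline.items()}


def failed_auth_alarms(events, thresholds, window=timedelta(minutes=5), default_threshold=5):
    """Raise one alarm per access point as soon as the number of failed
    authentications inside the sliding window reaches that access point's threshold."""
    recent = defaultdict(deque)  # ap -> timestamps of failures still inside the window
    alarmed = set()
    alarms = []
    for ts, ap, event, _client in events:
        if event != "auth_failed":
            continue
        q = recent[ap]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= thresholds.get(ap, default_threshold) and ap not in alarmed:
            alarmed.add(ap)
            alarms.append((ap, ts, len(q)))
    return alarms


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ap, ts, count in failed_auth_alarms(events, make_thresholds(BASELINE_FAILURES)):
        print(f"ALARM {ap}: {count} failed authentications within 5 minutes, last at {ts}")
```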

Additional controls:

- When was the last time the log data recorded was evaluated?

- Has an inventory of all WLAN components been taken?


S 4.297 Secure operation of WLAN components

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

WLANs are attractive targets for attackers and therefore must be configured very carefully in order to ensure secure operation. All WLAN components must be configured so that they are protected against attacks to the best extent possible. If a WLAN component is not correspondingly configured, then it may not be activated and connected to the productive environment.

WLAN components needing to be secured include the access points, the distribution system, the WLAN clients, the operating systems on which the WLAN components are operated, and the protocols used, among others. The following points in particular must be kept in mind:

- Employees must be assigned to be responsible for the administration of each of the various WLAN components.

- After the installation and initial operation of WLAN components, all necessary security mechanisms must be activated.

- The WLAN components may only be administered over a secure connection, i.e. administration should be performed directly on the console after executing a strong authentication procedure (for access from the LAN) or over an encrypted connection (for access from the Internet).

- The rule "everything which is not expressly permitted is prohibited" must apply in general. For example, users not entered in an access list must not be permitted to access the WLAN. Access rights for directories and files should be assigned as restrictively as possible.

- It must be ensured that the software used is always up-to-date and that any security-related patches are installed immediately.

- Configuration changes should be logged by the system so that manipulations can be detected and traced promptly. The log data must be secured so that it is impossible to manipulate the log data.

- All security-related events must be logged. These events include, for example, attempts to gain unauthorised access as well as data on the network load and any network overloads. The log data recorded must be evaluated regularly. The amount of data recorded in the log must be co-ordinated with the personnel representative and the Data Protection Officer.

- The WLAN components must be integrated into the data backup policy. When restoring backed up data resources, it must be ensured that the files relevant for the secure operation of the WLAN such as access lists, password files, and filter rule files are up to date.

If possible, a standard configuration should be developed for the WLAN components used which reflects the specifications in the WLAN security policy. This makes it easier to provide support for numerous devices and change the configurations. At the same time, deviations from the intended configuration can be identified faster.

It makes sense to use a WLAN management solution which ensures efficient configuration of the access points. Access points and the active components of the distribution system should still remain integrated into the network management system, and monitoring must also still be possible. After all, it should still be possible to check the availability of the authentication server through the management system. It may be necessary to expand a network management system already in use by adding a WLAN management module.

Connections of external access points or manipulations to the switches of the distribution system should be detected by the WLAN management system. The affected network port of the distribution switch should be blocked immediately in such cases.

Likewise, the configurations of the access points and of the distribution system should be checked regularly. To check the configuration, the system configuration currently in use must be compared to a documented and validated configuration. If any unconfirmed changes are found, then the systems must be examined and possibly even switched off and checked for evidence of an attack.

For the secure operation of WLAN components, both the basic configuration specified on the basis of the WLAN security policy as well as all changes made must be documented carefully so that they can be restored at any time. In addition to the documentation of the security configuration, documentation of the firmware versions of the access points and documentation of location-specific configurations must also be available.
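As an added example (not the catalogue's own material) of the configuration check in the preceding paragraphs: the configuration currently read from each access point is compared with the documented, validated baseline, changes covered by a change-management record are filtered out, and whatever remains is reported as unconfirmed. Device names, setting keys and ticket ids are constructed assumptions.

```python
# Constructed records for the example: the documented, validated baseline per
# access point, the configuration currently read from the devices, and the
# approved change-management entries. Names, keys and ticket ids are assumptions.
DOCUMENTED_BASELINE = {
    "ap-lobby": {"ssid": "zx7-4a1q", "security": "wpa2-enterprise", "ssid_broadcast": False,
                 "admin_over_wireless": False, "firmware": "4.2.1", "channel": 1},
    "ap-floor2": {"ssid": "zx7-4a1q", "security": "wpa2-enterprise", "ssid_broadcast": False,
                  "admin_over_wireless": False, "firmware": "4.2.1", "channel": 6},
    "ap-floor3": {"ssid": "zx7-4a1q", "security": "wpa2-enterprise", "ssid_broadcast": False,
                  "admin_over_wireless": False, "firmware": "4.2.1", "channel": 11},
}
RUNNING_CONFIG = {
    "ap-lobby": {"ssid": "zx7-4a1q", "security": "wpa2-enterprise", "ssid_broadcast": True,
                 "admin_over_wireless": False, "firmware": "4.2.3", "channel": 1},
    "ap-floor2": {"ssid": "zx7-4a1q", "security": "wpa2-enterprise", "ssid_broadcast": False,
                  "admin_over_wireless": False, "firmware": "4.2.3", "channel": 6},
    "ap-unknown": {"ssid": "zx7-4a1q", "security": "open", "ssid_broadcast": True,
                   "admin_over_wireless": True, "firmware": "1.0.0", "channel": 11},
}
APPROVED_CHANGES = [  # the firmware update was tested and documented; nothing else was
    {"ticket": "CHG-0001", "device": "ap-lobby", "key": "firmware", "new_value": "4.2.3"},
    {"ticket": "CHG-0001", "device": "ap-floor2", "key": "firmware", "new_value": "4.2.3"},
]
SECURITY_RELEVANT = {"ssid", "security", "ssid_broadcast", "admin_over_wireless", "firmware"}


def diff_device(baseline, running):
    """Settings whose value differs, as key -> (documented value, running value)."""
    return {key: (baseline.get(key), running.get(key))
            for key in baseline.keys() | running.keys()
            if baseline.get(key) != running.get(key)}


def unconfirmed_changes(baseline, running, approved):
    """Deviations from the documented configuration that no change record covers.

    A device that is running but not documented, or documented but not found,
    is reported under the pseudo-key "device".
    """
    approved_set = {(c["device"], c["key"], c["new_value"]) for c in approved}
    report = {}
    for device, run_cfg in running.items():
        if device not in baseline:
            report[device] = {"device": ("not documented", "present")}
            continue
        for key, (old, new) in diff_device(baseline[device], run_cfg).items():
            if (device, key, new) not in approved_set:
                report.setdefault(device, {})[key] = (old, new)
    for device in baseline.keys() - running.keys():
        report[device] = {"device": ("documented", "not found")}
    return report


def needs_examination(report):
    """Devices to examine (and possibly switch off) per S 4.297: any undocumented or
    missing device, and any device with an unconfirmed security-relevant change."""
    return sorted(device for device, keys in report.items()
                  if "device" in keys or SECURITY_RELEVANT & keys.keys())


if __name__ == "__main__":
    report = unconfirmed_changes(DOCUMENTED_BASELINE, RUNNING_CONFIG, APPROVED_CHANGES)
    for device, changes in sorted(report.items()):
        print(device, changes)
    print("examine:", needs_examination(report))
```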

Additional controls:

- Has it been ensured that the necessary security mechanisms are activated on all WLAN components?

- How will it be ensured that the patch status of the operating systems and programs used on the WLAN components will always be secure?

- How will the administrators or auditors access the security gateway and the components?

- Has all relevant information on the WLAN components been taken into account in the data backup procedure?


S 4.298 Regular audits of WLAN components

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

All components of the WLAN infrastructure must be checked regularly to ensure that all specified security safeguards have been implemented and these components are configured correctly. These components include, in addition to the access points, the components of the distribution system, the elements in the security infrastructure (including the authentication server) and the elements of the WLAN management system. Depending on the available functionality, the WLAN management system should not only administer the current configurations of the access points, but also the configurations of the components of the distribution system, and should also provide administration of the history of previous configurations (see S 4.296 Use of a suitable management solution for WLAN). Likewise, central security systems such as the authentication server or the link element on the transfer point between the distribution system and the LAN should be subjected to regular security checks.

Installations in areas accessible to the public in particular should be spot-checked for attempts to open the housings by force or any other attempts at manipulation (especially on access points). An indicator of a compromised WLAN is, for example, the discovery of a hub connected between an access point and the distribution switch. Such components, which are used for diagnostic purposes, should only be accessible to authorized personnel and must be removed immediately after the required measurements have been taken.

Furthermore, the WLAN clients must be checked regularly. If there are a large number of clients, then spot checks should be made at a minimum. The configuration of the WLAN adapters and of the IEEE 802.1X supplicant (or of the VPN client if one is used in the WLAN) should be checked first. Depending on the system, the patch level of the operating system, the currency of the drivers for the WLAN adapters of the clients, the basic rules used in the personal firewalls, the currency of the virus protection software used, as well as the security settings of the applications used over the WLAN should also be checked.

If any irregularities or vulnerabilities are found, then they must be documented. In this case, it must also be documented how they will be handled.

Regular audits of the WLAN security policy should also be performed in addition to the regular audits of the individual WLAN components. In particular, the safeguards implemented to secure the WLAN should be checked to see if they correspond to the current state of the art in technology and if the base protection level specified is still valid.

In addition, you should ask yourself occasionally if all users have been informed of the necessary WLAN security safeguards and if they have implemented these safeguards.

Additional controls:

- Are security audits performed regularly?

- How will any irregularities detected be documented and handled?


S 5.138 Usage of RADIUS servers

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

In large networks, authentication servers, for example RADIUS servers, should be used. RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol used for the authentication, authorization, and accounting (AAA system) of users to centrally secure connections. The protocol is described in a series of RFCs, the most important of which is RFC 2865.

An authentication server should guarantee that only authorised users are able to access the internal network, and that this access can also be restricted to certain end devices. During the process, identification is provided first, for example using a user identifier, and then authentication is performed, for example using a password. This data should be transmitted in encrypted form. The EAP protocol (Extensible Authentication Protocol) is often used for this purpose. With EAP, authentication is port-based as defined in the IEEE 802.1X standard. This means that access to the network is only permitted once the client has unambiguously identified itself to the RADIUS server.

The authentication servers operated must be appropriately secured (see S 4.250 Selection of a central, network based authentication service).

Sufficiently long and complex cryptographic keys are to be used for the secrets shared between the RADIUS server and RADIUS clients. In this case, a separate shared secret can be used for each RADIUS client-server connection when the administrative capabilities permit this.

The components used for RADIUS should meet the requirements of the RFCs for RADIUS to ensure the greatest possible interoperability between the various components. It should be possible to store the authentication and accounting protocols in a separate database system.

RADIUS communication should be restricted to ports 1812 and 1813. Ports 1645 and 1646 should not be used if possible. Other ports are to be closed if it is technically possible to close them. The RADIUS communication from the server is to be restricted to the RADIUS clients known by and authenticated on the server.

If a high level of protection is required for the confidentiality of the authentication information, then it is recommended to use IPSec to secure the RADIUS communication. You should not deactivate the methods for securing communications available in RADIUS, though. Likewise, you should also think about using a redundant RADIUS server in this case.

The rules specifying when a RADIUS server will respond to an authentication request should be set as restrictively as possible. In this case, the rules should specify the permissible dialup times, the MAC address of the RADIUS client requesting a connection and its port type, the IP address of the RADIUS client, and the EAP method to be used for authentication.
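An added example, not from the catalogue, of what the shared secret protects in RADIUS: per RFC 2865 the server's reply carries a Response Authenticator computed over the packet and the secret, and the RADIUS client (the access point) recomputes it before trusting an Access-Accept. The secret, identifier and attribute values are constructed; the Request Authenticator is fixed here only for reproducibility, whereas a real client must choose it unpredictably for every request. Only the RFC 2865 Response Authenticator is shown, not the Message-Authenticator attribute of RFC 2869.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
FILTER_ID = 11        # RFC 2865 attribute type
HEADER_LEN = 20       # code (1) + identifier (1) + length (2) + authenticator (16)

# Constructed values for the example. A real RADIUS client must draw the
# Request Authenticator unpredictably for every request; it is fixed here only
# so that the computation is reproducible.
SHARED_SECRET = b"Vq7#pL2m9Xz!bT4rWk8@Hs6nYd3Qf1Ce"   # 32 characters, constructed
OTHER_SECRET = b"secret"                              # a different (and far too short) secret
REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_attributes(attrs):
    """RFC 2865 attribute TLVs: type (1 byte), length including the 2-byte header, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attr_bytes))
    response_auth = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    return header + response_auth + attr_bytes


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with the shared secret and the
    Request Authenticator of the outstanding request, then compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    header, received_auth, attr_bytes = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    return hmac.compare_digest(expected, received_auth)


def demo():
    """A genuine reply verifies; a reply built with a different secret, a reply whose
    code was altered, and a reply matched against another request all fail."""
    reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR,
                           [(FILTER_ID, b"staff-vlan")], SHARED_SECRET)
    return {
        "genuine": verify_response(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET),
        "other secret": verify_response(reply, REQUEST_AUTHENTICATOR, OTHER_SECRET),
        "code altered": verify_response(bytes([ACCESS_REJECT]) + reply[1:],
                                        REQUEST_AUTHENTICATOR, SHARED_SECRET),
        "other request": verify_response(reply, bytes(16), SHARED_SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'accepted' if ok else 'rejected'}")
```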

Additional controls:

- How will the authentication information be protected during transmission?

- How will attacks on the RADIUS server be prevented?


S 5.139 Secure WLAN-LAN connection

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

A common goal when using WLAN components is to enable simple and mobile connection to other networks. These networks may be other WLANs, but could also be LANs existing inside the organisation. There are two main security aspects in this case:

- Protection of the WLAN components used against misuse when connecting to an external network

- Protection of the internal LANs against misuse from the outside.

When connecting a WLAN to a LAN, the transfer point between the WLAN and LAN must be secured based on the highest protection requirement of the two networks. The LAN generally has the higher protection requirement. There are two main approaches to take when connecting a WLAN to a LAN:

- You can attempt to reach a security level in the WLAN matching the security level within the existing, wire-bound LAN. To accomplish this, though, the security mechanisms integrated into standard WLAN components generally need to be extended, for example using stronger cryptographic algorithms, and more work will be required to attain the additional security.

- On the other hand, a more practical approach can be selected in which it is assumed that the data transmitted on the transmission route as well as the WLAN components themselves do not possess the same high level of security as the LAN. For this reason, accesses from the WLAN should be handled like Internet accesses in this case and therefore should only be permitted through a security gateway. This is the recommended procedure.

The higher the level of security available on the wireless interface and the active components of the distribution system, the less complicated the safeguards on the connection point to the LAN need to be. In any case, though, it must be possible to completely block WLAN communication to the internal LAN on the connection point as soon as an attack on the WLAN is detected.

The switching element between the distribution system of the WLAN and the LAN must be a Layer 3 router at a minimum to obtain effective separation of the broadcast domains. The use of more advanced mechanisms, such as using a dynamic packet filter instead of a router, must be decided upon based on the operational environment and according to the protection requirement.

If higher protection is required, then the security of the authentication procedure should be improved, for example through the use of EAP-TLS, so that mutual, strong authentication can be implemented between the WLAN clients and an authentication server in the LAN.

Additional controls:

- Is the LAN protected from the WLAN by an additional security gateway?

- Is access from the WLAN to the LAN necessary and desired? Has this decision been documented?


S 5.140 Setting up a distribution system

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

A distribution system is a network that connects the access points to each other and to the rest of the infrastructure, for example to a cable-bound network. In general, there are two different types of distribution systems:

- Cable-bound distribution systems

All access points are connected by cables to each other and to the rest of the infrastructure.

- Wireless distribution systems

A direct cable connection between the access points is not necessary any more in this case. The access points only need to be supplied with power.

In both cases, communication between the access points should be encrypted to guarantee the confidentiality of the data transmitted. An IPSec VPN tunnel can be used, for example, in a cable-bound distribution system, while CCMP can be used additionally for a wireless distribution system based on IEEE 802.11i. For wireless distribution systems, availability is essential in addition to the protection of confidentiality and integrity, and safeguards should be taken against possible denial-of-service attacks. Through the use of wireless intrusion detection systems and regular security checks, vulnerabilities can be found promptly, and the corresponding countermeasures can be taken.

When building a distribution system, a basic decision must be made as to whether or not to build or connect a separate infrastructure for security reasons, i.e. whether or not the internal LANs should be physically segmented from the infrastructure. Alternatively, it can be examined if logical segmentation using VLANs suffices.

If a separate physical infrastructure is set up for the distribution system, then the size of the coverage area plays an essential role. As a rule, several access points are concatenated using Layer 2 or Layer 3 switches, in which case scaling is commonly based on 12, 24, or 48 ports per switch. For example, if 100 access points need to be connected to form a distribution system, then three to ten switches are necessary. Direct connection of the access points to switches in the central server room is generally not possible, which is why the switches must be distributed over the entire area to be equipped with WLAN. In this case, it must be ensured that the switches are adequately protected against external access and that there are enough redundant switches to maintain the required availability of the distribution system. However, large investments and additional security safeguards are necessary to build a separate physical infrastructure.

Physical distribution system

When logical segmentation is used, virtual LANs (VLANs) are formed to control the flow of data through the access switches of the cable-based LAN. If the WLAN clients are to be segmented within the distribution system, then each of the WLAN clients must be assigned to a VLAN in the access point as well.

Logical distribution system


The configuration of a logical distribution system in an existing LAN infrastructure is not entirely without problems in operational terms, and therefore in terms of availability, and requires extremely well-trained administrators. If the availability requirement is normal for the entire LAN and WLAN infrastructure, then configuration of VLANs is a plausible approach. However, when higher availability is required, then it is not recommended to use VLANs to set up a distribution system.

Additional controls:

- Will a cable-bound or wireless distribution system be built? Was the decision documented and saved?

- Will the segmentation be physical or logical? Was this decision documented and saved as well?


S 5.141 Regular security checks of WLANs

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator

A WLAN security check should be performed regularly, but at least once per month.

WLANs should be checked regularly with WLAN analysers and network sniffers to see if there are any security gaps such as weak passwords, inadequate encryption, or an enabled SSID broadcast. However, the check should also look for WLANs installed without authorisation.

Network analysis programs

Specific tools for monitoring and analysing the quality of service and level of security are helpful not only in WLANs, but also in other networks. For secure operation of a WLAN, it is especially important to check the extent to which the prescribed security policies are being followed and the overall availability of the WLAN. When taking measurements to determine the availability, other measurements such as performance measurements and error analyses should be performed as well. Tools which provide a list of all active WLAN subscribers and of any subscribers recognized recently are also helpful.

Network analysis or sniffer programs read data streams and examine the data packets transmitted for different, variable criteria. For example, such a program can search for certain patterns in the data packets or evaluate routing information.

Network analysis tools should be used regularly to

- look for unauthorised WLANs on the premises of the organisation,

- check regularly if all necessary security mechanisms have been activated, and

- detect dead zones and evaluate the signal quality of wireless networks.
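The three checks above can be scripted against the output of a scan. The following is an added example and not part of the IT-Grundschutz catalogue: the scan text is a constructed sample laid out like the output of `iw dev wlan0 scan`, and the inventory of authorised access points, the corporate SSID `corp-wlan` and the signal threshold of -75 dBm are hypothetical values. It classifies each network as open, WEP, WPA/TKIP or WPA2/CCMP from the beacon, reports access points that are not in the inventory (and, separately, unauthorised ones advertising the corporate SSID), and flags authorised access points with inadequate encryption, an enabled SSID broadcast, or a signal that is too weak for their location.

```python
# Added example: audit a WLAN scan against an inventory of authorised access points.
# Not part of the IT-Grundschutz catalogue; sample data and inventory are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample scan (modelled on `iw dev wlan0 scan` output).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -48.00 dBm
        SSID: corp-wlan
        RSN:     * Version: 1
                 * Pairwise ciphers: CCMP
BSS 00:11:22:33:44:02(on wlan0)
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -82.00 dBm
        SSID:
        RSN:     * Version: 1
                 * Pairwise ciphers: CCMP
BSS de:ad:be:ef:00:01(on wlan0)
        capability: ESS Privacy (0x0411)
        signal: -60.00 dBm
        SSID: corp-wlan
        WPA:     * Version: 1
                 * Pairwise ciphers: TKIP
BSS de:ad:be:ef:00:02(on wlan0)
        capability: ESS Privacy (0x0411)
        signal: -55.00 dBm
        SSID: printer-setup
BSS de:ad:be:ef:00:03(on wlan0)
        capability: ESS (0x0401)
        signal: -70.00 dBm
        SSID: free-wifi
"""

# Hypothetical inventory: BSSID -> location of the authorised access point.
INVENTORY: Dict[str, str] = {
    "00:11:22:33:44:01": "building A, floor 1",
    "00:11:22:33:44:02": "building A, floor 2",
}
CORP_SSID = "corp-wlan"


@dataclass
class Network:
    bssid: str
    ssid: str = ""
    signal_dbm: float = 0.0
    privacy: bool = False        # Privacy bit in the capability field
    rsn: bool = False            # RSN information element present (WPA2)
    wpa: bool = False            # vendor WPA information element present
    ciphers: List[str] = field(default_factory=list)

    @property
    def security(self) -> str:
        """Classify the security mechanism advertised in the beacon."""
        if not self.privacy:
            return "open"
        if not (self.rsn or self.wpa):
            return "WEP"                   # privacy bit without RSN/WPA element
        if (self.wpa and not self.rsn) or "TKIP" in self.ciphers:
            return "WPA/TKIP"
        return "WPA2/CCMP"


def parse_iw_scan(text: str) -> List[Network]:
    """Parse the scan text into one Network record per BSS block."""
    nets: List[Network] = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = Network(bssid=m.group(1).lower())
            nets.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[5:].strip()       # empty when the SSID is hidden
        elif s.startswith("signal:"):
            cur.signal_dbm = float(s.split()[1])
        elif s.startswith("capability:"):
            cur.privacy = "Privacy" in s
        elif s.startswith("RSN:"):
            cur.rsn = True
        elif s.startswith("WPA:"):
            cur.wpa = True
        elif s.startswith("* Pairwise ciphers:"):
            cur.ciphers.extend(s.split(":", 1)[1].split())
    return nets


def audit(nets: List[Network], inventory: Dict[str, str], corp_ssid: str,
          min_signal_dbm: float = -75.0) -> List[Tuple[str, str]]:
    """Return (bssid, finding) pairs for the checks named in the safeguard."""
    findings: List[Tuple[str, str]] = []
    for n in nets:
        if n.bssid not in inventory:
            if n.ssid == corp_ssid:
                findings.append((n.bssid, "unauthorised AP advertising the corporate SSID"))
            else:
                findings.append((n.bssid, f"unauthorised AP ({n.security}, SSID {n.ssid!r})"))
            continue
        if n.security != "WPA2/CCMP":
            findings.append((n.bssid, f"inadequate encryption: {n.security}"))
        if n.ssid:
            findings.append((n.bssid, "SSID broadcast enabled"))
        if n.signal_dbm < min_signal_dbm:
            findings.append((n.bssid, f"weak signal ({n.signal_dbm} dBm): check coverage"))
    return findings
```

Running `audit(parse_iw_scan(SAMPLE_SCAN), INVENTORY, CORP_SSID)` on the constructed sample yields five findings: the first authorised access point broadcasts its SSID, the second has a weak signal at the survey position, one unknown access point advertises the corporate SSID with WPA/TKIP, and two further unknown networks use WEP and no encryption at all. In practice the scan text would come from a walk-around with a client, as described below, or from the management system, and the inventory from the organisation's documentation.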

Monitoring the WLAN infrastructure

The simplest way to monitor the WLAN infrastructure is to perform a spot check of a location using a WLAN client equipped with special software. The area covered is then checked by walking around the area. Access points installed and operated without authorisation can be detected in this manner.

Better control can be obtained using a WLAN management system. Such a system can be used to regularly perform the following tasks:

- Detection of external devices, especially of external access points

- Performance of wireless site surveys, i.e. surveys to obtain information on the coverage, data rates, bandwidth, QoS, etc., of a WLAN

- Recording login times

- Monitoring the configuration of WLAN network elements


Use of a wireless intrusion detection system

When planning an access point-based wireless intrusion detection system (IDS), it must first be specified if a separate measurement infrastructure will be built or if the access points and WLAN clients in the live network will be switched at certain intervals into a measurement mode. If it is impossible to take measurements everywhere in the coverage area to be monitored, then attacks in the WLAN at the wireless level cannot be detected. Furthermore, it must be taken into account that an access point or WLAN client cannot transmit data when in the measurement mode, and therefore a reduction in the performance, and possibly of the availability, of WLAN data transmissions may need to be accepted. Likewise, a small window of vulnerability always remains open when using the access points belonging to the live network in the scan mode, and it is impossible to monitor the wireless interface when scanning.

Whenever an intrusion detection system or even an intrusion prevention system (IPS) is used, the normal communication patterns in the WLAN must be determined or defined based on measurements (see also S 5.71 Intrusion detection and intrusion response systems).

Alarm and error handling

The WLAN administration should provide alarm and error handling procedures. The following tasks are to be performed by the administrators in this regard:

- Assessment and evaluation of alarms, for example when a high number of unsuccessful attempts to provide authentication on an access point is detected

- Assessment of statistics for troubleshooting

- Triggering of safeguards when a security incident is suspected

- Ability to change the threshold values triggering the alarms when the WLAN usage changes
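The first and last of these tasks, alarming on a high number of failed authentication attempts and adjusting the thresholds as usage changes, can be implemented as a sliding-window counter. The following is an added example, not part of the IT-Grundschutz catalogue: the log lines are constructed in a simplified form (timestamp, access point, station, result) rather than the format of any particular product, and the access point names, window size and thresholds are hypothetical. One alarm is raised per access point whenever the number of failures within the window reaches that access point's threshold; a per-access-point override lets a busy access point that sees many mistyped credentials run with a higher threshold than the default.

```python
# Added example: authentication-failure alarms per access point with adjustable
# thresholds. Not part of the IT-Grundschutz catalogue; the log is constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample: ap-01 sees a burst of failures from two stations,
# the busy lobby access point ap-02 sees its usual share of failed logins.
SAMPLE_LOG = """\
2024-03-01T08:00:01 ap-01 02:00:00:00:00:01 FAIL
2024-03-01T08:00:05 ap-01 02:00:00:00:00:01 FAIL
2024-03-01T08:00:09 ap-01 02:00:00:00:00:02 FAIL
2024-03-01T08:00:12 ap-01 02:00:00:00:00:03 OK
2024-03-01T08:00:15 ap-01 02:00:00:00:00:01 FAIL
2024-03-01T08:00:20 ap-01 02:00:00:00:00:01 FAIL
2024-03-01T08:00:30 ap-01 02:00:00:00:00:02 FAIL
2024-03-01T08:05:00 ap-02 02:00:00:00:00:10 FAIL
2024-03-01T08:05:07 ap-02 02:00:00:00:00:11 FAIL
2024-03-01T08:05:15 ap-02 02:00:00:00:00:12 FAIL
2024-03-01T08:05:21 ap-02 02:00:00:00:00:13 FAIL
2024-03-01T08:05:33 ap-02 02:00:00:00:00:14 FAIL
2024-03-01T08:05:40 ap-02 02:00:00:00:00:15 FAIL
2024-03-01T09:00:00 ap-01 02:00:00:00:00:04 FAIL
2024-03-01T09:10:00 ap-01 02:00:00:00:00:04 FAIL
"""

# (access point, time of alarm, failures in window, distinct stations in window)
Alarm = Tuple[str, datetime, int, int]


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into its four fields."""
    ts, ap, sta, result = line.split()
    return datetime.fromisoformat(ts), ap, sta, result


def detect_auth_failure_bursts(lines: Iterable[str], window_seconds: int = 60,
                               default_threshold: int = 5,
                               per_ap_threshold: Optional[Dict[str, int]] = None) -> List[Alarm]:
    """Raise one alarm when an access point's failures inside the sliding
    window reach its threshold (per-AP override, else the default)."""
    thresholds = per_ap_threshold or {}
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alarms: List[Alarm] = []
    for line in lines:
        if not line.strip():
            continue
        ts, ap, sta, result = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[ap]
        q.append((ts, sta))
        while q and q[0][0] < ts - window:      # drop failures older than the window
            q.popleft()
        if len(q) == thresholds.get(ap, default_threshold):
            alarms.append((ap, ts, len(q), len({s for _, s in q})))
    return alarms


if __name__ == "__main__":
    # Raised threshold for the lobby access point after its usage grew.
    for ap, ts, n, stations in detect_auth_failure_bursts(
            SAMPLE_LOG.splitlines(), per_ap_threshold={"ap-02": 10}):
        print(f"{ts.isoformat()} {ap}: {n} failed authentications "
              f"from {stations} station(s) within 60 s")
```

With the override `{"ap-02": 10}` only ap-01 raises an alarm, at 08:00:20, after its fifth failure inside 60 seconds; without the override ap-02 raises a second alarm at 08:05:33. The two failures on ap-01 an hour later fall outside any window and stay below the threshold, which is the behaviour the administrators should tune for with the window and threshold values.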

Penetration test

In the course of a security check, a WLAN can also be examined for vulnerabilities with the help of penetration tests. In this case, every security safeguard implemented must be tested specifically to determine whether it actually defends against the attacks it is supposed to counter. A penetration test should ideally be conducted every six months and in no case less than once per year.

Documentation

When conducting the security check, the administrators should document all steps taken so that they can be repeated at a later date (for example when it is suspected that a system has been compromised). The results of the security check must be documented, and deviations from the intended state must be examined.


Additional controls:

- Have the administrators been instructed in the alarm and error handling procedures to follow in case of an attack on the WLAN?

- Is the fact that a WLAN security check was performed documented together with the results?


S 6.75 Redundant communication links

Initiation responsibility: Head of IT, IT Security Management Team

Implementation responsibility: Administrator

Depending on the availability requirements, the failure of a communication link or the inability to establish the link can severely impair operations. This applies both to telephone connections as well as to LAN and WAN connections. The sources of error can vary so greatly in this case that it is often very difficult to determine the exact cause of the problem.

Since typical working environments are becoming more and more heavily networked these days, failures of communications links can mean that important data and information cannot be exchanged. Under certain circumstances, this can lead to interruptions in workflows until the connection has been restored or alternative solutions have been found.

It therefore makes sense to hold alternative solutions available in reserve for the various communication links (depending on their protection requirement).

Examples:

- The availability of the telephone connection of a control centre should be guaranteed not only over the land-based network, but also over a mobile phone.

- A second Internet provider should be used in addition to the normal Internet provider to guarantee that the e-mail server is able to connect to the outside world.

- In addition to the e-mail connection or a fax server, there should also be a fax machine available in case the network connection or server goes down.

It is not always necessary in this case to have another connection with the same bandwidth and the same quality requirements in reserve. In many cases, it will be sufficient to enable limited IT operations to be maintained in an emergency (see also module B 1.3 Contingency Planning).

Additional controls:

- Are there any alternative solutions available for important communication links?

- Are the alternative solutions regularly adapted to reflect new developments in technology?


S 6.102 Procedures in the event of WLAN security incidents

Initiation responsibility: Head of IT, IT security management

Implementation responsibility: Administrator, Users

If the WLAN does not respond in the intended manner (e.g. the WLAN is unavailable for a long period of time, access to network resources is impossible, or the network performance is reduced for a long period of time), then the cause may be a security incident. This can be brought about by an attacker, faulty configurations, or system errors.

What should the users do?

In this case, users should note the following points:

- You should save the results of your work, terminate the WLAN connection, and deactivate the WLAN interface on your client.

- If error messages appear or the client does not respond normally, then the users should document the response as precisely as possible. Likewise, the user should also document what he or she was doing before and during the security incident. This allows the administrators to quickly limit the number of possible reasons for the incident and promptly initiate countermeasures.

- The administrators must be informed by the users using a suitable escalation level (e.g. user help desk). It must be ensured in this case that the ability of the administrators to do their work is not significantly impaired by the notification process.

Countermeasures initiated by the administrators

The administrators should initiate appropriate countermeasures when a security incident occurs. Examples of possible actions include:

- Switching off access points

- Blocking communication on the connection point between the distribution system and the LAN / Internet

- Shutting down the servers (web servers, control servers in the production environment, or similar servers)

- Deactivating the WLAN interface of the WLAN client

- Checking the configurations of the access points

- Saving all files that could provide clues as to the type and cause of the problems encountered (for example, if there really was an attack and how the attacker was able to penetrate the system). In particular, this means saving all relevant log files.

- Restoring the original configuration data if necessary (see S 6.52 Regular backup of configuration data of active network components)

- Notifying the users with a request to check for anything unusual at their workspaces.

If an access point has been stolen, then specific security safeguards must be taken, for example:


- Changing all cryptographic keys used, meaning the PSKs when using WPA-PSK or WPA2-PSK, for example

- Changing the configuration on the RADIUS servers to exclude the stolen access point (IP, name, RADIUS client, shared secret, IPSec)

The possible consequences of events critical to security must be examined. Finally, all safeguards necessary to make it impossible to use stolen devices to gain access to the network of the organisation must be implemented. If a WLAN client is stolen, then the client certificates must also be blocked if a certificate-based authentication method is used.
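The two key-related steps after a stolen access point, replacing the PSK and excluding the device from the RADIUS servers, are shown in the following added example, which is not part of the IT-Grundschutz catalogue. The PSK derivation it uses is the one defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output), which is why the passphrase change must be rolled out to every client and why a changed SSID would also change the key. The access point inventory, the SSID `corp-wlan`, the IP addresses and the shared secrets are constructed placeholders, and the rendered client entries use the `client { ipaddr, secret }` layout of a FreeRADIUS `clients.conf`.

```python
# Added example: key material changes after an access point is stolen.
# Not part of the IT-Grundschutz catalogue; inventory and secrets are placeholders.
import hashlib
import secrets
from typing import Dict, Set


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK from passphrase and SSID
    (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, as in IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def new_passphrase(nbytes: int = 24) -> str:
    """Random replacement passphrase (24 random bytes -> 32 URL-safe characters)."""
    return secrets.token_urlsafe(nbytes)


def render_radius_clients(clients: Dict[str, Dict[str, str]], excluded: Set[str]) -> str:
    """Render FreeRADIUS clients.conf entries, leaving out the stolen access points."""
    blocks = []
    for name in sorted(clients):
        if name in excluded:
            continue
        c = clients[name]
        blocks.append(
            f"client {name} {{\n"
            f"    ipaddr = {c['ipaddr']}\n"
            f"    secret = {c['secret']}\n"
            f"    nas_type = other\n"
            f"}}"
        )
    return "\n".join(blocks) + "\n"


def respond_to_stolen_ap(stolen: str, clients: Dict[str, Dict[str, str]], ssid: str) -> dict:
    """Produce the replacement passphrase/PSK and the RADIUS client list
    without the stolen access point."""
    if stolen not in clients:
        raise KeyError(f"unknown access point {stolen!r}")
    passphrase = new_passphrase()
    return {
        "new_passphrase": passphrase,
        "new_psk_hex": wpa_psk(passphrase, ssid).hex(),
        "radius_clients_conf": render_radius_clients(clients, {stolen}),
        "remaining_clients": sorted(set(clients) - {stolen}),
    }


# Constructed inventory of RADIUS clients (addresses and secrets are placeholders).
CLIENTS: Dict[str, Dict[str, str]] = {
    "ap-01": {"ipaddr": "10.10.0.11", "secret": "placeholder-secret-01"},
    "ap-02": {"ipaddr": "10.10.0.12", "secret": "placeholder-secret-02"},
    "ap-03": {"ipaddr": "10.10.0.13", "secret": "placeholder-secret-03"},
}

if __name__ == "__main__":
    result = respond_to_stolen_ap("ap-02", CLIENTS, "corp-wlan")
    print("new passphrase:", result["new_passphrase"])
    print("new PSK:", result["new_psk_hex"])
    print(result["radius_clients_conf"])
```

The derivation can be checked against the test vector published with IEEE 802.11i (passphrase `password`, SSID `IEEE`), which must yield the PSK `f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e`. The remaining steps named above, blocking the stolen device's IP address and IPSec credentials and, for a stolen client, revoking its certificate, are handled in the respective components and are not shown here.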

Additional controls:

- Is it guaranteed that an administrator will be notified effectively?

- Are the users and administrators aware of all necessary procedures to follow in case of a WLAN security incident?

- Have the possible consequences of events critical to security been analysed?

