UNIT V: Wireless Deployment Strategies
Implementing Wireless LAN’s- Security Considerations: Common Wireless Network Applications, Enterprise
Campus Designs, Wireless IST Design, Retail and Manufacturing Design, Small Office/Home Office Design
(SOHO)
To properly understand and counter the risks, the functional goals of the wireless network must be fully
understood. We will explore the security considerations that should be applied to different layers of the
wireless network—namely, the physical, network, and application layers. The physical section will cover radio
frequency (RF) coverage, equipment placement, and building construction. The network section will cover the
general network architecture, wireless local area network (LAN) medium access protections, and mobility and
virtual private network (VPN) considerations. The application section will cover application communications
tunnelling encryption.
1. Common Wireless Network Applications
• Wireless Ethernet is used as a drop-in replacement for wired Ethernet where mobility is needed or wiring
is difficult.
• Wireless bridges with directional antennae are commonly used to join networks over short distances
between buildings.
• Wireless Internet Service Providers (ISPs) provide last-mile wireless access to fixed locations, a
configuration known as point-to-multipoint.
• Roaming occurs when a wireless user moves out of range of the access point that is providing network
service.
• Roaming deteriorates the existing link and requires a new network connection once the client associates
with the new access point.
• Networks that allow roaming are often large and cover vast distances; if poorly designed, they can be a
nightmare for network administrators.
• If designed with security and performance in mind, they give administrators a high-performance,
dynamic wireless environment and make wireless network incident response easier.
1.1. Physical Security Considerations
Effective security engineering starts at the physical layer in building a wireless network, focusing on control
over coverage, network boundaries, incident response, and infrastructure placement. This approach ensures
better network performance and eliminates coverage gaps.
a) Site Survey
A site survey is a crucial step in installing a wireless LAN in a building or area. It involves a physical
walkthrough and an evaluation of signal strength and access point placement. The survey also uses a
roaming wireless client: the engineer evaluates the network coverage, designs directional antennae, and
adjusts the overall signal strength so that wireless network exposure stays within a controllable range. A site
plan is recommended for this process.
b) Equipment Placement
You should follow several guidelines when deploying equipment in the field:
• Ensure that the access point is installed out of the normal reach of employees. Where possible, conceal
the access point from sight.
• If the access point is installed outdoors, make sure the equipment is properly secured, discouraging
tampering.
• When appropriate, sector network areas with directional antennae. This places RF where you intend
it to be. It also tells you where users are when they are connected to a given cell, which is very useful when
tracking down problems or running through incident-response procedures.
1 | © www.tutorialtpoint.net Prepared by D.Venkata Reddy M.Tech(Ph.D), UGC NET, AP SET Qualified
• Name the access points so that they can be tracked down easily during frantic troubleshooting events.
Once the access points are in the best possible configuration, you should perform a perimeter sweep to ensure
that excess radiation isn’t bleeding into unintended areas. Most access points designed for corporate and
enterprise use have an adjustable power output and can be trimmed down to remove excess bleeding.
c) RF Containment
RF containment aims to limit the network's scope to known boundaries, which matters most in large networks
with roaming. It reduces the network's drive-by profile and, combined with directional antennae, improves
performance. Physical measures such as metallic window film, RF-attenuating paint, and window blinds can also
limit RF bleed out of buildings and rooms, shrinking the wireless perimeter from hundreds of feet to tens of feet.
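The perimeter sweep described under Equipment Placement and the containment goal above can be reduced to a small calculation per access point. The following is an added example, not code from the handout: it takes constructed RSSI readings from a walk of the property boundary ("perimeter") and of the areas that must keep coverage ("inside") and decides, for each named access point, whether trimming output power is enough or whether the access point must be moved or sectored. The access point names, thresholds, readings, and the assumption that a power trim lowers every reading by the same number of dB are all illustrative.

```python
"""Perimeter-sweep analysis for a wireless site survey (added example)."""
from collections import defaultdict

# Constructed survey readings: (access point name, where taken, RSSI in dBm).
SURVEY = [
    ("AP-LOBBY-1", "perimeter", -62),
    ("AP-LOBBY-1", "perimeter", -70),
    ("AP-LOBBY-1", "inside", -55),
    ("AP-LOBBY-1", "inside", -64),
    ("AP-WAREHOUSE-2", "perimeter", -84),
    ("AP-WAREHOUSE-2", "inside", -58),
    ("AP-WAREHOUSE-2", "inside", -69),
    ("AP-SALES-3", "perimeter", -72),
    ("AP-SALES-3", "inside", -52),
    ("AP-SALES-3", "inside", -62),
]

# Assumed thresholds: at or above BLEED_DBM a perimeter reading is usable by
# someone outside the boundary; below COVERAGE_FLOOR_DBM an inside reading is
# a coverage gap for legitimate clients.
BLEED_DBM = -75
COVERAGE_FLOOR_DBM = -70


def analyse_sweep(readings, bleed_dbm=BLEED_DBM, floor_dbm=COVERAGE_FLOOR_DBM):
    """Return {access point: (verdict, trim_db)}.

    verdict: "ok"       no perimeter reading reaches the bleed threshold
             "trim"     lower output by trim_db and coverage still holds
             "resector" the trim needed would open a gap inside, so the AP
                        must be relocated or given a directional antenna
    """
    by_ap = defaultdict(lambda: {"perimeter": [], "inside": []})
    for ap, where, dbm in readings:
        by_ap[ap][where].append(dbm)

    result = {}
    for ap, groups in sorted(by_ap.items()):
        strongest_outside = max(groups["perimeter"], default=None)
        weakest_inside = min(groups["inside"], default=None)
        if strongest_outside is None or strongest_outside < bleed_dbm:
            result[ap] = ("ok", 0)
            continue
        # Power reduction that pushes the strongest perimeter reading just
        # below the bleed threshold.
        trim_db = strongest_outside - bleed_dbm + 1
        # Simplifying assumption: a power trim lowers every reading from that
        # radio by the same number of dB, so the weakest inside reading shows
        # whether the trim costs coverage.
        if weakest_inside is not None and weakest_inside - trim_db < floor_dbm:
            result[ap] = ("resector", trim_db)
        else:
            result[ap] = ("trim", trim_db)
    return result


if __name__ == "__main__":
    for ap, (verdict, trim) in analyse_sweep(SURVEY).items():
        print(f"{ap}: {verdict} (trim {trim} dB)")
```

With the constructed readings, AP-WAREHOUSE-2 needs nothing, AP-SALES-3 can be trimmed by 4 dB, and AP-LOBBY-1 would need a 14 dB trim that drops its weakest inside point to -78 dBm, so it is a candidate for relocation or a directional antenna rather than a power change.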
1.2. Network Security Considerations
Enterprise network architecture should prioritize security and performance. Wireless networks should be
treated as untrusted anonymous hosts, with access granted after presenting credentials to an authentication
server. Segmenting networks can minimize physical layer DoS attacks and aid in incident response.
Access points often have limited administrative interfaces; out-of-band management through a serial port is
the only fully secure method. Configuration over the wireless interface should be disabled to prevent
tampering. Management protocols such as Telnet, HTTP, and SNMP need careful consideration because they are
not encrypted; prefer Secure Shell (SSH) or Secure Sockets Layer (SSL) for network device management.
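The management-plane rules in the paragraph above (no cleartext management, an encrypted channel available, nothing reachable over the wireless interface) can be checked mechanically before an access point goes into the field. The following is an added example, not code from the handout or from any vendor: it audits a constructed, vendor-neutral description of an access point's management settings and produces a hardened copy. The dictionary layout, service names, and interface names are assumptions.

```python
"""Management-plane audit for an access point configuration (added example)."""
import copy

# Services that carry credentials or configuration in the clear.
CLEARTEXT_SERVICES = {"telnet", "http", "snmpv1", "snmpv2c"}
# Acceptable encrypted management channels.
ENCRYPTED_SERVICES = {"ssh", "https", "snmpv3"}
# Community strings that every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed example of a typical out-of-the-box configuration.
WEAK_AP = {
    "name": "AP-LOBBY-1",
    "services": {"telnet": True, "http": True, "snmpv2c": True,
                 "ssh": False, "https": False, "snmpv3": False},
    "management_interfaces": ["ethernet0", "wireless0"],
    "snmp_community": "public",
}


def audit_management(ap):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    services = ap["services"]
    for name in sorted(services):
        if services[name] and name in CLEARTEXT_SERVICES:
            findings.append(f"{name} is enabled: credentials and configuration travel in the clear")
    if not any(services.get(name) for name in ENCRYPTED_SERVICES):
        findings.append("no encrypted management channel (ssh, https or snmpv3) is enabled")
    for iface in ap["management_interfaces"]:
        if iface.startswith("wireless"):
            findings.append(f"management is reachable over the wireless interface {iface}")
    snmp_cleartext = services.get("snmpv1") or services.get("snmpv2c")
    if snmp_cleartext and ap.get("snmp_community") in DEFAULT_COMMUNITIES:
        findings.append(f"SNMP community '{ap['snmp_community']}' is a well-known default")
    return findings


def harden(ap):
    """Return a copy of the configuration with every finding above resolved."""
    fixed = copy.deepcopy(ap)
    for name in CLEARTEXT_SERVICES:
        if name in fixed["services"]:
            fixed["services"][name] = False
    fixed["services"]["ssh"] = True  # one encrypted channel is enough
    fixed["management_interfaces"] = [
        iface for iface in fixed["management_interfaces"] if not iface.startswith("wireless")
    ]
    fixed["snmp_community"] = None  # nothing answers SNMPv1/v2c any more
    return fixed


if __name__ == "__main__":
    for finding in audit_management(WEAK_AP):
        print("finding:", finding)
    print("after hardening:", audit_management(harden(WEAK_AP)) or "clean")
```

Disabling a service in the model is only as good as the vendor's implementation; the serial console mentioned in the text is what you fall back to when a firmware still answers on a port the configuration says is off.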
a) Physical and Data Link Layer Security Controls
• The 802.11 wireless Ethernet standard has flawed authentication and packet encryption methods.
• When used with Wired Equivalent Privacy (WEP), 802.1x corrects some of the standard's pitfalls.
• Dynamic WEP keys with 802.1x eliminate most attacks against WEP, as long as keys are rotated
frequently.
• Shared-key authentication should never be used; always use open system authentication.
• 802.1x requires more back-end equipment, including a Remote Authentication Dial-In User Service
(RADIUS) server with 802.1x capabilities.
• WEP key hashing is implemented by many vendors to prevent recovery of the WEP key.
• Media Access Control (MAC) access control lists are a common 802.11-based security mechanism.
• MAC addresses of all wireless clients and access points are sent in the clear, even when WEP is enabled.
• Changing the MAC address of a network card is a trivial task, but can be time-consuming.
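Because MAC addresses travel in the clear and an access control list checks nothing else, a defender who keeps such a list should at least watch for two radios sharing one address. The following is an added example, not code from the handout: every 802.11 station maintains its own 12-bit frame sequence counter, so frames from a second radio using the same address carry counter values that are out of step with the legitimate station's. The frames are constructed, the window size is an assumption, and the check is a heuristic: QoS data frames keep a counter per traffic class, which a production monitor tracks separately.

```python
"""Heuristic detection of a duplicated client MAC address (added example)."""

SEQ_MODULO = 4096      # the 802.11 sequence number field is 12 bits wide
FORWARD_WINDOW = 256   # assumed: how far a real counter may advance between
                       # two frames the monitor happens to observe


def sequence_delta(previous, current):
    """Forward distance from previous to current, allowing for wrap-around."""
    return (current - previous) % SEQ_MODULO


def detect_duplicate_mac(frames, forward_window=FORWARD_WINDOW):
    """frames: iterable of (timestamp_s, source_mac, sequence_number).

    Returns [(timestamp, mac, last_good_sequence, observed_sequence)] for
    frames whose counter moved backwards or jumped further than
    forward_window. A delta of 0 is a retransmission and is normal.
    """
    last_seen = {}
    alerts = []
    for ts, mac, seq in frames:
        if mac in last_seen:
            delta = sequence_delta(last_seen[mac], seq)
            if delta > forward_window:
                alerts.append((ts, mac, last_seen[mac], seq))
                # Keep the earlier stream as the baseline so every frame of
                # the interloping stream is reported, not just the first.
                continue
        last_seen[mac] = seq
    return alerts


LEGIT = "aa:bb:cc:00:00:01"   # constructed addresses
OTHER = "aa:bb:cc:00:00:02"

# Constructed capture: LEGIT sends 100..104 with one retransmission, while a
# second radio using LEGIT's address sends frames with its own counter near 3000.
CAPTURE = [
    (0.00, LEGIT, 100),
    (0.01, LEGIT, 101),
    (0.02, LEGIT, 102),
    (0.03, LEGIT, 102),   # retransmission, delta 0
    (0.04, OTHER, 10),
    (0.05, LEGIT, 103),
    (0.06, LEGIT, 3000),  # out of step with the counter at 103
    (0.07, LEGIT, 104),
    (0.08, OTHER, 11),
    (0.09, LEGIT, 3001),  # still out of step
]

if __name__ == "__main__":
    for ts, mac, prev, seq in detect_duplicate_mac(CAPTURE):
        print(f"t={ts:.2f} {mac}: sequence {seq} after {prev}, possible second radio")
```

A hit on this check is a reason to look, not proof: a client that reboots resets its counter, so the alert should be correlated with the association log before anyone is disconnected.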
b) VPN Tunneling
• VPN tunneling is a proven technology used in a wide range of environments.
• VPN access from the wireless network can be provided by adding a network card to the VPN device or
by changing firewall rules.
• Network designers need to consider network subnetting when roaming is involved.
• A VPN tunnel may drop during roaming, resetting TCP connections and requiring the user to
authenticate again.
• MobileIP can be used with roaming to prevent the VPN connection from being torn down.
• MobileIP can be used across different wireless network types and on cellular telephone data services,
eliminating the need for separate infrastructure.
c) Intrusion Detection Systems (IDSs)
In the digital realm, intrusion detection systems (IDSs) are akin to home alarms, allowing businesses to detect
potential threats. These systems can be either host-based (HIDS) or network-based (NIDS).
Host-based IDSs monitor system files for changes or new software, while network-based IDSs examine network
traffic.
NIDS can monitor for suspicious activity by comparing traffic to signatures of known attacks or anomalies.
Some hybrid systems combine both technologies, with commercial and open-source options available.
NIDS can simplify installation and configuration, but some HIDS can significantly reduce host operating system
performance. Companies often outsource IDS monitoring due to administrative overhead.
Regularly reviewing and archiving logs for suspicious events is also a common practice, but the effectiveness
of these systems as IDSs is limited. Therefore, businesses should evaluate their in-house security and monitoring
expertise before deploying IDSs to their entire network.
1.3. Application Security Considerations
Wireless networks are often set up to offer a specific application. This may include roaming agents in airports,
inventory tracking in warehouses, email, or service of the “killer app” to end users. Many times, these
applications have already been hardened to work on a hostile network: the Internet. In these cases, wireless
security precautions, such as WEP and IP Security (IPSec) may not be needed. Instead, SSL/Transport Layer
Security (SSL/TLS) and SSH may be good ways to secure an existing application.
2. Enterprise Campus Designs
The following section deals with the security needs of the enterprise campus. Many applications are available
for wireless networking on a campus.
In some cases, these designs can be combined into a hybrid design to solve multiple business problems. Key
design concepts are highlighted as best practices. Use these best practices when evaluating your current design
or when creating a hybrid design for your application.
Enterprise Design 1
Wireless network designers face the challenge of supporting multiple platforms, operating systems, and
hardware vendors in a single infrastructure. In a campus with engineers and salespeople using various operating
systems, security and ease of use were key concerns.
To address this, a separate wireless network was built, with the internal network only accessible through the
corporate VPN. The VPN consisted of an IPSec appliance and an SSH gateway configured for port forwarding,
using token-based one-time passwords. Additional network cards were added for connectivity, and a server
was added for DHCP and DNS services. A terminal server was installed to manage access points and Ethernet
switches, as the vendor offered only cleartext options.
The best practices include the following:
• Segment the hostile wireless network from the rest of the internal network.
• Disable the management of access points with the wireless interface.
• Harden the DHCP/DNS server.
Enterprise Design 2
802.1x is a new technology that offers security for wireless networks. Despite its limited vendor
interoperability, it shows great promise and should be considered in a network designer's toolkit. The 802.1x
implementation uses Cisco's corporate directory services and a new RADIUS server for the vendor's EAP over
RADIUS. It provides authentication services and dynamically creates WEP keys, with RADIUS session timeouts
of three hours forcing frequent changes. The architecture includes key-hashing features and is suitable for
Windows users.
The best practices include the following:
• Use 802.1x for authentication and encryption.
• Change keys frequently; three-hour timeouts are used.
• Use key-hashing features.
• Advanced proprietary integrity checking features are used.
b) Enterprise Guest Network
A wireless network can be used for a guest network at an enterprise campus, universities, or training centers.
A guest network was established to protect the enterprise's intellectual property and prevent unsigned users
from accessing the network. The network was initially set up without wireless, but evolved into a wireless
network after a visitor infected machines. The network was configured with a web proxy, DHCP services, DNS
services, and an NIDS. Wireless cards are checked out by the help desk, and each user's password expires after
a week. This system ensures secure and efficient internet access for guests and visitors.
The best practices include the following:
• The guest network is segmented and firewalled from the rest of the network.
• NIDS is installed on the hostile guest network.
• Users must agree to an acceptable use policy in order to use the network.
• Network uses 802.11 standards to give the maximum hardware support.
• Corporate laptops are hardened before using the wireless network.
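Both Enterprise Design 1 and the guest network above rest on one property: the hostile segment can reach only the services it was given (DHCP/DNS and the VPN or SSH gateway in the first design, the web proxy in the guest design) and nothing else on the internal network. The following is an added example, not code from the handout: it evaluates a first-match firewall rule list against a set of expected outcomes, the check worth re-running after every rule change. The address plan, rule format, and port numbers are assumptions.

```python
"""Verifying that wireless and guest segments are walled off (added example)."""
import ipaddress

# Constructed address plan.
WIRELESS = "10.10.0.0/16"          # hostile corporate wireless segment
GUEST = "10.20.0.0/16"             # guest wireless segment
INTERNAL = "192.168.0.0/16"        # corporate internal network
WIRELESS_DHCP_DNS = "10.10.0.2/32"
VPN_GATEWAY = "192.168.1.10/32"
SSH_GATEWAY = "192.168.1.11/32"
GUEST_PROXY = "10.20.0.3/32"

# Rules: (action, src, dst, protocol, destination port or None for any).
# Evaluated top to bottom, first match wins, anything unmatched is denied.
RULES = [
    ("allow", WIRELESS, WIRELESS_DHCP_DNS, "udp", 53),
    ("allow", WIRELESS, WIRELESS_DHCP_DNS, "udp", 67),
    ("allow", WIRELESS, VPN_GATEWAY, "udp", 500),   # IKE
    ("allow", WIRELESS, VPN_GATEWAY, "esp", None),  # IPSec ESP
    ("allow", WIRELESS, SSH_GATEWAY, "tcp", 22),
    ("deny", WIRELESS, INTERNAL, "any", None),
    ("allow", GUEST, GUEST_PROXY, "tcp", 3128),
    ("deny", GUEST, INTERNAL, "any", None),
    ("deny", GUEST, WIRELESS, "any", None),
]

# What the designs require: (src, dst, proto, dport, expected action).
EXPECTATIONS = [
    ("10.10.5.5", "10.10.0.2", "udp", 53, "allow"),
    ("10.10.5.5", "192.168.1.10", "udp", 500, "allow"),
    ("10.10.5.5", "192.168.1.11", "tcp", 22, "allow"),
    ("10.10.5.5", "192.168.20.7", "tcp", 445, "deny"),   # internal file share
    ("10.10.5.5", "192.168.250.5", "tcp", 23, "deny"),   # access point management
    ("10.20.9.9", "10.20.0.3", "tcp", 3128, "allow"),
    ("10.20.9.9", "192.168.20.7", "tcp", 80, "deny"),
    ("10.20.9.9", "10.10.0.2", "udp", 53, "deny"),       # guest to corporate wireless
]


def evaluate(rules, src, dst, proto, dport=None):
    """Return the action of the first rule matching the flow, else 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


def verify(rules, expectations):
    """Return the expectations the rule set violates; an empty list means the policy holds."""
    failures = []
    for src, dst, proto, dport, expected in expectations:
        actual = evaluate(rules, src, dst, proto, dport)
        if actual != expected:
            failures.append((src, dst, proto, dport, expected, actual))
    return failures


if __name__ == "__main__":
    for failure in verify(RULES, EXPECTATIONS) or ["policy holds"]:
        print(failure)
```

Ordering is the usual mistake: the allow rules for the gateways must precede the broad deny, and a broad allow added "temporarily" at the top silently defeats the deny beneath it, which is exactly what the expectation list catches.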
c) Enterprise Point-to-Point Configuration
The cost savings of replacing a traditional telco point-to-point connection with a wireless link can be
tremendous; wireless links can also be set up much faster than traditional telco links. Existing wireless
networking technologies can be used to create these point-to-point links. In many cases, ranges can be extended
by using directional antennae and amplifiers.
The security benefit of using a directional antenna is that it makes the link much more difficult to sniff or jam.
This link is trivial to secure because both ends of the link are static and known.
In this commonly found scenario, you can easily use traditional IPSec-based VPN-tunneling software or
appliances to protect all traffic flowing from one end of the bridge to the other, as shown in Figure 8-7.
These VPNs can be set up using VPN appliances, routers, or software-based VPNs.
The best practices include the following:
• Use directional antennae to eliminate signal loss and boost power.
• Configure access points to only connect to the other end of the connection; many times this is
accomplished with entering a MAC address.
• Use WEP.
• Use IPSec tunnel mode.
• Use a strong form of encryption, such as Advanced Encryption Standard (AES) or Triple Data Encryption
Standard (TDES).
• Rekey the VPN frequently.
3. Wireless ISP Design
Metropolitan area networks (MANs) have seen a rebirth from almost certain doom with the adoption of
wireless network technologies. Many regional and specialty ISPs are starting to offer wireless Internet access.
This Internet access can be limited to a small area or can be offered in coffee shops, hotels, or airports. In order
to prevent customer support calls and improve the customer experience, the network needs to be open. In
this scenario, you don’t know who is going to join the network. Therefore, network resources need to be well
protected.
In order to meet customer requirements, an open design is required. The network administrators chose to
implement a separate back-end network for management. During implementation, careful consideration was
given to finding a vendor that offered features for securely managing network devices, such as access points and
routers. Unfortunately, no vendor was offering this during the buildout of the network, so a separate
management network was necessary. The management network had the added benefit of giving the network
designers a lot of flexibility to roll out new applications. See Figure 8-8 for details.
The network was set up with a dynamic firewall that would open up holes for Internet access after users
authenticated to the billing server. This was an off-the-shelf product that had some security holes, but building
a custom solution would be cost-prohibitive. A VPN was used to access the management network for the
network operation and management functions.
4. Retail and Manufacturing Designs
Wireless networking has proven to be a killer app for many retail and manufacturing companies. The
return on investment (ROI) for wireless applications has proven to be significant. Unlike the corporate campus,
the common workstations for a retail or manufacturing wireless application are personal digital assistants
(PDAs), bar-code scanners, and other thin clients. The following network designs were used in these
environments.
a) Kiosk/Roaming Agent Design
Wireless applications can enhance customer satisfaction by providing convenient and easy-to-use solutions.
This wireless design was created for a large user population with minimal technical expertise. PDAs with bar-
code scanners were used for the application, which needed a small printer. A proof-of-concept application
was created using a wide-open wireless network and a modified web browser. The application was customized
to address security concerns and was hardened using WEP and MAC access controls. VPN gateways and servers
were set up for the entire network, serving hundreds of stores.
The best practices include the following:
• All traffic is authenticated and encrypted.
• An IDS system is used for watching the network.
• Standard-based 802.11 security features are used, but are not relied on.
• A hardened server provides network services (DHCP and DNS).
b) Warehouse Design
Wireless technology was initially adopted by manufacturing and warehousing industries for mobility and to
avoid significant wiring changes. Common applications include inventory tracking and shipping, often
using telnet or a simple browser. WEP was used to secure these applications. After WEP's shortfalls were
publicized, a network redesign was needed to maintain functionality and security. The network was redesigned
with modifications such as open system authentication, monthly rotation of WEP keys, MAC access controls, IDS,
SSH, and port forwarding to email servers. The network was designed to allow the addition of thin clients using
an encrypted protocol.
The best practices include the following:
• Use encrypted protocols.
• Use a firewall or packet filter to limit network exposure.
• Monitor for potential failure conditions or attacks.
• Regularly change WEP keys.
• Use MAC access controls.
5. Small Office/Home Office Design (SOHO)
Securing a Small Office/Home Office (SOHO) wireless network is a challenge due to the lack of security features
in inexpensive hardware. However, achieving adequate security is possible with proper planning and
purchasing of necessary hardware. Adding wireless to a SOHO network does not significantly change threats,
but a malicious user could attach to the wireless connection for free Internet access, potentially introducing a
new virus. To protect the wireless connection, it is essential to harden the machines on the network, which
may involve disabling unnecessary services, using strong passwords, deleting unused accounts, or adding
firewall software. To secure a SOHO wireless network, consider using the security features of the access point,
such as WEP and MAC access controls, and consider purchasing high-end access points with advanced security
features.
The best practices include the following:
• Access point—use WEP and MAC access controls. This will significantly increase the level of complexity
of an attack.
• Network hosts—add personal firewall software to machines and add strong passwords to the printer
and router.
• Turn off the equipment when it is not in use.