Well… As expected, the vulnerability has been further refined and the time required to compromise WPA/TKIP protected networks has dropped to about 1 minute. Additionally, the attack has been expanded to work against more devices, increasing the attack success rate.

Though the attack has been refined and is now much more of a concern that it was back then, the basic principles touched on in that previous article still hold true. And while I would love to suggest that all WLAN administrators should disable WPA/TKIP and move to WPA2/AES, the reality is – and will continue to be for some time – there are many devices deployed in production wireless networks that cannot support WPA2/AES. So what’s the answer? The same as it was last November…

• Segregate your WLAN into security zones based upon the capabilities of your production devices
• Apply upstream firewall rules or access control lists to restrict communications to only those applications required on the WLAN devices
• Implement WIDS/WIPS solutions to monitor and protect your wireless airspace and to enforce client configuration and access control rules
• Migrate to WPA2/AES for any devices that can support it

Network security is a moving target and wireless networks are no different than their wired cousins. Security policies need to be reevaluated regularly and must evolve to protect against the current threat landscape. Applying some basic best-practices as outlined above helps to maintain a secure architecture while simplifying the continued migration to more advanced wireless security standards and architectures.

Concerned about the security of your wireless network? Cumulus can help. Check out our web site for some of the services we offer or give us a call to discuss your situation with one of our consultants.

Now in its sophomore year, Partnerfest09 will go beyond last year’s format and will offer two significant changes. The first is industry focus – each day will focus on a specific vertical that includes Healthcare, Industrial and Logistics, and Enterprise. The second change is that each day will also offer a morning technical training session that provides insight in planning, deploying and supporting wireless and mobility solutions tailored to that day’s industry focus.

While specific topics and vendor presentations are currently in process, the daily agenda will include a technical session from 10 AM to noon and a technology overview from 12:30 until 2:30. The overall industry focus will be:

Tuesday Aug 4th – Healthcare
Performance Counts: Designing and Supporting WLANs for Voice, Real-Time Location, and Mission Critical Applications

Wednesday Aug 5th - Industrial and Logistics
Facing the Challenges of Supporting Wireless and Mobile Devices in Diverse Environments and Distributed Facilities

Thursday Aug 6th – Enterprise
The WLAN as a Platform: Meeting the Demands of Current and Future Networked Applications

Lunch will be provided and after the sessions we’ll be heading down to Musikfest to enjoy the sights and sounds. We’ll also have some great giveaways that include the coveted Musikfest mug, Partnerfest tee, and food tickets for all attendees. There is no cost for any of the sessions and we encourage our vendors, business partners, and end customers to join us. Last year’s sessions were a success and we expect this year to be even better.

If there is anything specific you want to know, don’t hesitate to contact me and I’ll see if we can make it happen. Also, feel free to contact me about presenting in the afternoon session, sponsoring a giveaway or event or otherwise participating.

What this means for you – no more will you to have to stage each device at Corporate IT, instead drop ship the device direct to your remote facilities, and have the Scan-to-Configure barcode sheet available onsite.  After the device has gained network connectivity via the Scan-to-Configure barcode sheet, your mobile device management suite can deliver the required applications.  Even if you do continue to stage devices for your users, Scan-to-Configure will save you hundreds of keystrokes.

Scan on!

In addition, one item listed in the release notes is the “initial release” of the “Web Console”. While this release of the Web Console appears to be limited to Alerts, one gets the feeling that there may be grander plans for the web interface.

Below is a list of a few important items from the v4.8 release notes:

• SNMP v3 support for Infrastructure dServers
• Support for new wireless infrastructure components and firmware versions
• Initial release of the Web Console
• CSV and XML reporting output as well as XML import for generating customized reports
• Integration of Wavelink Communicator to the right-click menu of a specific mobile device as well as the addition of launch icons to the ‘device details’ page
• For more information on Wavelink Communicator
  http://www.wavelink.com/products/communicator.aspx
• Sorting and filtering of the Mobile Device List view using custom properties

Avalanche Mobility Center 4.8 is available for download here:
http://www.wavelink.com/download/downloads.aspx?Section=4

USA Today has published an article about the breach here.

“Cleaning up the mess could be potentially much more expensive than any fines or penalties” says Michael Argast, senior analyst at security firm Sophos. –From the USA Today article

What makes this breach so disconcerting is the fact that Heartland had just gone through a PCI audit several months before. This calls into question the practices of the auditor and highlights the fact that simply meeting PCI compliance regulations may not be adequate. Instead, a comprehensive, vigilant approach to network and system security is the most prudent method for protecting customer records.

PCI DSS 1.2 provides a solid set of guidelines for protecting customer data but PCI has to balance regulatory guidelines with practicality to ensure that the regulations remain enforceable. This breach may or may not have involved wireless networks but take, for instance, the PCI DSS 1.2 Section 11.1  requirement for quarterly wireless scans. While performing quarterly wireless scans will satisfy this requirement, those scans only have to occur four times per year, which doesn’t do much to enhance the security of your network.

A better (and, potentially, more cost-effective) approach is to deploy a wireless IDS/IPS platform that can provide 24/7 detection and defense. WIDS/WIPS platforms are designed to monitor the wireless environment and alert on any unauthorized access attempts, compliance deficiencies and out-of-policy events in real time. A fully deployed WIDS/WIPS platform exceeds the requirements dictated by section 11.1, provides a much more comprehensive approach to security and, best of all, may actually cost less than quarterly scans!

To see how Cumulus can help secure your network and meet your PCI requirements, click here.

• 1000 Series
• 1120 Series
• 1200 Series
• 1232AG Series

There is also another promotion available to Cisco wireless partners.  Valid through April 30, 2009 Cisco is offering up to 10% off the list price of the 10-unit 1140 series eco-pack.

The findings generally point to configuration settings that are not in line with recommendations set forth in the Ascom configuration guide for Meru Networks. In addition to the settings outlined in the configuration guide, the following configuration settings should be confirmed:

The full Service Alert Bulletin can be found here.

Cisco lists the affected AP models as:

• AIR-AP1252AG-A-K9
• AIR-AP1252AG-E-K9
• AIR-LAP1252AG-P-K9

The associated bug ID is CSCsu70617. (Link requires CCO login)

More information regarding the field notice can be found here. Have any APs with this problem? Leave a comment and let us know.

Planning

The first question should be: “What business problem are we trying to solve with wireless technology?”  The type of application that drives the mobility solution is of critical importance.  How a wireless infrastructure is designed is dictated by the clients that will connect to it and the applications that those clients will run.  Are we talking about ruggedized handhelds running telnet or are we looking at wireless VoIP phones and a Wi-Fi location system?  Maybe you’re looking to stream live video?  This is going to influence not only the technology that is recommended, but the deployment method of the chosen solution.  Add to this concerns with security that are dictated either internally or by regulating bodies such as PCI, HIPAA, and SOX and you have a new set of issues to deal with - how secure does this network need to be?

Beyond the technology, who in the organization is responsible for supporting the new solution?  Wireless and mobility has matured to a network component equally as critical as the wired network which means that not only must it have the same uptime as the LAN, it also may create a new group of users that need support.  Do you add staff, make do with what’s at hand or outsource the support and management?  Also, in a typical mobility deployment you have mobile devices and an infrastructure that supports them - are the same people supporting both?  If not, where does the handoff occur?  In either case, how are you managing and supporting the mobile clients? 

And finally, who is responding to alerts from the security solution, infrastructure and devices?  If you have the staff to do it, great, if not, all of these tasks can be outsourced - but again, this must be determined in advance and tested in the next phase.  All of this must be planned very carefully, especially if the deployment adds hundreds of users at locations across the country or worldwide.

Testing

Once the technology is selected and a design put in place, it’s time to test it.  You need to put this equipment in a lab environment and make it work.  You also need to put in place your support plan - when a problem arises, how do you minimize loss of productivity - both from the operational side as well as the Information Technology side.  Does the expertise exist internally to determine if the cause of the Zebra printer not printing is because of the Bluetooth connection to the Motorola hand held or because of the Motorola’s connection back to the Cisco WLAN?  Substitute any manufacturer’s name and the point stands - can you support this as a system?  You need to determine this now, otherwise you’ll be scrambling during…

Pilot Deployment

The misconception about a pilot is the tolerance of the users subject to your experiment.  They don’t care if you call it a pilot, test, trial or whatever, their primary concern is getting their job done.  So if your stuff doesn’t work, they don’t want to use it.  Get it right during the Planning and Testing phases and you should be good to go.  Minor tweaks and changes shouldn’t cause many issues, but major, unplanned functionality problems will have your users asking for the old system back again.  Poor user adoption can kill a deployment if not planned properly - ask anyone that has tried to deploy wireless VoIP phones in a hospital without first making sure the wireless infrastructure supports the application.  Ever tried to check your email in the bathroom?  Probably not, but I’m sure any doctor or nurse expects their wireless VoIP phone to ring.  Check out a previous blog on why WLAN site surveys are more important than ever at http://tinyurl.com/7yypyd for more information.

Summary:

If there is one takeaway it’s Planning.  If you don’t plan it properly, problems will inevitably surface and will compound themselves as the rollout progresses.  Don’t give in to “we need this done tomorrow”, I’ve seen those deployments end up taking twice as long as a deployment that was carefully planned, tested, piloted and deployed.  If you’re being asked to rollout a new wireless mobility solution and you don’t know who will manage it or how it will be managed, go read the planning section again - or give me a call.

Any IT security staff knows that unauthorized access points plague most organizations and are often a more significant problem for organizations that do not provide sanctioned wireless access for the client base. Non-technical users will often buy and install SOHO-type wireless access points or routers to facilitate a perceived need for mobility. In most cases, these wireless devices are deployed with little or no regard for network integrity or security and very often present a major security vulnerability. Conventional wired infrastructure-based counter measures can protect against a rogue layer 2 access point by restricting the uplink switch port to a single MAC address (typically the first MAC seen by the port). But this type of port security will have no effect on layer 3 wireless routers (which are much more readily available, by the way.) Other approaches require that technical personnel and RF scanning equipment be deployed periodically to all organization locations to manually scan for, detect and classify any wireless devices. This manual approach is neither practical nor effective since it is costly and provides only point-in-time data.

So how can ‘no wireless’ organizations ensure that their network infrastructures remain wireless free? The same rogue detection, classification and mitigation capabilities that help organizations with sanctioned wireless networks protect against unauthorized or incorrectly configured access points can be retuned to aggressively maintain a ‘no wireless’ state. The detection and classification thresholds can be modified to allow for faster rogue identification since any wireless network devices detected on-network will be considered unauthorized rogue devices. Once identified as an on-network rogue, the IPS system can take over and begin to actively defend the network, marginalizing the risk posed by the rogue access point while also providing IT security personnel with the approximate location of the rogue device.

In short, while it may seem like an unconventional solution, WLAN IDS/IPS platforms provide a simple, cost-effective option for maintaining a ‘no wireless’ state. Coupled with alerting, reporting and incident response, these solutions help provide the peace of mind IT security personnel need.

Click here for more information on wireless IDS/IPS platforms and to see how Cumulus can help your organization design, implement and maintain a secure wireless architecture.