Securing WLANs While Remaining FCC Compliant

3/23/2015
A Wi-Fi monitoring system typically combines Wi-Fi scanning radios (sensors) with a centralized intelligence engine. The system monitors the private WLAN for the presence of rogue access points (unauthorized devices that create a security vulnerability in the network) and prevents impending security breaches by disrupting their wireless communications. Enterprises use such systems, also called Wireless Intrusion Prevention Systems (WIPS), to protect private networks and Wi-Fi devices from security breaches. They are also used to meet the wireless security requirements of compliance standards such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act).

Typically, there are two types of Wi-Fi security threat vectors that organizations worry about:
Outside-In Connections: When an access point that is not owned or controlled by the organization is plugged into its wired network, it creates a backdoor into the private wired network from anywhere within its RF coverage. For instance, an employee who wants personal wireless Internet access may connect a commodity access point or router to the corporate wired network.
Inside-Out Connections: Honeypot APs, operated by malicious attackers, attract unsuspecting clients by posing as an authorized AP (for example, by advertising the corporate SSID). The attacker can then attack the client directly or steal confidential information such as passwords and payment details, for instance by serving a fake login page.

Securing against the above threats is critical. However, in light of the recent FCC ruling against Marriott, in which the hotel company used a Wi-Fi monitoring system and its rogue containment feature to block guests' personal Wi-Fi hotspots, enterprises must ensure that Wi-Fi monitoring is deployed judiciously. AirTight Networks offers the following guidelines to help avoid infringing the rules governing the unlicensed Wi-Fi spectrum in the pursuit of security.

Deploy technology to confirm security threats
Not all devices that can be detected in the organization's wireless space and that are not owned or controlled by the organization pose a security threat. In fact, most of them don't. So make sure to deploy technology with the intelligence to separate credible threats from co-existing, overlapping wireless networks. A policy such as "anything not mine is rogue" is ill-conceived.

Properly detecting the outside-in rogue access threat requires technology that can accurately distinguish unauthorized access points that are physically connected to the organization's private wired network from those that are merely visible in the wireless space but connected to other networks (such as personal hotspots and neighboring facilities' Wi-Fi). Similarly, not all devices detectable in the wireless neighborhood pose a security threat to the organization's Wi-Fi clients: unless one of the organization's Wi-Fi clients actually connects to such an unauthorized access point, there is no credible security breach.

Maintain audit trail of security threats and countering actions
Keeping a record of the confirmed vulnerabilities created by unauthorized Wi-Fi devices helps demonstrate to the authorities that blocking was done purely in the interest of security. A good Wi-Fi monitoring system facilitates this through its alerting and forensics capabilities. It can maintain proof points of when the unauthorized access point was connected to the wired network, where it was located, and which wireless devices accessed the network through it. It can record which enterprise Wi-Fi clients connected to Honeypot access points and at what times. It should also maintain an audit log of the precise targets of each blocking action.

Perform surgical containment
Surgical containment means blocking only those connections that are proven security threats. It is not correct to block access points merely because they are visible in the organization's wireless space. An access point that poses a demonstrable security threat by having been connected to the private wired network, however, should be contained. Such access points can be contained effectively with wire-side techniques (for example, disabling the switch port the rogue is plugged into), which avoid FCC scrutiny entirely because they transmit nothing over the air. Even where wireless containment is used, it must not amount to RF jamming. Deauthentication is a common wireless containment technique; if properly targeted at specific AP-client pairs, it does not disturb legitimate connections in the same spectrum.

When an organization's Wi-Fi client is lured into connecting to a Honeypot access point, the monitoring system should prevent only that client from connecting to the Honeypot access point; it must not block other clients, not owned or controlled by the organization, from connecting to it.
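The three guidelines above (confirm a threat before acting, keep an audit trail, contain surgically) come down to one decision per observed access point. The following policy engine is an added example written for this page; it is not AirTight's code and not taken from any WIPS product. It assumes a sensor that reports each BSSID, its SSID and the stations associated to it, plus a wired-side MAC table from the switches. The wired-side correlation heuristic (a BSSID sharing its OUI with a wired MAC and lying within a few addresses of it, since commodity APs derive BSSIDs from their LAN MAC) and the offset threshold of 8 are assumptions, and every MAC address, SSID and switch port below is constructed sample data.

```python
"""Surgical WIPS containment policy: classify observed APs, act only on proven threats,
and record every decision with its evidence and exact targets. Added illustration; all
inventory and observation data below is constructed, not taken from a real network."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed inventory of what the organization owns (assumed for this example).
CORPORATE_SSIDS = {"CorpNet"}
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
AUTHORIZED_CLIENTS = {"f4:5c:89:10:20:30", "f4:5c:89:10:20:31"}
# MAC -> switch port, as learned from the wired side (switch forwarding tables); constructed.
WIRED_MAC_TABLE = {
    "00:11:22:aa:bb:01": "sw1 Gi1/0/1",   # authorized AP's wired uplink
    "d8:50:e6:00:00:10": "sw1 Gi1/0/7",   # LAN MAC of a commodity router someone plugged in
    "3c:97:0e:55:66:77": "sw2 Gi1/0/12",  # an ordinary desktop
}

@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    clients: Set[str]          # station MACs the sensor saw associated to this BSSID

@dataclass
class Decision:
    bssid: str
    classification: str
    action: str                # "none", "disable_switch_port" or "deauth_client"
    targets: List[str]         # the precise port or client MACs the action applies to
    evidence: str              # why, so the audit trail can be shown to an authority
    time: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def wired_neighbor(bssid: str, wired: Dict[str, str], max_offset: int = 8) -> Optional[str]:
    """Wired-side correlation (assumed heuristic): a wired MAC with the same OUI as the
    BSSID and within max_offset addresses of it indicates the AP is plugged into our LAN."""
    b = _mac_int(bssid)
    for mac in wired:
        if mac[:8].lower() == bssid[:8].lower() and abs(_mac_int(mac) - b) <= max_offset:
            return mac
    return None

def decide(ap: ObservedAP) -> Decision:
    if ap.bssid in AUTHORIZED_BSSIDS:
        return Decision(ap.bssid, "authorized", "none", [], "BSSID in authorized inventory")
    wired = wired_neighbor(ap.bssid, WIRED_MAC_TABLE)
    if wired:
        # Outside-in threat proven by the wire: contain on the wire, not in the RF.
        port = WIRED_MAC_TABLE[wired]
        return Decision(ap.bssid, "rogue_on_wire", "disable_switch_port", [port],
                        f"BSSID correlates with wired MAC {wired} on {port}; "
                        f"{len(ap.clients)} client(s) associated")
    if ap.ssid in CORPORATE_SSIDS:
        victims = sorted(ap.clients & AUTHORIZED_CLIENTS)
        if victims:
            # Inside-out threat: deauth only OUR clients from THIS BSSID. Other stations
            # on the honeypot are not ours to disconnect.
            return Decision(ap.bssid, "honeypot", "deauth_client", victims,
                            f"advertises {ap.ssid!r} with unauthorized BSSID; "
                            f"authorized clients associated: {victims}")
        return Decision(ap.bssid, "lookalike_no_association", "none", [],
                        f"advertises {ap.ssid!r} but no authorized client has connected")
    return Decision(ap.bssid, "external", "none", [],
                    "not on our wire, not our SSID: a neighbor, not a threat")

def evaluate(observations: List[ObservedAP]) -> Dict[str, Decision]:
    """Returns one audit record per observed AP, keyed by BSSID."""
    return {ap.bssid: decide(ap) for ap in observations}

# Constructed sensor observations for one scan cycle.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:aa:bb:01", "CorpNet", {"f4:5c:89:10:20:30"}),
    ObservedAP("d8:50:e6:00:00:11", "linksys", {"0c:0c:0c:0c:0c:01"}),
    ObservedAP("02:aa:bb:cc:dd:ee", "CorpNet", {"f4:5c:89:10:20:31", "aa:aa:aa:aa:aa:aa"}),
    ObservedAP("06:11:22:33:44:55", "CorpNet", set()),
    ObservedAP("c4:e9:84:12:34:56", "Cafe-Guest", {"aa:aa:aa:aa:aa:aa"}),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_SCAN).values():
        print(f"{d.time} {d.bssid} {d.classification:26} {d.action:20} {d.targets} | {d.evidence}")
```

Only two of the five observed APs draw any action: the commodity router is handled on its switch port, and the honeypot gets deauthentication aimed solely at the one authorized client it captured. The visitor's station on the honeypot, the neighboring cafe network and the lookalike SSID that nobody connected to are left alone but still logged, which is the record an organization would need to show that its blocking was confined to security threats.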

Block wireless connections only for security reasons
There are several reasons why an enterprise may wish to use blocking containment:
Performance: Independent hotspots operating in the same wireless space interfere with the organization's private WLAN and degrade its performance.
Payment: Making visitors connect to a paid in-house Wi-Fi service instead of using their own personal hotspots.
Security: Unauthorized access points that open security holes and expose the enterprise to malicious attacks.

The FCC did not specifically address whether organizations may block wireless connections with the aim of improving performance or charging fees. However, containment for performance or paid services seems difficult to justify, because Wi-Fi operates in unlicensed spectrum to which the public has equal rights. The FCC also did not categorically comment on the propriety of containment for security reasons.

Implement user opt-in for BYOD
Many organizations are experimenting with or have introduced BYOD (Bring Your Own Device). When an employee-owned device connects to the private WLAN, enterprises may want to protect it from wireless Honeypot attacks using containment. If so, it is desirable to obtain users' opt-in via corporate policy or via the terms and conditions of the BYOD onboarding process. This ensures that the user voluntarily agrees to containment when the device connects to a non-corporate WLAN while at or around the workplace, and avoids liabilities arising from user complaints.

Wi-Fi monitoring systems are powerful tools for enforcing security. However, proper precautions must be taken to avoid contravening spectrum rules while using them. An improperly implemented Wi-Fi monitoring system can not only expose you to security risks but also push you into the murky waters of spectrum rule violations. The tool is only as good as the person using it, so it is important to train network designers and administrators to deploy Wi-Fi monitoring systems properly.