This is Part 7 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with SANS’ Security Controls. A summary of the previous posts:
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
Now we are taking on Wireless Access Control.
7-1 - Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need.
- FreeRADIUS & 802.1x - How to set up 802.1x with FreeRADIUS. Just know that Windows, Linux, and Mac come with their own built-in 802.1x supplicant; no third-party client is needed.
- SANS guide to deploying 802.1x - Though Cisco is not free, if you already have Cisco switches, this guide can help you become compliant.
- Group Policy for Wireless 802.1x
- Group Policy for Wired 802.1x
7-2 - Configure network vulnerability scanning tools to detect wireless access points connected to the wired network.
- PWNie Express - a hardware-based "detect everything" device. It WILL find those rogues.
- Many WAP vendors offer these kinds of detection tools. You may even have them already but aren't using them!
7-3 - Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by WIDS as traffic passes into the wired network.
Again, these tools are heavily dependent on your WAP vendor. Make sure you go with a good vendor that offers these tools.
7-4 - Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks.
- Group Policy - How to whitelist SSIDs for wireless clients on your domain.
- Non-domain-joined Windows - batch scripting your whitelist of SSIDs.
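As an added example (not from the original post), the batch approach for a non-domain-joined client looks like this with the built-in `netsh wlan` filter commands. The SSID names are placeholders; run it from an elevated command prompt.

```batch
@echo off
REM Added example: restrict a non-domain-joined Windows client to authorized SSIDs
REM (control 7-4) using netsh wlan filters. Requires an elevated prompt.
setlocal

REM Authorized infrastructure SSIDs, space-separated. Placeholder values;
REM replace with your own. SSIDs containing spaces need their own lines.
set "ALLOWED=CorpWiFi CorpGuest"

REM 1. Allow each authorized SSID explicitly. Allow entries take precedence
REM    over the denyall filter added in step 2.
for %%S in (%ALLOWED%) do (
    netsh wlan add filter permission=allow ssid="%%S" networktype=infrastructure
)

REM 2. Deny every infrastructure network not on the allow list.
netsh wlan add filter permission=denyall networktype=infrastructure

REM 3. Deny ad hoc (peer-to-peer) networks as well. This mirrors on a
REM    stand-alone machine what the 7-8 GPO setting does for domain members.
netsh wlan add filter permission=denyall networktype=adhoc

REM 4. Review the resulting allow/deny lists before walking away.
netsh wlan show filters

REM To roll back the blanket deny (kept here for reference, not executed):
REM netsh wlan delete filter permission=denyall networktype=infrastructure
endlocal
```

The filters survive reboots and apply to all users of the machine, so keep the script under version control alongside your documented SSID list.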
7-5 - For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface), with password protections to lower the possibility that the user will override such configurations.
This is more a policy item than a tools item. Just make sure these devices are monitored for wireless connections using any of the tools already mentioned.
7-6 - Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.
This refers to the SSIDs you set up in the workplace. Don't leave the guest network unsecured. Always use, at the very least, AES with WPA2. I still recommend WPA2 Enterprise (RADIUS with NPS/Network Health Validation).
7-7 - Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication.
See note for control 7-6.
7-8 - Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
- GPO - You can find this setting at Computer Configuration > Policies > Administrative Templates > Network > Microsoft Peer-to-Peer Networking Services.
- Disable Ad-hoc GPO - Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies > Set the policy to "Network to access: Access point (infrastructure) networks only"
7-9 - Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.
- GPO - How to disable Bluetooth and other wireless beaming
7-10 - Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly.
- 802.1x (section 1-5) can aid in this situation, but it is not required. Small businesses should be able to configure their wireless routers/APs to provision clients on a segregated network and deny that network access to internal resources (don’t forget to block VPN access!).
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in BASIC on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor's degree in Information Technology, but feels his real knowledge has been gained through hands-on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.