Monday 12 October 2009

When talking about wired security, enterprise IT administrators talk about multiple layers of defense such as internet firewalls, VPNs, admission control, email filtering, content filtering, web application scanning and many others. It is like a hacker has to peel multiple layers of an onion before getting to the core. Each layer of security is independent and is preferably sourced from different vendors. Each layer compounds the amount of work that a hacker has to perform to get in.

When considering the security of a wireless network, the same enterprise IT administrators are content with the basic security mechanisms integrated into the wireless LAN infrastructure by vendors such as Cisco Systems and Aruba Networks. IT departments have a hard time understanding why an inner layer of defense for wireless network security is needed in the form of an advanced wireless intrusion prevention system (WIPS). The wireless network security posture of an organization is the weakest when the security integrated into wireless LAN infrastructure is the only layer protecting the core network. Without an inner WIPS layer, the core network is open to rogue APs, unauthorized client connections, ad-hoc networks, MAC spoofing and many other attacks that the wireless LAN infrastructure security cannot protect against.
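As an added illustration of the attack classes named above (example code written for this page, not code from the original post or from any WLAN or WIPS vendor), the following toy classifier assigns WIPS-style alert categories to constructed 802.11 observations. The corporate SSID, the authorized AP and client inventory, and the observation records are all assumptions.

```python
"""Toy WIPS-style classifier for observed 802.11 devices (added example).
Assumes the defender keeps an inventory of authorized AP BSSIDs (with the channel
each is provisioned on) and authorized client MACs; anything else is flagged."""
from dataclasses import dataclass
from typing import Optional

CORPORATE_SSID = "corp-wlan"  # assumed SSID of the managed WLAN
# Assumed inventory: authorized BSSID -> channel it is provisioned on
AUTHORIZED_APS = {"00:11:22:aa:bb:01": 6, "00:11:22:aa:bb:02": 11}
AUTHORIZED_CLIENTS = {"d4:3d:7e:00:00:10", "d4:3d:7e:00:00:11"}

@dataclass
class Observation:
    kind: str        # "beacon" (from an AP or IBSS) or "assoc" (client association)
    ssid: str
    bssid: str
    channel: int
    ibss: bool = False               # beacon advertised ad-hoc (IBSS) mode
    client: Optional[str] = None     # for "assoc": the station MAC

def classify(obs: Observation) -> str:
    """Return the WIPS alert class for one observation, or 'ok'."""
    if obs.kind == "beacon":
        if obs.ibss:
            return "adhoc-network"
        if obs.bssid in AUTHORIZED_APS:
            # Our BSSID seen on a channel it was never provisioned on is
            # consistent with someone spoofing the AP's MAC address.
            return "mac-spoofing" if obs.channel != AUTHORIZED_APS[obs.bssid] else "ok"
        if obs.ssid == CORPORATE_SSID:
            return "rogue-ap"        # unknown AP advertising our SSID
        return "external-ap"         # neighbour network; monitor only
    if obs.kind == "assoc":
        if obs.bssid in AUTHORIZED_APS and obs.client not in AUTHORIZED_CLIENTS:
            return "unauthorized-client"
        if obs.bssid not in AUTHORIZED_APS and obs.client in AUTHORIZED_CLIENTS:
            return "client-misassociation"  # a corporate client joined a foreign AP
    return "ok"

# Constructed sample feed: what a WIPS sensor might report in one scan interval.
SAMPLE = [
    Observation("beacon", "corp-wlan", "00:11:22:aa:bb:01", 6),
    Observation("beacon", "corp-wlan", "66:77:88:99:aa:bb", 1),
    Observation("beacon", "corp-wlan", "00:11:22:aa:bb:02", 3),
    Observation("beacon", "free-share", "02:ab:cd:ef:00:01", 11, ibss=True),
    Observation("assoc", "corp-wlan", "00:11:22:aa:bb:01", 6, client="ff:ff:00:00:00:99"),
    Observation("assoc", "cafe-wifi", "aa:bb:cc:dd:ee:ff", 6, client="d4:3d:7e:00:00:10"),
]

def alerts(feed=SAMPLE) -> list:
    """Return (bssid, alert class) for every observation that is not 'ok'."""
    return [(o.bssid, c) for o in feed if (c := classify(o)) != "ok"]
```

None of these checks depend on the WLAN controller's own view of the network, which is the point of running them in a separate layer.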

The figure below shows how your core network can be exposed to wireless attacks when there is no WIPS layer.

[Figure: Wireless security posture is the weakest when security built into the wireless LAN infrastructure is the only layer protecting you]

There are two paradoxes about wireless security that puzzle me.

  • First, while multiple layers of security are being built to protect attacks from the internet over the wired network, the wireless door is left relatively unsecured by relying on a single layer of protection provided by security integrated into the WLAN infrastructure (access points and controller).
  • Second, if a wireless intrusion prevention system (WIPS) is considered, it is sourced from the same vendor that provides the WLAN infrastructure. While the concept of separating the “church” from the “state” has been considered a prudent practice for centuries, and is applied to wired network security, somehow it is not applied to wireless network security. Thus, if a wireless intrusion prevention system (WIPS) is set up as an inner layer of defense for wireless networks, it is likely to have the same weaknesses as the first line of defense (i.e. the WLAN infrastructure) if both lines of defense are sourced from the same vendor, rendering the WIPS defense relatively useless.

The weakness of the outer layer of defense provided by wireless security integrated into the WLAN infrastructure has become even more glaring due to two recent developments:

  • In August 2009, AirMagnet revealed that a hacker could use the Over-the-Air Provisioning (OTAP) feature built into Cisco access points (APs) to gain control over that AP and hence gain access to the network. Click here for details regarding this vulnerability. This vulnerability clearly demonstrates that, though WLAN infrastructure vendors have traditionally denied it, the security provided by WLAN infrastructure is very basic and has serious holes.
  • In August 2009, Japanese researchers published their findings about how WPA could be cracked in one minute. Click here for details regarding this vulnerability. While this vulnerability is relatively hard to exploit, it still highlights the fact that there are cracks in the security built into the WLAN infrastructure.

It is true that any network infrastructure has security holes, and wireless networks are not different. As the vulnerabilities are discovered, they will be patched and the holes will be filled. This is true in the evolution of any networking technology. However, there are two mistakes being made by IT administrators when dealing with the security of wireless networks.

  1. IT administrators assume that the security provided by WLAN infrastructure is “good enough”. They do not provision for an inner layer of defense such as a wireless intrusion prevention system (WIPS).
  2. If a wireless intrusion prevention system is considered, most IT administrators consider it “administratively convenient” to source the WIPS from the same vendor that provides WLAN infrastructure. This creates a second line of defense that has the “same” weaknesses as the outer layer of defense provided by security built into WLAN infrastructure. Hence, some attacks can still pass through the WIPS layer and reach the core network.

The figure below highlights how wireless attacks could reach the core network in spite of a WIPS layer, if IT administrators make the mistakes described above.

[Figure: Wireless security posture is relatively weak when both WLAN and WIPS are sourced from the same vendor]

These mistakes must be corrected to ensure that the wireless “back-door” is as secure as the wired network “front-door” facing the internet. There are three things that IT administrators should consider to ensure total wireless security.

  1. Install a wireless intrusion prevention system (WIPS) as an inner layer of defense for your WLAN infrastructure. This enables zero-day protection even if the WLAN infrastructure security shows cracks. It also protects against many wireless attacks that the WLAN infrastructure security does not protect against.
  2. Consider installing a WIPS before installing the WLAN infrastructure. This guarantees higher levels of security against rogue wireless devices and other wireless attacks even before WLAN infrastructure is installed.
  3. Source WIPS and WLAN infrastructure from different vendors. This ensures that the two lines of defense have non-overlapping weaknesses, resulting in effective attack-blocking.

The figure below shows how building a two-layer defense against wireless attacks, with the WIPS layer and the WLAN security layer being sourced from different vendors can enable a strong wireless security posture for an organization.

[Figure: Wireless security posture is strong when WLAN and WIPS are sourced from different vendors]

Having multiple layers of defense sourced from different vendors has been considered prudent practice in wired network security. Is it not time to consider the same approach for wireless security?
