Place anonymous access WAPs on perimeter networks

An anonymous access WAP (wireless access point) is one that users can connect to without requiring user or computer authentication. Many companies provide anonymous access WAPs as a convenience to customers and consultants. Although anonymous access WAPs are a great convenience to your customers, they can create a significant security threat to the corporate network because hosts connecting to them are not managed clients, and there’s a chance that these hosts are compromised by worms, viruses, and Trojans.

The solution is to deploy the anonymous access WAP on a perimeter network segment that does not have access to the corporate network. This lets you provide Internet access to guest users without the administrative overhead of assigning them WEP or WPA keys, while walling off the corporate network from these unmanaged clients. For example, you can create a wireless DMZ on a multi-homed ISA firewall as discussed in the article "Grant Internet access while securing your network using a wireless DMZ."


Require VPN connections for links between anonymous access WAPs and corporate network segments

Corporate network WAPs do not allow anonymous connections. You will require user or computer authentication for a highly secure corporate wireless deployment. For example, we use EAP user and computer certificate authentication for corporate wireless deployments. Certificate authentication means that only managed machines and users can connect to the corporate network via the corporate WAP.

However, the convenience provided by the anonymous access WAP to guests can also be useful for employees, such as executives who bring in unmanaged, personal laptops from home. These machines aren’t provisioned to use the corporate WAPs, so they have to use the anonymous access WAP. You can provide these users access from the anonymous access wireless DMZ segment by having them use VPN connections to the corporate network. The VPN link secures the connection and prevents intruders from intercepting the communications with resources on the corporate network.


Force client health checking for all hosts connecting from anonymous access WAP segments

VPN client connections from hosts on the anonymous access wireless DMZ segment provide a quick and dirty way to allow authorized users access to corporate resources from the untrusted network segment. Although this solves the immediate problem of allowing authorized users “just in time” access to corporate resources from an unmanaged client, it exposes us to problems related to the unmanaged client computer itself. The unmanaged client has a high probability of harboring viruses, worms, and Trojans that can put the corporate production network at risk.

One way to handle this problem is to use a VPN client hygiene solution, which analyzes the software environment on the VPN client and compares it with your corporate security requirements. A number of VPN server solutions provide this capability, including ISA Server 2004’s VPN Quarantine controls. Most VPN client hygiene solutions also enable you to provide remediation services, so that VPN clients that do not meet corporate security requirements can automatically update themselves to a state where they meet those requirements.
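As an added illustration (not ISA Server's Quarantine feature, whose checks are not described on this page), this is the kind of comparison a VPN client hygiene check performs: a posture report from the client is measured against corporate requirements, and a failing client is placed in quarantine with the remediation steps it needs. The posture fields, patch identifiers and thresholds are assumptions.

```python
"""VPN client hygiene check: compare a client's posture report with
corporate requirements and decide corporate network or quarantine.
Added example, not ISA Server's own Quarantine code; field names, the
patch identifiers and the thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import date

MAX_SIGNATURE_AGE_DAYS = 7                                  # assumed threshold
REQUIRED_PATCHES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}  # placeholder IDs

@dataclass
class Posture:
    antivirus_running: bool
    signature_date: str          # ISO date of the installed AV signatures
    host_firewall_on: bool
    installed_patches: set = field(default_factory=set)

@dataclass
class Decision:
    network: str                 # "corporate" or "quarantine"
    failures: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

def evaluate(posture: Posture, today: str) -> Decision:
    """Every failed check adds a remediation step; the quarantine network
    must let the client reach the servers those steps need."""
    failures, fixes = [], []
    if not posture.antivirus_running:
        failures.append("antivirus not running")
        fixes.append("start the antivirus service")
    else:
        age = (date.fromisoformat(today)
               - date.fromisoformat(posture.signature_date)).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            failures.append(f"antivirus signatures {age} days old")
            fixes.append("pull signatures from the quarantine update server")
    if not posture.host_firewall_on:
        failures.append("host firewall disabled")
        fixes.append("enable the host firewall")
    missing = sorted(REQUIRED_PATCHES - set(posture.installed_patches))
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
        fixes.append("install patches from the quarantine patch server")
    network = "corporate" if not failures else "quarantine"
    return Decision(network, failures, fixes)
```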


Limit anonymous access perimeter segments to unencrypted protocols

Although you want to provide guest users with the convenience of an anonymous access wireless segment, you don’t want hosts on that segment to use your Internet connection to download dangerous software or launch attacks against other networks over the Internet. Unmanaged clients combined with unfettered Internet access can be a recipe for disaster.

For this reason, you should configure your firewalls to allow hosts on the anonymous access wireless segment access only to unencrypted protocols so that your stateful packet and application layer inspection firewalls can inspect and block suspect and dangerous communications. Communications moving over network layer VPN connections (L2TP/IPSec, PPTP, IPSec tunnel mode) and over SSL sessions can’t be analyzed at the application layer. If the application layer firewall can’t inspect the communication, it can’t block virus, worm, and Trojan attacks and can’t record user activity for future forensic reporting.
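The rule above can be checked against the firewall's own records. The following added example (not ISA Server code) audits constructed flow-log lines from the guest segment and reports any tunnel or encrypted session that was allowed even though the application-layer firewall could not inspect it; the log format, addresses and protocol table are constructed for the example.

```python
"""Audit flow records from the anonymous-access wireless DMZ.
Added example, not ISA Server code: guest flows are checked against the
rule 'only protocols the application-layer firewall can inspect', and
opaque tunnels that slipped through are reported. Addresses, log format
and the protocol table are constructed."""
from ipaddress import ip_address, ip_network

GUEST_SEGMENT = ip_network("192.0.2.0/24")      # constructed guest DMZ range

# (protocol, destination port) pairs the inspection firewall can see into
INSPECTABLE = {("tcp", 80), ("udp", 53), ("tcp", 21)}
# Encrypted sessions and VPN tunnels; None = port-less IP protocol
OPAQUE = {("tcp", 443): "SSL", ("tcp", 1723): "PPTP control",
          ("udp", 1701): "L2TP", ("udp", 500): "IKE",
          ("udp", 4500): "IPsec NAT-T", ("gre", None): "GRE (PPTP data)",
          ("esp", None): "ESP", ("ah", None): "AH"}

def classify(proto, dport):
    """Verdict for one guest flow: allow only what can be inspected."""
    key = (proto, dport) if proto in ("tcp", "udp") else (proto, None)
    if key in OPAQUE:
        return "deny", OPAQUE[key] + " cannot be inspected"
    if key in INSPECTABLE:
        return "allow", "inspectable"
    return "deny", "not on the inspectable list"

def audit(log_lines):
    """Return guest flows the firewall allowed but the policy would deny."""
    findings = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        if ip_address(fields["src"]) not in GUEST_SEGMENT:
            continue                   # corporate segments have other rules
        dport = int(fields["dport"]) if "dport" in fields else None
        verdict, reason = classify(fields["proto"], dport)
        if fields["action"] == "allow" and verdict == "deny":
            findings.append((fields["src"], fields["proto"], dport, reason))
    return findings

SAMPLE_LOG = [  # constructed records, key=value per field
    "src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=80 action=allow",
    "src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=443 action=allow",
    "src=192.0.2.11 dst=203.0.113.9 proto=gre action=allow",
    "src=192.0.2.12 dst=203.0.113.9 proto=udp dport=4500 action=deny",
    "src=10.0.0.5 dst=198.51.100.5 proto=tcp dport=443 action=allow",
]
```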


Enforce strong bandwidth control on anonymous access WAP segment

Anonymous connections to any network, whether wired or wireless, from unmanaged machines are a setup for bandwidth abuse. You likely have strong network use policies that corporate network users adhere to, which throttle employee bandwidth abuse, but these same constraints don’t exist for users on your anonymous access wireless segment. Make sure you have deployed either hardware or software solutions that place a hard limit on the percentage of Internet bandwidth available to anonymous wireless users and enforce bandwidth quotas on them. Failure to do so could leave employees unable to reach the resources required to get their work done and could even add to your monthly bandwidth charges.

Require certificate authentication for WAPs connected to corporate network segments

You want to make sure that anonymous users can’t connect to corporate WAPs. This means you need to require machine and/or user authentication before allowing users to connect to the corporate network. All corporate-level WAPs support authenticated access before allowing connections to the corporate network.

For many networks, machine certificate authentication will be considered secure enough. For high security networks, consider using solutions that require both machine certificates and user certificates (either "soft" certificates or smartcards) before allowing access to the corporate network. This ensures that only managed devices are allowed to connect to corporate resources through the corporate WLAN.


Enlist “secret agents” to find rogue WAPs

Rogue WAPs are a constant threat to the corporate network. This problem is probably not as widespread as it was when companies didn’t maintain strong network use policies, but rogue WAPs still represent a major security issue that allows anonymous wireless client systems access to resources on corporate network segments.

Many commercial-grade WAPs include a feature that will detect rogue WAPs and try to shut them down. However, the technology is not foolproof and doesn’t help you when there are areas in the company where there is wired access but no wireless access. One way you can get around this problem is with the help of “secret agents”. Hand out small WAP detectors to the mail staff and users in each department and reward them with a bounty for each rogue WAP they find. You’ll be amazed how many rogue WAPs you find once you properly “incentive-ize” key employees.


Use IPSec-based domain isolation to protect domain members

No matter what you do, there is always a chance that an employee or even a malicious intruder will connect a WAP to the corporate network, which can then be used to compromise network servers. You can protect yourself from this by carrying out a good defense-in-depth strategy: harden your servers, fine-tune permissions for all network servers and services, and use perimeter firewalls to wall off security zones from one another.

One exceptionally effective method you can use to secure your network from unauthorized wireless users is IPSec-based domain isolation. IPSec domain isolation is a technique that isolates domain servers, or all domain member computers, from untrusted machines. IPSec domain isolation is one of the most effective methods available for Windows networks today to protect your critical servers not only from rogue wireless clients but from all untrusted computers on the corporate network.

Block Internet access for wireless devices from corporate network segments

Unfortunately, it’s difficult to manage all the wireless devices users want to bring into the corporate network. Pocket PCs, Smart Phones, and other wireless-enabled handheld devices are often used to connect to the Internet. In fact, it’s the desire to use these devices that leads many users to set up rogue WAPs. Handheld devices can be used to connect to the Internet and download dangerous software, worms, viruses, and Trojans to the corporate network. They can even take part in malicious actions aimed against other networks over the Internet.

You can use your firewall’s application layer access controls to block these devices from connecting to the Internet. For example, you can configure the ISA firewall to require user authentication before enabling outbound access from the corporate network to the Internet. For Web protocols, you can configure an application layer inspection firewall to block requests carrying the user-agent headers sent by handheld devices, or to force integrated authentication with the firewall before allowing outbound access. Since handheld devices cannot be domain members, any attempt to connect to the Internet will be blocked.


Prevent VPN connections from wireless handheld devices

You want to block both anonymous and corporate wireless clients from using encrypted protocols through your corporate firewall. Encrypted communications can’t be application layer-inspected by your stateful packet and application layer inspection firewall, and thus a VPN link can be used to import all forms of network exploits from Internet servers to your network. Many wireless handheld devices can be configured to establish VPN connections to untrusted servers. You can stop this by configuring your firewall to allow outbound VPN connections only from highly trusted users and machines.
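The two controls described in the section on blocking Internet access for wireless devices (require integrated authentication, then block handheld user-agent headers) as an added example, not ISA firewall configuration: it applies both checks to constructed Web requests from the corporate segment and tallies denials per source address, which is a useful lead for whoever is hunting rogue WAPs. The user-agent patterns, header and sample requests are constructed; the authentication check is listed first because a user-agent string is client-supplied and the domain membership requirement is the control that actually holds.

```python
"""Outbound Web access rule for the corporate segment.
Added example, not ISA firewall configuration: a request is allowed only
if it carries an authenticated domain user and its User-Agent does not
match a handheld-device pattern. Patterns and sample requests are
constructed."""
import re
from collections import Counter

# Constructed list of handheld-device User-Agent fragments.
HANDHELD_UA = re.compile(
    r"Windows CE|Pocket ?PC|Smartphone|Symbian|BlackBerry", re.I)

def decide(user, user_agent):
    """Integrated authentication first (handhelds cannot be domain
    members), then the user-agent block for Web protocols."""
    if not user:
        return "deny", "no integrated authentication (not a domain member)"
    if HANDHELD_UA.search(user_agent or ""):
        return "deny", "handheld user-agent"
    return "allow", "authenticated managed client"

def apply_policy(requests):
    """requests: iterable of (src_ip, authenticated_user_or_None, user_agent).
    Returns the per-request verdicts and a per-source count of denials."""
    verdicts, denials = [], Counter()
    for src, user, ua in requests:
        verdict, reason = decide(user, ua)
        verdicts.append((src, verdict, reason))
        if verdict == "deny":
            denials[src] += 1
    return verdicts, denials

SAMPLE_REQUESTS = [  # constructed
    ("10.1.1.20", "CORP\\alice",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("10.1.1.77", None,
     "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)"),
    ("10.1.1.77", None,
     "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)"),
    ("10.1.1.31", "CORP\\bob", "BlackBerry8700/4.1.0 Profile/MIDP-2.0"),
]
```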

