WIRELESS INFRASTRUCTURE

08/12/2015, 8:00 AM

The 9 Worst WiFi Security Mistakes

Loopholes in your WLAN security could put your business at risk. Here are the common security pitfalls when it comes to wireless networking.

Comments

WiFi security

Community members: Any other WLAN security mistakes you'd add to this list?

Re: WiFi security

With regard to no. 5, lack of passwords: I have visited places that provide day passes (expiring user names and passwords). Although it's a bit cumbersome, it works better than a single password, which eventually becomes widely known.

On the other hand, I've seen places with no password that require the use of a VPN to access anything important. This still leaves the place vulnerable to people who siphon off usage, if that's a concern.

Re: WiFi security

The single-day pass for guests sounds much better than a single password. It seems NAC technology was supposed to help prevent access to sensitive resources, but that technology always seemed more about hype than reality.

Re: WiFi security

Good note.

Re: WiFi security

Hacking tools for this part of the network are widely developed and multiplying every day. So we need to pay attention to WLAN security design. We must follow a good process with the whole team when implementing a WLAN.

Re: WiFi security

Hi Jerome,

You make a great point about hacking tools and the fact that more and more are being created every day. Are we just fooling ourselves about WiFi security?

Re: WiFi security

Hi my friend ClassC,

Thank you very much.

Right, that's a great question. Regarding everything about WiFi security nowadays, this anxiety is common. I think we must push this question to the researchers or the people involved in this domain, because we talk about security in every area, OK, but in the area of WiFi, ouff, the lack is high, IMO.

Re: WiFi security

But I think that we are moving to an era where more attention will be paid to WiFi technology, maybe like wireless technology in pure telecom technologies. It will be mandatory! :) Anyway, security as we saw it here is an end-to-end set of actions; even if the technology is natively secure (with some security features built in), it will be very interesting to have:

end devices (from the vendor side) with some advanced, maybe customized, security features (which could be viable for marketing purposes),

and we must, as always, advise/instruct end users in good security practices!!!

I've noted your great question, ClassC; I will ask one day somewhere for others' points of view :)

One last thing I want to add, in my opinion again: we have reached the era where researchers/innovators in the domain (WiFi) will reveal what they have for secure solutions. Indeed, sometimes it is more valuable when we need/require/want it! :)

Thanks and Regards,

Jerome

Re: WiFi security

We need to pay attention and try to improve security in these wireless technologies, or implement some native security features in them. Researchers, vendors and other operators in these areas must rethink and redesign wireless technology now for a better future with the Internet of Everything.

Re: WiFi security

Because I think that one of the powers, or the success, of IoT will be wireless technology, IMO.

Thanks,

Re: WiFi security

OK, when you are setting up the installation, pay attention to the time on your ISE (NTP server) and the time of your Active Directory; it is the rigour! One ISE can support up to 5k

The second mode of deployment, if I remember, is to have up to 5 dedicated PSNs, and to have two boxes: one box as admin master and monitoring backup,

second box: vice versa!

Re: WiFi security

Third model of deployment: supports up to 40 PSNs.

In this case we must have a dedicated physical box for each role:

one box as admin master

one box as admin backup

one box as monitor master

one box as monitor backup

and add your physical PSNs. It is for very large networks!

Re: WiFi security

ISE can do what we call Posture; it consists of, for example, analysing the user's OS software, anti-virus updates, OS firewall and its updates before giving access to the network. Sometimes we can configure it to force the update of the whole user OS before letting them access the network or have some access to some resources.

Re: WiFi security

Hi everyone, Hi Marcia,

We can allow voice traffic and deny data traffic based on the hour. We can allow only a specific vendor's phones to be connected, and more and more..... a large range of features.

I would like to share this challenge: one day a customer asked us to shut down all the user ports (switch interfaces) on a specific day and hour, periodically. OK, we can push a DACL based on the period to deny any traffic, but they also wanted to wake up these ports (allow the traffic at a specific period), which is very difficult, because the second requirement can't be done by this platform :) Need to check and check, maybe combine with the Cisco built-in features to clean the virtual ACL, or I don't know :)

That's all I like in this platform: rigour, many skills required, built-in features, flexibility ....

Hope that helps. Have a great Sunday; may God bless us!

Thanks and Regards,

Jerome AMON

Re: WiFi security

Wow, thanks for all that technical guidance Jerome! The granular access control ISE provides sounds great, but like you say, you really need the right skills to be able to set it up properly.

Re: WiFi security

Hi Marcia,

You're welcome and thank you also.

Sorry for my late reply; after working on the design of a big ISP (MPLS) project, I started the implementation (racking, mounting, testing and configuration from scratch). 2 new ASR 9k6 must work with an MGW. Technologies in this project: IOS-XR, BGP, IS-IS, MP-BGP, OSPF, VRRP, BVI, RPL, SNMP and more :)

Thanks for your reply. Yes, we need skills!!! And test the skills/knowledge of the person before you let them start working on your infrastructure :)

Thanks and Regards,

Jerome

Re: WiFi security

Good luck with the project Jerome!

Re: WiFi security

Hi Marcia,

Thank you very much. The project was a success. The Huawei MGW is connected and everything works as expected. This prototype design will be reproduced next here in more than 7 locations/regions across the whole country. Great achievement :)

Thanks again.

Re: WiFi security

Congratulations Jerome! Thanks for the update.

Re: WiFi security

Hi Marcia, thank you very much. It reminds me of all the emails I received when I successfully finished this project :) Sorry for my late reply; I am now working as a Principal Field Engineer for a new ASR-based project, a P router (ASR9006) to be installed and configured from scratch with a lot of constraints. And after this, another one, an IPTV project with full ASR products. Ahh, the Cisco ASR product line, done right here!!! Thank you Marcia for your support :)

Re: WiFi security

Hi Marcia,

Thank you for mentioning NAC technology. Yes, I worked and I'm still working on this technology, precisely Cisco's, called ISE (Identity Services Engine). We can do many great things with it, but what I notice is the restrictions with the Access Points (more so those of Cisco with specific software and versions). Yes, ISE does this job very well! I like it :)

Thanks and Regards,

Re: WiFi security

Hi Jerome! Can you elaborate on what you like about ISE?

Re: WiFi security

Hi Marcia, hmmm, great question. I like everything about this product thanks to its features and how it brings secure unified access and supports this BYOD trend. Marcia, here I will describe some good features/actions that we can do with this Cisco platform :) The developers of this platform have done a great job, trust me, but there is a lot left to do too!

Boom, let's start now with some ideas :)

Re: WiFi security

Hi Marcia, as I said, I got the chance and I'm still working on this platform for some customers. This platform is very rich, but it requires practice and practice in order to discover its power. And when a customer asks you for something, it will be a challenge to learn something new too.

Re: WiFi security

Hi Marcia, we deployed it for a lot of banks, enterprises, corporates ... One thing I noticed from the Cisco side is that there is no more documentation and no books about this product, and trust me, a lot of systems integrators don't have skills in this :). Marcia, "it's as if you had pinched me" lol. One thing I would like to note is that we had the chance to have a CCIE highly trained on this platform by a well-known partner! OK, this platform has some bugs that we discover step by step while we are working; of course, we contact Cisco TAC and share with them, and they try to fix them with some released patches :) We help them!!!

Re: WiFi security

Hi again Marcia,

"I told you that you had pinched me" :)

When you need to work on this platform, due to its rigour (and there I totally agree, because we are talking about a security platform, so nothing but rigour), having skills on systems could help; I would say it's mandatory, I mean in terms of server certificates and more: know how and where you can find this information in the customer infrastructure. As you don't have access to some specific resources of the customer, you must know and instruct/guide them to find what you need to implement/troubleshoot! Ouff, a lot to say :)

Re: WiFi security

OK, let's move now to operations.

We put all the rules on the admin master, and it will push/clone the config to the admin backup. So all the configuration must be done on the admin.

The monitoring is for logs, helpful for troubleshooting, checking who is connected, everything on the network, backing up the config and restoring as well; you need to configure an FTP server to store this huge amount of logs!

The PSN receives all the rules from the admin, receives the requests of the users/devices, and pushes the DACL (downloadable access list) onto the specific switch interface where the user is connected, depending on the rules.

IPN mode works with the ASA, because some versions of the ASA don't support x and some other features that are required to communicate with the PSN. But I think the current new versions have these features built in, so no IPN mode to be configured; we will have the PSN with the ASA only!

Re: WiFi security

We have basic AAA (Authentication, Authorization and Accounting) as in the past on ACS, with some config on the switches/routers. The old NAC + with ACS can give almost some of the features of this all-in-one ISE platform, IMO. With profiling we can say, for example: after authenticating the user based on MAC or IP or username/password from AD, let them access specific resources. And much more we can do.

Re: WiFi security

So, for these first features ISE needs access to the internet in order to check this update information; I think there is a great cloud behind it on the Cisco side :)

We also have profiling, very interesting; at this point we can set up some rules based on the MAC address of the computer, the vendor name of the computer, user department, traffic type (voice, data), IP address and more .... It is the most used!

Re: WiFi security

We can set up local usernames/passwords on ISE and authenticate the user, or use their MAC address, or use protocol x, but that requires activating it on the user's computer, so it is not interesting for guests and consultants...

So we have the hotspot feature, as in a cyber cafe: we can, for example, set up a username/password and attribute to it a specific time and authorize only internet access (allow, for example, the proxy address or DNS and the internet gateway)....

Re: WiFi security

We also have the web portal for authentication: say we don't have the MAC address of the user in the database, or something else; redirect them to the web portal for username/password based authentication and then push the specific authorization to their interface port on the switch where they are connected. Hmm, we have a DACL there. To check these ACLs on the switches after they are pushed by the PSN, on a Cisco switch enter, I think, show authen session interface .....

Hope that helps!
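The DACL push described in the operations post above and the portal redirect for an unknown MAC described in this one are, on the wire, one RADIUS exchange between the switch (NAS) and the PSN. The block below is an added example, not code from the thread, from Cisco ISE or from IOS: it simulates both sides offline with the Python standard library, hiding the User-Password as RFC 2865 requires and signing the reply with the Response Authenticator so the switch can detect a forged Access-Accept. The shared secret, addresses, MACs, ACL lines, the portal URL and the endpoint table are constructed; the MAB user-name formatting is an assumption, and a real ISE normally returns the dACL by name (the switch then downloads its contents in a second request) rather than as inline `ip:inacl#` pairs as here.

```python
"""Added example (not code from the thread or from Cisco): a RADIUS
Access-Request/Access-Accept exchange between a switch (NAS) and a Policy
Service Node, both simulated with the standard library. A known MAC (MAB)
gets a downloadable ACL as cisco-avpair values; an unknown MAC gets a web
portal redirect plus a restrictive ACL. All values below are constructed."""
import hashlib, hmac, os, struct

SHARED_SECRET = b"constructed-shared-secret"          # constructed
PORTAL_URL = "https://ise.example.test:8443/portal/"  # constructed
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3             # RFC 2865 codes
USER_NAME, USER_PASSWORD, VSA, CALLING_STATION_ID = 1, 2, 26, 31   # attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                               # VSA 26, vendor 9, type 1

KNOWN_ENDPOINTS = {   # constructed endpoint table: MAC -> ACL lines for that device
    "0011aabbccdd": ["permit udp any any eq domain", "permit tcp any host 10.0.0.50 eq 443",
                     "deny ip any any"],
}
CWA_ACL = ["permit udp any any eq domain", "permit tcp any any eq 80",   # unknown device:
           "permit tcp any any eq 443", "deny ip any any"]              # portal traffic only

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    v = text.encode()   # Vendor-Specific attribute carrying one cisco-avpair string
    return attr(VSA, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(v) + 2) + v)

def parse_attrs(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def nas_access_request(mac: str, ident: int = 1) -> tuple:
    """MAB as a Cisco switch sends it (formatting assumed): the MAC without
    separators is both User-Name and User-Password."""
    req_auth = os.urandom(16)
    plain = mac.replace(":", "").replace("-", "").lower().encode()
    attrs = (attr(USER_NAME, plain)
             + attr(USER_PASSWORD, hide_password(plain, SHARED_SECRET, req_auth))
             + attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def psn_handle(request: bytes, secret: bytes) -> bytes:
    """PSN side: check the password, choose the authorization, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, req = request[4:20], dict(parse_attrs(request[20:]))
    user = req.get(USER_NAME, b"").decode()
    pw = reveal_password(req.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    if pw != user:                      # wrong shared secret, or not a MAB request
        reply_code, acl, extra = ACCESS_REJECT, [], []
    elif user in KNOWN_ENDPOINTS:       # known device: its dACL, nothing else
        reply_code, acl, extra = ACCESS_ACCEPT, KNOWN_ENDPOINTS[user], []
    else:                               # unknown device: central web auth redirect
        reply_code, acl = ACCESS_ACCEPT, CWA_ACL
        extra = ["url-redirect-acl=ACL-WEBAUTH-REDIRECT", "url-redirect=" + PORTAL_URL]
    attrs = b"".join(cisco_avpair(f"ip:inacl#{n}={line}") for n, line in enumerate(acl, 1))
    attrs += b"".join(cisco_avpair(e) for e in extra)
    header = struct.pack("!BBH", reply_code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def nas_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> dict:
    """NAS side: verify the Response Authenticator, then extract what to apply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("malformed reply")
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    result = {"accept": code == ACCESS_ACCEPT, "dacl": [], "redirect": None}
    for t, v in parse_attrs(reply[20:]):
        if t == VSA and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == CISCO_AVPAIR:
            key, _, value = v[6:].decode().partition("=")
            if key.startswith("ip:inacl#"):
                result["dacl"].append(value)
            elif key == "url-redirect":
                result["redirect"] = value
    return result

def run_exchange(mac: str) -> dict:
    request, req_auth = nas_access_request(mac)
    return nas_verify_reply(psn_handle(request, SHARED_SECRET), req_auth, SHARED_SECRET)
```

`run_exchange("00:11:AA:BB:CC:DD")` returns only the dACL for the known device; `run_exchange("00:22:BB:CC:DD:EE")` returns the portal URL plus the restrictive ACL for the unknown one. Two points worth noticing: the PSN only accepts the request if the hidden password decrypts to the MAC, so a wrong shared secret on either side turns into an Access-Reject rather than a silent mis-authorization, and the NAS refuses any reply whose Response Authenticator does not verify, which is what stops a forged Access-Accept from an attacker on the management path. On the switch itself, the command the post mentions in short form is, on current IOS, `show authentication sessions interface <if> details`, and it lists the ACL name and redirect URL actually applied to the port.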

Re: WiFi security

Hi Marcia, i'm still there ;)

About the rigour, this platform is OK; that is one thing I also like, and on this point I say bravo to the developers team :) You will need some mandatory information to install it before you start to configure the rules and more .... And one thing: you need to have skills in networking (routing and switching); it is a must; if not, you couldn't do anything with it, trust me. Because for some operations you will need to add configuration to the switches (more) and routers (less), and master the customer environment, or master the infrastructure where you want to deploy this solution. It can bring down your whole infrastructure due to a bad action! At that moment you will need to call on all your R&S, Sec, Wireless and Systems troubleshooting skills :)

Re: WiFi security

I like it because it demands a lot of skills in different areas of IT in order to profit from all its power: NTP, Active Directory, routing, switching, VoIP, wireless, management of server certificates, .... And of course, when you have to implement it in a big infrastructure, trust me, you need more skills than that!

Re: WiFi security

Hi Marcia,

"That was the beginning; it's about to start!!!" :)

OK, what I like about ISE. Perfect!

It is just a box, precisely a Cisco server, a UCS (so CIMC included) with a hypervisor (vSphere, as far as I know) on top and software installed on top of all of it, called Identity Services Engine! This platform/software can operate in different modes (3 precisely): Admin, Monitoring, PSN (Policy Service Node). And there is one other mode, when you want to secure and make flexible your remote VPN connection; in this case we talk about IPN (Inline Posture Node).

Re: WiFi security

Before, Cisco recommended 3 different deployment modes depending on the size of your network (here the number of devices/users to deal with). In the first mode you have two physical boxes; you configure one to be the master in admin mode and backup in monitoring mode, and make it also a PSN.

The second box: backup in admin mode, master in monitoring mode, and make it also a PSN.

We have high availability because, as I said, if you implement this solution on your network for security (authentication, authorization) and you have these boxes down, all your network is down, IMO.

Re: WiFi security

In the first deployment model, you notice that the two boxes work as PSNs, so it depends on the configuration you put on your devices (switches) to specify which is the master and the backup in terms of the PSN function, because all the requests and actions will be handled by the PSN. We will come back to this!

Re: WiFi security

Nice post, good.

Re: WiFi security

Hi everyone,

@NWC Editors, great post. Thanks for bringing up this subject.

I think one of the big mistakes is the bad design of the WLAN; indeed, they don't take the time to work well on this part of the infrastructure, so it becomes the weak portion and the perfect space for hackers, or the point of attack!

Thanks

Re: WiFi security

These kinds of mistakes are reproduced in other areas such as IoT, where we could see someone playing with a car remotely or something like that :) Maybe the technology has a lack of built-in security, or I don't know, maybe the designers/users don't have a good understanding or best practices of this technology.

Re: WiFi security

Good note. I use PureVPN mainly to protect my identity and personal information by encrypting my WiFi connection. Everything I do online is protected with PureVPN.

The Continuing Education Associated with WiFi Security

This was a fantastic piece on WiFi security mistakes. With everyone deploying WiFi, disclaimers to end users for security breaches are not enough.

There is so much information here that I urge everyone to take the time to review it carefully and let it sink in. Because companies in general have no idea what is actually involved with WiFi security, they entrust sysadmins and networking professionals to do so, but do we really understand the best practices?

I admit I don't. How about you? Network Computing does an excellent job of bringing IT professionals up to speed.

Thanks.

IT Pro Advice is Just That .......Pro Advice

Making backups of router settings is another great tip. When you start trying to employ new techniques in security, it is reasonable to expect things might not go as expected, so a backup will be your best friend when things go awry.

It should be the first step you make before employing any changes.