Building blocks for a secure, reliable wireless network

Schneider Electric White Paper

Table of contents

Introduction (page 3)
The benefits of wireless LANs (page 3)
Security concerns and threats of wireless networks (page 4)
Wireless security standards and options (page 5)
Security options at a glance — WEP, WPA, WPA2 (802.11i) (page 6)
Selecting the right wireless network security options (page 7)
Schneider Electric Wireless Performance Solutions (page 9)
References (page 9)

Introduction

Wireless connectivity enables mobility and increases employee productivity with lower capital investments. Unfortunately, it also opens doors for intruders and unwanted visitors to easily access networks if proper precautions and tools are not employed to protect them. Plant managers must be assured that they will see the same level of control and security demonstrated in wired local area networks (LANs), otherwise deploying wireless technology can be a risky business. This White Paper outlines best practices for securing industrial wireless networks and solutions.

The benefits of wireless LANs

Most industries understand the advantages of wireless connectivity and actively deploy wireless solutions for their business requirements, providing connectivity where traditional wired connections are not possible or cost effective. Such environments include manufacturing, oil and gas, petrochemical, and power industries requiring connectivity across plants, offshore locations, or rigs. With wireless mobility solutions, employees can access plant information from any location. For example, a plant manager can access the central database and obtain information about work assignments, material inventory, and resource availability from any location within the plant using a mobile device (such as a PDA).

Wireless connectivity enables easy mobility and reduces the cost of cabling. However, if security issues are not considered in the deployment, wireless connectivity can potentially lead to information leaks and identity theft. To take full advantage of wireless connectivity, it is important that plant managers consider security during the planning and deployment phases of wireless networks. The key issues to consider include user authentication and future expansion of the network.

Fortunately, the wireless industry has also evolved, developing new standards, security solutions for the wireless infrastructure, and protecting today’s industrial plants’ wireless perimeter, whether inside buildings or at remote locations. This allows the enterprise to focus on the business at hand — serving customers and gaining competitive advantage.

Five fundamental steps must be taken to secure an enterprise against wireless threats. An organization must comply with the following:

• Create a wireless security policy

• Secure the enterprise wireless network

• Secure the enterprise wireline (Ethernet) network

• Secure corporate notebooks/handhelds from wireless threats when outside the enterprise

• Educate employees regarding the wireless policy

Security concerns and threats of wireless networks

Despite the benefits that can be realized when a wireless network has been implemented, a number of security concerns have limited their adoption. While the risks of broadcasting unprotected network data to anyone in the vicinity might seem evident, a surprising number of wireless networks are installed without enabling security features. The majority of plants and enterprises have implemented some form of wireless security. Typically, this security only includes basic, first generation features, which offer inadequate protection by today’s standards.

When the first IEEE 802.11 WLAN standards were written, security was nowhere near as big a concern as it is today. In contrast, modern WLAN security methods have been designed to work in a hostile environment, for example, in the air where there are no clear physical or network perimeters. Before looking at how modern WLAN security solutions work, it is worth reviewing the principal threats to wireless networks. These threats are summarized in the following table.

Threat: Eavesdropping (disclosure of data)
Description: Eavesdropping on network transmissions can result in disclosure of confidential data, disclosure of unprotected user credentials, and the potential for identity theft. It also allows sophisticated intruders to eavesdrop into an environment, providing information that can be used to mount an attack on other systems or data that might not otherwise be vulnerable.

Threat: Interception and modification of transmitted data
Description: An attacker inserts a rogue computer to intercept and modify network data communicated between two legitimate parties.

Threat: Spoofing
Description: Ready access to an internal network allows an intruder to falsify legitimate data in ways that would not be possible from outside the network (such as sending a spoofed email message). People, including system administrators, tend to trust items that originate internally far more easily than those items that originate outside the corporate network.

Threat: Denial of service (DoS)
Description: A determined assailant may trigger a DoS attack in a variety of ways. For example, radio-level signal disruption can be triggered using a microwave oven. There are more sophisticated attacks targeting low-level wireless protocols and less sophisticated attacks that target networks by flooding the wireless network with random traffic.

Threat: Free-loading (or resource theft)
Description: An intruder may want nothing more sinister than to use your network as a free point of access to the Internet. However, while not as damaging as some threats, this will at least lower the available level of service for your legitimate users, and may introduce viruses and other threats.

Threat: Accidental threats
Description: Some features of wireless LANs make unintentional threats more real. For example, a legitimate visitor may start up a portable computer with no intention of connecting to your network, but is automatically connected to your wireless network. This could open a potential entry point for viruses onto your network. This kind of threat is only a problem in unsecured wireless networks.

Threat: Rogue WLANs
Description: If a company officially has no wireless devices, it may still be at threat from unmanaged access points on the network. Low-priced hardware can open a company to unintentional network vulnerabilities.

Wireless security standards and options

Wireless networking introduces new challenges to network security. These challenges must be considered, along with manageability and coverage, when selecting a wireless solution. Since multiple access points are required to cover the industrial area, protecting a wireless network involves three major elements:

• Authenticating the person (or device) connecting to the network to determine the identity of that person

• Authorizing the person or device to use the wireless network so access can be controlled

• Protecting the data transmitted on the network so that it is safe from eavesdropping and unauthorized modification


Wired Equivalent Privacy (WEP), part of the IEEE 802.11 wireless networking standard, was intended to provide confidentiality equivalent to that of a traditional wired network. WEP uses the RC4 stream cipher for encryption. Because of certain design flaws (such as a too short initialization vector), WEP was shown to be easily cracked using several open source tools that are available free of charge on the Internet.

In order to address the vulnerabilities of WEP, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) in 2003. The Wi-Fi Alliance is an industry trade group that owns the trademark to the “Wi-Fi” name and certifies devices that carry that trademark. The design of WPA was based on Draft 3 of the IEEE 802.11i standard, which added TKIP to WEP in order to provide better key management, but continued to use the RC4 stream cipher. WPA was designed for use with either Personal or Enterprise modes. WPA-Personal uses pre-shared keys (PSK), in which each user is given the same pass-phrase to gain access to the network. WPA-Enterprise employs IEEE 802.1X authentication. This is a port-based authentication mechanism based on Extensible Authentication Protocol (EAP). EAP provides a framework for various authentication mechanisms.

The following are some common examples:

• EAP-TTLS provides server authentication using digital certificates

• EAP-TLS uses both client- and server-side certificates

• EAP-PEAP is similar to EAP-TTLS using server-side authentication

• EAP-SIM for GSM subscribers uses the GSM SIM for authentication

In 2004, the Wi-Fi Alliance announced WPA2, affirming that it is based on an implementation of the full IEEE 802.11i standard. WPA2 implements the AES-128 block cipher for encryption in place of the RC4 stream cipher and supports 802.1X as an authentication option. Like WPA, WPA2 has two modes: Personal and Enterprise. WPA2-Personal uses pre-shared keys, while WPA2-Enterprise uses 802.1X for authentication.

Security options at a glance — WEP, WPA, WPA2 (802.11i)

[Figure: 802.1X/EAP authentication exchange. Steps as numbered in the figure: (1) Association request; (2) EAP identity request; (3) EAP identity response; (4) EAP identity response; (5) Authorization request; (6) Authorization request; (7) Authorization response; (8) Authorization response; (9) Success message; (10) Success message.]
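The exchange in the figure, as an added Python model that is not from the white paper: it assumes each doubled step is the same message relayed by the access point between the client and the authentication server, and it uses a constructed credential check as a stand-in for a real EAP method, to show why the mechanism is called port-based.

```python
# Added example (not from the white paper): toy model of the port-based 802.1X
# exchange in the figure. Assumption: each doubled step is the same message
# relayed by the access point (authenticator) between client and server. The
# credential check is a constructed stand-in for a real EAP method.
from dataclasses import dataclass, field

@dataclass
class Client:
    mac: str
    identity: str
    proof: str              # whatever the EAP method would send in step 7

@dataclass
class AuthServer:
    accounts: dict          # constructed identity store (would sit behind RADIUS)

    def check(self, identity: str, proof: str) -> bool:
        return self.accounts.get(identity) == proof

@dataclass
class AccessPoint:
    server: AuthServer
    open_ports: set = field(default_factory=set)   # MACs whose controlled port is open

    def run_exchange(self, client: Client):
        """Return (authenticated, message trace) following the figure's numbering."""
        trace = [
            "(1) Association request",       # client -> AP
            "(2) EAP identity request",      # AP -> client
            "(3) EAP identity response",     # client -> AP
            "(4) EAP identity response",     # AP relays identity to server
            "(5) Authorization request",     # server -> AP (challenge)
            "(6) Authorization request",     # AP relays challenge to client
            "(7) Authorization response",    # client -> AP (proof)
            "(8) Authorization response",    # AP relays proof to server
        ]
        if not self.server.check(client.identity, client.proof):
            return False, trace              # no success message; port stays closed
        trace += ["(9) Success message",     # server -> AP
                  "(10) Success message"]    # AP -> client
        self.open_ports.add(client.mac)      # controlled port opens only now
        return True, trace

    def forward(self, mac: str, frame: bytes):
        """Data frames pass only through an opened controlled port; EAP alone
        travels the uncontrolled port, so an unauthenticated client gets nothing."""
        return frame if mac in self.open_ports else None

if __name__ == "__main__":
    ap = AccessPoint(AuthServer({"operator1": "correct-proof"}))   # constructed account
    ok, trace = ap.run_exchange(Client("00:11:22:aa:bb:cc", "operator1", "correct-proof"))
    print(ok, "\n".join(trace))
```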


The table below provides a brief comparison of the available wireless security options:

Security level
• WEP: Less secure
• WPA: Secure
• WPA2: Highly secure

Encryption
• WEP: Open Key, Shared Key
• WPA: TKIP
• WPA2: TKIP, AES

Authentication
• WEP: Open Key
• WPA: EAP over 802.1X
• WPA2: EAP over 802.1X

Key length
• WEP: 64 bit (10 digit key), 128 bit (26 digit key)
• WPA: TKIP
• WPA2: 128 bit (default), 192 bit, 256 bit

Key type
• WEP: Static Key
• WPA: Dynamic Key
• WPA2: Dynamic Key

Application
• WEP: Small home networks
• WPA: Small- to medium-sized environments, local LANs
• WPA2: Defense, government, industrial plants, enterprise

Selecting the right wireless network security options

The following basic steps are recommended to secure a wireless network. Through the proper use of these various approaches, it is possible to strengthen wireless security appreciably and mitigate potential vulnerabilities or exposures of Wi-Fi/wireless technologies.

• Creating VPN links and IPSec (IP Security) protocols: Special additional protocol layers and encryption services allow traffic between a sender and receiver to be further secured while in transit across public or other unsecured network links (such as the Internet). Most experts recommend the use of VPN/IPSec or similar technologies when sensitive data must traverse unsecured links or media.

• Internet Key Exchange (IKE): IKE protocols are often used with VPN or IPSec technologies because they provide a secure means to exchange shared keys across inherently unsecured links. Essentially, IKE comes into play as communication between pairs of devices is negotiated. It provides a mechanism for exchanging highly sensitive data (such as shared keys).

• Stronger encryption keys: WPA2 encryption should be used, if possible. WPA encryption is the next best alternative. Although all WEP implementations are subject to the weaknesses of 24-bit IVs, other stronger protocols are not. These keys are best used in the context of IKE, Kerberos, RADIUS, VPN, and/or IPSec approaches.

• Remote Authentication Dial-In User Server/Service (RADIUS): RADIUS is designed to provide reliable, secure third-party authentication services for all types of remote network access, including wireless access. Environments that use RADIUS can rely on strong authentication from a RADIUS server and secure mechanisms for key exchange between entering workstations and the access point.

• MAC address filtering: This mechanism registers valid media access control (MAC) addresses in use and allows only recognized MAC addresses to establish communication with wireless access points. MAC address filtering is most effective when used in conjunction with the other approaches mentioned in this list.


• Change the default password required to access a wireless device: Default passwords set by the manufacturer are known by crackers. By changing the password, crackers will not be able to access and change network settings.

• Change the default SSID, or network name, and disable SSID broadcast: Crackers know the default names of the different brands of equipment. The use of a default name suggests that the network is not secure. Change the password to make it easier for users to find the correct network. Use a name that will not be associated with the owner to avoid being specifically targeted.

• Disable file and print sharing if it is not needed: This can limit crackers' ability to steal data or commandeer resources in the event that they get past the encryption.

• Cell sizing: Access points should be arranged to provide radio coverage only to the desired area. Any wireless signal that spills outside of the desired area could provide an opportunity for a cracker to access the network without entering the premises. Directional antennas should be used, when possible, at the perimeter, directing their broadcasting inward. Some access points allow the signal strength to be reduced in order to minimize such signal leakage.

• Network segmentation: Divide the wired and wireless portions of the network into different segments with a firewall in between. This can prevent a cracker from accessing a wired network by breaking into the wireless network.

• Detect rogue access points: Implement an overlay wireless intrusion prevention system to monitor the wireless spectrum 24/7 against active attacks and unauthorized devices such as rogue access points.
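One way to turn the checklist above into a repeatable check, as an added Python example that is not from the white paper: it audits a constructed inventory of observed access points for weak security mode (ranked as in the comparison table), default SSIDs, signal spilling past the perimeter, and radios missing from the managed inventory. The ObservedAP fields, the authorized-BSSID list, the sample default-SSID set and the -70 dBm perimeter threshold are all assumptions made for illustration.

```python
# Added example (not from the white paper): audit constructed scan results
# against the checklist. Field layout, authorized list, default-SSID sample
# and the -70 dBm fence threshold are assumptions for illustration.
from dataclasses import dataclass

ORDER = ["OPEN", "WEP", "WPA", "WPA2"]          # weakest to strongest, per the table
RANK = {"OPEN": "unencrypted", "WEP": "less secure", "WPA": "secure", "WPA2": "highly secure"}
DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless"}   # constructed sample

@dataclass
class ObservedAP:
    bssid: str          # radio MAC seen in the beacon
    ssid: str
    security: str       # one of ORDER
    cipher: str         # "", "TKIP" or "AES"
    auth: str           # "OPEN", "PSK" or "802.1X"

def audit(aps, authorized_bssids, perimeter_dbm=None, policy_min="WPA2", fence_dbm=-70):
    """Return (bssid, finding) pairs. perimeter_dbm maps BSSID -> strongest signal
    measured outside the fence line during a site survey (constructed)."""
    authorized = {b.lower() for b in authorized_bssids}
    findings = []
    for ap in aps:
        if ap.bssid.lower() not in authorized:
            # Unmanaged radio; it may even reuse a corporate SSID, as below
            findings.append((ap.bssid, "rogue: BSSID not in the managed inventory"))
            continue
        if ORDER.index(ap.security) < ORDER.index(policy_min):
            findings.append((ap.bssid, f"weak: {ap.security} is {RANK[ap.security]}; policy requires {policy_min}"))
        elif ap.cipher == "TKIP":
            findings.append((ap.bssid, f"weak: {ap.security} running TKIP; prefer AES"))
        if ap.auth == "PSK":
            findings.append((ap.bssid, "note: shared pass-phrase; checklist recommends RADIUS/802.1X"))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append((ap.bssid, "default SSID in use; change it"))
        if perimeter_dbm and perimeter_dbm.get(ap.bssid, -200) > fence_dbm:
            findings.append((ap.bssid, "cell sizing: usable signal outside the perimeter"))
    return findings

# Constructed scan results and site survey for a demo run
SAMPLE_APS = [
    ObservedAP("00:11:22:33:44:55", "plant-ops", "WPA2", "AES", "802.1X"),
    ObservedAP("00:11:22:33:44:66", "linksys", "WEP", "", "PSK"),
    ObservedAP("00:11:22:33:44:77", "plant-guest", "WPA2", "TKIP", "PSK"),
    ObservedAP("66:55:44:33:22:11", "plant-ops", "WPA2", "AES", "PSK"),   # not managed
]
AUTHORIZED = ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"]
SURVEY_DBM = {"00:11:22:33:44:55": -88, "00:11:22:33:44:77": -52}

if __name__ == "__main__":
    for bssid, msg in audit(SAMPLE_APS, AUTHORIZED, SURVEY_DBM):
        print(bssid, msg)
```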

Improving the availability and utilization of assets can have a significant impact on a company’s bottom line. Implementing a scalable and secure wireless system customized for an organization can offer:

• More measurements at lower cost — more measurements, even with a limited budget

• Greater availability of real-time data integration

• Significant cost savings by not having to run wires

• Workforce mobility — connecting human, rolling, and remote assets to applications in the field

• New applications driving bottom line improvements, including Plant Business Optimization and Enterprise Asset Performance Management

• New measurements addressing mandated requirements

• Personnel and equipment safety

• Plant security

Schneider Electric Wireless Performance Solutions

The value of wireless solutions goes beyond the simple cost savings of running wires to provide significant return on investment (ROI) through the life cycle of the applications. Wireless technologies offer a new way to deliver existing functions or new capabilities not possible with currently installed systems. Schneider Electric Wireless Performance Solutions provide value-add enterprise applications through the combination of expert services, proven methodology, and industry-leading technology. Schneider Electric has the expertise to design, implement, and manage a robust wireless solution set, removing the complexity and uncertainty associated with wireless technology while maximizing a company’s ROI.

Schneider Electric provides a variety of enterprise wireless applications that will increase productivity, facilitate asset monitoring, and improve safety and site security. At the core of these applications is an architecture that is designed to handle multiple devices. It supports a multitude of standards and uses a common security model that enables an enterprise to extend applications without losing initial investments.


©2016 Schneider Electric. All Rights Reserved. 998-19681867_GMA-US