Protecting a Wireless LAN? How do I do it?

TKHDebater

I'm taking an Ethics in Technology class and my group has been assigned a project to work on. A hospital's WLAN wasn't protected, someone got access to the files etc... Anyways, my question to you is what could this hospital have done to protect its network? With my limited knowledge I thought of encryption and maybe some VPN setup? Any ideas? Thanks
 

MichaelD

They should've used Wireless Encryption Protocol (WEP). What that does is record the MAC addresses of the wireless cards that are authorized to be on the network and only allow access to those addresses.

Also, physical security is always a factor. I.e., you don't leave your servers sitting out in the middle of the visitor's reception area, but behind locked doors, preferably with a recording camera on the door 24/7 and some type of key card swipe entry system with logging.
 

cmetz

TKHDebater, technologically, IPsec, and treat the entire WLAN as an untrusted network you VPN over. Administratively, hire competent outside security folks to do a vulnerability assessment and document their results. I'm NOT a HIPAA expert, but it would seem to me like from a HIPAA and liability perspective, there's a huge difference between demonstrating good faith by bringing in competent outside security assessors and following up on their suggested improvements.

MichaelD, WEP != MAC filtering. WEP also != security. It raises the bar slightly, that's about it.
 

MichaelD

Originally posted by: cmetz
TKHDebater, technologically, IPsec, and treat the entire WLAN as an untrusted network you VPN over. Administratively, hire competent outside security folks to do a vulnerability assessment and document their results. I'm NOT a HIPAA expert, but it would seem to me like from a HIPAA and liability perspective, there's a huge difference between demonstrating good faith by bringing in competent outside security assessors and following up on their suggested improvements.

MichaelD, WEP != MAC filtering. WEP also != security. It raises the bar slightly, that's about it.

Wow...I didn't think there was that much ELSE to it. I mean, wireless is wireless, AFA the actual transmission goes, right? Once the signal has been allowed in thru MAC filtering, all the usual filters, firewalls and permissions that apply to wired ethernet still apply.

*shrug* I learn everyday that I'm here. :)
 

MichaelD

Originally posted by: TKHDebater
What is IPsec? cmetz, thanks, I hadn't realized all that was possible

IP security. Defined.

I never meant my original reply to be the end-all reply; I know zero compared to cmetz and others...I was just setting the first building block in place....yeah, that's it. :)
 

cmetz

Wired Equivalent Privacy (WEP) actually encrypts the data in the frames over the air, and some of the control frames. It also provides a weak authentication in that frames that don't have the right key won't decrypt right and get through (I don't remember at what level the filtering's done, but I think you can't even get the control frames back and forth that would allow a normal station to send data towards the AP). The problem is that the crypto is done poorly, and thus, it is possible to capture a bunch of ciphertext traffic off the air, do some heavy processing on it, and recover the WEP key. This process takes on the order of days on a significantly used network.

Many of the proposals to increase wireless security are proposals that effectively just change the WEP keys every few hours or so, such that you can't capture enough traffic and do the post-processing necessary before the key's changed and it won't get you in. This still doesn't help protect the content of the traffic, and frankly, it's all around a kluge. It makes it much harder to break WEP, but doesn't fix the fundamental flaws. The main reason these proposals are even being considered is that a lot of the hardware out in the field today does WEP in hardware / firmware, so anything that can be bolted on as a driver update rather than requiring new hardware will be accepted more quickly and readily.

WEP will not really deter someone clueful who wants into your network. WEP will deter someone who is just poking around / wardriving - why spend the effort breaking into a WEP network when you can go down the block and find someone else with WEP turned off?

MAC filtering is a whole different thing. It's very simple -- frames with source address on the ACL are bridged in, and frames that aren't, aren't. This can be defeated by sniffing a working station (easy enough) and spoofing that MAC address (also easy enough). Again, it'll prevent random folks from poking around, but is not security.
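Added example, not part of the thread: one way a defender can notice the MAC spoofing described in the post above is to track the 12-bit 802.11 sequence number each transmitter stamps on its frames, since two radios sharing one address produce interleaved counters that keep jumping. The log format, addresses and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict

SEQ_MODULUS = 4096      # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64    # assumed tolerance for frames the sensor missed
MIN_ANOMALIES = 3       # assumed number of jumps before a MAC is reported

# Constructed sensor output: "<time> <source MAC> <sequence number>".
SAMPLE_LOG = """\
10.001 00:11:22:33:44:55 100
10.004 00:11:22:33:44:55 101
10.006 66:77:88:99:aa:bb 4094
10.009 00:11:22:33:44:55 2900
10.011 66:77:88:99:aa:bb 4095
10.013 00:11:22:33:44:55 102
10.015 66:77:88:99:aa:bb 1
10.018 00:11:22:33:44:55 2901
10.020 00:11:22:33:44:55 103
10.022 66:77:88:99:aa:bb 1
10.025 00:11:22:33:44:55 2902
"""

def parse_log(text):
    """Yield (timestamp, mac, seq) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, seq = line.split()
        yield float(ts), mac.lower(), int(seq)

def find_suspect_macs(frames):
    """Return {mac: jump_count} for MACs whose sequence counter keeps jumping."""
    last_seq = {}
    anomalies = defaultdict(int)
    for _ts, mac, seq in frames:
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MODULUS
            # gap 0 is a retransmission; a small forward gap is a missed frame
            if gap > MAX_FORWARD_GAP:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= MIN_ANOMALIES}

if __name__ == "__main__":
    for mac, count in find_suspect_macs(parse_log(SAMPLE_LOG)).items():
        print(f"{mac}: {count} sequence jumps, possible second transmitter")
```

The second address in the sample wraps from 4095 to 1 and retransmits once, which the modular gap treats as normal, so only the address shared by two counters is reported.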
 

cmetz

TKHDebater, IP Security (IPsec) is an IP-ish-layer encryption/integrity/authentication security solution. It's most commonly seen as a VPN solution using ESP and IKE. Conceptually, it sets up an encrypted and authenticated virtual link using an untrusted IP network as the "link layer". There's not much difference between connecting a client somewhere to your trusted LAN with a VPN over top of the untrusted Big Bad Internet and connecting a client to your trusted LAN with a VPN over top of a privately addressed wireless Internet. And if you set your network up properly, you can have one big fat VPN concentrator that serves clients on both untrusted networks.
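Added example, not part of the thread: if the WLAN is treated as an untrusted network that clients only VPN over, every packet seen on the wireless segment should be IKE or ESP exchanged with the VPN concentrator, and a monitor can flag anything else. The gateway and client addresses and the sample packets are constructed, and accepting UDP 4500 (IPsec NAT traversal) is an assumption beyond what the post mentions.

```python
import ipaddress
import struct

VPN_GATEWAY = ipaddress.ip_address("10.0.0.1")  # assumed concentrator address
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORTS = {500, 4500}  # IKE; 4500 (NAT traversal) is an assumption

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at zero) as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def ports(sport, dport):  # first four bytes of a TCP or UDP header
    return struct.pack("!HH", sport, dport)

# Constructed capture from the wireless segment.
SAMPLE_PACKETS = [
    ipv4("10.0.0.23", "10.0.0.1", PROTO_UDP, ports(500, 500)),    # IKE
    ipv4("10.0.0.23", "10.0.0.1", PROTO_ESP, b"\x00" * 16),       # ESP out
    ipv4("10.0.0.1", "10.0.0.23", PROTO_ESP, b"\x00" * 16),       # ESP back
    ipv4("10.0.0.23", "10.0.0.40", PROTO_TCP, ports(1025, 445)),  # client to client
    ipv4("10.0.0.23", "10.0.0.1", PROTO_TCP, ports(1026, 80)),    # cleartext TCP
    ipv4("10.0.0.23", "10.0.0.1", PROTO_UDP, ports(1027, 53)),    # DNS outside tunnel
]

def classify(packet):
    """Return 'vpn' for IKE/ESP with the gateway, else the reason it is not."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return "not a usable IPv4 header"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    src, dst = (ipaddress.ip_address(packet[o:o + 4]) for o in (12, 16))
    if VPN_GATEWAY not in (src, dst):
        return f"{src} -> {dst} bypasses the VPN gateway"
    if proto == PROTO_ESP:
        return "vpn"
    if proto == PROTO_UDP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        gw_port = dport if dst == VPN_GATEWAY else sport
        return "vpn" if gw_port in IKE_PORTS else f"UDP port {gw_port} is not IKE"
    return f"not ESP or IKE traffic (IP protocol {proto})"

def violations(packets):
    """Return (index, reason) for every packet that is not tunnel traffic."""
    return [(i, why) for i, p in enumerate(packets) if (why := classify(p)) != "vpn"]

if __name__ == "__main__":
    for index, why in violations(SAMPLE_PACKETS):
        print(f"packet {index}: {why}")
```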
 

cmetz

MichaelD, hard-wired Ethernet is more secure than wireless, but not by as big a margin as you'd think. Ethernet jacks are usually all over a building as are plugged-in stations, and visitors have laptops. Few sites are clueful enough to do any authentication on hard-wired Ethernet ports. Guess what can happen next?
 

JackMDS

Being a hospital, and given the importance of file security.

They should buy a proprietary wireless that employs stronger dynamic hardware-based encryption.

Such a system is available at Cisco.
 

MichaelD

Originally posted by: cmetz
MichaelD, hard-wired Ethernet is more secure than wireless, but not by as big a margin as you'd think. Ethernet jacks are usually all over a building as are plugged-in stations, and visitors have laptops. Few sites are clueful enough to do any authentication on hard-wired Ethernet ports. Guess what can happen next?

That's why you only allow machines registered in the Domain to log on to the network. That's also why you have physical security in the building and TRY not to allow visitors unrestricted access to places like empty offices. :)

That's also why you have Group Policies that automatically lock workstations w/password protected screen savers after 5 minutes of non-use and enforce things like Complex Password compliance. :)

Etc, etc. I'm sure you know this...we're just talking....
 

TKHDebater

It's all making sense..... Thanks

Edit: wow, I never realized there was this much, ha... so much I want to learn at some point.
 

cmetz

JackMDS, I believe Cisco's solution is a combination of the faster re-keying and 802.1x. This raises the bar but is not secure.

MichaelD,
>That's why you only allow machines registered in the Domain to logon to the network

Attackers with the right tools (none of which are Windows) will find this quaint. Windows domain access controls are okay for preventing people from getting into Windows file/printer sharing services, but don't do a darn thing for access to the Ethernet and/or IP network. An attacker can still sniff you. And depending on what Windows authentication method you're using, the sniffed traffic may be enough to allow an attacker to gain access. Oh, and if the attacker can get into an IP network with a bunch of Windows hosts, chances are very good he can break into some Windows box (Windows security is well known, and all an attacker needs is to get into one) and use whatever credentials that box has on the file/print servers.

You're right, though, physical security is critical. Without good physical security, technical security becomes moot.
 

MichaelD

CMetz, remind me to not let you anywhere NEAR my little home network. Hahahah! Just kidding. I'm doing a lot of reading and asking a lot of questions (both here and at work) and learning a little more everyday. As you can imagine, the IA folks don't share much of their knowledge very readily...I keep pestering them though. :D

Thanks for sharing your knowledge. :)