Financial-services providers are subject to extensive regulations that govern how customer data must be safeguarded. Regulations like the Gramm-Leach-Bliley Act (GLBA) may be broad and abstract, but its requirements to identify/assess risks and implement/monitor safeguards apply to every kind of network -- including wireless. Other regulations -- notably the Payment Card Industry Data Security Standard (PCI DSS) -- specify explicit requirements for in-scope WLANs, from rogue detection to wireless security encryption. The gory details differ for each regulation, but financial-services organizations can establish a solid foundation for compliance by adopting these best practices to secure wireless networks:
- Know your enemy: To implement reliable safeguards for wireless networking security, you must understand the threats you face. For example, PCI DSS requires every organization that handles card holder data to assess threats posed by unauthorized (rogue) wireless access points (APs), including firms without any WLANs of their own. Start by reviewing wireless security threats to identify those applicable to your business and assess the risks posed to sensitive data (e.g., personally identifiable financial information, card holder data).
- Know yourself: Many safeguards used to mitigate wireless networking security threats depend upon an accurate understanding of network topology (wired and wireless) and the ability to recognize authorized devices. To establish a baseline for WLAN security auditing and enforcement, maintain an inventory of permitted APs and clients, their users and locations, and the security measures that each is expected to use.
- Limit exposure: Regulations like PCI DSS kick into high gear in environments where WLAN use is authorized and traffic passes through a sensitive network segment. Reduce risk by partitioning traffic to limit threat exposure. Specifically, use firewall packet inspection to prevent wireless traffic from entering segments where no access is needed and implement time-synchronized logging to document allowed and blocked wireless traffic. As a rule, segments with wireless access should be treated like a DMZ: default and deny everything, permit only necessary services and destinations.
- Batten down the hatches: Harden all wireless-exposed network infrastructures (e.g., APs, controllers, DNS/DHCP servers) using traditional network security best practices. For example, change factory defaults, set strong administrator passwords, disable unused services, apply patches and penetration-test the result. During this step, address wireless-specific vulnerabilities, such as choosing non-default network names (SSIDs) to deter accidental intrusion and enabling dynamic frequency selection to circumvent RF interference. Also, take steps to deter physical tampering with APs in public areas (e.g., cable removal, reset to default).
- Secure transmissions: Contemporary APs support WPA2 (AES-CCMP) over-the-air encryption -- use it wherever possible. If legacy clients require WPA (TKIP/MIC), use that cipher sparingly, preferably on WLANs (SSIDs) segmented from other users. Avoid WEP encryption; newer regulations no longer permit this long-broken encryption protocol. In addition, use higher-layer encryption (e.g., SSLv3/TLS, IPsec) to selectively protect sensitive application streams and transactions, and don't forget to harden those servers and gateways as well.
- Restrict access: Wireless opens a window for outsider intrusion unless you control access. Choose and implement a strong WLAN authentication method -- preferably WPA2-Enterprise (802.1X) with mutual authentication. If your organization lacks the skills, infrastructure or client-side support for 802.1X, use WPA2-Personal (PSK) with a random passphrase at least 13 characters long and change it regularly. Never rely upon MAC address filters as your only form of access control. If your WLAN offers guest Internet access, segment off and log that traffic to reduce business risk.
- Monitor the air: Many regulations strongly encourage full-time distributed wireless intrusion detection or prevention (WIDS/WIPS), but allow periodic wireless scans at all sites that handle regulated data. The former is far more efficient and effective, especially for large-scale WLANs. No matter which approach you choose, monitor not only for rogue wireless APs, but also for unauthorized clients, misconfigured devices, policy deviations, reconnaissance and attack traffic, and misbehaving clients that connect to each other or external WLANs.
- Be prepared: Monitoring is a means to an end. Develop a process for WLAN incident response. For example, how will you temporarily block a rogue AP? How will you find and physically remove it? Review all scan results, WIDS/WIPS alerts, and traffic logs in a timely manner to assess potential threats. Where practical, tap automated tools like WIPS connectivity traces and quarantine to stop penetration in real-time. Ensure that data gathered by monitoring tools is sufficient for incident response and forensic investigation.
- Defend endpoints: A stolen point-of-sale terminal or a hacked laptop can ride an otherwise authorized, encrypted WLAN connection right into your hardened network. Apply remote access security best practices to insulate wireless endpoints from each other, deter unauthorized use of lost/stolen mobile devices, etc. If your organization implements network access control (NAC), apply integrity checks to wireless-connected devices and use host-based intrusion detection/prevention to deter endpoint misbehavior (e.g., simultaneous connection to wired and wireless networks).
- Assess and improve: Never assume that safeguards work as expected -- your auditors won't. Penetration test wireless-connected networks and devices. Intentionally trigger WIDS/WIPS alerts. Capture and analyze over-the-air traffic. Try to connect unauthorized devices and users from a variety of locations. Record what happens, and then raise the bar by eliminating discovered vulnerabilities. Assessments should be performed at scheduled, randomized intervals to find and fix newly-introduced holes, including newly-discovered attacks that can be mitigated by AP/controller/client security patches.
By taking the time to assess wireless security threats, restrict access, secure transmissions with strong wireless security encryption, and other critical steps, financial firms can get a head-start on meeting auditor expectations.
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices.