S 2.385 Selection of suitable WLAN components

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Head of IT, IT Security Officer

When selecting WLAN devices, it must first be examined whether the devices fit the WLAN security strategy. There are numerous types and device classes of WLAN components. They not only differ in terms of the features they offer, but also in terms of their security mechanisms and ease of use. In addition, they place different requirements on hardware and software components in the operational environment.

Due to the numerous different types of WLAN components, compatibility problems can be expected. The most important criteria for the selection of WLAN components are therefore security and compatibility.

If it has been decided to build a WLAN in an organisation, then a list of requirements should be created which is used to evaluate the products available on the market. The products to be purchased should then be selected based on the evaluation. Based on various requirements for use, it has been shown in practical applications that it may be perfectly sensible to select several types of devices for purchase. The variety of devices should be limited, though, to simplify support. An important criterion when purchasing WLAN components is their compatibility with existing devices.

When purchasing the devices, the data throughput and range should also be considered. Using external antennas, the range of WLAN components can be improved. However, it must be ensured in this case that the increased range does not cause the emissions to radiate into areas in which the WLAN is not intended to be used and should not be used.

When purchasing access points, the following should be checked, among other items,

• how many channels can be set,
• whether the SSID can be set,
• whether the SSID beacon can be deactivated,
• which cryptographic methods are implemented (WEP, WPA, WPA2, and others),
• whether the Open System mode as well as the Shared Key mode can be specified for authentication (the latter is unfortunately not always available by default),
• to what extent EAP methods according to IEEE 802.1X are supported,
• whether administration over secure lines of communication, e.g. SSH or SSL, is possible and insecure protocols such as HTTP or Telnet, for example, can be disabled,
• whether IP and/or MAC address filtering is possible,
• whether ACLs can be set up for access over the WLAN, a connected LAN, or to configure the access points,
• whether a packet filter is already integrated,
• whether additional mechanisms for access control are available (filtering based on various criteria such as the port numbers, applications, URLs, etc.),
• whether tunnel protocols like PPTP or IPsec are supported.

It absolutely must be tested whether the cryptographic methods implemented not only have the same designation as the methods used by the other WLAN components, but also work together correctly.

The correct configuration of the access points is an essential aspect of security. On some access points, wireless configuration directly over the WLAN is possible, which is usually touted by the manufacturers as being convenient. However, such functionality also poses security problems and should therefore not be used. If it is available, it should at least be possible to switch it off (and it should be switched off at all times during operation). Many access points also offer the ability to connect over a serial or USB interface to a management console to enable easy configuration. The management console can then be administered via HTTP or Telnet over the Intranet or Internet. In this case, the remote access must be reasonably secured, for example by securing the communication with SSL or SSH. Remote access over the Internet should generally be examined critically.

Access to the WLAN components for administration purposes should only be possible by authorised persons. For this reason, it should be examined how this access is secured. If access is secured via passwords, then the passwords selected should be as complex as possible (see S 2.11 Provisions governing the use of passwords). It is better, though, to use strong authentication methods for administration accesses (see also S 4.133 Appropriate choice of authentication mechanisms).

Implementation of the necessary security rules on access points is often very complicated. In addition to key management, this includes the necessary settings for the various parameters and options. There are now solutions available for some access points to control them in an organisation over a central server. Unfortunately, only proprietary solutions have been available so far, and they only support the WLAN components of the particular manufacturer.

Since it can take a lot of time and effort until the network administrator has determined the correct configuration, especially for network coupling elements, it should be possible to save the configuration.

The language used in the online help system and documentation of the WLAN components should be formulated so that future users and administrators will be able to understand the technical descriptions.

Interoperation with the corresponding infrastructure

When purchasing, all WLAN components should be checked to determine if they operate correctly with the corresponding infrastructure. This includes checking the following, for example:

• The authentication method used in the WLAN must be supported by the clients and access points as well as by the authentication server.
• If authentication according to IEEE 802.1X is performed in the WLAN, then the access points must support the EAP authentication method and process the information transmitted in the IEEE 802.1X specification correctly.
• It must be examined whether the authentication server can be operated without its own separate database for user authentication and whether it can pass the authentication requests to a central user database using secure querying methods instead.

When purchasing a larger WLAN installation, the corresponding tests must be performed before actually purchasing. The degree of fulfilment of the technical requirements can be evaluated with the help of a test catalogue. These tests make it easier later on to actually install the WLAN and obtain approval.

Review questions:

• When selecting WLAN devices, was it ensured that they fit the WLAN security strategy and that they are compatible with the hardware and software components in the operational environment?
• Was a list of requirements created for the WLAN components?
• When using WLAN with an increased range, was it ensured that the emissions do not radiate into areas in which the WLAN is not intended to be used and should not be used?
• When using cryptographic methods, is it ensured that their designation is the same across the organisation and that they work together correctly?
• If wireless configuration of an access point directly over the WLAN is possible, can this configuration be switched off and is it switched off at all times during operation?
• Has it been ensured that only authorised persons have administrator access to WLAN components and that the passwords used for login are as complex as possible?
• Has the correct configuration of the network coupling elements been saved and backed up?
• Is the online help system and documentation of the WLAN components easy to understand?
• Before actually purchasing WLAN components, are corresponding tests performed and is a test catalogue prepared for evaluation of the degree of fulfilment of the technical requirements?