S 2.386 Careful planning of necessary WLAN migration steps
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Due to the rapid development of WLAN technology, migration from an existing installation to new protocols, technologies, or products can seldom be avoided. In general, there are two different types of migration:
- Migration of the transmission technology (e.g. from IEEE 802.11g to IEEE 802.11h)
- Migration of the WLAN security mechanisms (e.g. from WEP to WPA-PSK or IEEE 802.11i with IEEE 802.1X)
In the first case, the entire planning process for a WLAN must be carried out, from the assessment of the risk to the selection of suitable security safeguards.
In the second case, it may be necessary to temporarily operate different security systems in parallel and to extend the configurations of the access points, the distribution system, and the connection point to the WLAN. Where necessary, the use of WLAN components or WLAN areas not yet migrated must be reduced to a minimum by means of corresponding technical and organisational specifications. For example, it may be necessary to prohibit access to sensitive data from components not yet migrated, or to separate the WLAN area not yet migrated from the rest of the WLAN and LAN using an additional DMZ.
If it is necessary to operate two different security mechanisms in parallel, e.g. WPA-PSK or WPA2-PSK and WEP, then the following points must be considered:
- The duration of parallel operation should be kept as short as possible.
- If WEP and pre-shared keys are used simultaneously, then particular care must be taken to ensure that the keys are changed often (at least daily) and that only complex passwords are used (see S 2.388 Appropriate key management for WLAN).
- Access points must permit the operation of both mechanisms at the same time during the migration phase. Access points that support a maximum of WEP must be replaced as quickly as possible and removed from the WLAN.
- WLAN clients that only support WEP (e.g. a printer or a PDA) should only be switched on when they are needed. They should be replaced by clients that support WPA2 as quickly as possible.
- WLAN components such as WLAN printers should be configured over the console port of the component rather than over the wireless interface; where the component allows it, configuration over the wireless interface should be disabled.
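The points above for parallel operation can be checked mechanically against a device inventory during the migration phase. The following script is an added example and not part of the BSI catalogue text: it encodes the listed checks (WEP-only hardware, APs running WEP without the target mechanism alongside it, key age beyond one day, printers configured over the air, parallel operation running too long) and applies them to a small constructed inventory. The device names, capabilities, timestamps, the record layout and the 30-day limit for parallel operation are all assumptions made for the example.

```python
"""Migration audit over a constructed WLAN inventory (added example, not BSI text)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Security mechanisms ordered from weakest to strongest.
MECHANISMS = ["WEP", "WPA-PSK", "WPA2-PSK", "WPA2-802.1X"]
MAX_KEY_AGE = timedelta(hours=24)   # WEP keys / pre-shared keys changed at least daily
MAX_PARALLEL_DAYS = 30              # assumed organisational limit for parallel operation


@dataclass
class Component:
    name: str
    kind: str                               # "ap", "client" or "printer"
    supported: List[str]                    # mechanisms the device can run
    active: List[str]                       # mechanisms currently enabled
    key_set_at: Optional[datetime] = None   # last WEP key / PSK change, if known
    configured_via: str = "console"         # "console" or "wireless"


@dataclass
class Finding:
    component: str
    issue: str


def strongest(mechanisms: List[str]) -> str:
    """Return the strongest mechanism in the list according to MECHANISMS order."""
    return max(mechanisms, key=MECHANISMS.index)


def audit(components: List[Component], now: datetime,
          migration_started: datetime) -> List[Finding]:
    findings: List[Finding] = []
    for c in components:
        best = strongest(c.supported)
        if best == "WEP":
            # WEP-only hardware: APs are replaced and removed, clients used only when needed.
            if c.kind == "ap":
                findings.append(Finding(c.name, "supports WEP only: replace and remove from WLAN"))
            else:
                findings.append(Finding(c.name, "supports WEP only: switch on only when needed, replace soon"))
        elif c.kind == "ap" and set(c.active) == {"WEP"}:
            # An AP that could run a stronger mechanism must offer it alongside WEP during migration.
            findings.append(Finding(c.name, f"runs WEP alone: enable {best} in parallel"))
        # Key hygiene: WEP keys and pre-shared keys are rotated at least daily.
        uses_shared_key = any(m == "WEP" or m.endswith("-PSK") for m in c.active)
        if uses_shared_key and c.key_set_at is not None and now - c.key_set_at > MAX_KEY_AGE:
            findings.append(Finding(c.name, "WEP/PSK key older than 24 h"))
        # Printers and similar components are configured over the console port, not over the air.
        if c.kind == "printer" and c.configured_via == "wireless":
            findings.append(Finding(c.name, "configured over the wireless interface: use console port"))
    # Parallel operation of two mechanisms should be kept as short as possible.
    parallel = any("WEP" in c.active and len(c.active) > 1 for c in components)
    if parallel and (now - migration_started).days > MAX_PARALLEL_DAYS:
        findings.append(Finding("WLAN", f"parallel operation exceeds {MAX_PARALLEL_DAYS} days"))
    return findings


# Constructed sample inventory; none of these are real devices.
NOW = datetime(2024, 5, 10, 12, 0)
MIGRATION_STARTED = datetime(2024, 4, 1)
SAMPLE_INVENTORY = [
    Component("ap-01", "ap", ["WEP", "WPA2-PSK", "WPA2-802.1X"], ["WEP", "WPA2-PSK"],
              key_set_at=NOW - timedelta(hours=2)),
    Component("ap-02", "ap", ["WEP"], ["WEP"], key_set_at=NOW - timedelta(days=3)),
    Component("ap-03", "ap", ["WEP", "WPA2-PSK"], ["WEP"], key_set_at=NOW - timedelta(hours=1)),
    Component("printer-01", "printer", ["WEP"], ["WEP"], key_set_at=NOW - timedelta(hours=1),
              configured_via="wireless"),
    Component("laptop-07", "client", ["WEP", "WPA2-PSK", "WPA2-802.1X"], ["WPA2-PSK"]),
]


def run_sample() -> List[Finding]:
    """Audit the constructed inventory; used by the usage block below."""
    return audit(SAMPLE_INVENTORY, NOW, MIGRATION_STARTED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.component:12} {f.issue}")
```

Run as a script, it lists one line per finding; an empty list means every device either has completed migration or is in a state the safeguard tolerates. The inventory format is deliberately simple so that it can be filled from whatever asset register or controller export the organisation actually has.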
In all cases, each of the migration steps must be planned carefully. The migration should also be used to consolidate an expanded WLAN infrastructure, and the WLAN administrators and WLAN users should receive additional training. If the login procedure for the WLAN users changes due to the introduction of new WLAN authentication mechanisms, then the users must also receive additional training. Furthermore, the WLAN user policy should be adapted to reflect the new procedures.
Review questions:
- Is the entire planning process for a WLAN carried out during migration of the transmission technology?
- Is the use of the WLAN components or WLAN areas not yet migrated reduced to a minimum during migration of the WLAN security mechanisms?
- Are appropriate safeguards implemented in case of parallel operation of two WLAN security mechanisms?
- Is the expanded WLAN infrastructure consolidated and do the WLAN administrators and WLAN users receive additional training in case of a migration?
- Is the WLAN user policy adapted to reflect the new procedures in case of a migration?