S 4.295 Secure configuration of WLAN clients
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User, Administrator
In order to enable secure operation of a WLAN, all clients connected to the network must be configured securely. Suitable security recommendations for clients are described in the modules of layer 3 (IT systems). In addition, the following WLAN-specific security safeguards should be taken:
- The default settings for SSIDs, cryptographic keys, and passwords must be changed directly after initial operation. Passwords should be selected in such a way that they are difficult to guess.
- The ad-hoc mode should be disabled so that clients can only communicate using an access point and not directly with each other.
- Data requiring protection on mobile terminal devices should be encrypted. There are numerous hardware- and software-based products for this purpose which allow encryption of individual files, certain areas, or the entire hard disk so that only those persons possessing proper access authorisation are able to decrypt the data.
- The WLAN interfaces of clients should be disabled as a matter of principle as long as they are not actually in use. In particular, they should always be disabled when the clients are logged in to a cable-bound LAN. Access from a client to the internal LAN using the usual internal connections should only be possible when there is no other activity on the WLAN. Otherwise, this provides an attacker with a chance to access any existing (and authenticated) connections in the internal network using the WLAN interface.
- When establishing VPN connections, various security precautions should be taken on the client. For example, it should be impossible to use another communication interface in parallel to a VPN connection, so that the security of the VPN connection, which the user assumes to be secure, is not undermined via insecure channels. In addition, it is recommended not only to require a certain minimum set of security safeguards to be implemented on the clients, but also to test them before granting access via the VPN. For this, it is recommended to use tools that check whether the security policies are being followed on the clients before the server permits any further communication.
- It must be checked regularly whether all security-relevant updates and patches have been installed. It may be difficult to install a large software update on the WLAN clients over the WLAN, since the available bandwidth in the WLAN is much lower than that available in a cable-based LAN. Because a WLAN is a shared medium, the installation of updates will not only take much longer, but may also slow down the WLAN to an extent that users notice. If possible, a client should therefore be connected to a cable-based LAN when installing large software updates. In addition, the transmission of software updates over the wireless interface can be assigned a lower priority, provided that the resulting longer installation times are acceptable. This way, the other WLAN applications are no longer significantly hindered by the software update.
It should be checked regularly that security-relevant settings have not been changed.
There must be clear rules specifying whether and, if so, under which general conditions WLAN clients are permitted to log in to external networks (see S 4.251 Working with external IT systems), especially when the clients have access to the production environment or are used to store confidential information.
WLAN clients should never be operated in insecure environments such as public hotspots or WLANs secured only with WEP. WLAN clients processing data with high protection requirements may only be used in WLANs operated under the complete control of the organisation and may only be operated when securely configured. Their use in other WLANs must be prohibited.
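The client-side rules above (ad-hoc mode, WLAN interface disabled on the wired LAN, no parallel interface during a VPN session, encryption of stored data, no WEP or open profiles) and the periodic check that settings have not been changed can be turned into an automated posture check. The following is an added example, not part of the BSI text: the client state is a constructed sample and its field names are assumptions about what an inventory or endpoint agent would report.

```python
"""Posture check of one WLAN client against the S 4.295 rules (added example)."""
import hashlib
import json

# Constructed sample: one client's WLAN-relevant settings as an agent might report them.
SAMPLE_CLIENT = {
    "adhoc_mode_enabled": True,
    "wlan_interface_up": True,
    "wired_link_up": True,
    "vpn_active": True,
    "active_interfaces": ["wlan0", "eth0"],   # interfaces carrying traffic while the VPN is up
    "disk_encryption": False,
    "saved_profiles": [
        {"ssid": "default", "security": "WEP"},
        {"ssid": "corp-wlan", "security": "WPA2-Enterprise"},
        {"ssid": "cafe-free", "security": "open"},
    ],
}

INSECURE_SECURITY = ("WEP", "OPEN", "NONE")


def check_client(state):
    """Return the list of rule violations found; an empty list means compliant."""
    findings = []
    if state["adhoc_mode_enabled"]:
        findings.append("ad-hoc mode enabled: clients must only communicate via an access point")
    if state["wlan_interface_up"] and state["wired_link_up"]:
        findings.append("WLAN interface up while the client is connected to the cable-bound LAN")
    if state["vpn_active"] and len(state["active_interfaces"]) > 1:
        findings.append("another communication interface is in use in parallel to the VPN")
    if not state["disk_encryption"]:
        findings.append("data on the mobile device is not encrypted")
    for profile in state["saved_profiles"]:
        if profile["security"].upper() in INSECURE_SECURITY:
            findings.append(f"profile {profile['ssid']!r} uses insecure security {profile['security']!r}")
    return findings


def settings_fingerprint(state):
    """Stable hash over the security-relevant settings only; compare it with a stored
    baseline at each regular check to detect that settings have been changed."""
    relevant = {k: state[k] for k in ("adhoc_mode_enabled", "disk_encryption", "saved_profiles")}
    return hashlib.sha256(json.dumps(relevant, sort_keys=True).encode()).hexdigest()


if __name__ == "__main__":
    for finding in check_client(SAMPLE_CLIENT):
        print("FINDING:", finding)
    print("settings fingerprint:", settings_fingerprint(SAMPLE_CLIENT))
```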
All users of WLAN components should be informed of the potential risks and problems involved in their use as well as of their advantages, but also of the limits of the security safeguards implemented. All users must be familiar with the security policy for WLAN usage (see S 2.382 Drawing up a security policy for the use of WLAN). Access to an internal WLAN should only be granted to persons who agreed in writing to the terms and conditions of use contained in the WLAN security policy beforehand.
Review questions:
- Has the ad-hoc mode been switched off generally on the WLAN clients?
- Are data requiring protection encrypted on mobile end devices?
- Are the WLAN interfaces only activated when they are actually needed?
- Has it been ensured that no other communication interfaces may be used in parallel when a VPN connection has been established?
- Are the WLAN clients provided with all security-relevant updates and patches at regular intervals?
- Is it checked regularly that all security-relevant settings have not been modified on the WLAN clients?
- Is there a provision governing the connection of WLAN clients to third party access points and networks?
- In the event of high protection requirements regarding confidentiality: Is there a rule regarding the exclusive connection of WLAN clients to access points and networks controlled completely by the organisation?