S 5.141 Regular security checks of WLANs

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

A WLAN security check should be performed regularly, but at least once per month.

WLANs should be checked regularly with WLAN analysers and network sniffers to see if there are any security gaps such as weak passwords, inadequate encryption, or an enabled SSID broadcast. The check should also look for WLANs installed without authorisation.

Network analysis programs

Specific tools for monitoring and analysing the quality of service and level of security are helpful not only in WLANs, but also in other networks. For secure operation of a WLAN, it is particularly important to check the extent to which the prescribed security policies are being followed and the overall availability of the WLAN. The latter also includes performance measurements and error analyses. Tools providing a list of all active WLAN subscribers and of any subscribers recognised recently are also helpful.

Network analysis or sniffer programs read data streams and examine the data packets transmitted for different, variable criteria. For example, such a program can search for certain patterns in the data packets or evaluate routing information.

Network analysis tools should be used regularly to

Monitoring the WLAN infrastructure

The simplest way to monitor the WLAN infrastructure is to perform a spot check of a location using a WLAN client equipped with special software. Access points installed and operated without authorisation can be detected this way.
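The spot check described above, together with the gaps named at the start of this safeguard (inadequate encryption, enabled SSID broadcast, WLANs installed without authorisation), can be evaluated automatically against an inventory of authorised access points. The following is an added example and not part of the original safeguard text; the inventory, the scan data, the CSV column layout and the finding names are all constructed assumptions.

```python
import csv
import io

# Constructed inventory of authorised access points (assumed policy values).
INVENTORY = {
    "02:00:00:aa:00:01": {"ssid": "corp-wlan", "encryption": "WPA2-Enterprise"},
    "02:00:00:aa:00:02": {"ssid": "corp-wlan", "encryption": "WPA2-Enterprise"},
    "02:00:00:aa:00:03": {"ssid": "corp-wlan", "encryption": "WPA2-Enterprise"},
}

# Constructed spot-check results; the column layout is an assumption,
# not the export format of any particular WLAN analyser.
SCAN_CSV = """bssid,ssid,channel,encryption,ssid_broadcast
02:00:00:AA:00:01,corp-wlan,1,WPA2-Enterprise,no
02:00:00:aa:00:02,corp-wlan,6,WEP,yes
02:00:00:bb:00:09,corp-wlan,11,OPEN,yes
02:00:00:cc:00:07,printer-setup,6,OPEN,yes
"""


def check_scan(scan_csv, inventory):
    """Compare one scan with the inventory; return sorted (bssid, finding) tuples."""
    findings, seen = set(), set()
    known_ssids = {ap["ssid"] for ap in inventory.values()}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().lower()
        seen.add(bssid)
        ap = inventory.get(bssid)
        if ap is None:
            # Unknown device: installed without authorisation, or a neighbouring WLAN.
            own = row["ssid"] in known_ssids
            findings.add((bssid, "not-in-inventory-own-ssid" if own else "not-in-inventory"))
            continue
        if row["encryption"] != ap["encryption"]:
            findings.add((bssid, "encryption-deviates"))
        if row["ssid_broadcast"].strip().lower() == "yes":
            findings.add((bssid, "ssid-broadcast-enabled"))
    # Authorised access points missing from the scan point to an availability problem.
    for bssid in inventory.keys() - seen:
        findings.add((bssid, "not-seen"))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, finding in check_scan(SCAN_CSV, INVENTORY):
        print(f"{bssid}  {finding}")
```

Each finding is a deviation from the target state that still has to be examined and documented; an unknown BSSID may simply belong to a neighbouring network.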

Better control can be obtained using a WLAN management system that can be used in order to perform the following activities at regular intervals:

Use of a wireless intrusion detection system

When planning an access-point-based wireless intrusion detection system (IDS), it must first be specified whether a separate measurement infrastructure will be built or whether the access points and WLAN clients in the live network will be switched to a measurement mode at certain intervals. If it is impossible to take measurements everywhere in the coverage area to be monitored, attacks in the WLAN at the wireless level cannot be detected. Furthermore, it must be taken into account that an access point or WLAN client cannot transmit data when in the measurement mode, and therefore a reduction in the performance, and possibly the availability, of WLAN data transmissions may need to be accepted. Likewise, a small window of vulnerability always remains open when using the access points belonging to the live network in the scan mode, and it is impossible to monitor the wireless interface when scanning.

Whenever an intrusion detection system or even an intrusion prevention system (IPS) is used, the normal communication patterns in the WLAN must be determined or defined based on measurements (see also S 5.71 Intrusion detection and intrusion response systems).

Alert and error handling

The WLAN administration should provide alert and error handling procedures. The following tasks must be performed by the administrators in this regard:

Penetration testing

In the course of a security check, a WLAN can also be examined for vulnerabilities with the help of penetration tests. In this case, all security safeguards taken must be tested exactly to determine if they are able to defend against the attacks they are supposed to counteract. A penetration test should be conducted at least every six months, but no less than once per year.

Documentation

When conducting the security check, the administrators should document all steps taken so that they can be reproduced at a later date (for example when it is suspected that a system has been compromised). The results of the security check must be documented, and deviations from the target state must be examined.

Review questions: