Decades ago, your network was a collection of routers, firewalls, switches, wall ports, and what seemed like a million miles of cable. The only way for your employees and guests to access it was to be seated near a port and get plugged in. It was a pretty straightforward proposition but didn’t allow much in the way of mobility or convenience. But hey, it was all we had. As a young admin I used to dread seeing a calendar invitation for a 20-person meeting because I knew it meant setting up the “snake farm” in the boardroom so that every person could bring their laptop. It was nearly always a mess.
At the turn of the century we saw some of the first devices using the IEEE LAN/MAN Standards. We know these standards collectively as IEEE 802 and they changed the face of corporate (and home) networking forever. Our admin pool thought it was a miracle as we brought those first access points online and fitted laptops with PCMCIA 802.11b cards. Sure it was all in the clear, and sitting too close to a cordless phone would cause problems, but we were too excited to care.
What is CIS Critical Security Control 15?
As we detour off of Memory Lane, we now know that wireless access is ubiquitous and even expected in the enterprise. Access is no longer limited to a few lucky executives as now nearly all of your workforce need to be mobile, both in the office as well as on the go. With all these emails, documents, logins, and the like being transmitted around us, we turn our attention to securing this sensitive data. Here at Rapid7 we rely on the Critical Security Controls to guide us, and in the case of Wireless Access Control, we look to CSC 15. The Control itself reads:
“The process and tools used to track, control, prevent and correct the security use of wireless local area networks (LANs), access points and wireless client systems.”
How can you implement CIS Control 15?
It seems pretty straightforward, right? Control your access. But like with so many straightforward things, the devil is in the details. While there are a multitude of ways to reduce and control access to your wireless network, we’ll look at some simple steps that are often overlooked.
Do not broadcast your SSID. Seriously, turn off broadcast. While it’s not foolproof, it will stop most casual “curious types” from trying to have a peek.
Deploy TLS certificates on your main/secure networks. This takes a little extra effort to set up but is far superior because the end-user devices will need the TLS certificate, which you control. This also helps with the threat of rogue access points being set up with the same name.
Use WPA2-Enterprise. This forces per-user authentication via RADIUS. Again, it’s more involved than setting a shared WPA2 passphrase but far more secure.
Adjust and limit your radio broadcast levels. Some access points are very powerful and may well broadcast outside of your building. With simple testing you can tweak these levels so that coverage ends as close to your building’s perimeter as possible.
Perform wireless (RF) site assessments. These can be performed by professional services organizations or by running some readily available tools on your own. Performing these types of assessments can help identify rogue wireless devices on your network and verify that the controls you currently have in place limiting wireless to authorized access points are functioning appropriately.
Create a guest network. It’s alarming how many companies don’t do this. Having a segmented, bandwidth-limited guest network that does not have access to any of your critical resources will allow your vendors and visitors to get to their emails and VPNs without giving them the keys to the kingdom.
Monitor. Keeping an eye on (and logging) who is connected to what networks will help in the event of an incident. You know who is in your house, right? This is no different.
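As an added example (not part of Rapid7's post), here is a small Python check that turns the site-assessment and monitoring steps above into something repeatable: it compares a survey capture against an inventory of the access points you actually deployed and flags same-name rogue APs, authorized APs that have drifted away from WPA2-Enterprise, and any other unlisted radio. The inventory, BSSIDs and survey lines are all constructed for illustration.

```python
"""Compare a wireless site survey against an authorized AP inventory.
Added example, not Rapid7's code; all data below is constructed. It flags
unknown radios advertising your SSID (the same-name rogue AP case), authorized
APs whose security mode drifted from policy, and any other unlisted radio."""

# Constructed inventory: BSSID -> (expected SSID, expected security mode).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:10": ("CorpGuest", "WPA2-PSK"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
# Constructed survey capture, one "ssid,bssid,channel,security" line per radio.
SAMPLE_SURVEY = """
CorpNet,00:11:22:33:44:01,36,WPA2-Enterprise
CorpNet,00:11:22:33:44:02,1,WPA2-PSK
CorpGuest,00:11:22:33:44:10,6,WPA2-PSK
CorpNet,DE:AD:BE:EF:00:01,11,OPEN
CoffeeShop,AA:BB:CC:DD:EE:FF,6,WPA2-PSK
"""

def parse_survey(text):
    """Return (ssid, bssid, channel, security) tuples, BSSIDs lowercased."""
    rows = []
    for line in text.strip().splitlines():
        ssid, bssid, channel, security = (f.strip() for f in line.split(","))
        rows.append((ssid, bssid.lower(), int(channel), security))
    return rows

def assess(rows):
    """Return (severity, bssid, reason) findings, one per policy violation."""
    findings = []
    for ssid, bssid, _channel, security in rows:
        if bssid not in AUTHORIZED:
            if ssid in CORPORATE_SSIDS:  # same-name AP you did not deploy
                findings.append(("HIGH", bssid, f"unknown AP advertising {ssid!r}"))
            else:                        # neighbour or rogue: needs a human look
                findings.append(("INFO", bssid, f"unlisted AP {ssid!r}"))
            continue
        exp_ssid, exp_sec = AUTHORIZED[bssid]
        if ssid != exp_ssid:
            findings.append(("MEDIUM", bssid, f"advertising {ssid!r}, expected {exp_ssid!r}"))
        if security != exp_sec:          # e.g. an AP silently fell back to PSK
            findings.append(("HIGH", bssid, f"{security} does not match policy {exp_sec}"))
    return findings

if __name__ == "__main__":
    for sev, bssid, reason in assess(parse_survey(SAMPLE_SURVEY)):
        print(f"{sev:6} {bssid}  {reason}")
```

Feed it the export of whatever survey tool you use, and keep the inventory in version control so a diff shows you when an AP was added without going through change management.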
Wireless access is a convenient, and perhaps even mandatory, component of your overall network. The protection of this component should be an elevated and discrete part of any mature security plan. Knowing who is connected and from where is key. It’s not like there is a cable to chase down.
Ready to get started? We assist many organizations of different sizes and industries in how to mature their security programs.
Like what you see? Check out our next post in this series, “Critical Control 16: Account Monitoring and Control (Ain’t Nobody Got Time for That!).”