WLAN Best Practices Webinar Series: Physical Security and the WLAN
You may not see physical security as much of an issue for a WLAN. But here are some key concerns to plan for in policies and audits.
One aspect of wireless security that often gets overlooked is physical security, especially if an incident of this nature has never hit you. But physical WLAN security matters greatly and lacking it can cause several issues. Fortunately, you can create policies that prevent or address common threats by considering these threats and what's at stake.
Here’s a look at why WLANs have different security needs and the top five physical security concerns for wireless setups:
Why is a WLAN unique when it comes to physical security?
Numerous exposed devices are part of a given WLAN or interact with it. Consider the fact that many access points (APs) are placed around the area, there is plenty of mobile equipment connecting to the network, and many new smart devices are introduced all the time, many of which are easy to steal. Wireless is essentially an unbounded medium, so it's more difficult to physically secure than traditional wired networking.
Another challenge is that all WLANs are different, so the design approach is unique based on varying performance requirements and security needs. Thus, one network could be more vulnerable than another, and a threat could therefore cause far more significant damage to one vs. another.
For example, a hotel guest Wi-Fi network will have much different security needs than a Wall Street trading floor or a production facility that relies on Wi-Fi for putting out tons of product. Environments vary tremendously.
Regardless of the differences, physical security for the WLAN should be part of every organization’s overall security approach, just like Wi-Fi is part of the overall network environment. Operational policies should consider and address the physical security of WLAN assets.
Concerns for the physical security of WLANs
Let’s take a high-level, general look at some WLAN physical security concerns. These examples don’t cover everything that could go wrong, but they’ll help you start brainstorming and preparing:
1. An AP goes missing
When an access point is stolen or otherwise goes missing, the level of risk to an organization depends on a few factors. For some small businesses, a single AP may represent the entire network. If it disappears, so does all of that connectivity and operational capability. But in an enterprise, perhaps there’s just a coverage gap for some services when an AP is gone. And additional problems and threats will depend on what kind of AP disappears and what configuration information, such as network access credentials, is stored on it and could be accessed by individuals with bad intent.
So, depending on what APs represent for a network and how they’re configured, a missing AP can matter a great deal — not to mention the cost of replacing the equipment.
2. Environmental damage
Environmental concerns aren’t always security issues, but there are some significant parallels between them.
For example, if an organization puts APs in places where they’re likely to be physically damaged, it can also spell security trouble for the network. You may have seen an AP sitting on the desk in a hotel room, just waiting for someone to try to tamper with it. Improper placement increases the odds that that's precisely what will happen.
Another concern is using the wrong AP for a situation and setting; a great example is when someone puts an indoor AP outside of a building. Even if the device seems protected from the elements (with an overhang, for example), doing this is just asking for trouble — in terms of physical damage and security risks.
Of course, sometimes you can’t evade bad luck, even after diligently working to keep hardware safe. For example, there could be a water pipe leak or power issue that ends up damaging APs in the network. Nevertheless, remember that there are enclosures you can use to protect against physical, solar, or temperature damage. For outdoor APs, you also may need to worry about lightning and electrical damage.
3. An uplink port is exposed
If an AP is stolen or otherwise removed, a live network port is now sitting there. But again, the possible threat varies because WLANs are different.
There are a few pertinent questions in this situation. Is the port an access port? Is it just on a management Virtual Local Area Network (VLAN) that doesn’t have access to anything beyond itself? Is a Dynamic Host Configuration Protocol (DHCP) server handing out addresses on it? The answers to these and other questions determine what hackers can do, see, and learn.
If it's a trunk port, there might be several VLANs going into a given AP, and each one of those can lead to all kinds of places in the network. If the network is flat and everything is on one VLAN, then that port could be everything. Hackers could get to routers, cameras, network storage, and more. Depending on the equipment and configuration, there are many potential risks to consider.
It’s wise to put 802.1X on wired ports and to alert on unrecognized LAN devices so they’re flagged as soon as they appear. And fundamentally, it’s crucial to understand that the level of sophistication of the network and the associated policies, configurations, and security tolerances will all be important factors when an uplink port is exposed.
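One way to turn that port-level policy into a routine check, as an added example that is not part of the webinar or of the 7SIGNAL platform: a small audit that compares an AP inventory with what the switches currently report on AP-designated ports, flagging an AP that has gone missing (section 1) and an unknown device plugged into an AP uplink (this section). The switch names, port names and MAC addresses below are constructed.

```python
# Added example (not from the 7SIGNAL post): audit AP uplink ports against an
# AP inventory. The inventory and the MAC-table snapshot are constructed data.
from dataclasses import dataclass

# Constructed AP inventory: which AP MAC is expected on which switch port.
AP_INVENTORY = {
    ("sw-lobby-1", "Gi1/0/12"): "00:11:22:aa:bb:01",  # AP-Lobby
    ("sw-lobby-1", "Gi1/0/13"): "00:11:22:aa:bb:02",  # AP-Cafe
    ("sw-floor2-1", "Gi1/0/5"): "00:11:22:aa:bb:03",  # AP-Floor2-East
}

# Constructed snapshot of what the switches currently see on those ports
# (e.g. exported from the switches' MAC address tables).
MAC_TABLE_SNAPSHOT = [
    ("sw-lobby-1", "Gi1/0/12", "00:11:22:aa:bb:01"),  # AP still present
    ("sw-lobby-1", "Gi1/0/13", "3c:4d:5e:00:00:99"),  # unknown device on AP port
    # sw-floor2-1 Gi1/0/5 reports nothing: AP gone, live port sitting idle
]


@dataclass(frozen=True)
class Finding:
    severity: str
    switch: str
    port: str
    detail: str


def audit_ap_ports(inventory, mac_table):
    """Compare the expected AP MAC per port with what the switches report.

    A missing AP (possible theft or outage, port now exposed) is reported as
    'high'; a MAC that is not the inventoried AP on an AP-designated port
    (possible replacement by an unauthorised device) is reported as 'critical'.
    """
    seen = {}
    for switch, port, mac in mac_table:
        seen.setdefault((switch, port), set()).add(mac.lower())
    findings = []
    for (switch, port), ap_mac in inventory.items():
        macs = seen.get((switch, port), set())
        if ap_mac.lower() not in macs:
            findings.append(Finding("high", switch, port,
                            f"expected AP {ap_mac} not seen; port may be exposed"))
        for mac in sorted(macs - {ap_mac.lower()}):
            findings.append(Finding("critical", switch, port,
                            f"unknown device {mac} on AP uplink port"))
    return findings


if __name__ == "__main__":
    for f in audit_ap_ports(AP_INVENTORY, MAC_TABLE_SNAPSHOT):
        print(f"[{f.severity}] {f.switch} {f.port}: {f.detail}")
```

Run on a schedule, the findings feed the alerting the text recommends; the inventory is the same one a physical security audit should be keeping current.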
4. Signal is where it shouldn’t be
There could be risks associated with a Wi-Fi signal that goes where it shouldn’t. For instance, sometimes it doesn’t matter if it bleeds out into the parking lot — but sometimes it does. Scenarios, causes of misplaced signals, and the accompanying issues and security risks vary.
Maybe the stray signal indicates a configuration issue, like too much power. Is there an SSID that shouldn’t be there? Is there a high-gain antenna where it shouldn’t be used? There is sometimes an assumption that thick walls will block a Wi-Fi signal, but that’s not always the case. Another cause of improper signal placement could be that an AP was added without approval from network managers.
Ultimately, WLAN configuration determines the vulnerability caused by stray signals. Managers must question what is going on with the WLAN and its configuration when the signal hits areas where it shouldn’t.
5. A wireless client device is stolen
Even more devices of all types are becoming Wi-Fi enabled, like digital signs, people counters, and time clocks. This equipment is often mounted on walls while connected to the wireless network. If one of those items ‘walks away,’ the administrator likely won’t notice, at least right away. And usually, no one is keeping a reliable inventory of these devices.
Nevertheless, those time clocks and digital signs, for example, are set up so people can learn a lot about the network by digging around in the configuration. Security is basically at the mercy of whoever administered it, and the device may enable access to information that makes the network vulnerable. Even when using 802.1X, individuals can often get to a shared credential that’s on a bunch of devices spread around the environment. And while many smart devices can be locked down with mobile device management (MDM), many can’t, particularly those within the internet of things (IoT).
The theft or loss of many different clients can significantly impact security, even when someone accidentally leaves a laptop in a cab and never sees it again. Network managers and their organizations must consider and plan for this impact. Put a policy in place for what to do, and conduct regular physical security audits.
General physical security tips
The physical security of a WLAN deserves thought and planning, though many organizations continue to overlook these concerns. Here are a few simple physical security steps that you can take:
- Use tamper-proof screws (which vendors give you)
- Use legitimate mounts for APs
- Lock enclosures and cages
- Hide APs
- Ensure AP redundancy in critical areas to avoid signal gaps
- Recognize that more devices are Wi-Fi enabled every day, and plan security steps accordingly
Don’t make creating a policy for physical WLAN security an afterthought!
7SIGNAL® is the leader in wireless experience monitoring, providing insight into wireless networks and control over Wi-Fi performance so businesses and organizations can thrive. Our cloud-based wireless network monitoring platform continually tests and measures Wi-Fi performance at the edges of the network, enabling fast solutions to digital experience issues and stronger connections for mission-critical users, devices, and applications. Learn more at www.7signal.com.