Securing wireless Local Area Network

Wireless technologies enable military, civilian government, and corporate operations to dynamically interconnect Local Area Networks (LANs) quickly and reliably in environments where wired connections are impractical and cost-prohibitive. This connection of LANs over the air without the use of a fixed, wired medium is typically referred to as wireless interconnectivity. Under this infrastructure, a number of specific connection technologies are used, including radio frequency, microwave, and free-space optics.
While popular from an operational perspective, wireless LAN interconnections suffer significant drawbacks when it comes to security. As with any open medium, ensuring the confidentiality and integrity of sensitive data traveling across these networks is of paramount importance. The security challenges incurred by transmitting sensitive information over the airwaves include both passive and active attacks. Passive attacks occur when perpetrators collect and read sensitive data, whereas active attacks occur when perpetrators inject new traffic and breach network integrity.
To provide insight into remedying these challenges in a connected and operational arena, the following discussion examines LAN operational advantages and associated vulnerabilities – and explores Layer 2 versus Layer 3 alternatives for enhanced security.
The expansion of wireless LAN interconnections within government and enterprise has come as a result of LAN flexibility, ease of deployment, and cost savings. As alluded to previously, outdoor wireless interconnections over radio frequency, microwave, and free-space optic mediums allow system architects to connect LANs dynamically without having to physically lay cable or provision a service. In military environments in particular, wireless LAN interconnections can be established and dismantled at a moment’s notice in accordance with changing tactical and strategic battlefield conditions. Examples of this include forward-deployed tactical units and strategic intra-base virtual campus topologies such as military clinics and hospitals. A schematic representation of this environment is shown in Figure 1.


Figure 1: Wireless LAN interconnection in a forward-deployed tactical battlefield environment
While providing quick setup and complete ownership of the backbone wireless LAN links, the connections offer no inherent level of security. Wireless LAN interconnections are vulnerable to interception, and therefore, must be secured to ensure the confidentiality and integrity of the data traveling across them. As a result of this vulnerability, the U.S. government has developed regulations to mitigate the threat of interception and specifies encryption as the preferred mechanism for protecting sensitive data. Within the Department of Defense (DoD), directives DoDD 8500.2 and DoDD 8100.2 mandate that Sensitive But Unclassified (SBU) data be encrypted using FIPS 140-2 approved equipment employing the Advanced Encryption Standard (AES) algorithm when employing wireless systems.
In theory, encryption across LANs can be done at any of the seven layers defined by the Open System Interconnection (OSI) model for data networking (Figure 2). The OSI architecture model defines the functions and components that establish a data connection. Where encryption is employed in the layered model determines how transparent, and therefore how effective, it can be. Higher in the model (at Layer 7), specific applications are considered, while at the bottom (Layer 1), the general physical medium is addressed. Data encryption is generally done at the frame (Ethernet Layer 2) or packet (IP Layer 3) levels.
Figure 2: OSI reference model for data networking

Layer 2 versus Layer 3: Advantages and vulnerabilities
Although encryption can thus be applied to LAN interconnections at either Layer 2 or Layer 3, the proliferation of the Internet meant that, until just recently, most encryption devices available in the market were packet encryptors operating strictly at IP Layer 3 using the IP Security (IPsec) encryption standard. However, with increased traffic volumes and growing use of latency-sensitive applications such as voice, video, and multimedia, IPsec has shown significant limitations that impact operational performance. Given the nature of deployed battlefield communications, Layer 3 interconnections using IPsec encryption have proven impractical.
Additionally, Layer 2 establishes the physical connection between the local telecommunication devices and remote destinations, and defines the data frame as the physical transmission medium between nodes. Layer 2 connections are primarily used for high-speed/high-data throughput applications between telecommunication facilities. When this layer is used to connect telecommunications facilities on high-speed lines, encryption mechanisms encapsulate all higher-level protocols crossing the link.
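The coverage difference described above can be checked frame by frame. The following is an added example, not part of the original article: it parses constructed Ethernet frames and reports what a passive listener on the wireless link could still read under each scheme. It assumes a Layer 2 frame encryptor that leaves MAC addresses readable and encrypts EtherType and payload, and IPsec ESP in tunnel mode at Layer 3; all addresses and function names are made up for illustration.

```python
import struct

IP_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}   # the only traffic IPsec can protect

def eth(dst, src, ethertype, payload):
    """Build an Ethernet II frame from hex MAC strings (constructed test data)."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       bytes.fromhex(sender_mac), ip(sender_ip), bytes(6), ip(target_ip))

# Constructed sample frames crossing the wireless inter-LAN link; all addresses are made up.
FRAMES = {
    "voice (IPv4/UDP)": eth("02aa00000002", "02aa00000001", 0x0800, bytes(48)),
    "ARP request": eth("ffffffffffff", "02aa00000001", 0x0806,
                       arp_request("02aa00000001", "10.1.0.1", "10.1.0.2")),
    "LLDP": eth("0180c200000e", "02aa00000001", 0x88CC, bytes(20)),
}

def listener_view(frame, mode):
    """Fields of the original frame a passive listener can read under each scheme."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if mode == "layer2":
        # Assumption: the frame encryptor leaves MAC addresses readable and
        # encrypts EtherType plus the whole payload, whatever the protocol.
        return {"covered": True, "dst_mac": dst, "src_mac": src}
    view = {"dst_mac": dst, "src_mac": src, "ethertype": hex(ethertype)}
    if ethertype in IP_ETHERTYPES:
        # Assumption: IPsec ESP tunnel mode, so the inner IP packet is encrypted.
        return {"covered": True, **view}
    view["covered"] = False          # non-IP frame: outside IPsec's scope
    if ethertype == 0x0806:          # ARP in the clear exposes internal addressing
        f = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        view["arp_sender_ip"] = ".".join(map(str, f[6]))
        view["arp_target_ip"] = ".".join(map(str, f[8]))
    return view

def uncovered(mode):
    """Names of sample frames that cross the link unencrypted in the given mode."""
    return [name for name, fr in FRAMES.items() if not listener_view(fr, mode)["covered"]]

if __name__ == "__main__":
    for mode in ("layer2", "layer3"):
        print(mode, "unencrypted:", uncovered(mode))
    print(listener_view(FRAMES["ARP request"], "layer3"))
```

Running the same check against a capture of the actual link traffic shows which protocols would need separate protection, or filtering, if only a Layer 3 encryptor is deployed.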

Enhancing LAN security
LANs are known for their ease-of-use and quick setup. However, LAN security is only as good as the weakest links that tie the wireless network together. Numerous protection measures, including strong access control mechanisms, intrusion detection and prevention systems, firewalls, malware removal, and encryption, are often tested and deployed within LANs. However, if these methodologies are not connected securely, tremendous data compromise and interception vulnerabilities will result.