Wireless Access Control
The processes and tools used to track, control, prevent, and correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.
Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
How to Implement This Control
| Control | Description | Category |
| --- | --- | --- |
| CSC 7-1 | Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile. | Quick win |
| CSC 7-2 | Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated. | Quick win |
| CSC 7-3 | Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition, all wireless traffic should be monitored by WIDS as it passes into the wired network. | Visibility/Attribution |
| CSC 7-4 | Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks. | Configuration/Hygiene |
| CSC 7-5 | For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface), with password protections to lower the possibility that the user will override such configurations. | Configuration/Hygiene |
| CSC 7-6 | Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection. | Configuration/Hygiene |
| CSC 7-7 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provide credential protection and mutual authentication. | Configuration/Hygiene |
| CSC 7-8 | Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need. | Configuration/Hygiene |
| CSC 7-9 | Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need. | Configuration/Hygiene |
| CSC 7-10 | Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly. | Configuration/Hygiene |
CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.
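The check described above (does captured wireless traffic use weaker protocols or encryption than the organization mandates in CSC 7-6 and 7-7?) comes down to decoding the security information elements that access points advertise in their beacons. The following is an added example, not part of the Critical Security Controls document and not the output of any particular scanning product: it parses the RSN information element (tag 48) and the pre-standard WPA1 vendor element (tag 221) from a beacon's tagged-parameter area, names the cipher and key-management suites, and compares the result with the policy. The beacon blobs at the bottom are constructed for the example, and the rule that only 802.1X/EAP-based key management satisfies CSC 7-7 is a policy assumption you may need to adjust.

```python
"""Classify Wi-Fi networks from beacon information elements (IEs) and compare
them with a wireless policy (CSC 7-6: at least AES under WPA2; CSC 7-7: EAP-based
mutual authentication). Added example; sample beacons below are constructed."""
import struct
from dataclasses import dataclass, field

TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite-selector OUI (RSN / WPA2 / WPA3)
WPA_OUI = b"\x00\x50\xf2"   # OUI used by the pre-standard WPA1 vendor-specific IE

CIPHER_NAMES = {0: "GROUP", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128",
                5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
AES_CIPHERS = {"CCMP-128", "CCMP-256", "GCMP-128", "GCMP-256"}
# Policy assumption: only 802.1X/EAP-based key management satisfies CSC 7-7.
EAP_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256"}


@dataclass
class SecurityInfo:
    kind: str                         # OPEN, WEP, WPA1 or WPA2/3
    group_cipher: str = ""
    pairwise: list = field(default_factory=list)
    akms: list = field(default_factory=list)


def parse_ies(blob):
    """Split a beacon's tagged-parameter area into (tag, data) pairs."""
    ies, pos = [], 0
    while pos + 2 <= len(blob):
        tag, length = blob[pos], blob[pos + 1]
        data = blob[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        ies.append((tag, data))
        pos += 2 + length
    return ies


def _suite_list(body, pos, oui, names):
    """Read a little-endian count followed by 4-byte OUI+type suite selectors."""
    count = struct.unpack_from("<H", body, pos)[0]
    pos, out = pos + 2, []
    for _ in range(count):
        sel = body[pos:pos + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        out.append(names.get(sel[3], "unknown-%d" % sel[3]) if sel[:3] == oui
                   else "vendor-" + sel.hex())
        pos += 4
    return out, pos


def parse_suites(body, oui, kind):
    """RSN and WPA1 IEs share this layout: version, group cipher, pairwise list, AKM list."""
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN/WPA version")
    sel = body[2:6]
    group = CIPHER_NAMES.get(sel[3], "unknown") if sel[:3] == oui else "vendor-" + sel.hex()
    pairwise, pos = _suite_list(body, 6, oui, CIPHER_NAMES)
    akms, _ = _suite_list(body, pos, oui, AKM_NAMES)   # trailing RSN capabilities are ignored
    return SecurityInfo(kind, group, pairwise, akms)


def classify(privacy_bit, ie_blob):
    """privacy_bit is the Privacy flag from the beacon's capability field (set for WEP)."""
    ies = parse_ies(ie_blob)
    for tag, data in ies:
        if tag == TAG_RSN:
            return parse_suites(data, RSN_OUI, "WPA2/3")
    for tag, data in ies:
        if tag == TAG_VENDOR and data[:4] == WPA_OUI + b"\x01":
            return parse_suites(data[4:], WPA_OUI, "WPA1")
    return SecurityInfo("WEP" if privacy_bit else "OPEN")


def policy_findings(info, require_aes=True, require_eap=True):
    """Compare a classified network with the CSC 7-6 / 7-7 mandate."""
    findings = []
    if info.kind in ("OPEN", "WEP", "WPA1"):
        findings.append("%s is below WPA2 (CSC 7-6)" % info.kind)
    elif require_aes:
        weak = sorted({c for c in [info.group_cipher] + info.pairwise if c not in AES_CIPHERS})
        if weak:
            findings.append("non-AES cipher(s) %s (CSC 7-6)" % ", ".join(weak))
    if require_eap and info.kind != "OPEN" and not any(a in EAP_AKMS for a in info.akms):
        findings.append("no EAP/802.1X key management, so no mutual authentication (CSC 7-7)")
    return findings


# --- constructed sample beacons (not captured traffic) -------------------------
def _ie(tag, data):
    return bytes([tag, len(data)]) + data

def _suites(oui, group, pairwise, akms):
    body = struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return body

SSID_IE = _ie(TAG_SSID, b"corp-wifi")
SAMPLE_CORP = SSID_IE + _ie(TAG_RSN, _suites(RSN_OUI, 4, [4], [1]))       # CCMP + 802.1X
SAMPLE_LEGACY = SSID_IE + _ie(TAG_RSN, _suites(RSN_OUI, 2, [2, 4], [2]))  # TKIP mixed mode, PSK
SAMPLE_WPA1 = SSID_IE + _ie(TAG_VENDOR, WPA_OUI + b"\x01" + _suites(WPA_OUI, 2, [2], [2]))
SAMPLE_WEP = SSID_IE   # privacy bit set but no RSN/WPA IE present

if __name__ == "__main__":
    for name, priv, blob in [("corp", 1, SAMPLE_CORP), ("legacy", 1, SAMPLE_LEGACY),
                             ("wpa1", 1, SAMPLE_WPA1), ("wep", 1, SAMPLE_WEP), ("open", 0, SAMPLE_WEP)]:
        info = classify(priv, blob)
        print(name, info, policy_findings(info) or "compliant")
```

Feed `classify()` the Privacy capability bit and the tagged-parameter bytes of each beacon your capture tool exposes; any network whose `policy_findings()` list is non-empty is a candidate for the asset-inventory lookup and reconfiguration step the text describes. A mixed-mode network that advertises TKIP alongside CCMP is flagged on purpose, since a client may still negotiate the weaker cipher.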
Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no)?
2. How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes)?
3. How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes)?
4. Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no)?
5. Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no)?
CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many rogue wireless access points have been discovered recently in the organization (by business unit)? This should include non-persistent, temporary, and transient access points.
2. What is the average time that it takes to remove rogue access points from the organization's network (by business unit)?
3. How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit)?
CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team must configure 10 unauthorized but hardened wireless clients and wireless access points and attempt to connect them to the organization's wireless networks. In the case of wireless access points, these access points must not be directly connected to the organization's trusted network. Instead, they must simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point must have the wireless radio disabled for the duration of the test. These systems must be configured to test each of the following scenarios:
* A wireless client with an unauthorized service set identifier configured on it.
* A wireless client with improper encryption configured.
* A wireless client with improper authentication configured.
* A wireless access point with improper encryption configured.
* A wireless access point with improper authentication configured.
* A completely rogue wireless access point using an unauthorized configuration.
When any of the above-noted systems attempt to connect to the wireless network, an alert must be generated and enterprise staff must respond to the alerts to isolate the detected device or remove the device from the network.
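The six scenarios above, together with the reconciliation against an authorized list in CSC 7-1 and 7-2 and the removal-time metric in the automation metrics, are all decisions over the same two inputs: what the WIDS or wired scanner observed, and what the inventory says is authorized. The following is an added example, not the Critical Security Controls' own tooling and not any vendor's alert logic. The inventory, the observations and the removal timestamps are constructed for the example, and the `Policy` values (WPA2/WPA3 with AES, EAP-TLS only) are an assumed reading of the organization's mandate.

```python
"""Reconcile observed wireless devices against an authorized inventory and policy,
producing one finding per CSC 7 effectiveness-test scenario, and compute the
mean rogue-removal time per business unit. Added example with constructed data."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    """Assumed organizational mandate: AES under WPA2 or later, EAP-TLS authentication."""
    encryption: frozenset = frozenset({"WPA2-AES", "WPA3-AES"})
    authentication: frozenset = frozenset({"EAP-TLS"})


# Constructed authorized inventory; a real deployment pulls this from the asset inventory.
AUTHORIZED_APS = {"00:11:22:aa:bb:01": {"ssid": "corp-wifi", "owner": "netops", "unit": "HQ"}}
AUTHORIZED_SSIDS = {"corp-wifi", "corp-guest"}
AUTHORIZED_CLIENTS = {"66:77:88:cc:dd:01": {"owner": "alice", "unit": "HQ"}}


@dataclass(frozen=True)
class Observation:
    seen_at: str            # ISO-8601 timestamp reported by the WIDS or wired scanner
    kind: str               # "ap" or "client"
    mac: str                # BSSID for an AP, station address for a client
    ssid: str
    encryption: str
    authentication: str
    on_wired: bool = False  # AP also found by the wired-side scanner (CSC 7-2)


def evaluate(obs, policy=Policy()):
    """Return (severity, scenario, detail) tuples; an empty list means compliant."""
    findings = []
    ident = "%s %s ssid=%r" % (obs.kind, obs.mac, obs.ssid)
    if obs.kind == "ap":
        entry = AUTHORIZED_APS.get(obs.mac)
        if entry is None:
            where = "wired network" if obs.on_wired else "RF only"
            findings.append(("high", "rogue access point", "%s seen on %s" % (ident, where)))
            return findings  # no authorized profile exists to compare against
        if obs.ssid != entry["ssid"]:
            findings.append(("high", "access point with unexpected SSID", ident))
        if obs.encryption not in policy.encryption:
            findings.append(("high", "access point with improper encryption",
                             "%s uses %s" % (ident, obs.encryption)))
        if obs.authentication not in policy.authentication:
            findings.append(("high", "access point with improper authentication",
                             "%s uses %s" % (ident, obs.authentication)))
    else:
        if obs.mac not in AUTHORIZED_CLIENTS:
            findings.append(("medium", "unauthorized client", ident))
        if obs.ssid not in AUTHORIZED_SSIDS:
            findings.append(("high", "client with unauthorized SSID", ident))
        if obs.encryption not in policy.encryption:
            findings.append(("high", "client with improper encryption",
                             "%s uses %s" % (ident, obs.encryption)))
        if obs.authentication not in policy.authentication:
            findings.append(("high", "client with improper authentication",
                             "%s uses %s" % (ident, obs.authentication)))
    return findings


def minutes_between(start_iso, end_iso):
    """Elapsed minutes between two ISO-8601 timestamps (detection to isolation)."""
    return (datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)).total_seconds() / 60


def mean_removal_minutes(records):
    """records: (business_unit, detected_iso, isolated_iso) -> mean minutes per unit."""
    per_unit = {}
    for unit, detected, isolated in records:
        per_unit.setdefault(unit, []).append(minutes_between(detected, isolated))
    return {unit: sum(v) / len(v) for unit, v in per_unit.items()}


# Constructed sensor output covering a compliant AP, a rogue AP seen on the wire,
# an authorized AP misconfigured for TKIP, a client on a foreign SSID with PSK,
# and a compliant client.
SAMPLE_OBSERVATIONS = [
    Observation("2024-03-01T09:00:00", "ap", "00:11:22:aa:bb:01", "corp-wifi", "WPA2-AES", "EAP-TLS"),
    Observation("2024-03-01T09:01:00", "ap", "00:11:22:aa:bb:09", "free-wifi", "OPEN", "NONE", on_wired=True),
    Observation("2024-03-01T09:02:00", "ap", "00:11:22:aa:bb:01", "corp-wifi", "WPA2-TKIP", "EAP-TLS"),
    Observation("2024-03-01T09:03:00", "client", "66:77:88:cc:dd:01", "coffee-shop", "WPA2-AES", "PSK"),
    Observation("2024-03-01T09:04:00", "client", "66:77:88:cc:dd:01", "corp-wifi", "WPA2-AES", "EAP-TLS"),
]
SAMPLE_REMOVALS = [
    ("HQ", "2024-03-01T09:01:00", "2024-03-01T09:13:00"),
    ("HQ", "2024-03-01T11:00:00", "2024-03-01T11:20:00"),
    ("Lab", "2024-03-02T09:00:00", "2024-03-02T09:05:00"),
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        for severity, scenario, detail in evaluate(obs):
            print(obs.seen_at, severity.upper(), scenario, "-", detail)
    print("mean minutes to remove rogue APs:", mean_removal_minutes(SAMPLE_REMOVALS))
```

During the periodic test, each of the 10 planted devices should produce exactly the finding its scenario calls for; a scenario that produces none is a gap in sensor coverage or policy encoding, and the interval between an observation's `seen_at` and the recorded isolation time is the value the effectiveness metrics ask for in minutes.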
CSC 7 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Hardened configurations applied to wireless devices
Step 2: Hardened configurations managed by a configuration management system
Step 3: Configuration management system manages the configurations on wireless devices
Step 4: Wireless IDS monitors usage of wireless communications
Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities
Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner
Critical Security Controls - Version 5
- 1: Inventory of Authorized and Unauthorized Devices
- 2: Inventory of Authorized and Unauthorized Software
- 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 4: Continuous Vulnerability Assessment and Remediation
- 5: Malware Defenses
- 6: Application Software Security
- 7: Wireless Access Control
- 8: Data Recovery Capability
- 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 11: Limitation and Control of Network Ports, Protocols, and Services
- 12: Controlled Use of Administrative Privileges
- 13: Boundary Defense
- 14: Maintenance, Monitoring, and Analysis of Audit Logs
- 15: Controlled Access Based on the Need to Know
- 16: Account Monitoring and Control
- 17: Data Protection
- 18: Incident Response and Management
- 19: Secure Network Engineering
- 20: Penetration Tests and Red Team Exercises
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) all persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g., a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up-to-date guidance.