Wireless - Private Network Pattern
Security controls and architecture for a managed wireless private network as an extension of a trusted network
When to Use
You should apply this pattern when providing wireless access to your private corporate or organisational network from clearly defined locations. This pattern does not cover Bluetooth or infrared.
When NOT to Use
Environments where you need to provide guest access to a wide range of users and do not manage the endpoints. Any environment where security outweighs usability considerations: there you should still look to use wired access exclusively, to minimise denial of service, the remote possibility that the encryption may be broken, or the chance that endpoint vulnerabilities will allow an attacker to piggyback onto an existing session.
Typical Challenges
Authentication should be seamless where possible, which is why certificates offer a useful mechanism. Most operating systems support 802.1X authentication and can integrate certificate issuance, renewal and revocation.
Where possible you should use WPA2, since it provides much stronger encryption between the client and the access point (AES rather than RC4, with frequent session key renewal). However, WPA2 is not supported by all access points or wireless cards, and you may need to fall back to WPA. WEP should be treated as an unencrypted channel, since there are well-publicised attacks against it, and should be supplemented by a VPN; this naturally decreases usability, since it tends towards the Wireless Public Hotspot pattern.
Try to ensure that the placement of wireless access points minimises the spread of signals beyond the perimeter of the building or location to be covered.
Threat Resistance
Spoofing, eavesdropping, impersonation, unauthorised access to computing resources.
Assumptions
There is little value in SSID hiding, obscure SSID names, or MAC-layer controls, since to a determined attacker these strategies provide little protection. Instead, all security should come from an appropriate level of authentication and encryption.
Frequent scans for unauthorised access should be made, via automated mechanisms where possible. Ensure that network intrusion detection and protection devices are deployed to cover traffic from wireless network segments.
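As an added example (not part of this pattern page), the automated scan for unauthorised access described above can be implemented by comparing each scan result against an approved access-point inventory: an unknown radio broadcasting a corporate SSID is a possible impersonation, and an approved radio offering anything weaker than WPA2 with AES and 802.1X is a configuration drift. The inventory, the security labels and the scan results are constructed for illustration.

```python
"""Audit a wireless scan against an approved access-point inventory (constructed data)."""
from dataclasses import dataclass

# Constructed inventory: BSSID -> (SSID it should broadcast, security it should offer).
APPROVED = {
    "00:11:22:33:44:01": ("corp-secure", "WPA2-EAP-CCMP"),
    "00:11:22:33:44:02": ("corp-secure", "WPA2-EAP-CCMP"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in APPROVED.values()}

# Security labels ranked as the pattern ranks them: WEP counts as unencrypted,
# WPA/TKIP is a fallback only, WPA2 with AES (CCMP) and 802.1X (EAP) is the target.
STRENGTH = {"OPEN": 0, "WEP": 0, "WPA-PSK-TKIP": 1, "WPA2-PSK-CCMP": 2, "WPA2-EAP-CCMP": 3}
REQUIRED = STRENGTH["WPA2-EAP-CCMP"]


@dataclass(frozen=True)
class Finding:
    kind: str      # "impersonation", "weak-security", "ssid-mismatch" or "unknown-ap"
    bssid: str
    detail: str


def audit(observed):
    """observed: iterable of (bssid, ssid, security) tuples taken from a scan."""
    findings = []
    for bssid, ssid, security in observed:
        bssid = bssid.lower()
        if bssid in APPROVED:
            exp_ssid, exp_sec = APPROVED[bssid]
            if ssid != exp_ssid:
                findings.append(Finding("ssid-mismatch", bssid, f"{ssid!r} != {exp_ssid!r}"))
            # Unknown labels rank as 0 so a misparsed AP is never silently accepted.
            if STRENGTH.get(security, 0) < REQUIRED:
                findings.append(Finding("weak-security", bssid, f"{security} < {exp_sec}"))
        elif ssid in CORPORATE_SSIDS:
            # Our SSID from a radio we do not own: candidate rogue or impersonating AP.
            findings.append(Finding("impersonation", bssid, f"{ssid!r} offering {security}"))
        else:
            findings.append(Finding("unknown-ap", bssid, ssid))  # informational
    return findings


SCAN = [  # constructed scan results
    ("00:11:22:33:44:01", "corp-secure", "WPA2-EAP-CCMP"),
    ("00:11:22:33:44:02", "corp-secure", "WPA-PSK-TKIP"),
    ("DE:AD:BE:EF:00:01", "corp-secure", "OPEN"),
    ("aa:bb:cc:dd:ee:ff", "neighbour-cafe", "WPA2-PSK-CCMP"),
]

if __name__ == "__main__":
    for finding in audit(SCAN):
        print(finding.kind, finding.bssid, finding.detail)
```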
Mapped Controls (19)
- AC-18 Wireless Access Restrictions
- AC-19 Access Control For Portable And Mobile Devices
- AT-01 Security Awareness And Training Policy And Procedures
- AT-03 Security Training
- AT-04 Security Training Records
- AU-02 Auditable Events
- CA-02 Security Assessments
- CA-07 Continuous Monitoring
- IA-02 User Identification And Authentication
- IA-03 Device Identification And Authentication
- IR-02 Incident Response Training
- IR-04 Incident Handling
- IR-05 Incident Monitoring
- IR-06 Incident Reporting
- IR-07 Incident Response Assistance
- RA-05 Vulnerability Scanning
- SC-08 Transmission Integrity
- SC-09 Transmission Confidentiality
- SC-13 Use Of Cryptography