NET.2.1

NET.2.1 WLAN Operation

Description

Introduction

Wireless LANs (WLANs) can be used to build wireless local area networks or to extend existing wired networks. To this day, almost all WLAN components available on the market are based on the IEEE 802.11 standard and its amendments. A particular role is played by the company consortium “Wi-Fi Alliance,” which has created an industry standard called “Wi-Fi” based on the IEEE 802.11 standard. The Wi-Fi Alliance confirms with the Wi-Fi seal of approval that a device has passed certain interoperability and conformance tests.

Within institutions, WLANs can be used to work flexibly with mobile devices and to provide them with access to the institution’s network. For this purpose, network access points—so-called access points—are set up within the institution. Due to the usually simple and fast installation, WLANs are also used to set up temporary networks, for example at trade fairs or smaller events. In addition, network access can be offered at public locations such as airports or train stations via so-called hotspots. This enables mobile users to connect to the Internet or their institution’s network. Communication then generally takes place between a central access point and the WLAN component of the end device.

Objective

This building block systematically shows how WLANs can be securely built and operated in an institution.

Scope and Modeling

The building block NET.2.1 WLAN Operation is to be applied to all communication networks that are built and operated in accordance with the IEEE 802.11 standard series and its extensions.

The building block contains fundamental requirements that must be observed and fulfilled when WLANs are built and operated in institutions. However, requirements for the secure use of WLANs are not the subject of this building block. The secure use of WLANs is addressed in building block NET.2.2 WLAN Use.

WLANs can be operated in two different modes depending on the needs of the operating institution and the hardware available. In ad-hoc mode, two or more WLAN clients communicate directly with each other. WLANs in ad-hoc mode can set up and configure themselves independently, i.e., without fixed infrastructure. Thus they can establish a fully meshed parallel network infrastructure. For this reason, ad-hoc mode is unsuitable in a protected environment and is therefore not considered further below. In most cases, WLANs are operated in infrastructure mode, i.e., communication between WLAN clients and the connection to wired LAN segments takes place via access points.

If services are used for authentication on the WLAN (e.g., RADIUS), the corresponding IT systems on which the services are operated must be separately secured. For this purpose, the building blocks in layer SYS.1—such as SYS.1.1 General Server—can be applied.

If a WLAN is operated, it SHOULD generally be taken into account when the building blocks NET.1.1 Network Architecture and Design, NET.1.2 Network Management, and DER.2.1 Handling of Security Incidents are implemented.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.2.1 WLAN Operation.

Failure or Disruption of a Wireless Network

In wireless networks, information is transmitted using electromagnetic radio waves. If other electromagnetic sources radiate energy in the same frequency spectrum, they can disrupt the wireless communication and, in extreme cases, prevent WLAN operation. This can be caused by other radio systems and devices such as Bluetooth devices, microwave ovens, or other WLAN networks. Denial-of-service attacks are also possible. For example, if certain control and management signals are repeatedly sent, this can cause the wireless network to become unavailable.

Missing or Insufficient Planning of WLAN Deployment

Planning errors are often particularly serious because they can easily create widespread security vulnerabilities. If the deployment of WLANs is not planned, or is planned insufficiently, a variety of problems can arise, for example:

  • Confidential data could be intercepted, e.g., if WLAN standards are used that no longer correspond to the state of the art (e.g., WEP for encryption).
  • Transmission capacity may be insufficient. As a result, bandwidth-intensive applications cannot be used with the required quality of service.
  • The WLAN coverage may not be sufficient so that no network is available at certain locations.

Missing or Insufficient Regulations for WLAN Deployment

In a WLAN infrastructure that is not centrally administered, access points are usually left in their default settings, with no or only insufficient security mechanisms. If, due to missing regulations, employees connect an unauthorized or unsecured access point to the institution’s internal network, this can lead to serious problems, because it practically undermines all security measures taken within the LAN, such as the firewall that protects against unauthorized external access.

Inappropriate Selection of Authentication Methods

If authentication methods and mechanisms are missing or insufficient, security vulnerabilities can arise. For example, the Extensible Authentication Protocol (EAP) is defined in IEEE 802.1X (Port Based Network Access Control). However, some of the EAP methods described contain vulnerabilities. EAP-MD5, for example, is susceptible to man-in-the-middle and dictionary attacks. If EAP-MD5 is used, passwords can be guessed. Communication can also be intercepted.

Incorrect Configuration of the WLAN Infrastructure

Access points and other WLAN components (e.g., WLAN controllers) offer a wide variety of configuration settings, which in particular also concern security functions. If these are incorrectly configured, either no communication is possible via an access point or communication takes place unprotected or at an insufficient protection level.

Insufficient or Missing WLAN Security Mechanisms

In the delivery state, WLAN components are frequently configured so that no or only few security mechanisms are activated. Some of the mechanisms are also insufficient and therefore do not provide adequate protection. Even today, various WLAN components are still used that support only inadequate security mechanisms such as WEP. In some cases, these devices cannot even be upgraded to stronger security mechanisms. If such devices are used, attackers can easily intercept the entire communication and thus access confidential information.

Interception of WLAN Communication

Since radio is a medium that several users can share (“shared medium”), the data transmitted over WLANs can easily be intercepted and recorded. If the data is not encrypted or only inadequately encrypted, the transmitted user data can easily be read. In addition, wireless networks or the transmitted radio waves frequently extend beyond the boundaries of the premises used. Data is thus also broadcast into areas that cannot be controlled and secured by users or an institution.

Spoofing a Valid Access Point (Rogue Access Point)

Attackers can impersonate part of the WLAN infrastructure by installing their own access point with a suitably chosen name (SSID) near a WLAN client. This spoofed access point is called a “rogue access point.” If it offers the WLAN client a stronger signal than the real access point, the client will use it as its base station unless client and access point mutually authenticate each other. Additionally, the real access point could be disabled by a denial-of-service attack. Users then connect to a network that only pretends to be the target network, which enables attackers to intercept communication. Attackers can also use poisoning or spoofing methods to assume a false identity or redirect network traffic to their own IT systems. In this way, they can eavesdrop on and control communication. A rogue access point is a particularly popular attack tool in public wireless networks (so-called hotspots).

Unprotected LAN Access at the Access Point

If access points are visibly mounted without physical protection, attackers can place themselves between the access points and the switch infrastructure to intercept all network traffic. Even if wireless communication is encrypted with WPA2, this represents a threat because these methods only secure the air interface and do not further consider the Ethernet connection.

Hardware Damage

Hardware damage can cause wireless traffic to be disrupted. In the worst case, the WLAN can fail completely. This particularly affects WLAN devices mounted outside of protected spaces, e.g., to cover open areas. They are exposed to additional threats such as deliberate damage by attackers or environmental damage due to weather or lightning strikes.

Theft of an Access Point

If WLAN access points are installed unsecured in public areas, they can be stolen. This can allow, for example, a shared secret key for authentication on the RADIUS server or the key used (e.g., for WPA2-Personal) to be read out. Using this information, unauthorized access to the WLAN can then be obtained.

Requirements

The following are the specific requirements of building block NET.2.1 WLAN Operation. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities              Roles
Primarily responsible         IT Operations
Additional responsibilities   Planners, Facility Management

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

NET.2.1.A1 Definition of a Strategy for the Use of WLANs (B)

Before WLANs are used in an institution, it MUST be established what general strategy the institution plans with regard to communication via WLANs. In particular, it MUST be clarified and established in which organizational units, for which applications, and for what purpose WLANs are to be used and what information may be transmitted over them. Likewise, the coverage area of the WLAN MUST be established.

Furthermore, it MUST already be established in the planning phase who is responsible for the administration of the various WLAN components, what interfaces exist between the parties involved in operations, and when what information must be exchanged between those responsible.

NET.2.1.A2 Selection of an Appropriate WLAN Standard (B) [Planners]

As part of WLAN planning, it MUST first be determined which devices operated by the institution (e.g., microwave devices, Bluetooth devices) radiate into the ISM band at 2.4 GHz as well as into the 5 GHz band.

Furthermore, the existing security mechanisms of the individual WLAN standards MUST be weighed against each other. In general, it MUST be ensured that only methods recognized as generally secure are used for authentication and encryption. The reasons for the decision MUST be documented.

Devices that have to fall back from recognized secure methods to insecure ones MUST NO LONGER be used.

NET.2.1.A3 Selection of Appropriate Cryptographic Methods for WLAN (B) [Planners]

Communication over the air interface MUST be fully cryptographically secured. Cryptographic methods that are less secure than WPA2 MUST NO LONGER be used.

If WPA2 with Pre-Shared Keys (WPA2-PSK) is used, a complex key with a minimum length of 20 characters MUST be used.

NET.2.1.A4 Appropriate Placement of Access Points (B) [Facility Management]

Access points MUST be mounted securely against access and theft. When they are placed, the required areas MUST be adequately covered. Furthermore, care MUST be taken that radio waves spread as little as possible in areas that are not to be served by the WLAN. Outdoor installations MUST be appropriately protected against weather effects and electrical discharges.

NET.2.1.A5 Secure Basic Configuration of Access Points (B)

Access points MUST NOT be used in the configuration of the delivery state. Default SSIDs (Service Set Identifiers), access passwords, or cryptographic keys MUST be changed before productive use. In addition, insecure administration access MUST be disabled. Access points MUST ONLY be administered via an appropriately encrypted connection.
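As an added example, not part of the BSI building block, the following Python script checks an exported access point configuration against NET.2.1.A3 (WPA2 or stronger, pre-shared key of at least 20 characters) and NET.2.1.A5 (default SSID and administration password changed, insecure administration access disabled). The configuration layout, the lists of vendor defaults and the two sample configurations are assumptions constructed for the example.

```python
# Added example (not part of the BSI building block): checks an access point's
# exported configuration against NET.2.1.A3 (WPA2 or better, PSK of at least
# 20 characters) and NET.2.1.A5 (no default SSID or password, no insecure
# administration access). Config layout and default values are assumptions.
import string

# Assumed vendor defaults; real values come from the device documentation.
DEFAULT_SSIDS = {"default", "linksys", "dlink", "netgear", "wlan"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}
SECURE_MODES = {"wpa2", "wpa2-enterprise", "wpa3", "wpa3-enterprise"}
PSK_MODES = {"wpa2", "wpa3"}          # personal modes that rely on a PSK
INSECURE_ADMIN = {"telnet", "http", "snmpv1", "snmpv2c"}


def psk_is_complex(psk: str) -> bool:
    """A3: at least 20 characters drawn from at least three character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    used = sum(any(c in cls for c in psk) for cls in classes)
    return len(psk) >= 20 and used >= 3


def audit_access_point(cfg: dict) -> list:
    """Return findings for one access point; an empty list means compliant."""
    findings = []
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append("A5: default SSID still in use")
    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("A5: default administration password not changed")
    mode = cfg.get("security_mode", "").lower()
    if mode not in SECURE_MODES:
        findings.append(f"A3: security mode '{mode}' is weaker than WPA2")
    if mode in PSK_MODES and not psk_is_complex(cfg.get("psk", "")):
        findings.append("A3: pre-shared key shorter than 20 characters or not complex")
    enabled = {s.lower() for s in cfg.get("admin_services", [])}
    for svc in sorted(enabled & INSECURE_ADMIN):
        findings.append(f"A5: insecure administration access '{svc}' enabled")
    if not enabled & {"https", "ssh"}:
        findings.append("A5: no encrypted administration access configured")
    return findings


# Constructed sample configurations (not real devices).
FACTORY_STATE = {"ssid": "linksys", "admin_password": "admin", "security_mode": "wep",
                 "psk": "", "admin_services": ["telnet", "http"]}
HARDENED = {"ssid": "corp-staff", "admin_password": "long-random-admin-secret",
            "security_mode": "wpa2", "psk": "Fz7!kq2Rw9#pLm4Xv8@bT3",
            "admin_services": ["https", "ssh"]}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_STATE), ("hardened", HARDENED)):
        print(name, audit_access_point(cfg) or ["compliant"])
```

The factory-state configuration produces six findings, the hardened one none; a controller export can be fed in as a list of such dictionaries.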

NET.2.1.A6 Secure Configuration of the WLAN Infrastructure (B)

It MUST be ensured that WLAN communication does not couple security zones and thereby bypass established protective measures.

NET.2.1.A7 Building a Distribution System (B) [Planners]

Before a wired distribution system is built, a decision MUST in principle be made as to whether physical or logical separation via VLANs on the access switches of the cable-based LAN is used.

NET.2.1.A8 Rules of Conduct for WLAN Security Incidents (B)

In the event of a security incident, IT Operations MUST initiate appropriate countermeasures:

  • At the handover point of WLAN communication to the internal LAN, in the event of an attack on the WLAN, communication SHOULD be blocked selectively per SSID, access point, or even for the entire WLAN infrastructure.
  • If access points are stolen, defined security measures MUST be implemented so that the access point or information stored on it cannot be misused.
  • If WLAN clients are stolen and certificate-based authentication is used, the client certificates MUST be revoked.

It MUST be ensured that stolen devices cannot be used to gain unauthorized access to the institution’s network.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

NET.2.1.A9 Secure Connection of WLANs to a LAN (S) [Planners]

If WLANs are connected to a LAN, the transition between WLANs and LAN SHOULD be secured, e.g., by a packet filter. The access point SHOULD be integrated in accordance with requirement NET.2.1.A7 Building a Distribution System.

NET.2.1.A10 Creation of a Security Policy for the Operation of WLANs (S)

Based on the institution’s general security policy, the essential core aspects for the secure use of WLANs SHOULD be specified in concrete terms. The policy SHOULD be known to all persons responsible who are involved in the setup and operation of WLANs. It SHOULD also form the basis for their work. Implementation of the contents required by the policy SHOULD be regularly checked. If the contents of the policy are not implemented, appropriate action MUST be taken. The results SHOULD be appropriately documented.

NET.2.1.A11 Appropriate Selection of WLAN Components (S)

Based on the results of the planning phase, a list of requirements SHOULD be created that can be used to evaluate products available on the market. If WLAN components are procured, attention SHOULD be paid not only to security but also to data protection and compatibility of the WLAN components with each other.

NET.2.1.A12 Use of an Appropriate WLAN Management Solution (S)

A central management solution SHOULD be used. The scope of the solution used SHOULD be consistent with the requirements of the WLAN strategy.

NET.2.1.A13 Regular Security Checks in WLANs (S)

WLANs SHOULD be regularly checked for any existing security vulnerabilities. Additionally, regular searches SHOULD be made for unauthorized access points installed within the provided WLANs. Furthermore, performance and coverage SHOULD be measured. The results of security checks SHOULD be documented in a comprehensible manner and compared with the target state. Deviations SHOULD be investigated.
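The search for unauthorized access points required here, and the rogue access point threat described under Threat Landscape, can be supported by comparing a site survey with the institution's inventory of authorized access points. The following Python script is an added example, not part of the BSI building block; the survey line format, the inventory, the BSSIDs and the signal strength threshold are constructed assumptions, not the output of any particular tool.

```python
# Added example (not part of the BSI building block): compares the access points
# seen in a site survey with the institution's inventory of authorized access
# points, to support the search for unauthorized and spoofed access points in
# NET.2.1.A13. Survey line format, inventory, and the signal threshold are
# constructed assumptions, not the output of any particular tool.
# Constructed inventory: BSSID -> (SSID, expected security mode).
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("corp-staff", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("corp-staff", "WPA2-Enterprise"),
    "00:11:22:aa:bb:03": ("corp-guest", "WPA2-PSK"),
}
WEAK_MODES = {"OPEN", "WEP", "WPA"}
ON_PREMISES_DBM = -70   # assumed: stronger than this likely means inside the building


def parse_scan(text: str) -> list:
    """Parse constructed survey lines 'bssid ssid security signal_dbm'
    into (bssid, ssid, security, signal) tuples."""
    rows = []
    for line in text.strip().splitlines():
        bssid, ssid, security, signal = line.split()
        rows.append((bssid.lower(), ssid, security, int(signal)))
    return rows


def classify(rows: list) -> dict:
    """Map each suspicious BSSID to a finding; correctly configured
    authorized access points produce no entry."""
    findings = {}
    own_ssids = {ssid for ssid, _ in AUTHORIZED.values()}
    for bssid, ssid, security, signal in rows:
        if bssid in AUTHORIZED:
            if (ssid, security) != AUTHORIZED[bssid]:
                # Known device no longer in its target state (see also A14)
                findings[bssid] = f"misconfigured: now {ssid}/{security}"
        elif ssid in own_ssids:
            # Unknown radio advertising one of our SSIDs: possible rogue AP
            findings[bssid] = f"spoofed SSID {ssid} (possible rogue access point)"
        else:
            where = "on premises?" if signal > ON_PREMISES_DBM else "probably neighbouring"
            weak = f", weak security {security}" if security in WEAK_MODES else ""
            findings[bssid] = f"unknown AP {ssid} ({where}{weak})"
    return findings


# Constructed survey sample: two compliant APs, a spoofed SSID on an unknown
# radio, an authorized AP that has lost its encryption, and a neighbour.
SURVEY = """
00:11:22:aa:bb:01 corp-staff WPA2-Enterprise -48
00:11:22:aa:bb:03 corp-guest WPA2-PSK -60
de:ad:be:ef:00:01 corp-staff WPA2-PSK -35
00:11:22:aa:bb:02 corp-staff OPEN -52
66:77:88:99:aa:bb neighbour-wifi WPA2-PSK -80
"""
```

Calling `classify(parse_scan(SURVEY))` returns three findings: the spoofed SSID, the misconfigured authorized access point, and the unknown low-signal network; the two compliant access points are silent.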

NET.2.1.A14 Regular Audits of WLAN Components (S)

For all components of the WLAN infrastructure, it SHOULD be regularly checked whether all defined security measures have been implemented. It SHOULD also be checked whether all components are correctly configured. Publicly installed access points SHOULD be regularly checked on a spot-check basis for any signs of forced opening or manipulation attempts. Audit results SHOULD be documented in a comprehensible manner and compared with the target state. Deviations SHOULD be investigated.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.

NET.2.1.A15 Use of a VPN to Secure WLANs (H)

A VPN SHOULD be used to additionally secure communication via the WLAN infrastructure.

NET.2.1.A16 Additional Protection When Connecting WLANs to a LAN (H)

If a WLAN infrastructure is connected to a LAN, the transition between WLANs and LAN SHOULD be additionally secured in accordance with the higher protection needs.

NET.2.1.A17 Securing Communication Between Access Points (H)

Communication between the access points via the radio interface and the LAN SHOULD be encrypted.

NET.2.1.A18 Use of Wireless Intrusion Detection/Wireless Intrusion Prevention Systems (H)

Wireless Intrusion Detection Systems or Wireless Intrusion Prevention Systems SHOULD be deployed.

Additional Information

Good to Know

The BSI has published the following further documents on the topic of WLAN:

  • BSI Internet Security Standard (ISi series): Secure connection of local networks to the Internet (ISi-LANA)

The National Institute of Standards and Technology (NIST) has published the following further documents on the topic of WLAN:

  • NIST Special Publication 800-153 “Guidelines for Securing Wireless Local Area Networks (WLANs)”
  • NIST Special Publication 800-97 “Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11”