NET.2.2 WLAN Use
Description
Introduction
Wireless LANs (WLANs) can be used to build wireless local area networks or to extend existing wired networks. Today, almost all WLAN components available on the market are based on the IEEE 802.11 standard and its amendments. A special role falls to the industry consortium “Wi-Fi Alliance,” which has created an industry standard called “Wi-Fi” on the basis of IEEE 802.11. With the Wi-Fi seal of approval, the Wi-Fi Alliance confirms that a device has passed certain interoperability and conformance tests.
WLANs offer gains in convenience and mobility. However, their use also brings additional threat potential for the security of information, since communication is wireless. It is therefore important that in addition to IT Operations, users are also sensitized to the possible risks that can arise when WLANs are used improperly. Users must therefore possess the necessary knowledge to properly understand and apply security measures. In particular, they must know what is expected of them with regard to information security and how they should react in certain situations when using WLANs.
Objective
This building block aims to show how WLANs can be used securely.
Scope and Modeling
The building block NET.2.2 WLAN Use is to be applied to all IT systems (WLAN clients) that use WLANs.
The building block contains fundamental requirements that must be observed and fulfilled when using WLANs in order to be able to counter the specific threats. Requirements that help to securely operate WLANs, on the other hand, are not the subject of this building block but are described in building block NET.2.1 WLAN Operation. Furthermore, the building block does not address general aspects of clients. Such aspects are addressed in building block SYS.2.1 General Client as well as in the operating system-specific building blocks of layer SYS IT Systems. The building block NET.2.2 WLAN Use SHOULD generally be taken into account when the building blocks ORP.3 Sensitization and Training on Information Security and DER.2.1 Handling of Security Incidents are implemented.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.2.2 WLAN Use.
Insufficient Knowledge of Regulations
If users do not know the regulations for the correct handling of WLANs, or do not know them well enough, they cannot comply with them either. If clients are carelessly connected to foreign wireless networks, for example, unencrypted information transmitted over them can be intercepted. In addition, the operator of the wireless network can collect information about the users, such as websites visited.
Non-Observance of Security Measures
Due to negligence and a lack of controls, it regularly happens that users implement the security measures recommended or mandated to them only partially or not at all. If, for example, a WLAN client is used in ad-hoc mode even though the usage policy expressly prohibits this, another client can communicate directly with that WLAN client and may, for example, gain unauthorized access to confidential documents shared on it.
Interception of WLAN Communication
Since radio is a medium that several users share (“shared medium”), the data transmitted over WLANs can easily be intercepted and recorded by anyone within radio range. If the data is not encrypted, or is encrypted inadequately, the transmitted user data can easily be read. In addition, wireless networks, or rather the radio waves they emit, frequently extend beyond the boundaries of the premises used. Data is thus also broadcast into areas that can be neither controlled nor secured by the users or the institution.
Evaluation of Connection Data in Wireless Communication
In WLANs based on IEEE 802.11, the MAC address of the WLAN interface is transmitted in the frame header with every data transfer. The header is never encrypted, even when the payload is protected with WPA2 or WPA3, so the address can be read by anyone within radio range. This allows movement profiles to be created for mobile users, e.g., when they connect to public hotspots at different locations.
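To make the point concrete, the following added example (not part of the original building block) parses the unencrypted IEEE 802.11 MAC header of captured frames, extracts the transmitting station's address, flags addresses whose locally administered bit is set (the marking that randomized client MACs carry) and correlates the remaining addresses across capture locations into a movement profile. All frames, MAC addresses and location labels are constructed for the example; the byte layout follows the 802.11 header (frame control, duration, three addresses, sequence control).

```python
from collections import defaultdict

BROADCAST = b"\xff" * 6
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered (how randomized MACs are marked)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_80211_header(frame: bytes) -> dict:
    """Parse the MAC header of a management or data frame.

    Only the header is parsed. WPA2/WPA3 encrypt the frame body, never these
    address fields, so SA, DA and BSSID are readable even when 'protected' is True.
    """
    if len(frame) < 24:
        raise ValueError("frame too short for a 3-address MAC header")
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype == 1:
        raise ValueError("control frames carry fewer addresses; not handled here")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # The meaning of the three address fields depends on the To DS / From DS flags.
    if not to_ds and not from_ds:      # management / IBSS: DA, SA, BSSID
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:        # station -> AP: BSSID, SA, DA
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:        # AP -> station: DA, BSSID, SA
        da, bssid, sa = a1, a2, a3
    else:                              # WDS: RA, TA, DA, then SA after sequence control
        if len(frame) < 30:
            raise ValueError("4-address frame too short")
        da, sa, bssid = a3, frame[24:30], None
    return {
        "type": TYPE_NAMES[ftype],
        "subtype": subtype,
        "protected": bool(flags & 0x40),
        "sa": mac_str(sa),
        "da": mac_str(da),
        "bssid": mac_str(bssid) if bssid else None,
    }


def track_clients(captures) -> dict:
    """captures: iterable of (location_label, raw_frame). Returns SA -> profile.

    Frames sent by the access point itself (SA == BSSID) are skipped so that
    only client stations end up in the profile.
    """
    profile = defaultdict(lambda: {"locations": set(), "randomized": False})
    for location, frame in captures:
        try:
            hdr = parse_80211_header(frame)
        except ValueError:
            continue
        if hdr["sa"] == hdr["bssid"]:
            continue
        entry = profile[hdr["sa"]]
        entry["locations"].add(location)
        entry["randomized"] = is_locally_administered(hdr["sa"])
    return {mac: {"locations": sorted(p["locations"]), "randomized": p["randomized"]}
            for mac, p in profile.items()}


def build_frame(fc: int, flags: int, a1: bytes, a2: bytes, a3: bytes, body: bytes = b"") -> bytes:
    """Assemble a minimal frame (duration and sequence control zeroed) for the constructed capture."""
    return bytes([fc, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body


# Constructed sample capture: hypothetical client and access point addresses.
CLIENT = bytes.fromhex("001122334455")      # globally unique style address
RANDOMIZED = bytes.fromhex("daa119000001")  # 0xda has bit 1 set: locally administered
AP_AIRPORT = bytes.fromhex("001a2b000001")
PROBE_REQ = 0x40   # type 0 (management), subtype 4
DATA = 0x08        # type 2 (data), subtype 0

SAMPLE_CAPTURES = [
    ("cafe", build_frame(PROBE_REQ, 0x00, BROADCAST, CLIENT, BROADCAST)),
    # encrypted data frame (To DS + Protected Frame): payload hidden, header still readable
    ("airport", build_frame(DATA, 0x41, AP_AIRPORT, CLIENT, bytes.fromhex("000c29aabbcc"), b"\x00" * 16)),
    ("airport", build_frame(PROBE_REQ, 0x00, BROADCAST, RANDOMIZED, BROADCAST)),
    ("airport", build_frame(DATA, 0x42, CLIENT, AP_AIRPORT, AP_AIRPORT)),  # AP -> client, skipped
]

if __name__ == "__main__":
    for mac, p in track_clients(SAMPLE_CAPTURES).items():
        print(mac, p)
```

Running the example shows the same client address seen at both “cafe” and “airport” although one of its frames was encrypted, while the randomized address is reported as locally administered and cannot be tied to other locations by this method alone.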
Spoofing a Valid Access Point (Rogue Access Point)
Attackers can impersonate part of the WLAN infrastructure by installing their own access point with a suitably chosen WLAN name (SSID) near a WLAN client. Such a spoofed access point is called a “rogue access point.” If it offers the WLAN client a stronger signal than the genuine access point, and client and access point do not authenticate each other mutually, the client will use it as its base station. Additionally, the genuine access point could be taken out of service by a denial-of-service attack. Users then connect to a network that only pretends to be the target network, which enables attackers to intercept the communication. Attackers can also use poisoning or spoofing techniques to assume a false identity or to redirect network traffic to their own IT systems, and in this way eavesdrop on and control the communication. Rogue access points are a particularly popular attack tool in public wireless networks (so-called hotspots).
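The following added example (not part of the original building block) shows one way to detect a rogue access point from scan results: every entry that advertises one of the institution's own SSIDs is compared against an inventory of authorized BSSIDs and the expected security type, and an unknown BSSID is additionally checked for whether it outperforms every trusted access point in signal strength, i.e., whether a client that merely picks the strongest signal would select it. The inventory, the SSID and all scan entries are constructed, hypothetical values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int
    security: str   # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"


# Constructed inventory of the institution's own access points (hypothetical values).
KNOWN_APS = {
    "corp-wlan": {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"},
}
EXPECTED_SECURITY = {"corp-wlan": "WPA2-EAP"}


def find_rogue_candidates(scan, known_aps=KNOWN_APS, expected_security=EXPECTED_SECURITY):
    """Return scan entries that impersonate one of our SSIDs, each with the reasons for suspicion."""
    findings = []
    for e in scan:
        if e.ssid not in known_aps:
            continue                            # foreign network, not impersonating us
        bssid = e.bssid.lower()
        known = bssid in known_aps[e.ssid]
        reasons = []
        if not known:
            reasons.append("BSSID not in inventory")
        if e.security != expected_security[e.ssid]:
            # an "open" twin of a secured SSID is the classic hotspot evil twin
            reasons.append(f"advertises {e.security}, expected {expected_security[e.ssid]}")
        if not known:
            trusted = [x.rssi_dbm for x in scan
                       if x.ssid == e.ssid
                       and x.bssid.lower() in known_aps[e.ssid]
                       and x.security == expected_security[e.ssid]]
            best = max(trusted, default=None)
            if best is None:
                reasons.append("no trusted AP for this SSID in range")
            elif e.rssi_dbm > best:
                reasons.append(f"stronger signal than any trusted AP in range ({e.rssi_dbm} dBm vs {best} dBm)")
        if reasons:
            findings.append({"bssid": bssid, "channel": e.channel, "reasons": reasons})
    return findings


# Constructed scan result: two authorized APs, one evil twin, one unrelated cafe network.
SAMPLE_SCAN = [
    ScanEntry("corp-wlan", "00:1A:2B:00:00:01", 6, -60, "WPA2-EAP"),
    ScanEntry("corp-wlan", "00:1a:2b:00:00:02", 11, -72, "WPA2-EAP"),
    ScanEntry("corp-wlan", "de:ad:be:ef:00:01", 6, -45, "OPEN"),
    ScanEntry("Cafe-Free", "c0:ff:ee:00:00:01", 1, -50, "OPEN"),
]

if __name__ == "__main__":
    for finding in find_rogue_candidates(SAMPLE_SCAN):
        print(finding["bssid"], "ch", finding["channel"], "->", "; ".join(finding["reasons"]))
```

Such a check only detects a rogue access point; it does not prevent a client from joining one. The preventive control on the client side is the mutual authentication mentioned above, i.e., a WLAN profile that requires 802.1X/EAP with server certificate validation so that the client refuses an access point that cannot prove its identity, regardless of signal strength.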
Requirements
The following are the specific requirements of building block NET.2.2 WLAN Use. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | Users |
| Additional responsibilities | IT Operations, Supervisors |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled with priority for this building block.
NET.2.2.A1 Creation of a Usage Policy for WLAN (B) [IT Operations]
Based on the institution’s general security policy, the essential core aspects for secure WLAN use MUST be specified in concrete terms in a WLAN usage policy. Such a usage policy MUST describe the special features of WLAN use, e.g., whether, how, and with which devices hotspots may be used.
The policy MUST contain information about which data may and may not be used and transmitted in the WLAN.
It MUST describe how to handle client-side security solutions. The usage policy MUST contain a clear prohibition of connecting unauthorized access points to the institution’s network. Furthermore, the policy MUST point out that the WLAN interface must be deactivated when it is not used for an extended period.
It MUST be regularly checked whether the contents required by the policy are correctly implemented. If this is not the case, appropriate action MUST be taken. The results SHOULD be documented in a meaningful manner.
NET.2.2.A2 Sensitization and Training of WLAN Users (B) [Supervisors, IT Operations]
Users of WLAN components, primarily WLAN clients, MUST be sensitized and trained in the measures listed in the usage policy. For this purpose, appropriate training content MUST be identified and defined. Users MUST be given a precise explanation of what the WLAN-specific security settings mean and why they are important. In addition, users MUST be warned about the dangers that arise if these security settings are bypassed or deactivated.
Training content MUST always be adapted to the respective deployment scenarios. In addition to pure training on WLAN security mechanisms, users MUST also be presented with the WLAN security policy of their institution and the measures it contains. Users MUST also be sensitized to the possible risks posed by foreign WLANs.
NET.2.2.A3 Securing WLAN Use at Hotspots (B) [IT Operations]
If hotspots may be used, the following MUST be implemented:
- Every user of a hotspot MUST know their own security requirements and use them to decide whether and under what conditions they are permitted to use the hotspot.
- If hotspots are used, it SHOULD be ensured that the connection between the hotspot access point and the IT systems of the users is cryptographically secured according to the state of the art.
- WLANs that are only used sporadically SHOULD be deleted from the history by users.
- Automatic login to WLANs SHOULD be deactivated.
- If possible, separate accounts with a secure basic configuration and restrictive permissions SHOULD be used.
- It SHOULD be ensured that no users with administrative permissions can log in to external WLANs from their clients.
- Sensitive data MUST ONLY be transmitted when all necessary security measures on the clients, especially appropriate encryption, are activated.
- If the WLAN interface is not used for an extended period, it MUST be deactivated.
- Via publicly accessible WLANs, users MUST ONLY access internal resources of the institution through a Virtual Private Network (VPN).
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.
NET.2.2.A4 Rules of Conduct for WLAN Security Incidents (S)
In the event of WLAN security incidents, users SHOULD implement the following:
- They SHOULD save their work results.
- They SHOULD end WLAN access and deactivate the WLAN interface of their client.
- Error messages and deviations SHOULD be carefully documented by them. They SHOULD also document what they were doing before or during the security incident.
- They SHOULD notify IT Operations via an appropriate escalation level (e.g., user help desk).
Requirements for High Protection Needs
No requirements for high protection needs are defined for this building block.
Additional Information
Good to Know
The BSI has published the following further document on the topic of WLAN:
- BSI Internet Security Standard (ISi series): Secure connection of local networks to the Internet (ISi-LANA)
The National Institute of Standards and Technology (NIST) has published the following further documents on the topic of WLAN:
- NIST Special Publication 800-153 “Guidelines for Securing Wireless Local Area Networks (WLANs)”
- NIST Special Publication 800-97 “Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i”