Choosing wireless access points
Wireless access points that have been certified against a Wi-Fi Alliance certification program provide an organisation with the assurance that they conform to wireless standards. Deploying wireless access points that are certified to interoperate with other wireless access points helps prevent interoperability problems on a wireless network.
Security Control: 1314; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
All wireless access points are Wi-Fi Alliance certified.
Wireless networks for public access
When an organisation provides a wireless network for the general public, connecting such a wireless network to, or sharing infrastructure with, any other network creates an additional entry point for an adversary to target connected networks to steal information or disrupt services.
Security Control: 0536; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
Wireless networks provided for the general public to access are segregated from all other networks.
Administrative interfaces for wireless access points
Administrative interfaces allow users to modify the configuration and security settings of wireless access points. Often wireless access points, by default, allow users to access the administrative interface over methods such as fixed network connections, wireless network connections and serial connections. Disabling the administrative interface for wireless network connections on wireless access points will assist in preventing unauthorised connections.
Security Control: 1315; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
The administrative interface on wireless access points is disabled for wireless network connections.
Default Service Set Identifiers
Some wireless access points come with a default Service Set Identifier (SSID) which is used to identify a wireless network. As the default SSIDs of wireless access points are often documented in internet forums, along with default accounts and passphrases, it is important to change the default SSID of wireless access points.
When changing the default SSID, it is important that the new SSID does not bring undue attention to an organisation’s wireless network. In doing so, the SSID of a wireless network should not be readily associated with an organisation, the location of their premises or the functionality of the wireless network.
A method commonly recommended to lower the profile of a wireless network is disabling SSID broadcasting. While this ensures that the existence of the wireless networks is not broadcast overtly using beacon frames, the SSID is still broadcast in probe requests, probe responses, association requests and re-association requests. As such, it is easy to determine the SSID of the wireless network by capturing these requests and responses. By disabling SSID broadcasting, organisations will make it more difficult for users to connect to a wireless network. Furthermore, an adversary could configure a malicious wireless access point to broadcast the same SSID as the hidden SSID used by a legitimate wireless network, thereby fooling users or devices into automatically connecting to the adversary’s malicious wireless access point instead. In doing so, the adversary could steal authentication credentials in order to gain access to the legitimate wireless network. For these reasons, it is recommended organisations enable SSID broadcasting.
Security Control: 1316; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
The default SSID of wireless access points is changed.
Security Control: 1317; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network.
Security Control: 1318; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
SSID broadcasting is enabled on wireless networks.
Static addressing
Assigning static IP addresses to devices accessing wireless networks can prevent a rogue device that connects to a wireless network from being assigned a routable IP address. However, some adversaries will be able to determine the IP addresses of legitimate users and use this information to guess or spoof valid IP address ranges for wireless networks. Configuring devices to use static IP addresses therefore introduces a management overhead without any tangible security benefit.
Security Control: 1319; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Static addressing is not used for assigning IP addresses on wireless networks.
Media Access Control address filtering
Devices that connect to wireless networks generally have a unique Media Access Control (MAC) address. As such, it is possible to use MAC address filtering on wireless access points to restrict which devices can connect to a wireless network. While this approach will introduce a management overhead, it can prevent rogue devices from connecting to a wireless network. However, some adversaries will be able to determine valid MAC addresses of legitimate users already on a wireless network. Adversaries can then use this information to spoof valid MAC addresses and gain access to the wireless network. MAC address filtering introduces a management overhead without any tangible security benefit.
Security Control: 1320; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
MAC address filtering is not used to restrict which devices can connect to wireless networks.
Wireless network authentication
When an organisation chooses to deploy a wireless network, it can choose from a number of Extensible Authentication Protocol (EAP) methods that are supported by the Wi-Fi Protected Access 2 (WPA2) protocol. These EAP methods include WPA2-Enterprise with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), WPA2-Enterprise with Extensible Authentication Protocol-Tunnelled Transport Layer Security (EAP-TTLS) or WPA2-Enterprise with Protected Extensible Authentication Protocol (PEAP).
WPA2-Enterprise with EAP-TLS is considered one of the most secure EAP methods. Furthermore, due to its inclusion in the initial release of the WPA2 standard, it enjoys wide support in wireless access points and operating systems. EAP-TLS uses a public key infrastructure (PKI) to secure communications between devices and a Remote Authentication Dial-In User Service (RADIUS) server through the use of X.509 certificates. While EAP-TLS provides strong mutual authentication, it requires an organisation to have established a PKI. This involves deploying its own certificate authority and issuing certificates, or purchasing certificates from a commercial certificate authority, for every device that accesses the wireless network. While this introduces additional costs and management overheads, the security advantages are significant.
Security Control: 1321; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks.
Evaluation of 802.1X authentication implementation
The security of 802.1X authentication is dependent on three main elements and how they interact with each other. These three elements are supplicants (clients) that support the 802.1X authentication protocol; authenticators (wireless access points) that facilitate communication between supplicants and the authentication server; and the RADIUS server that is used for authentication, authorisation and accounting purposes. To provide assurance that these elements have been implemented correctly, supplicants, authenticators and the authentication server should have completed an evaluation.
Security Control: 1322; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS
Evaluated supplicants, authenticators and authentication servers are used in wireless networks.
Generating and issuing certificates for authentication
When issuing a certificate to a device in order to access a wireless network, organisations should be aware that it could be stolen by malicious code. Once compromised, the certificate could be used on other devices to gain unauthorised access to the wireless network it was issued for. Organisations should also be aware that in only issuing a certificate to a device, any actions taken by a user will only be attributable to a device and not a specific user.
When issuing a certificate to a user in order to access a wireless network, it can be in the form of a certificate that is stored on a device or a certificate that is stored within a smart card. Issuing certificates on smart cards provides increased security, but at a higher cost. Specifically, a user is more likely to notice a missing smart card and alert their security team, who are then able to revoke the credentials on the RADIUS server, which can minimise the time an adversary has access to the wireless network. In addition, to reduce the likelihood of a stolen smart card being used to gain unauthorised access to a wireless network, multi-factor authentication can be implemented through the use of personal identification numbers (PINs) on smart cards. This is particularly important when a smart card grants a user any form of administrative access.
Security Control: 1324; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS
Certificates are generated using an evaluated certificate authority solution or hardware security module.
Security Control: 1323; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Both device and user certificates are required for accessing wireless networks.
Security Control: 1325; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Both device and user certificates for accessing wireless networks are not stored on the same device.
Security Control: 1326; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
User certificates for accessing wireless networks are issued on smart cards with access PINs.
Security Control: 1327; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
User or device certificates stored on devices accessing wireless networks are protected by encryption.
Caching 802.1X authentication outcomes
When 802.1X authentication is used, a shared secret key known as the Pairwise Master Key (PMK) is generated. Upon successful authentication of a device, the PMK is capable of being cached to assist with fast roaming between wireless access points. When a device roams away from a wireless access point that it has authenticated to, it will not need to perform a full re-authentication should it roam back while the cached PMK remains valid. To further assist with roaming, wireless access points can be configured to pre-authenticate a device to other neighbouring wireless access points that the device might roam to. Although requiring full authentication for a device each time it roams between wireless access points is ideal, organisations can choose to use PMK caching and pre-authentication if they have a business requirement for fast roaming. If PMK caching is used, the PMK caching period should not be set to greater than 1440 minutes (24 hours).
Security Control: 1330; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
The PMK caching period is not set to greater than 1440 minutes (24 hours).
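The following is an added example, not part of the ISM: it derives the PMKID that names a cached PMK and wraps it in a small PMKSA cache that refuses a caching period longer than 1440 minutes and forces full re-authentication once an entry expires. The PMKID formula is the one IEEE 802.11 defines for WPA2 (HMAC-SHA1-128 over "PMK Name", the access point's MAC address and the station's MAC address); the class, its method names and the sample PMK and MAC addresses are this example's own constructions.

```python
"""PMKID derivation and a PMKSA cache that enforces the 1440-minute cap.

Added example, not part of the ISM. PMKID = HMAC-SHA1-128(PMK, "PMK Name" ||
AA || SPA) as defined by IEEE 802.11 for WPA2, where AA is the authenticator
(AP) MAC address and SPA the supplicant (station) MAC address. The cache
class and all sample values below are constructed for the example.
"""
import hashlib
import hmac

MAX_PMK_CACHE_MINUTES = 1440   # ISM control 1330: no more than 24 hours


def derive_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """Return the 16-byte PMKID identifying a cached PMK for this AP/station pair."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PmkCache:
    """Per-AP PMKSA cache keyed by PMKID with a bounded lifetime (hypothetical class)."""

    def __init__(self, lifetime_minutes: int):
        if not 0 < lifetime_minutes <= MAX_PMK_CACHE_MINUTES:
            raise ValueError(
                f"PMK caching period must be 1..{MAX_PMK_CACHE_MINUTES} minutes")
        self.lifetime_s = lifetime_minutes * 60
        self._entries = {}   # pmkid -> (pmk, expiry time in seconds)

    def add(self, pmk: bytes, aa: bytes, spa: bytes, now: float) -> bytes:
        """Cache a PMK after a full 802.1X authentication completed at time `now`."""
        pmkid = derive_pmkid(pmk, aa, spa)
        self._entries[pmkid] = (pmk, now + self.lifetime_s)
        return pmkid

    def lookup(self, pmkid: bytes, now: float):
        """Return the PMK if the station's offered PMKID is cached and unexpired."""
        entry = self._entries.get(pmkid)
        if entry is None:
            return None
        pmk, expiry = entry
        if now >= expiry:
            del self._entries[pmkid]   # stale entry: force a full re-authentication
            return None
        return pmk


# Constructed sample values (not a real key or real hardware addresses).
SAMPLE_PMK = bytes(range(32))
AP_MAC = bytes.fromhex("021122334455")
STA_MAC = bytes.fromhex("02aabbccddee")


def roaming_scenario():
    """Station authenticates at t=0, then roams back just inside and just past the cap."""
    cache = PmkCache(MAX_PMK_CACHE_MINUTES)
    pmkid = cache.add(SAMPLE_PMK, AP_MAC, STA_MAC, now=0)
    return {
        "hit_before_expiry": cache.lookup(pmkid, now=1439 * 60) is not None,
        "miss_after_expiry": cache.lookup(pmkid, now=1441 * 60) is None,
    }


if __name__ == "__main__":
    print(roaming_scenario())   # {'hit_before_expiry': True, 'miss_after_expiry': True}
```

The cap is enforced in the constructor rather than at lookup time so that a misconfigured lifetime is rejected when the access point is configured, not discovered later from an unexpectedly long-lived association.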
Remote Authentication Dial-In User Service authentication
Separate to the 802.1X authentication process is the RADIUS authentication process that occurs between wireless access points and a RADIUS server. To protect credentials communicated between wireless access points and a RADIUS server, communications should be encapsulated with an additional layer of encryption.
Security Control: 1454; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption.
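The following is an added example, not part of the ISM, illustrating why the extra layer of encryption is recommended. It implements the User-Password hiding algorithm of RFC 2865 section 5.2, which is the only confidentiality mechanism RADIUS provides on its own: the password is XORed with an MD5 keystream derived from the shared secret and the packet's 16-byte Request Authenticator, which itself travels in the clear, and no other attribute is hidden at all. RFC 2548 protects the MS-MPPE key attributes that deliver session keys to the access point with a scheme of the same design. The shared secret, password and authenticators below are constructed values.

```python
"""RFC 2865 User-Password hiding, showing what RADIUS protects on its own.

Added example, not part of the ISM. Algorithm from RFC 2865 section 5.2:
the padded password is XORed 16 bytes at a time with MD5(secret + previous
block), seeded by the packet's Request Authenticator. All sample values are
constructed.
"""
import hashlib
import os


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value as the client puts it on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte boundary
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()    # b(i) = MD5(S + c(i-1))
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk                                       # chain on the ciphertext block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    password, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        password += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(password).rstrip(b"\x00")


# Constructed values only; a real shared secret comes from a CSPRNG and is never reused.
SHARED_SECRET = b"example-shared-secret-not-real"
PASSWORD = b"correct horse battery staple"   # 28 bytes, so two 16-byte blocks


def wire_view():
    """Round-trip the password and show what the wire form depends on."""
    ra1, ra2 = os.urandom(16), os.urandom(16)    # Request Authenticators, sent in clear
    on_wire1 = hide_password(PASSWORD, SHARED_SECRET, ra1)
    on_wire2 = hide_password(PASSWORD, SHARED_SECRET, ra2)
    return {
        "round_trip_ok": unhide_password(on_wire1, SHARED_SECRET, ra1) == PASSWORD,
        "differs_per_request": on_wire1 != on_wire2,
        "wrong_secret_fails": unhide_password(on_wire1, b"other-secret", ra1) != PASSWORD,
        "hidden_len": len(on_wire1),
    }


if __name__ == "__main__":
    print(wire_view())
```

Because everything except the shared secret is visible on the wire, the strength of this hiding reduces to the strength and secrecy of that one static secret, which is why the control calls for the whole access point to RADIUS server exchange to be wrapped in a further layer of encryption (for example IPsec, or RADIUS over TLS) rather than relying on RADIUS alone.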
Encryption of wireless network traffic
As wireless networks are often capable of being accessed from outside the perimeter of secured spaces, all wireless network traffic should be encrypted. Depending on the sensitivity or classification of information being communicated, this may involve using an Australian Signals Directorate (ASD) Approved Cryptographic Protocol, an evaluated product or High Assurance Cryptographic Equipment.
Security Control: 1332; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS
ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic.
Interference between wireless networks
Where multiple wireless networks are deployed in close proximity, there is the potential for interference to impact the availability of a wireless network, especially when operating on commonly used 802.11b/g (2.4 GHz) default channels of 1 and 11. Sufficiently separating wireless networks through the use of frequency separation can help reduce this security risk. This can be achieved by using wireless networks that are configured to operate on channels that minimise overlapping frequencies or by using both 802.11b/g (2.4 GHz) channels and 802.11n (5 GHz) channels. It is important to note though, if implementing a mix of 2.4 GHz and 5 GHz channels, not all devices may be compatible with 802.11n and able to connect to 5 GHz channels.
Security Control: 1334; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Wireless networks implement sufficient frequency separation from other wireless networks.
Protecting management frames on wireless networks
An effective denial of service can be performed by exploiting unprotected management frames using inexpensive commercial hardware. The 802.11 standard provides no protection for management frames and therefore does not prevent spoofing or denial of service activities. However, the 802.11w amendment specifically addresses the protection of management frames on wireless networks and should be enabled.
Security Control: 1335; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Wireless access points enable the use of the 802.11w amendment to protect management frames.
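The following is an added example, not part of the ISM, serving both the SSID broadcasting discussion under Default Service Set Identifiers and the management frame protection discussion above. It walks the tagged parameters of constructed 802.11 management frame bodies to show two things the text states: an access point with SSID broadcasting disabled sends an empty or NUL-filled SSID element in beacons, yet the SSID appears unchanged in probe responses and association requests; and the RSN element's capabilities field carries the MFPC (bit 7) and MFPR (bit 6) flags that tell a client whether 802.11w management frame protection is offered or required, which is the field an audit script would check for control 1335. Element IDs, field layouts and bit positions are as IEEE 802.11 defines them; every frame, SSID and cipher suite value here is constructed for the example, and the function names are this example's own.

```python
"""Decode SSID and 802.11w flags from constructed 802.11 management frame bodies.

Added example, not part of the ISM. Frame bodies, the SSID "corp-wlan" and
the RSN contents are constructed test data; element IDs, fixed-field lengths
and RSN Capabilities bit positions follow IEEE 802.11.
"""
import struct

ELEMENT_SSID, ELEMENT_RSN = 0, 48
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7          # RSN Capabilities: MFP Required / Capable
# Fixed-length fields that precede the tagged parameters in each subtype.
FIXED_LEN = {"beacon": 12, "probe_response": 12,        # timestamp, interval, capability
             "probe_request": 0,                        # elements only
             "association_request": 4}                  # capability, listen interval


def parse_elements(ie_bytes):
    """Return [(element_id, value)] from a tagged-parameter list; stop on truncation."""
    elements, pos = [], 0
    while pos + 2 <= len(ie_bytes):
        eid, elen = ie_bytes[pos], ie_bytes[pos + 1]
        value = ie_bytes[pos + 2:pos + 2 + elen]
        if len(value) < elen:          # truncated element: do not guess
            break
        elements.append((eid, value))
        pos += 2 + elen
    return elements


def extract_ssid(subtype, body):
    """SSID string, or None when the element is absent or hidden (empty or all NUL)."""
    for eid, value in parse_elements(body[FIXED_LEN[subtype]:]):
        if eid == ELEMENT_SSID:
            if not value or not any(value):
                return None
            return value.decode("utf-8", errors="replace")
    return None


def rsn_capabilities(rsn):
    """RSN Capabilities field; trailing RSN fields are optional, so absent means 0."""
    pos = 2 + 4                                   # version, group data cipher suite
    for _ in ("pairwise suites", "AKM suites"):   # count (2) + 4 bytes per suite
        if len(rsn) < pos + 2:
            return 0
        count = int.from_bytes(rsn[pos:pos + 2], "little")
        pos += 2 + 4 * count
    return int.from_bytes(rsn[pos:pos + 2], "little") if len(rsn) >= pos + 2 else 0


def mfp_status(body, subtype="beacon"):
    """Classify an AP's 802.11w posture from a beacon or probe response body."""
    rsn = dict(parse_elements(body[FIXED_LEN[subtype]:])).get(ELEMENT_RSN)
    if rsn is None:
        return "no RSN element: no 802.11w"
    caps = rsn_capabilities(rsn)
    if caps & MFPR_BIT:
        return "802.11w required"
    if caps & MFPC_BIT:
        return "802.11w capable, optional"
    return "802.11w disabled"


def build_body(subtype, ssid, rsn_caps=None):
    """Construct a minimal frame body of the given subtype (sample data only)."""
    if subtype in ("beacon", "probe_response"):
        body = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
    elif subtype == "association_request":
        body = struct.pack("<HH", 0x0411, 10)         # capability, listen interval
    else:
        body = b""
    body += bytes([ELEMENT_SSID, len(ssid)]) + ssid
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])     # supported rates element
    if rsn_caps is not None:                          # RSN: CCMP group/pairwise, 802.1X AKM
        ccmp, dot1x = bytes.fromhex("000fac04"), bytes.fromhex("000fac01")
        rsn = (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
               + struct.pack("<H", 1) + dot1x + struct.pack("<H", rsn_caps))
        body += bytes([ELEMENT_RSN, len(rsn)]) + rsn
    return body


SSID = b"corp-wlan"   # constructed


def hidden_ssid_report():
    """What each frame type reveals for an AP with SSID broadcasting disabled."""
    return {
        "beacon_empty": extract_ssid("beacon", build_body("beacon", b"")),
        "beacon_nulled": extract_ssid("beacon", build_body("beacon", b"\x00" * len(SSID))),
        "probe_response": extract_ssid("probe_response", build_body("probe_response", SSID)),
        "association_request": extract_ssid("association_request",
                                            build_body("association_request", SSID)),
    }


def mfp_report():
    """802.11w posture of sample APs (a compliant AP sets MFPC whenever MFPR is set)."""
    return {
        "no_rsn": mfp_status(build_body("beacon", SSID)),
        "disabled": mfp_status(build_body("beacon", SSID, rsn_caps=0)),
        "capable": mfp_status(build_body("beacon", SSID, rsn_caps=MFPC_BIT)),
        "required": mfp_status(build_body("beacon", SSID, rsn_caps=MFPC_BIT | MFPR_BIT)),
    }


if __name__ == "__main__":
    print(hidden_ssid_report())
    print(mfp_report())
```

Only the "required" posture stops a station from accepting unprotected deauthentication or disassociation frames; "capable, optional" leaves the negotiation to each client, so an audit of control 1335 should look for MFPR, not merely MFPC.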
Wireless network footprint
Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power can be deployed to achieve the desired footprint. This has the benefit of providing service continuity should a wireless access point become unserviceable. In such a case, the output power of nearby wireless access points can be increased to cover the footprint gap until the unserviceable wireless access point can be replaced.
In addition to minimising the output power of wireless access points to reduce the footprint of a wireless network, Radio Frequency (RF) shielding can be applied to an organisation’s premises. While expensive, this will limit wireless communications to areas under the control of an organisation. RF shielding on an organisation’s premises has the added benefit of preventing the jamming of wireless networks from outside of the premises in which wireless networks are operating.
Security Control: 1338; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint.
Security Control: 1013; Revision: 5; Updated: Sep-18; Applicability: S, TS
The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used.
Further information on implementing segregation using VLANs can be found in the network design and configuration section of these guidelines.
Further information on selecting evaluated products can be found in the evaluated product acquisition section of the Guidelines for Evaluated Products.
Further information on encryption for wireless networks can be found in the Guidelines for Cryptography.
Information on Wi-Fi Alliance certification programs can be obtained from https://www.wi-fi.org/certification/programs.
Further information on EAP-TLS can be found in Internet Engineering Task Force Request for Comments 5216, The EAP-TLS Authentication Protocol, at https://tools.ietf.org/html/rfc5216.