Saturday, May 2, 2009

Defense in Depth – Example of Wireless Network

According to Wikipedia, defense in depth means that “multiple layers of defense are placed throughout an Information Technology (IT) system”. In short, multiple protection strategies are used together to protect an information asset or an infrastructure component.
Have you ever thought about the security features of your wireless router? Usually a wireless router supports at least the following:

  • Encryption between router and endpoint device (WEP, WPA or WPA2)
  • MAC address filtering (a kind of ACL)

Did you implement all of them, or only some of them? This article aims to explain why a mix of these security features is needed to form a defense in depth protection strategy.

Most wireless networks nowadays implement only encryption between the router and the endpoint device, and some even use weak encryption (WEP). The author does not aim to explain why WEP should not be used, because there are many good articles for that purpose; one of them is the Wikipedia article. Even when a wireless network implements strong encryption like WPA2, it should not rely solely on encryption. An additional ACL should also be implemented.

For example, a company would like to limit wireless network usage to its own laptops only and secure the transport layer. The company implemented WPA2 in the wireless network of one of its local offices without an additional ACL. The IT manager distributes laptop computers to the staff members, preconfigured with the WPA2 pre-shared key. With tools like WirelessKeyView, it is too easy to view or clone the pre-shared key. After copying the key to another device (such as a Wi-Fi enabled phone), that additional device is now also allowed to access the wireless network.

This simple scenario demonstrates the need for defense in depth. Applying encryption alone can prevent data leakage; however, it is not a protection scheme for access control. So encryption alone cannot meet the original security requirement of limiting wireless network usage to the company's own laptops. In this situation, adding an ACL (in the form of MAC filtering) helps achieve the access control requirement.
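The two layers of the scenario, modelled as an added example (not code from the original post): a join attempt must pass the encryption layer (correct pre-shared key) and then the ACL layer (MAC in the company allow-list). The MAC addresses, key and join attempts are constructed sample values; the second function shows a detection angle the scenario suggests, namely that a correct key arriving from an unlisted MAC is a sign the key has been copied and should be rotated.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed allow-list of company laptops (the ACL layer); MAC values are made up.
COMPANY_LAPTOPS = {
    "00:11:22:33:44:01": "laptop-finance-01",
    "00:11:22:33:44:02": "laptop-sales-02",
}

# Constructed WPA2 pre-shared key; in the scenario this is what gets copied off a laptop.
WPA2_PSK = "example-office-psk"


@dataclass
class JoinAttempt:
    mac: str   # client MAC address as seen by the router
    psk: str   # pre-shared key the client presented


def evaluate_join(attempt: JoinAttempt, acl_enabled: bool) -> tuple[bool, str]:
    """Apply the encryption layer, then (if enabled) the MAC ACL layer.
    Returns (allowed, reason). Either layer can deny on its own."""
    mac = attempt.mac.lower()
    if attempt.psk != WPA2_PSK:
        return False, "denied: wrong pre-shared key"
    if not acl_enabled:
        # Encryption alone: anyone holding the key gets in (the scenario's gap).
        return True, "allowed: key accepted, no ACL in place"
    if mac not in COMPANY_LAPTOPS:
        return False, "denied: key accepted but MAC not in company allow-list"
    return True, f"allowed: key accepted, MAC belongs to {COMPANY_LAPTOPS[mac]}"


def leaked_key_indicators(attempts: list[JoinAttempt]) -> list[str]:
    """MACs that presented the correct key but are not company laptops.
    For a defender this is the signal that the pre-shared key has leaked."""
    return sorted({a.mac.lower() for a in attempts
                   if a.psk == WPA2_PSK and a.mac.lower() not in COMPANY_LAPTOPS})


# Constructed join attempts: a company laptop, the phone with the cloned key,
# and a device that does not know the key at all.
SAMPLE_ATTEMPTS = [
    JoinAttempt("00:11:22:33:44:01", WPA2_PSK),
    JoinAttempt("AA:BB:CC:DD:EE:FF", WPA2_PSK),
    JoinAttempt("de:ad:be:ef:00:01", "guessed-key"),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(a.mac, "| encryption only:", evaluate_join(a, acl_enabled=False)[1])
        print(a.mac, "| encryption + ACL:", evaluate_join(a, acl_enabled=True)[1])
    print("MACs presenting the correct key but not on the allow-list:",
          leaked_key_indicators(SAMPLE_ATTEMPTS))
```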

So, the first step in security is to define the objectives. Next, select applicable controls and implement them to achieve those goals. Finally, review whether the controls really meet the defined control objectives.