Prevent viruses on enterprise WLANs: security gateways provide protection from within the network perimeter
Communications News, Feb, 2004 by Doug Klein
Before wireless LANs (WLANs) became popular, the only way viruses and worms could reach an organization's computers was through portable media, such as floppy disks, or through the network perimeter, which was secured by an increasingly complex battery of defenses, including firewalls, e-mail filters and antivirus engines. The use of floppies and other portable media is declining. E-mail attachments have become the preferred channel for transferring files. As a result, on a wired network, just about all potentially malicious data enters an enterprise through the network perimeter, where it will likely be detected and blocked.
WLANs undermine perimeter defenses. Wireless users are mobile. They take their computers to other networks. Some of these networks are secure and well managed; others are not. Computers on these networks may become infected without their users knowing it.
When these users reconnect to the enterprise network, inside the perimeter, they bring their viruses and worms with them. Once loose on the network, viruses and worms can launch attacks against internal IT systems and the network itself, bypassing the network's perimeter defenses.
Viruses and worms typically use TCP/IP traffic to replicate themselves on a network and to unleash their attacks. Many send flurries of Internet Control Message Protocol (ICMP) messages to locate other local devices that may be vulnerable to attack. Standard WLAN infrastructures (access points, network cards, RADIUS servers) have no means of identifying and stopping this traffic; wireless traffic, malicious or not, from authenticated users is simply passed through to the wired network.
THE NEED FOR INTERNAL SECURITY
To thwart viruses and worms, security controls need to be instituted at the wireless edge, so malicious TCP/IP traffic can be stopped before it spreads to other devices. Complementing the external security perimeter that protects wired networks, enterprises need to create an internal security perimeter to secure their WLANs.
One solution is to deploy WLAN security gateways, which are network appliances designed to secure, manage and power WLANs. Operating at the wireless edge, between access points and other devices upstream, WLAN security gateways protect networks from security attacks launched from wireless devices.
These gateways should meet three key requirements:
1. Precise packet-filtering controls for blocking or redirecting traffic. The gateway should include precise packet-filtering controls that can distinguish malicious traffic from legitimate traffic, and take action to block or redirect malicious traffic. A network administrator should be able to read a security bulletin describing the characteristics of a virus or worm and then precisely define a filter that targets the traffic of that virus or worm. The filter should block malicious traffic without interfering with legitimate traffic. By detecting and blocking the traffic that viruses and worms depend on, the filtering capabilities of a WLAN security gateway contain airborne attacks.
2. Filtering at the wireless edge to manage traffic among devices. To contain an attack, packet filtering must occur at the wireless edge, as close as possible to the access point. For optimal protection of the network, WLAN security gateways should be installed between the access point and the next upstream network device.
3. Session logging and audit tools for identifying infected computers and accelerating repairs. WLAN security gateways should provide logging and audit tools to help administrators remediate an attack, once it is contained. By maintaining full session logs of network traffic and tracking Layer 3 traffic data, WLAN security gateways facilitate the identification of users with infected computers and the MAC addresses of the computers themselves. Using this information, administrators can contact users directly and begin cleaning up any infected computers.
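The audit step in requirement 3 can be sketched as a pass over gateway session logs that flags stations sending ICMP to many distinct hosts in a short time, the discovery flurry described earlier. This is an added example, not code from the article or from any gateway product; the log format, the 10-second window and the threshold of 5 distinct destinations are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session log (the format is an assumption for this example).
# Fields: timestamp, user, source MAC, source IP, protocol, destination IP
SAMPLE_LOG = "\n".join(
    [f"2004-02-02T09:00:0{i} bob 02:00:00:00:00:0B 10.1.5.21 icmp 10.1.5.{100 + i}" for i in range(8)]
    + [f"2004-02-02T09:0{i}:00 carol 02:00:00:00:00:0c 10.1.5.22 icmp 10.1.5.{50 + i}" for i in range(8)]
    + ["2004-02-02T09:00:02 alice 02:00:00:00:00:0a 10.1.5.20 icmp 10.1.5.1",
       "2004-02-02T09:00:03 alice 02:00:00:00:00:0a 10.1.5.20 tcp 10.1.9.80",
       "truncated line"]
)

WINDOW = timedelta(seconds=10)  # assumed sliding window
MAX_TARGETS = 5                 # assumed limit of distinct ICMP destinations per window

def parse(log_text):
    """Yield (time, user, mac, proto, dst) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, mac, _src, proto, dst = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        yield when, user, mac.lower(), proto.lower(), dst

def find_sweepers(log_text, window=WINDOW, max_targets=MAX_TARGETS):
    """Return {mac: user} for stations whose ICMP traffic reached more than
    max_targets distinct destinations within one sliding window."""
    recent = defaultdict(list)  # mac -> [(time, dst)] still inside the window
    flagged = {}
    for when, user, mac, proto, dst in sorted(parse(log_text)):
        if proto != "icmp":
            continue
        # Keep only this station's events that are still inside the window
        events = [(t, d) for t, d in recent[mac] if when - t <= window]
        events.append((when, dst))
        recent[mac] = events
        if len({d for _, d in events}) > max_targets:
            flagged[mac] = user
    return flagged

if __name__ == "__main__":
    for mac, user in find_sweepers(SAMPLE_LOG).items():
        print(f"possible infected station: user={user} mac={mac}")
```

In the sample, bob's station is flagged, while carol's pings to the same number of hosts spread over several minutes stay below the threshold.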
CENTRALIZED POLICY MANAGEMENT
A tiered solution that combines WLAN security gateways at the wireless edge with a centrally located policy server provides additional advantages for network administrators combating viruses and worms. By providing centralized control over filters, the central policy server allows administrators to define a policy that immediately takes effect across the network. The policy server automatically distributes filters to all the WLAN security gateways, providing immediate protection at every access point on the network. This centralization also reduces manual labor and the risk of error.
The central policy server can manage user accounts and user groups for wireless users. Administrators can use the server's group-management features to define a special user group for users with infected computers. The group characteristics would include redirecting users to a Web page with information about how to install security patches and clean up infections.
By temporarily assigning users with infected computers to this group, administrators can ensure that users with infected computers receive the information they need the next time they log in. Once administrators have verified that the infected computers have been cleaned, they can remove users from this group and restore their normal access rights.




