Features of protection of wireless and wired networks. Part 2 - Indirect measures of protection


We continue the conversation about methods to improve network security. In this article, we will talk about additional security measures and the organization of more secure wireless networks.

Preface to the second part

The previous article, "Peculiarities of protection of wireless and wired networks. Part 1 - Direct measures of protection", discussed the security issues of WiFi networks and direct methods of protection against unauthorized access. It covered the obvious measures against traffic interception: encryption, network hiding and MAC filtering, as well as special methods such as countering rogue APs. However, in addition to direct methods of protection, there are also indirect ones: technologies that primarily improve the quality of communication but, as a side effect, also improve security.

Wireless networks have two defining features: remote, contactless access, and radio as a broadcast transmission medium, where any receiver can listen to the air and any transmitter can clog the network with useless frames or plain radio interference. Neither of these, to put it mildly, helps the overall security of a wireless network.

Security is not the only concern: the network also has to do its job, which is to carry data. From that side, there are further complaints about WiFi:

  • gaps in coverage (“white spots”);
  • the influence of external sources and neighboring access points on each other.

As a result, due to the problems described above, the signal quality decreases, the connection loses stability, and the data exchange rate drops.

Of course, fans of wired networks will be happy to note that when using cable and, especially, fiber optic connections, there are no such problems.

The question arises: is it possible to solve these issues without resorting to drastic measures, such as moving everyone who is dissatisfied back to a wired network?

Where does all the trouble start?

When office and other WiFi networks were first being built, a simple algorithm was usually followed: a single access point was placed in the center of the premises to maximize coverage. If the signal was not strong enough in remote areas, a higher-gain antenna was attached to the access point. Very rarely, a second access point was added, for example for a distant director's office. That was about the extent of the improvements.

This approach had its reasons. First, in the early days of wireless networks, the equipment was expensive. Second, installing more access points raised questions that had no good answers at the time. For example, how to organize seamless client switching between points? How to deal with mutual interference? How to simplify and centralize the management of points, for example applying deny/allow rules to all of them at once, monitoring, and so on? It was therefore much easier to follow the principle: the fewer devices, the better.

At the same time, an access point mounted under the ceiling radiated in a circular (more precisely, rounded) pattern.

However, the shapes of architectural structures do not fit well into rounded signal propagation patterns. Therefore, somewhere the signal almost does not reach, and it needs to be amplified, but somewhere the broadcast goes beyond the perimeter and becomes available to outsiders.


Figure 1. An example of coverage using a single point in the office.

Note. This is a rough approximation, which does not take into account the obstacles to propagation, as well as the directivity of the signal. In practice, the shapes of diagrams for different point models may differ.

The situation can be improved if more access points are used.

Firstly, it allows the transmitters to be distributed more efficiently over the area of the room.

Secondly, it becomes possible to reduce the signal level so that it does not go beyond the perimeter of the office or other premises. In that case, to read the wireless traffic you have to get very close to the perimeter or even enter it. This is roughly the same effort an attacker needs in order to tap into an internal wired network.


Figure 2. Increasing the number of access points allows better distribution of coverage.

Let's look at both pictures again. The first clearly shows one of the main vulnerabilities of the wireless network - the signal can be caught at a decent distance.

In the second picture, the situation is not so bad. The more access points there are, the more effective the coverage, and at the same time the signal power hardly goes beyond the perimeter, roughly speaking beyond the office, the building, or whatever the protected object is.

An intruder will have to sneak up closer, unnoticed, in order to intercept a relatively weak signal "from the street", "from the corridor" and so on. To do this, they need to get close to the office building, for example to stand under the windows, or try to get into the building itself. Either way, this increases the risk of "lighting up" on video surveillance or being noticed by security staff, and significantly shortens the window available for an attack. It can hardly be called "ideal conditions for hacking".

Of course, there is one more "original sin": wireless networks broadcast in a shared band, and their transmissions can be received by all clients. Indeed, a WiFi network can be compared to an Ethernet hub, where the signal is sent to all ports at once. Ideally, to avoid this, each pair of devices would communicate on its own frequency channel with no one else interfering.

Those are the main problems in a nutshell. Let us consider ways to solve them.

Remedies: direct and indirect

As mentioned in the previous article, perfect protection cannot be achieved in any case. But you can make the attack as difficult as possible, making the result unprofitable in relation to the effort expended.

Conventionally, protective measures can be divided into two main groups:

  • direct traffic protection technologies such as encryption or MAC filtering;
  • technologies originally intended for other purposes, for example, to increase speed, but at the same time indirectly complicating the life of an attacker.

The first group was described in the first part. But we also have additional indirect measures in our arsenal. As mentioned above, an increase in the number of access points allows you to reduce the signal level and make the coverage area uniform, and this complicates the life of an attacker.

Another nuance is that the increase in data transfer speed simplifies the application of additional security measures. For example, you can install a VPN client on each laptop and transfer data even within the local network via encrypted channels. This will require some resources, including hardware, but the level of protection is significantly increased.

Below we provide a description of technologies that can improve network performance and indirectly increase the degree of protection.

Indirect remedies to improve protection - what can help?

Client Steering

The Client Steering feature prompts client devices to use the 5GHz band first. If a client does not support this, it can still use 2.4GHz. In legacy networks with a small number of access points, most of the work is done in the 2.4GHz band. For the 5GHz range, a single-access-point layout is unacceptable in many cases, because a higher-frequency signal passes through walls and around obstacles less well. The usual recommendation is that, to guarantee communication in the 5GHz band, the client should preferably be in line of sight of the access point.

In the modern 802.11ac and 802.11ax standards, thanks to a larger number of channels, several access points can be installed closer together, which lets you reduce transmit power without losing, and even gaining, data transfer speed. As a result, using the 5GHz band complicates the life of intruders while improving the quality of communication for clients within range.

This function is available:

  • in Nebula and NebulaFlex access points;
  • in firewalls with controller function.

Auto Healing

As mentioned above, the contours of the perimeter of the room do not fit well with rounded access point diagrams.

To solve this problem, firstly, you need to use the optimal number of access points, and secondly, reduce their mutual influence. But simply reducing transmitter power by hand is a blunt intervention that can degrade communication. This becomes especially noticeable when one or more access points fail.

Auto Healing allows you to quickly adjust the power without losing reliability and data transfer speed.

When using this function, the controller checks the status and health of the access points. If one of them does not work, then the neighboring ones are instructed to increase the signal strength to fill the “white spot”. Once the access point is up and running again, neighboring access points are instructed to reduce signal strength to reduce mutual interference.
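As an added illustration, not code from the article or from any Zyxel controller, here is a small model of the Auto Healing loop just described: a controller tracks which access points are alive and raises the transmit power of the neighbours of a failed point, then lowers it again when the point recovers. The baseline power, boost step, regulatory cap and the neighbour graph are all assumed values chosen for the example.

```python
from typing import Dict, List

# Assumed controller parameters (not from the article): baseline transmit power,
# the boost applied per failed neighbour, and the maximum allowed power.
BASELINE_DBM = 14
HEAL_BOOST_DBM = 6
MAX_DBM = 20


class HealingController:
    """Tracks AP health and recomputes neighbour transmit power after each change."""

    def __init__(self, neighbours: Dict[str, List[str]]):
        self.neighbours = neighbours                    # AP name -> adjacent AP names
        self.alive = {ap: True for ap in neighbours}
        self.power = {ap: BASELINE_DBM for ap in neighbours}

    def report_health(self, ap: str, is_up: bool) -> Dict[str, int]:
        """Record an AP going down or coming back, then return the new power map."""
        self.alive[ap] = is_up
        for name, adj in self.neighbours.items():
            failed = sum(1 for n in adj if not self.alive[n])
            # One boost per failed neighbour fills the "white spot"; when the
            # neighbour recovers the count drops and power returns to baseline,
            # which keeps the signal from leaking beyond the perimeter again.
            self.power[name] = min(BASELINE_DBM + HEAL_BOOST_DBM * failed, MAX_DBM)
        return dict(self.power)


def demo() -> List[Dict[str, int]]:
    # Constructed topology: three APs in a row, AP2 in the middle.
    ctl = HealingController({"AP1": ["AP2"], "AP2": ["AP1", "AP3"], "AP3": ["AP2"]})
    return [ctl.report_health("AP2", False),   # AP2 fails: AP1 and AP3 boost
            ctl.report_health("AP2", True)]    # AP2 recovers: everyone back to baseline


if __name__ == "__main__":
    for step in demo():
        print(step)
```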

Seamless WiFi roaming

At first glance, this technology can hardly be called a security-enhancing technology, rather, on the contrary, because it makes it easier for a client (including an attacker) to switch between access points on the same network. But if two or more access points are used, you need to ensure convenient operation without unnecessary problems. In addition, if the access point is overloaded, it is less able to cope with security features such as encryption, there are delays in data exchange, and other unpleasant things. In this regard, seamless roaming is a great help to flexibly distribute the load and ensure uninterrupted work in a protected mode.

Setting signal level thresholds for connecting and disconnecting wireless clients (Signal Threshold or Signal Strength Range)

With a single access point, this function does not really matter. But when several points are managed by a controller, clients can be distributed dynamically across the APs. It is worth recalling that access point controller functions are available in many Zyxel router lines: ATP, USG, USG FLEX, VPN, ZyWALL.

The above devices have a function to disable a client that is connected to an SSID with a weak signal. “Weak” means that the signal is below the threshold set on the controller. After the client has been disconnected, it will send a probe request to look for another access point.

For example, if the station disconnect threshold is -60dBm and a client is connected to an access point with a signal of -65dBm, the access point will disconnect that client. The client then starts the reconnect procedure and associates with another access point where its signal is at or above -60dBm (the station signal threshold).

This is important when using multiple access points. This prevents a situation where most of the clients accumulate on one point, while other access points are idle.

In addition, it is possible to limit the connection of clients with a weak signal, which are more likely to be outside the perimeter of the premises, for example, behind the wall in a neighboring office, which also allows us to consider this function as an indirect method of protection.
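The following Python model is an added example, not code from the article or from any Zyxel controller. It applies the two thresholds described above to a constructed set of clients, with the AP names and RSSI values invented for illustration and both thresholds set to the article's -60 dBm: a weak client on one AP moves to a stronger AP, a healthy client stays put, and a client that is weak everywhere (the "neighbour behind the wall" case) is dropped and cannot reassociate.

```python
from typing import Dict, List, Optional, Tuple

# Controller settings taken from the article's example.
STATION_DISCONNECT_DBM = -60   # clients weaker than this are disconnected
STATION_SIGNAL_DBM = -60       # minimum RSSI an AP accepts on (re)association


class Client:
    def __init__(self, name: str, rssi: Dict[str, int], ap: Optional[str]):
        self.name = name
        self.rssi = rssi     # AP name -> RSSI in dBm as measured at that AP (constructed)
        self.ap = ap         # AP the client is currently associated with, or None


def pick_ap(client: Client, signal_dbm: int = STATION_SIGNAL_DBM) -> Optional[str]:
    """Model the probe/reconnect step: choose the strongest AP whose signal meets
    the station signal threshold, or None if no AP qualifies."""
    candidates = [(r, ap) for ap, r in client.rssi.items() if r >= signal_dbm]
    return max(candidates)[1] if candidates else None


def apply_thresholds(clients: List[Client],
                     disconnect_dbm: int = STATION_DISCONNECT_DBM,
                     signal_dbm: int = STATION_SIGNAL_DBM
                     ) -> List[Tuple[str, str, Optional[str]]]:
    """One controller pass: disconnect weak clients and let them reassociate.
    Returns (client, old AP, new AP or None) for every client that was moved."""
    events = []
    for c in clients:
        if c.ap is None or c.rssi.get(c.ap, -999) >= disconnect_dbm:
            continue                       # healthy, or not on the network at all
        old = c.ap
        c.ap = pick_ap(c, signal_dbm)      # None means the client stays disconnected
        events.append((c.name, old, c.ap))
    return events


def demo():
    # Constructed scenario: two APs, three clients.
    clients = [
        Client("laptop",   {"AP1": -65, "AP2": -55}, "AP1"),  # weak on AP1, good on AP2
        Client("phone",    {"AP1": -50, "AP2": -70}, "AP1"),  # fine where it is
        Client("outsider", {"AP1": -70, "AP2": -72}, "AP1"),  # weak everywhere
    ]
    events = apply_thresholds(clients)
    return events, {c.name: c.ap for c in clients}


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```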

Switching to WiFi 6 as one of the ways to increase the level of security

We already discussed the benefits of direct remedies in the previous article, "Peculiarities of protection of wireless and wired networks. Part 1 - Direct measures of protection".

WiFi 6 networks provide faster data transfer speeds. On the one hand, the new group of standards allows you to increase the speed, on the other hand, to place even more access points in the same area. The new standard allows less power to be used to transmit at a higher speed.

Increasing the speed of data exchange.

The transition to WiFi 6 raises the data rate to 11 Gb/s (1024-QAM modulation, 160 MHz channels). At the same time, new devices that support WiFi 6 have better performance. One of the main problems when implementing additional security measures, such as a VPN channel for each user, is the drop in speed. With WiFi 6, it becomes easier to apply additional security systems.

BSS coloring

Earlier we wrote that a more uniform coverage reduces the penetration of the WiFi signal beyond the perimeter. But with a further increase in the number of access points, even the use of Auto Healing may not be enough, since “foreign” traffic from a neighboring point will still penetrate the reception area.

When using BSS Coloring, the access point leaves special marks (colors) on its data packets. This allows you to ignore the influence of neighboring transmitting devices (access points).

Improved MU-MIMO

802.11ax also has important enhancements to MU-MIMO (Multi-User - Multiple Input Multiple Output) technology. MU-MIMO allows an access point to communicate with multiple devices at the same time. But in the previous standard, this technology could only support groups of four clients on the same frequency. This facilitated transmission, but not reception. WiFi 6 uses 8x8 multi-user MIMO for transmission and reception.

Note. The 802.11ax standard increases the downstream MU-MIMO group size to provide more efficient WiFi network performance. Multi-user MIMO in the upstream direction is a new addition in 802.11ax.

OFDMA (Orthogonal frequency division multiple access)

This new channel access and control method is based on technologies that have already been tested in LTE cellular technology.

OFDMA allows more than one signal to be sent on the same channel at the same time by assigning each transmission a time slot and a subset of the frequency band. As a result, not only does speed increase thanks to better channel utilization, but security also improves.

Summary

WiFi networks are becoming more and more secure every year. The use of modern technologies allows organizing an acceptable level of protection.

Direct methods of protection in the form of traffic encryption have proven themselves quite well. Do not forget about additional measures: MAC filtering, hiding the network ID, Rogue AP Detection (Rogue AP Containment).

But there are also indirect measures that improve the joint operation of wireless devices and increase the speed of data exchange.

The use of new technologies makes it possible to reduce the signal level from points, making the coverage more uniform, which has a good effect on the well-being of the entire wireless network as a whole, including security.

Common sense dictates that all means are good for improving security: both direct and indirect. This combination makes life as difficult as possible for an attacker.

Useful links:

  1. Telegram chat Zyxel
  2. Zyxel Hardware Forum
  3. Lots of useful videos on the Zyxel channel (Youtube)
  4. Features of protection of wireless and wired networks. Part 1 - Direct measures of protection
  5. Wi-Fi or twisted pair - which is better?
  6. Sync Wi-Fi Hotspots for Collaboration
  7. Wi-Fi 6: Does the average user need a new wireless standard, and if so, why?
  8. WiFi 6 MU-MIMO and OFDMA: Two pillars of your future success
  9. The Future of WiFi
  10. Using Multi-Gigabit Switches as a Philosophy of Compromise
  11. Two in one, or migrating an access point controller to a gateway
  12. WiFi 6 is already here: what the market offers and why we need this technology
  13. Improving Wi-Fi performance. General principles and useful things
  14. Improving Wi-Fi performance. Part 2. Hardware Features
  15. Improving Wi-Fi performance. Part 3. Placement of access points
  17. My 5 cents: Wi-Fi today and tomorrow

Source: habr.com
