IS0/<strong>IEC</strong><strong>18028</strong>-1:2006(E)— dual connected sites, using diverse routes,— proactive polling of WAN devices,— network device mapping to identify unauthorized devices,— patch management facility,— encrypted overlays for sensitive data,— obtaining service guarantees from the service provider, such as for latency and jitter,— implementation of auditing and accounting for access to WAN devices,— the use of firewalls that discard any unexpected traffic coming into the network,— making sure that the MPLS structure and addresses are hidden,— assigning IP addresses that cannot be routed over the Internet,— the use of Network address translation that hides internal IP addresses, but allows devices with nonroutableaddresses to make requests from the Internet,— the use of anti virus software to prevent malicious code, such as Trojans, viruses, and worms, fromopening security holes from inside a network,— the use of IDS to identify suspicious traffic,— ensuring that the network management systems are logically secure,— ensuring that the network management locations are physically secure,— ensuring the devices are backed up,— performing reliability checks on network management staff.13.2.4 Wireless Networks13.2.4.1 BackgroundWireless networks are specified as networks covering geographically small areas and using non wire-basedcommunication means such as radio waves or infrared. Typically, wireless networks are used to implementequivalent connectivity as provided in LANs and are therefore also called WLANs. The main technologiesused are standardized in IEEE 802.11 and Bluetooth. It is emphasized that wireless networks constitute adifferent category of network from radio networks, such as GSM, 3G and VHF, as those utilize aerial masts fortransmission (see Clause 13.2.5 below).WLANs suffer from all the vulnerabilities of wired LANs, plus some specific vulnerabilities related to thewireless link characteristics. Some specific technologies (mostly based on encryption) have been developedto address these additional vulnerabilities, although earlier versions of these technologies (e.g. WEP) hadarchitectural weaknesses and thus did not meet the expectations regarding confidentiality requirements.13.2.4.2 Security RisksThe key security risk areas associated with the use of WLANs include:— eavesdropping,— unauthorized access,— interference and jamming,— mis-configuration,— secure access mode is off by default,— flawed WEP or TKIP,32 © <strong>ISO</strong>/<strong>IEC</strong> 2006 - All rights reserved
<strong>ISO</strong>/<strong>IEC</strong> <strong>18028</strong>-1:2006(E)— flawed SNMP used to manage WLANs,— not always possible to see who is using a WLAN.13.2.4.3 ControlsThe controls needed for WLANs include:— firewalling the WLAN from the corporate infrastructure,— implementing an IPsec based VPN over the WLAN between the client and a perimeter firewall,— giving consideration to improving the security of each WLAN device, by configuring personal firewalls andintrusion detection and anti-virus software on the client device,— control of transmission levels to eliminate a spread outside an organization's physical domain,— SNMP configured for read only access,— Out of Band encrypted management, for example using SSH,— maintaining physical security to wireless access points,— hardening of any server components,— system testing,— giving consideration to deploying an IDS between the corporate network and the wireless network.13.2.5 Radio Networks13.2.5.1 BackgroundRadio Networks are specified as networks using radio waves as a connection medium to cover geographicallywide areas. Typical examples of radio networks are mobile phone networks using technologies such as GSMor UMTS and providing public available voice and data services.It is emphasized that networks using radio waves to cover small areas are considered as a different categoryand are referred to in Clause 13.2.4.Examples of radio networks include:— TETRA— GSM— 3G (including UMTS),— GPRS,— CDPD,— CDMA.13.2.5.2 Security RisksThere are a number of general security threat scenarios which can result in risks applicable to radio networks,including:— eavesdropping,— session hijacking,— impersonation,— application level threats, e.g. fraud,— denial of service.© <strong>ISO</strong>/<strong>IEC</strong> 2006 - All rights reserved 33