Standards for Technology in Automotive Retail
There are several different options when it comes to wireless security. The two main formats are WPA and WEP. Previously WEP was the industry standard; however, with new technologies and stronger requirements a new standard has emerged. WPA is a stronger and more effective format. It is strongly recommended that all security settings be updated to use the new standard. Note: some legacy devices may not be able to update to WPA or WEP.
Because security is ever changing and more robust tools are introduced to combat hackers, it is important that a dealership stay informed of new technologies to help protect vital infrastructure and data.
WPA is the new standard for wireless security. It closes many of the significant holes in the Wired Equivalent Privacy (WEP) standard, where programs like AirSnort and WEPCrack were used to capture traffic and recover the WEP key. Although WEP is still a viable option for the home network, WPA should really be used in the business environment.
WPA is a subset of the 802.11i standard and is expected to maintain forward compatibility with that specification. It lengthens the initialization vector (IV) used to encrypt data to 48 bits, which expands the possibilities to over 500 trillion possible combinations. It also integrates a Message Integrity Code (MIC) that has built-in countermeasures. The final integration point is the Temporal Key Integrity Protocol (TKIP), which generates per-packet keys. All these new security features help to make WPA the choice for secure networks.
WPA (now WPA2) runs in two modes: Enterprise or Personal. Enterprise mode requires an authentication server and uses RADIUS for authentication and key distribution, which centralizes user credentials. This setup takes more time to complete and a higher skill set, but offers the most secure installation.
The Personal, or Pre-Shared Key (PSK), mode operates much the way the existing WEP implementation works. It uses a "Shared Secret" key from which the encryption keys for each packet are derived. Where it differs from WEP is the added security mentioned above: the 48-bit IV, the MIC, and the TKIP implementation. The biggest security concern with this implementation is that if the "Shared Secret" is compromised, the network administrator has to physically touch each wireless network node (access points, client PCs, etc.) to change the secret. It is also important to note that 802.11n requires WPA, not WEP.
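The following example is added here to illustrate the Pre-Shared Key mode described above; it is not part of the STAR document. WPA/WPA2-Personal maps the passphrase and the SSID to a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations), which is the standard mapping and is what the code implements. The node inventory, SSID and passphrases are constructed for the illustration, and the `nodes_to_reprovision` helper is hypothetical: it exists only to show that every node holds the same secret, so a rotation after a compromise means touching every one of them.

```python
import hashlib

# Parameters fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key


def check_passphrase(passphrase: str) -> None:
    """Enforce the 802.11i passphrase format: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes out.

    Because the SSID is the salt, the same passphrase on a default SSID yields
    the same key on every network that uses that default; a unique SSID (as
    recommended later in this section) removes that shared starting point."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def nodes_to_reprovision(inventory: list[dict], new_passphrase: str, ssid: str) -> list[str]:
    """Hypothetical helper: given an inventory of nodes that each store the PMK
    they were provisioned with, return the names whose stored PMK no longer
    matches the network's new secret. All nodes share one secret, so a
    rotation touches every one of them."""
    new_pmk = wpa_psk(new_passphrase, ssid)
    return [node["name"] for node in inventory if node["pmk"] != new_pmk]


# Constructed sample inventory (hypothetical dealership nodes)
SSID = "DEALER-PRIV"
OLD_PASSPHRASE = "service-bay-2004"
INVENTORY = [
    {"name": name, "pmk": wpa_psk(OLD_PASSPHRASE, SSID)}
    for name in ("ap-showroom", "ap-service", "pc-parts-counter", "laptop-finance")
]

if __name__ == "__main__":
    print("PMK:", wpa_psk(OLD_PASSPHRASE, SSID).hex())
    print("nodes to touch after rotation:",
          nodes_to_reprovision(INVENTORY, "new-secret-please-rotate", SSID))
```

The derivation can be checked against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); the inventory helper is only there to make the "touch every node" cost of a compromised shared secret concrete.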
WEP is the popular standard for WLAN security; however, it is now the legacy version. Most wired LANs do not use encryption to prevent eavesdropping; it is assumed that controlling physical access alone is prevention enough. WEP was developed to make 802.11b WLANs as secure as wired LANs by using 40-bit or 128-bit encryption to prevent eavesdropping. The OEMs' position is that WEP alone is not secure enough to protect a dealership's private network.
Some 802.11b WLAN vendors are addressing the problems with WEP by enhancing their products with additional security features. Devices that issue keys dynamically instead of statically carry less risk of those keys being recovered by an attacker. Two-way authentication between wireless devices provides additional protection from certain attacks as well. These features offer a work-around for the shortcomings of WEP; however, they will not interoperate with devices from different vendors.
User authentication is a core component of any network security solution. Authentication prevents unauthorized access to valuable data and resources. The solution is twofold: first, require a user name and password to gain access to the LAN itself, and second, require a user name and password to log on to resources such as servers, applications and Internet access. User authentication is critical; without it, networks and data are extremely vulnerable.
Virtual Private Networking (VPN) and data encryption technology, such as the Secure Sockets Layer (SSL), offer an alternative to WEP. Steps should be taken to protect data from eavesdropping. This can be achieved by encrypting the data before it is transmitted and decrypting it after it arrives at the user. The exchange of electronic keys allows the encryption and decryption to take place. When the user tries to access the network he is issued a key; this key enables him to read the data when he receives it. If another party intercepts the data he will not be able to read it, because he does not have the key that was issued to the legitimate user.
VPNs provide protection against eavesdropping by using encryption and allow access from trusted entities exclusively. A VPN device installed behind the access point will allow users to create secure connections via software loaded on wireless workstations (client VPN). Secure building-to-building connectivity can be achieved by installing VPN devices behind access points in both buildings (gateway to gateway VPN). VPNs are typically used to provide remote LAN access via the Internet. Some parallels exist between Internet VPNs and Wireless VPNs. See Private and Virtual Private Networks for more information.
Likewise, the Secure Sockets Layer (SSL) is typically used to encrypt data transferred between a secure Internet website and a browser on a client device. The website URL will transition from "http" to "https" (as shown in the browser's address window), or the browser will show a padlock symbol, once SSL is encrypting the data. The beauty of either SSL or TLS is their simplicity for the client device: most, if not all, browsers have it built in, with no need for additional software to be loaded. The real challenge for using SSL resides on the server side, which needs to supply a digital certificate authenticated by a Certification Authority and encrypt interactions with usually more than one client device. Of course, not all computer-to-computer interactions are browser-based, so SSL has been incorporated into other applications as their economics permit.
There are many steps that can be taken to avoid the possibility of access to the network from an unauthorized individual or device. While there are no procedures that will completely safeguard any network from unauthorized access, abiding by these recommendations whenever a wireless network is in place in a dealership reduces the ability of an unauthorized person to access, steal or otherwise corrupt data.
Implementing the minimum security measures stops the average person driving or walking by from attempting to get into a network, but it does not stop a skilled hacker who wants to get into your network. To stop this type of attack, additional security measures are needed, and these are documented below as well.
The minimum and additional recommendations are broken into two categories, the first for legacy private wireless LANs and the second for new private wireless LANs. The recommendations for legacy WLANs should be considered interim solutions and phased out in favor of the recommendations for new WLANs as new hardware is added and older equipment is replaced. Some older equipment may have firmware updates available that allow it to support the WPA required for new WLANs. Older or legacy equipment that does not support at least WPA and cannot be updated should be replaced altogether.
It is also recommended that on either LAN the dealership segment any guest user access completely from the main network or create a separate connection. It is also important to use the minimum safety measures of a firewall or MAC address filtering.
Table 6.2. Minimum Recommendations for Private Wireless LANs

Legacy Wireless LAN
- 128-bit WEP (Wired Equivalent Privacy) key must be enabled
- Enable MAC (Media Access Control) filtering on each access point
- Change the WEP key and MAC filtering whenever an authorized user becomes unauthorized
- Turn off SSID broadcasting
- Change the manufacturer's default SSID to a unique ID on the access point
- Enable user authentication for the access point management interface, i.e. change the manufacturer's default usernames and passwords
- Occasionally check for rogue (or unauthorized) wireless access points, for channel conflicts, and for client devices that permit ad hoc wireless connections
- Turn off ad hoc wireless connections

New Wireless LAN (contract with a qualified wireless vendor for recommendations)
- Same last five recommendations listed above for the legacy WLAN
- Change the WPA key whenever an authorized user becomes unauthorized
- WPA should be used whenever possible. This could include one of two methods:
  1. Enterprise - uses a server and needs more administration
  2. Pre-Shared Key - easier to set up, but still covers the security holes in WEP
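As an added example (not part of the STAR document), the checks in Table 6.2 can be expressed as a small audit routine that a dealership runs against each access point's exported settings. The configuration dictionary format, the key names, and the lists of vendor-default SSIDs and credentials are all constructed for this illustration; a real audit would read the access point's own configuration export and the dealership's own inventory of defaults.

```python
# Constructed lists of vendor defaults; replace with the dealership's own inventory
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
DEFAULT_ADMIN_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def audit_access_point(cfg: dict, legacy: bool = False) -> list[str]:
    """Compare one access point's settings (hypothetical key names) against the
    Table 6.2 minimums. `legacy=True` applies the legacy-WLAN column, where
    128-bit WEP is the accepted interim minimum; otherwise WPA is required.
    Returns a list of findings; an empty list means the minimums are met."""
    findings = []

    security = cfg.get("security", "none")
    if security in ("wpa", "wpa2"):
        pass  # meets the new-WLAN recommendation
    elif security == "wep":
        if cfg.get("wep_key_bits", 0) < 128:
            findings.append("WEP key is shorter than 128 bits")
        if not legacy:
            findings.append("new WLAN must use WPA, not WEP")
    else:
        findings.append("no link-layer encryption enabled")

    if not cfg.get("mac_filtering", False):
        findings.append("MAC filtering is disabled")
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID broadcasting is on")
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append("SSID is a manufacturer default")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_ADMIN_CREDENTIALS:
        findings.append("management interface still uses default credentials")
    if cfg.get("ad_hoc_allowed", False):
        findings.append("ad hoc wireless connections are permitted")
    return findings


# Constructed sample configurations
UNTOUCHED_AP = {
    "ssid": "linksys", "ssid_broadcast": True, "security": "wep", "wep_key_bits": 64,
    "mac_filtering": False, "admin_user": "admin", "admin_password": "admin",
    "ad_hoc_allowed": True,
}
LEGACY_AP = {
    "ssid": "DEALER-PRIV-7f3a", "ssid_broadcast": False, "security": "wep", "wep_key_bits": 128,
    "mac_filtering": True, "admin_user": "wlan-admin", "admin_password": "<unique-per-device>",
    "ad_hoc_allowed": False,
}
HARDENED_AP = {
    "ssid": "DEALER-PRIV-7f3a", "ssid_broadcast": False, "security": "wpa2",
    "mac_filtering": True, "admin_user": "wlan-admin", "admin_password": "<unique-per-device>",
    "ad_hoc_allowed": False,
}

if __name__ == "__main__":
    for label, cfg, legacy in (("untouched", UNTOUCHED_AP, False),
                               ("legacy", LEGACY_AP, True),
                               ("hardened", HARDENED_AP, False)):
        print(f"{label}: {audit_access_point(cfg, legacy) or 'meets minimums'}")
```

Running the audit with the legacy flag for an access point that cannot be upgraded, and without it for new equipment, mirrors the two columns of the table; the same access point that passes as legacy will fail the new-WLAN column until it is replaced or updated to WPA.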
As noted in the previous section, configuring the wireless network to the requirements listed above should stop the transient person attempting to get into a wireless network fairly easily; it will not keep out a person with the proper tools who wants to get into your network. While no set of security measures is ever foolproof, the following recommendations should stop even the most serious hacker.
Table 6.3. Additional Recommendations for Private Wireless LANs

Legacy Wireless LAN
- Create a VPN tunnel by installing a VPN client on each client device and configuring the VPN device, which is placed behind the access point. Note: not all VPN client software is compatible and/or interoperable with other VPN products. Consult a qualified professional before installing any VPN client software.
- Configure the firewall, which is placed between the access point and the wired LAN, to allow only VPN traffic and deny all other traffic
- Install a server-based user authentication system, which requires a user name and password for any device to access the network as well as applications, servers, etc., and confirms it against a secure user directory
- Attach the access point to a VLAN-capable switch, which allows multiple VLANs to be defined for specific user groups and OEMs
- Install uni-directional rather than omni-directional antennas where appropriate
- Automatically detect and report rogue wireless access points and client devices that permit ad hoc wireless connections

New Wireless LAN (contract with a qualified wireless vendor for recommendations)
- Same last four recommendations listed above for the legacy WLAN
- IEEE 802.11i or WPA2 in Enterprise mode
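Both tables ask the dealership to look for rogue access points, channel conflicts, and devices offering ad hoc connections; Table 6.3 asks for this to be automated. The following is an added example of that detection logic, not code from the STAR document. It assumes a scanner that exports one "bssid,ssid,channel,mode" line per network seen (a constructed format) and an inventory of the dealership's authorized access points with their assigned channels (also constructed). Unknown networks on other SSIDs are reported separately because a scan alone cannot tell a neighbor's access point from one plugged in on the premises; that call needs a person.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    mode: str  # "infrastructure" or "ad-hoc"


# Constructed inventory: authorized access points and their assigned channels
AUTHORIZED_APS = {
    "00:11:22:33:44:01": 1,
    "00:11:22:33:44:02": 6,
    "00:11:22:33:44:03": 11,
}
PRIVATE_SSID = "DEALER-PRIV"

# Constructed scan export (hypothetical scanner output, one network per line)
SCAN_EXPORT = """\
# bssid,ssid,channel,mode
00:11:22:33:44:01,DEALER-PRIV,1,infrastructure
00:11:22:33:44:02,DEALER-PRIV,6,infrastructure
00:11:22:33:44:03,DEALER-PRIV,11,infrastructure
aa:bb:cc:dd:ee:01,DEALER-PRIV,6,infrastructure
aa:bb:cc:dd:ee:02,CoffeeShop,11,infrastructure
aa:bb:cc:dd:ee:03,laptop-share,1,ad-hoc
"""


def parse_scan(text: str) -> list[Observation]:
    """Parse the constructed export; blank lines and '#' comments are skipped."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, mode = (field.strip() for field in line.split(","))
        observations.append(Observation(bssid.lower(), ssid, int(channel), mode.lower()))
    return observations


def analyze(observations: list[Observation], authorized: dict, private_ssid: str) -> dict:
    """Classify every observed network against the authorized inventory."""
    report = {"rogue": [], "unknown": [], "ad_hoc": [], "misplaced": [], "channel_conflicts": []}
    channels_in_use = set(authorized.values())
    for obs in observations:
        if obs.bssid in authorized:
            # Our own AP, but on a channel other than the one it was assigned
            if obs.channel != authorized[obs.bssid]:
                report["misplaced"].append((obs.bssid, obs.channel))
            continue
        if obs.mode == "ad-hoc":
            report["ad_hoc"].append(obs.bssid)        # client offering peer connections
        elif obs.ssid == private_ssid:
            report["rogue"].append(obs.bssid)         # unauthorized AP using our SSID
        else:
            report["unknown"].append(obs.bssid)       # needs a human to classify
        if obs.channel in channels_in_use:            # shares a channel with our APs
            report["channel_conflicts"].append((obs.bssid, obs.channel))
    return report


if __name__ == "__main__":
    for key, items in analyze(parse_scan(SCAN_EXPORT), AUTHORIZED_APS, PRIVATE_SSID).items():
        print(f"{key}: {items}")
```

Scheduling this against each day's scan export and paging on a non-empty "rogue" or "ad_hoc" list is the automated detect-and-report step the table describes; the "misplaced" list catches an authorized access point whose channel was changed without a change record.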
Network access for guest use can be made available via wireless connectivity. However, it is important that the dealership keep the guest access separate from the main network. This can be accomplished through segmenting or through a completely separate connection. See figure 5.2.1-2 Access Point. The security recommendations for wireless guest access do not need to be nearly as protective as those for a dealership's private wireless LAN: there is much less at stake, and guests should be accustomed to accepting and guarding against the risks of connecting to a public network.
The overall goal of a guest WLAN is guest satisfaction at a cost justifiable for the dealership. Therefore, the guest WLAN, unlike the dealership private WLAN, should be devised to make it easy for guests to gain access without excessive dealership cost. The complexities associated with MAC filtering and WEP or WPA tend to discourage guest use and will unreasonably increase administrative overhead for the dealership. As discussed earlier, wireless simplicity tends to increase security risks. For instance, the lack of WEP or WPA makes a guest wireless LAN susceptible to man-in-the-middle attacks and eavesdropping. If guests do not use VPNs, secure sockets, or some other form of end-to-end encryption, they are vulnerable to disclosing private information to unauthorized parties who intercept their wireless communications. Not preventing the use of ad hoc WLANs or wireless connections directly between guest computing devices also increases security risks. Guest computers may still be configured with their in-home or in-office settings to share built-in data storage devices with connecting devices; therefore, ad hoc WLAN connections would permit unauthorized access to private information. Implementing the minimum recommendations shown below for a guest WLAN should provide the same levels of administrative overhead and guest satisfaction common to the retail industry.
Minimum Recommendations for Guest Wireless LANs:
- Separate the guest network from the dealership's private network.
- Adjust wireless access point signal strength to restrict it from unauthorized areas, e.g. across the street.
- Activate SSID broadcasting.
- Change the manufacturer's default SSID to a unique ID on the access point.
- Enable user authentication for the access point management interface, i.e. change the default username and password.
- Occasionally check for rogue (or unauthorized) wireless access points and for channel conflicts.