Virus.Org Wireless LAN Security Tips
Wireless LAN security has been getting a significant amount of press. The weaknesses of 802.11b Wireless LAN security are well known, and this has raised concern among those with Wireless LAN installations. Many of the issues are being addressed in new standards, but these have not yet been implemented by many vendors.
Wireless LAN security has been given a significant amount of bad press. A number of weaknesses in the 802.11b Wireless LAN standard are well documented. As a result, many with Wireless LAN implementations have become concerned that their networks and data can be compromised by external attackers. All of these issues are being addressed in new standards and in vendor-specific extensions to the existing standards; however, some of these features have not yet been implemented by vendors, and there is an installed base of equipment that remains vulnerable to attack.
The question is what can be done to mitigate the risk of using insecure Wireless LANs. In some cases the new fixes will require new hardware, which for those with existing Wireless installations may mean extra cost. This article covers some existing techniques, features and protocols that can be used to add security to existing Wireless networks.
Location.
The location of your access point is important, and there are two ways to think about it: the physical and the logical. The physical location matters because Wireless networks have a limited range, which can be used to advantage. A well-chosen site for an access point reduces the amount of RF radiation that extends past the borders of the premises, so that people outside the building cannot connect to the access point as easily. Treat this as a reduction rather than a guarantee: a high-gain directional antenna at the attacker's end will pick up the signal well beyond the range of an ordinary client card. The logical location is also important. Always ensure that Wireless Access Points are either outside the perimeter firewall or within an 'untrusted' DMZ off the firewall. This provides an extra layer of defence, working on the premise that all wireless users are untrusted. If the AP is placed outside the firewall it may still be useful to external parties, for example as a source of free Internet connectivity, so it must be secured accordingly; placing the AP on an untrusted DMZ, where you can control what the Wireless LAN is allowed to reach, is the more useful option.
Manage your ID
All Wireless LAN access points come with a default SSID (Service Set Identifier), or network name. This should be changed to an alphanumeric name, ideally a long one. If possible, change the SSID on a regular basis; in some organisations this will not be practical, as the overhead of rolling the change out to users can be a burden. Also disable the automatic SSID broadcast feature. Bear in mind that the SSID is not a secret: disabling the broadcast only stops it being advertised in beacon frames, and it still travels in the clear in probe and association frames, so this is a deterrent to casual discovery rather than a security control.
WEP
For all its faults, WEP (Wired Equivalent Privacy) is still useful; it remains the standard 802.11b wireless security protocol. It was designed to provide wired-like protection by encrypting wireless data as it is transmitted. Enable it, and change the WEP key from the default. Ideally, have WEP keys generated dynamically when a user logs on, making access to wireless data a moving target for attackers. Session-based and user-based WEP keys offer the best protection and add another layer of deterrence. Also make use of features, if available, for enhancing WEP security, such as the Cisco per-packet keying WEP enhancement.
Remember the WEP faults
WEP isn't the most robust of protocols, so don't put all your eggs in one basket. Its RC4 key stream is seeded with a 24-bit initialisation vector sent in the clear in front of the shared key, so with a static key the same key stream is reused far more often than it should be, and recovery of traffic, and of the key itself, from captured frames is well documented. WEP should be considered as one of many layers of security and should not be relied upon as the sole security measure.
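To make the weakness concrete, the following Python is an added illustration, not code from the original article or from any vendor, of why a static WEP key fails and what per-user keys change. It implements WEP's framing (3-byte IV in clear, RC4 over payload plus CRC-32 ICV) with a constructed 104-bit key and constructed sample frames. The per-station key derivation at the end is a toy stand-in for keys handed out at login, used only to show the property, and is not any real vendor or 802.1X key-delivery mechanism.

```python
import hashlib
import math
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). WEP keys RC4 with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as sent on air: 3-byte IV in clear, then RC4(IV||key, payload||ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)   # 40- or 104-bit key
    return iv + rc4(iv + shared_key, payload + icv(payload))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    payload, tag = plain[:-4], plain[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch")
    return payload


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Attacker's view of two frames with the same IV under the same key:
    XOR of the ciphertexts equals XOR of the plaintexts, no key needed."""
    assert frame_a[:3] == frame_b[:3], "only applies when the IV repeats"
    return xor(frame_a[3:], frame_b[3:])


def decrypt_via_known_plaintext(frame_known: bytes, known_payload: bytes, frame_target: bytes) -> bytes:
    """If one frame's payload is known (an ARP request is the classic case),
    the keystream for its IV is recovered and decrypts any other frame sent
    under that IV, again without the key."""
    assert frame_known[:3] == frame_target[:3] and len(frame_known) >= len(frame_target)
    keystream = xor(frame_known[3:], known_payload + icv(known_payload))
    return xor(frame_target[3:], keystream)[:-4]    # strip the target's ICV


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs repeat."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


def per_station_key(master: bytes, station: bytes) -> bytes:
    """Toy stand-in (assumption, not a real scheme) for a per-user key issued
    at login: a different 104-bit key per station."""
    return hashlib.sha256(master + station).digest()[:13]


# --- constructed sample data ----------------------------------------------
STATIC_KEY = bytes.fromhex("0102030405060708090a0b0c0d")    # constructed 104-bit key
IV = b"\x12\x34\x56"                                          # the IV every frame below reuses
ARP_LIKE = b"who-has 10.0.0.1 tell 10.0.0.7"                  # stand-in for predictable traffic
SECRET_MSG = b"password=hunter2 intranet".ljust(len(ARP_LIKE), b" ")


def demo() -> dict:
    frame_arp = wep_encrypt(STATIC_KEY, IV, ARP_LIKE)
    frame_secret = wep_encrypt(STATIC_KEY, IV, SECRET_MSG)
    # Per-user keys: the same IV on two different stations no longer gives the same keystream.
    frame_a = wep_encrypt(per_station_key(b"master", b"station-a"), IV, ARP_LIKE)
    frame_b = wep_encrypt(per_station_key(b"master", b"station-b"), IV, SECRET_MSG)
    return {
        "roundtrip": wep_decrypt(STATIC_KEY, frame_secret),
        "leak_static": keystream_reuse_leak(frame_arp, frame_secret)[:len(SECRET_MSG)],
        "recovered_static": decrypt_via_known_plaintext(frame_arp, ARP_LIKE, frame_secret),
        "leak_per_station": keystream_reuse_leak(frame_a, frame_b)[:len(SECRET_MSG)],
        "p_collision_5000": iv_collision_probability(5000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a static key, `leak_static` is exactly `ARP_LIKE XOR SECRET_MSG` and `recovered_static` is the secret payload itself, both obtained from captured frames alone; with roughly 5,000 random IVs the chance of at least one repeat already exceeds 50%, and many cards simply count IVs up from zero after a reset. Per-user keys make the cross-station case fail (`leak_per_station` is noise), but they do not fix reuse within one station's own traffic nor the RC4 key-recovery attacks, which is why the VPN advice below still stands.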
Ban Rogue Networks
The process of setting up a Wireless LAN is so simple that almost anyone can do it, to the extent that many non-technical staff can install their own Wireless Access Points. These are often not secured and can present an open door for attackers. Ensure a policy exists that restricts the implementation of Wireless LANs to those that are formally approved and have been deployed securely, and periodically scan your premises for access points that are not on the approved list.
Add Personal Authentication
Use authentication techniques such as MAC-address-based or username-and-password-based access control lists so that only registered devices and users can connect to the Wireless Network, for example by using 802.1X, implementing EAP (Extensible Authentication Protocol), or vendor-specific solutions such as Cisco LEAP. Note that MAC address filtering on its own is weak: a client's MAC address is sent in the clear in every frame and is easily changed, so pair it with user authentication rather than relying on it alone. Also make use of existing authentication infrastructure such as RADIUS and TACACS by integrating it with the wireless infrastructure.
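The following Python is an added illustration, not code from the original article and not any vendor's implementation, of the RADIUS exchange an access point (the NAS) has with the authentication server when username and password access control is used: the NAS hides the password and sends an Access-Request, the server checks the credentials and answers, and the NAS verifies the Response Authenticator before admitting the user. It follows RFC 2865; the shared secret, NAS identifier and user database are constructed test values. With 802.1X/EAP the credentials travel inside EAP-Message attributes instead of User-Password, but the packet framing and the authenticator check shown here are the same.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; a 16-byte Authenticator follows


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts its own 2 header bytes."""
    assert 1 <= len(value) <= 253
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(raw: bytes) -> dict:
    parsed, i = {}, 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 3 or i + alen > len(raw):      # refuse truncated or zero-length TLVs
            raise ValueError("malformed attribute")
        parsed[atype] = raw[i + 2:i + alen]
        i += alen
    return parsed


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    assert password
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret): ties the
    reply to one request and proves the sender knows the shared secret."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


# ---- NAS (access point) side ------------------------------------------------
def nas_build_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                             nas_id: bytes = b"ap-dmz-1"):
    request_auth = os.urandom(16)       # fresh per request; also keys the password hiding
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def nas_accepts(secret: bytes, ident: int, request_auth: bytes, reply: bytes) -> bool:
    """Admit the user only for an Access-Accept that matches our request ID and
    carries a valid Response Authenticator; anything else counts as a reject."""
    if len(reply) < 20:
        return False
    code, rid, length = HEADER.unpack(reply[:4])
    if length != len(reply) or rid != ident:
        return False
    expected = response_authenticator(secret, code, rid, request_auth, reply[20:])
    return code == ACCESS_ACCEPT and hmac.compare_digest(expected, reply[4:20])


# ---- authentication server side ---------------------------------------------
def server_handle(secret: bytes, users: dict, request: bytes) -> bytes:
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    given = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user], given)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(secret, reply_code, ident, request_auth, b"")
    return packet(reply_code, ident, auth, b"")


# ---- constructed demo values -------------------------------------------------
SECRET = b"constructed-shared-secret"
USERS = {b"alice": b"correct horse battery staple"}   # 28 bytes, so two hiding blocks


def demo(username: bytes = b"alice", password: bytes = b"correct horse battery staple") -> bool:
    request, request_auth = nas_build_access_request(SECRET, 7, username, password)
    reply = server_handle(SECRET, USERS, request)
    return nas_accepts(SECRET, 7, request_auth, reply)
```

The practical points are in `nas_accepts`: an Access-Accept is only honoured if its identifier matches the outstanding request and its Response Authenticator verifies under the shared secret, so an attacker on the path between AP and server cannot simply inject an Accept. The protection is only as good as the secret, since both the password hiding and the authenticator are MD5 over that secret, so use a long random shared secret per NAS and keep the RADIUS traffic on a management network rather than on the wireless DMZ itself.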
Not all Wireless LANs are Equal.
While 802.11b is the standard for Wireless LANs, and all (or at least most) equipment carrying the trademarked Wi-Fi logo will operate with the same base functionality, not all Wireless LAN kit is created equal. Wi-Fi certification ensures that cards and access points will interoperate without issues, but many manufacturers have added extensions to their hardware to improve security; for instance, Cisco offers four additional features to improve the security of a Wireless LAN, including features that attempt to mitigate some of the well-known flaws in the existing standards and hardware. Research the features your equipment offers and, where possible, implement them.
VPN
Wherever possible, use a VPN over the top of the Wireless LAN. Virtual Private Networks (VPNs) have been used over the Internet for a number of years, and the technologies for doing so are well proven and tested. They add Layer 3 protection to communications over Wireless networks, and a VPN over the Wireless LAN can often be implemented in conjunction with an existing VPN implementation with little modification. Doing so provides a secure end-to-end tunnel between the user and your network that does not depend on what WEP does or does not protect.
Conclusion
Multiple layers of security are key to ensuring that your Wireless Networks stay secure. Just as when securing a network against attacks from the Internet, build multiple layers of security and trust, from completely untrusted users over an untrusted transmission medium through to trusted users over a trusted transmission medium.
