Tips for securing wireless networks.
Tips for securing wireless networks.
Michael Otey,
Senior Technical Editor for Windows & .NET Magazine and
President of TECA.
Source—
Wireless is the fastest growing area of LAN technology, and for good reason. The ability to move around your work environment while still having access to your local network and even the Internet is a huge productivity booster. However, wireless LANs (WLANs) have a number of drawbacks, the most significant of which is security. Many organizations allow departmental wireless networks to be deployed without any security measures at all. When someone combines these wireless networks with a corporate network, they risk creating a huge security hole in that network. Here are 10 tips to help make 802.11b networks more secure.
10. Secure your access station (AP). Network security starts with physical security: you can’t put your wireless AP out in the open and expect it to be safe. Treat your APs like hubs — restrict physical access to them by keeping them locked away from prying eyes. To reduce the chances of outside eavesdroppers, try to locate your APs closer to the inside of your building.
9. Place wireless APs outside the main firewall. When an AP is placed outside the firewall, the network gains an additional layer of security by treating wireless users as «foreigners.» If you can only place a WLAN inside the firewall, you should use a demilitarized zone (DMZ), a screened subnet, or a virtual local area network (VLAN) to isolate WLAN traffic.
8. Change the default Service Set Identifier (SSID). The SSID setting is a naming mechanism for wireless devices. It is not a foolproof security measure, but discovering the SSID of a WLAN is the first task of a hacker when breaking into a network. To make it more difficult, change the default SSID and choose an SSID name that is difficult to guess.
7. Disable automatic SSID broadcasting. By default, many APs broadcast the SSID to make it easier for wireless devices to connect. However, this also makes it easier for hackers to discover the SSID. Disabling SSID broadcasting is supported by most APs, although older devices may require a firmware upgrade.
6. Enable MAC address restrictions. Like standard network cards, each wireless card has a unique MAC address. Configuring your AP to allow only devices with registered MAC addresses to access your network will further protect your network.
5. Enable Wired Equivalent Privacy (WEP) encryption. Although the WEP standard is known for its flaws that can be exploited by a skilled hacker, it will prevent unauthorized users from accessing your WLAN.
4. Change the default WEP cipher. One common mistake many administrators make when enabling WEP is to use the default cipher set by the provider. The secret cipher is the basis of WEP security, and the default WEP ciphers are well known. By changing the cipher, you can be sure that it is unique.
3. Change WEP encryption regularly. Some expensive 802.11 devices can automatically manage the WEP encryption used across the entire WLAN, but most solutions require manual encryption changes. To reduce encryption vulnerabilities, create a schedule to regularly change the WEP encryption encryption used in your organization.
2. Monitor for rogue networks. Use tools like AirMagnet Laptop and Marius Milner’s NetStambler to find unaccounted-for networks. Departments that don’t have security measures in place can build WLANs and inadvertently compromise the security of the entire organization’s network.
1. For added security, use a virtual private network (VPN). WEP security is better than nothing, but it’s not foolproof: several well-known worms can crack WEP. To get the best possible security from modern 802.11 devices, implement a VPN connection between your wireless devices and your network. VPN allows you to create an encrypted channel for wireless traffic that is highly resistant to external intrusions.