Protect your WLAN from 802.11b's deficiencies
Wireless is the hottest new LAN technology going, and with good reason. The ability to roam the workplace while remaining connected to the network and even the Internet can aid productivity. However, wireless LANs (WLANs) have shortcomings, the biggest of which is security. Many organizations allow wireless networks to be implemented at the department level with no security whatsoever. If someone bridges these WLANs into the corporate network, the result can be a Grand Canyon–sized hole in your network's security. To make your 802.11b networks more secure until the next generation of 802.1x wireless devices arrive, implement these 10 tips.
10. Secure your Access Points (APs)—Network security starts with physical security: You can't place your wireless AP on a countertop and expect it to be secure. Treat your APs like hubs—restrict physical access by keeping them locked up and out of sight. In some cases, the ceiling can be a good location for devices that have drop-down antennas. Also, to reduce the possibility that a war driver will intercept your signal, try to put your APs close to the building's core.
9. Implement wireless APs outside the perimeter firewall—Putting your APs outside your firewall gives your network an extra layer of defense by treating all wireless users as untrusted users. If you must deploy your WLAN within the firewall, consider using a demilitarized zone (DMZ), screened subnet, or Virtual LAN (VLAN) to isolate your WLAN traffic.
8. Change the default Service Set Identifier (SSID)—The SSID is essentially a mechanism for naming wireless devices. It's not a strong security measure, but discovering your WLAN's SSID is an intruder's first step toward breaking into your network. To make that step a little more difficult, change the default SSID value and choose an SSID name that isn't easy to guess.
7. Disable the automatic SSID broadcast feature—By default, many APs broadcast the SSID to make connecting easy for wireless devices. However, broadcasting the SSID lets intruders more easily discover your SSID. Most APs support disabling SSID broadcasts, although a firmware update might be necessary for older devices.
6. Use media access control (MAC) address restrictions—Like standard NICs, each wireless card has a unique MAC address. Configuring your AP to allow only devices that have registered MAC addresses to access the network will go a long way toward securing your WLAN.
5. Enable the Wired Equivalent Privacy (WEP) standard—A shocking number of organizations implement wireless networks without security. Although WEP has known flaws that a determined attacker can exploit, it will prevent casual unauthorized users from accessing your WLAN.
4. Change the WEP key from its default value—One common mistake that many organizations make when implementing WEP is using the default vendor-supplied key. WEP security relies on a secret key, and the default WEP keys are well known. Change the WEP key to ensure that it's unique to your implementation.
3. Change the WEP key regularly—Some high-end 802.11 devices can automatically manage the WEP keys used throughout the WLAN, but most devices require manual updating. To reduce key-related vulnerability, set up and adhere to a schedule to regularly update the WEP keys that your organization uses.
2. Regularly sniff out rogue networks—Use a tool such as AirMagnet Laptop or Marius Milner's NetStumbler to monitor your premises for rogue networks. Well-meaning but unsecured departments can set up WLANs and inadvertently undermine your network security.
1. Use VPNs for better security—Although WEP is better than no security at all, several well-known exploits can crack WEP. To get the best possible security with the current crop of 802.11 devices, implement a VPN connection from your wireless devices to your network. A VPN lets you create an encrypted tunnel for your wireless traffic that's highly resistant to intrusion. For instructions about how to set up a wireless VPN, see "Securing 802.11 Wireless Networks," June 2002, http://www.winnetmag.com, InstantDoc ID 24873.