
Steps for More Secure Wireless LANs

The chances are that eventually you will have to implement wireless technology. Even if you don't, you should still occasionally audit your network and make sure someone isn't running a rogue wireless access point. While running any wireless access is a risk, you can lessen your exposure by taking the following preventative measures.

Turn On WEP

By encrypting your data you are requiring hackers to spend a lot more time and effort to get to your wireless data and network. This will discourage casual hackers and force the serious ones to hang around your area for a day or so, increasing the chances that they will be noticed by security personnel or vigilant employees.

Use Wireless Equipment with an Improved Encryption Protocol

As mentioned earlier, Cisco equipment uses an improved version of WEP called LEAP, which so far has proven impervious to cracking attempts. There is also a new standard, 802.11i, which permanently fixes the problems with WEP. Unfortunately, 802.11i has only recently been approved as a standard, and equipment based on it should be available soon. If you can get such equipment, do so. The pricing shouldn't be any different from the older 802.11a and 802.11b gear.

Require Wireless Users to Come in Via a VPN Tunnel

This step adds a mostly insurmountable hurdle for would-be wireless intruders. Even if they manage to crack your WEP encryption, they then have to tackle the VPN encryption. Some vendors (such as SonicWALL with its Wi-FiSec feature) have added this capability into their equipment. The downsides are that there is an additional layer of complexity for your users and this makes it harder to support "guest" users, as they would need VPN client software loaded as well as the WEP key to access the WLAN.

Treat Your Wireless Network as Untrusted

Since you cannot control what traffic is coming across the air to access points, you shouldn't treat it any differently than the public side of your firewall. If you can afford it, place a firewall between your wireless network and your LAN (see Chapter 3 for some open source options) or place it on your DMZ. Then you can filter certain kinds of attack packets, limit types of traffic, and track any activity coming from that interface.

Audit Your Wireless Perimeter on a Regular Basis

This is especially important if you are in one of those dense areas mentioned earlier. Test to see how far away your signal can be picked up and if your network is overlapping nearby ones. Even if you don't officially allow wireless access, you should do this periodically to locate any rogue or "unofficial" access points. Wireless has become so cheap and easy to set up that unthinking or uncaring managers will often go to the local electronics store and set up an access point for some temporary purpose, such as a demo in an unwired conference room, opening up your network to wireless attack. Additionally, remember that a lot of new PCs, especially laptops, are coming with Wi-Fi cards built-in, and enabling them is easy to do. You may be running wireless on your network without realizing it. A wireless audit is the only way to find out.
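The audit described above comes down to comparing what is actually on the air against the list of access points you have sanctioned. The following script is an added example, not code from the book: it takes a wireless survey (here a constructed five-line listing in a simple pipe-separated form, one observed BSSID per line) and a constructed inventory of approved access points, and flags the three things a perimeter audit is looking for: an unknown base station broadcasting your own SSID, a strong unknown signal that is probably inside your building, and an approved access point that has gone missing or is running without encryption. The field layout, the inventory, and the signal threshold are assumptions.

```python
"""Rogue access point audit: compare a wireless survey against the approved
AP inventory. Added example, not the book's code; all data is constructed."""
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> SSID it should broadcast.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}
CORPORATE_SSIDS = {"CorpNet"}

# Constructed survey output, one observed BSSID per line (assumed layout):
# bssid|ssid|channel|signal_dbm|encryption
SURVEY = """\
00:11:22:33:44:01|CorpNet|6|-45|WEP
00:11:22:33:44:02|CorpNet|11|-52|WEP
aa:bb:cc:dd:ee:ff|CorpNet|6|-40|OPEN
de:ad:be:ef:00:01|linksys|1|-38|OPEN
00:de:ad:be:ef:02|NeighborCafe|11|-85|WEP
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str


def parse_survey(text):
    """Turn the pipe-separated survey into a list of dicts; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bssid, ssid, channel, signal, enc = line.split("|")
        rows.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(channel),
                     "signal": int(signal), "enc": enc.upper()})
    return rows


def audit(rows, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS, strong_dbm=-70):
    """Return the list of findings. strong_dbm is an assumed threshold: anything at or
    above it is close enough that it is probably inside the building."""
    findings = []
    seen = set()
    for r in rows:
        seen.add(r["bssid"])
        if r["bssid"] in authorized:
            # Sanctioned AP: check that it is configured the way we expect.
            if r["ssid"] != authorized[r["bssid"]]:
                findings.append(Finding(r["bssid"], r["ssid"], "authorized AP broadcasting unexpected SSID"))
            if r["enc"] == "OPEN":
                findings.append(Finding(r["bssid"], r["ssid"], "authorized AP running without encryption"))
            continue
        # Unknown AP advertising our SSID: someone is impersonating the corporate network.
        if r["ssid"] in corp_ssids:
            findings.append(Finding(r["bssid"], r["ssid"], "unknown BSSID using corporate SSID (possible evil twin)"))
        # Unknown AP with a strong signal: likely a rogue inside the premises.
        elif r["signal"] >= strong_dbm:
            findings.append(Finding(r["bssid"], r["ssid"], "strong unknown AP, likely inside the building (possible rogue)"))
        # Weak unknown APs are probably the neighbours and are left alone.
    # An approved AP that did not show up may be down, moved, or replaced.
    for bssid, ssid in authorized.items():
        if bssid not in seen:
            findings.append(Finding(bssid, ssid, "authorized AP not seen in survey"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_survey(SURVEY)):
        print(f"{f.bssid}  {f.ssid:<14} {f.reason}")
```

Run on the constructed survey it reports two findings: the `aa:bb:cc:dd:ee:ff` station impersonating `CorpNet`, and the strong open `linksys` box that nobody registered. The weak `NeighborCafe` signal is ignored, which is the point of the threshold: an audit that flags every neighbour is one that gets switched off.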

Move Your Access Points

Sometimes just by moving the base station into an interior room you can decrease the broadcast of your wireless network signal considerably. Use your wireless audit results to figure out which access points are problematic. Play around with placement so you get optimal reception inside the building but minimal reception outside the building. For example, if your building has a large parking lot in front and a wooded lot in back, moving the base station to the back of the building will probably still allow most internal people to reach it, but will limit the radiation of the signal to an area that is not easily accessible by war drivers.

Configure Your Wireless Network Properly

There are many features and settings you can use to increase your security considerably. Not all equipment supports these options, but here are some things you can do.

  • Turn off the SSID broadcast. Doing this requires a user to know the SSID to establish a session with the base station. This acts as a weak password. However, if an eavesdropper manages to crack your encryption, he or she will be able to gain the SSID easily.

  • Restrict access by MAC address. This makes it more difficult for someone to gain access to your network via a wireless base station. In most access points, you can restrict access to certain hardware MAC addresses. This is a fairly strong method of authentication, since only people with the correct serialized network card can gain access. However, it may be cumbersome for administrators to keep track of authorized NIC cards and it doesn't allow for instant access for a new user in your office. Also, if the attacker knows one of the authorized MAC addresses, it is possible to forge this address on his or her card and masquerade as that user.
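MAC filtering is only as good as the inventory behind it, and the forgery weakness noted above leaves a trace: a cloned card shows up as the same address associating at two base stations at once. The script below is an added example, not code from the book. It applies a constructed MAC allowlist to a constructed association log (one line per event: time, access point, event, address), rejects addresses that are not on the list, and flags an approved address that appears at a second access point while still associated at the first. The log format and the allowlist are assumptions.

```python
"""MAC allowlist enforcement with a duplicate-session check.
Added example, not the book's code; the allowlist and log lines are constructed."""

# Constructed allowlist: hardware address -> the machine it was issued to.
ALLOWED_MACS = {
    "00:aa:bb:cc:dd:01": "alice-laptop",
    "00:aa:bb:cc:dd:02": "bob-laptop",
}

# Constructed association log (assumed layout): time ap event mac
ASSOC_LOG = """\
09:00:01 ap1 assoc 00:aa:bb:cc:dd:01
09:00:05 ap1 assoc 00:de:ad:be:ef:99
09:01:10 ap2 assoc 00:aa:bb:cc:dd:02
09:02:00 ap2 assoc 00:aa:bb:cc:dd:01
09:05:00 ap1 disassoc 00:aa:bb:cc:dd:01
"""


def process_log(text, allowed=ALLOWED_MACS):
    """Return (denied, alerts): denied lists associations from addresses not on the
    allowlist; alerts lists approved addresses seen at two APs at the same time."""
    denied, alerts = [], []
    active = {}  # mac -> AP it is currently associated with
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ap, event, mac = line.split()
        mac = mac.lower()
        if mac not in allowed:
            denied.append((ts, ap, mac))
            continue
        if event == "assoc":
            if mac in active and active[mac] != ap:
                alerts.append((ts, mac, allowed[mac],
                               f"already associated at {active[mac]}, now also at {ap}"))
            active[mac] = ap
        elif event == "disassoc":
            active.pop(mac, None)
    return denied, alerts


if __name__ == "__main__":
    denied, alerts = process_log(ASSOC_LOG)
    for ts, ap, mac in denied:
        print(f"{ts} DENY  {mac} at {ap} (not on allowlist)")
    for ts, mac, owner, why in alerts:
        print(f"{ts} ALERT {mac} ({owner}): {why}")
```

A genuine roam between access points produces the same pattern when the old base station logs its disassociation late, so treat the alert as a lead to check against the owner of the card rather than as proof of forgery.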

Train Your Staff

As with all computer security, the human element can be your weakest or strongest point. Make sure security guards, receptionists, and other personnel know how to look for suspicious behavior associated with war driving. For example, if they see someone sitting in your parking lot for long periods of time, possibly with a strange antenna on their roof, then he or she may well be targeting your wireless network.

Also, develop and get approval on a company-wide policy for deploying wireless LANs. Make sure managers know that they can't set up a wireless LAN themselves; that they need to go through you for an official connection. Make them understand how they are putting the whole company at risk with this behavior. Sometimes a demonstration is the best way to get the danger of this across. An informed workforce can be your best defense.
