Security Basics mailing list archives

Re: WLAN Security, Authentication, and more...


From: Sandy Carr <sandra.carr1 () jsc nasa gov>
Date: 11 May 2004 14:29:26 -0000

In-Reply-To: <20040510010228.16779.qmail () web61108 mail yahoo com>

Tom,
The issues you mention have been on my mind, too. Recently I wrote a paper on securing wireless devices. I read about a 
hundred articles and here are the recommendations I gleaned from them. Hope it is useful.
Sandy


Although it represents another expense, it makes sense to use dedicated applications or hardware to protect the WLAN if 
it prevents penetration of the network. 

Depending on just one method or device for security is a well-known mistake. A layered approach, also known as 
defense-in-depth, should be used when securing wireless devices. All networks, wired or wireless, must be designed and 
maintained following best practices guidelines. The following list is not all-inclusive but represents an additional 
list of best practices specifically addressing securing wireless devices. [These are in addition to changing the SSID, 
etc. you mentioned in your post.]

1)Develop security policies and treat them as requirements for network access. If a device does not use an anti-virus 
and is not patched, deny access. At a minimum, use anti-virus software to scan all devices prior to permitting access 
to the network. 

2)Use permanently assigned IP addresses if possible. 

3)Encrypt all transmissions. (If the access point is “smart”, employ layer 2 encryption over the layer 3 VPN. This will 
prevent exposure of the IP address to an attacker.)

4)Implement access controllers which require mutual authentication of the user to the AP and the AP to the user. Most 
APs use the MAC address for authentication but MAC addresses are easily spoofed. Use encrypted mutual authentication.

5)Disable all ports on the access points and access controllers that are not being used, such as serial ports, HTTP 
(80), SNMP. If SNMP is being used, use authentication and encryption to control access to that port and disable it when 
not in use.

6)Ensure that the access point does not have a hardware reset switch. (Once an AP is reset, either via hardware or 
software, all security settings are lost and default settings are enabled.)

7)If possible use power-over-Ethernet (PoE) access points. Using management software, they can be automatically turned 
off when not in use or after business hours.

8)Make sure all access points in use can be upgraded. Management software can facilitate this operation. Keep patches 
up to date to prevent known holes from being exploited.

9)Conceal location of access points to prevent tampering or resets.

10)To prevent signal bleed, use directional antennas and lower the transmission power levels on access points. Test 
your transmission ranges.

11)Use management tools to continually monitor for rogue access points. [Administrators of wired networks would never 
consider using spot monitoring to look for intruders, so why would it be considered adequate for wireless networks?]

12)Develop instructions for implementing the built-in security features on as many wireless devices as possible. Put 
the instructions on the intranet. Make sure the instructions are user friendly by employing lots of screen shots and 
easily understandable instructions. Put links to the instructions in numerous places on the intranet. 

13)Purchase or extend the site licenses for firewall, anti-virus, and encryption software for mobile devices. Try for 
as broad a coverage of device types as possible. Make sure users know it is available and required for network access.

14)Make wireless security awareness training a mandatory part of IT training. [Studies show that an employee needs to 
be exposed to an issue in a company policy five times before it becomes part of their knowledge base.] 

15)Use innovative means to raise employee awareness of the security breach they may be causing. Try posters, seminars, 
free configuration help days, pop-up questions during login, notices in the newsletter, whatever it takes.

In conclusion, it is possible to operate a secure wireless network. If these additional recommendations are 
implemented, operation of a WLAN should not present any greater threat to information assets than a regular LAN. 
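
Item 11's contrast between continual and spot monitoring, shown as an added example that is not part of the original post. The inventory, BSSIDs and sensor observations are constructed, and the function names are hypothetical; the config-drift check also covers the reset-to-defaults case from item 6.

```python
from collections import namedtuple

Obs = namedtuple("Obs", "minute bssid ssid encryption")

# Authorized inventory (constructed): BSSID -> (SSID, expected encryption)
AUTHORIZED = {
    "02:00:00:aa:00:01": ("CORP-WLAN", "wpa-enterprise"),
    "02:00:00:aa:00:02": ("CORP-WLAN", "wpa-enterprise"),
}

# Constructed sensor observations for one day (minute of day)
OBSERVATIONS = [
    Obs(540, "02:00:00:aa:00:01", "CORP-WLAN", "wpa-enterprise"),
    Obs(540, "02:00:00:aa:00:02", "CORP-WLAN", "wpa-enterprise"),
    Obs(615, "02:00:00:ff:00:07", "CORP-WLAN", "open"),  # AP not in inventory
    Obs(630, "02:00:00:ff:00:07", "CORP-WLAN", "open"),
    Obs(700, "02:00:00:aa:00:02", "default", "open"),    # AP 2 after a reset
    Obs(720, "02:00:00:aa:00:01", "CORP-WLAN", "wpa-enterprise"),
    Obs(720, "02:00:00:aa:00:02", "CORP-WLAN", "wpa-enterprise"),
]

def classify(obs, authorized):
    """Return a finding reason for one observation, or None if it matches inventory."""
    expected = authorized.get(obs.bssid)
    if expected is None:
        corp_ssids = {ssid for ssid, _ in authorized.values()}
        if obs.ssid in corp_ssids:
            return "unauthorized-bssid-using-corp-ssid"
        return "unknown-ap"
    if (obs.ssid, obs.encryption) != expected:
        return "authorized-ap-config-drift"
    return None

def monitor(observations, authorized):
    """Continual monitoring: check every observation, track first/last seen."""
    findings = {}
    for obs in sorted(observations):
        reason = classify(obs, authorized)
        if reason:
            key = (obs.bssid, reason)
            first = findings.get(key, (obs.minute,))[0]
            findings[key] = (first, obs.minute)
    return findings

def spot_check(observations, authorized, minute):
    """Spot monitoring: only what is on the air at the time of the check."""
    return monitor([o for o in observations if o.minute == minute], authorized)

if __name__ == "__main__":
    print("continual:", monitor(OBSERVATIONS, AUTHORIZED))
    print("spot check at 720:", spot_check(OBSERVATIONS, AUTHORIZED, 720))
```

Because MAC addresses can be spoofed (item 4), matching BSSIDs against an inventory is one layer of detection and does not by itself prove that an AP is genuine.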


