Security Basics mailing list archives
Re: WLAN Security, Authentication, and more...
From: Sandy Carr <sandra.carr1 () jsc nasa gov>
Date: 11 May 2004 14:29:26 -0000
In-Reply-To: <20040510010228.16779.qmail () web61108 mail yahoo com>

Tom,

The issues you mention have been on my mind, too. Recently I wrote a paper on securing wireless devices. I read about a hundred articles and here are the recommendations I gleaned from them. Hope it is useful.

Sandy

Although it represents another expense, it makes sense to use dedicated applications or hardware to protect the WLAN if it prevents penetration of the network. Depending on just one method or device for security is a well-known mistake. A layered approach, also known as defense-in-depth, should be used when securing wireless devices.

All networks, wired or wireless, must be designed and maintained following best practices guidelines. The following list is not all-inclusive but represents an additional list of best practices specifically addressing securing wireless devices. [These are in addition to changing the SSID, etc. you mentioned in your post.]

1) Develop security policies and treat them as requirements for network access. If a device does not use an anti-virus and is not patched, deny access. At a minimum, use anti-virus software to scan all devices prior to permitting access to the network.

2) Use permanently assigned IP addresses if possible.

3) Encrypt all transmissions. (If the access point is smart, employ layer 2 encryption over the layer 3 VPN. This will prevent exposure of the IP address to an attacker.)

4) Implement access controllers which require mutual authentication of the user to the AP and the AP to the user. Most APs use the MAC address for authentication but MAC addresses are easily spoofed. Use encrypted mutual authentication.

5) Disable all ports on the access points and access controllers that are not being used, such as serial ports, HTTP (80), SNMP. If SNMP is being used, use authentication and encryption to control access to that port and disable it when not in use.

6) Ensure that the access point does not have a hardware reset switch. (Once an AP is reset, either via hardware or software, all security settings are lost and default settings are enabled.)

7) If possible use power-over-Ethernet (PoE) access points. Using management software, they can be automatically turned off when not in use or after business hours.

8) Make sure all access points in use can be upgraded. Management software can facilitate this operation. Keep patches up to date to prevent known holes from being exploited.

9) Conceal location of access points to prevent tampering or resets.

10) To prevent signal bleed, use directional antennas and lower the transmission power levels on access points. Test your transmission ranges.

11) Use management tools to continually monitor for rogue access points. [Administrators of wired networks would never consider using spot monitoring to look for intruders, so why would it be considered adequate for wireless networks?]

12) Develop instructions for implementing the built-in security features on as many wireless devices as possible. Put the instructions on the intranet. Make sure the instructions are user friendly by employing lots of screen shots and easily understandable instructions. Put links to the instructions in numerous places on the intranet.

13) Purchase or extend the site licenses for firewall, anti-virus, and encryption software for mobile devices. Try for as broad a coverage of device types as possible. Make sure users know it is available and required for network access.

14) Make wireless security awareness training a mandatory part of IT training. [Studies show that an employee needs to be exposed to an issue in a company policy five times before it becomes part of their knowledge base.]

15) Use innovative means to raise employee awareness of the security breach they may be causing. Try posters, seminars, free configuration help days, pop-up questions during login, notices in the newsletter, whatever it takes.

In conclusion, it is possible to operate a secure wireless network. If these additional recommendations are implemented, operation of a WLAN should not present any greater threat to information assets than a regular LAN.
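
[Added example, not part of the original post: a sketch of the continuous rogue-AP check from item 11, which also flags an authorized AP that has fallen back to default settings after a reset (item 6). The inventory, scan records, encryption labels and signal threshold are all constructed assumptions.]

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Beacon:
    bssid: str        # MAC address the AP advertises
    ssid: str
    channel: int
    encryption: str   # label reported by the scanner, e.g. "WPA", "WEP", "OPEN"
    signal_dbm: int

# Constructed inventory of authorized APs: BSSID -> (SSID, channel, required encryption)
INVENTORY = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1, "WPA"),
    "00:11:22:33:44:02": ("CORP-WLAN", 6, "WPA"),
}
CORP_SSIDS = {ssid for ssid, _, _ in INVENTORY.values()}
ON_PREMISES_DBM = -65  # assumed threshold: a stronger signal is likely inside the building

def classify(b: Beacon) -> Optional[str]:
    """Return a finding for one observed beacon, or None if nothing is wrong."""
    known = INVENTORY.get(b.bssid.lower())
    if known is None:
        if b.ssid in CORP_SSIDS:
            return "unauthorized BSSID advertising a corporate SSID"
        if b.signal_dbm >= ON_PREMISES_DBM:
            return "unknown AP with on-premises signal strength"
        return None  # weak neighbouring network, not actionable
    ssid, channel, encryption = known
    if b.ssid != ssid or b.encryption != encryption:
        return "authorized AP not in its secured configuration (possible reset)"
    if b.channel != channel:
        return "authorized BSSID on unexpected channel (possible spoofed MAC)"
    return None

def review(scan):
    """Run every beacon from one scan cycle through classify(); keep the findings."""
    return [(b.bssid, f) for b in scan if (f := classify(b))]

# Constructed scan cycle; a monitoring job would feed each new cycle to review().
SCAN = [
    Beacon("00:11:22:33:44:01", "CORP-WLAN", 1, "WPA", -48),
    Beacon("00:11:22:33:44:02", "default", 6, "OPEN", -52),
    Beacon("66:77:88:99:aa:bb", "CORP-WLAN", 11, "OPEN", -60),
    Beacon("de:ad:be:ef:00:01", "linksys", 3, "OPEN", -55),
    Beacon("12:34:56:78:9a:bc", "CoffeeShop", 9, "WPA", -85),
]
```
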