Wireless networks require the same security measures as conventional networks, and then some. The same issues that concerned you in the non-wireless realm should still concern you with wireless networks and devices: Keep the encryption strong, keep the certificates in place, and keep doing security.
Wireless security isn't a matter of different security, it's a matter of more security.
Here are the most common security oversights and how you can avoid them.
1. Don't breach your own firewall
You've almost certainly firewalled the network, wireless or not, and rightly so. However, you've done yourself no good if your configuration doesn't place your wireless system's access points outside the firewall. Make sure it does -- otherwise you're not only failing to create a necessary barrier, you're creating a convenient tunnel through one that was already there.
2. Don't spurn Media Access Control
Media Access Control (MAC) is often ignored because it's not spoof-proof. But it is another brick in the wall: It's essentially another address filter, and it clogs up the works for the potential hacker. What it does is limit network access to registered devices that you identify on address-based access control rosters.
MAC also gives you an opportunity to turn the tables on the potential intruder. Consider that the intruder must knock on the door before being denied.
If you have MAC in place, the intruder must bump into it before realising it's there, and then must regroup to get past it. And now your network knows what the intruder looks like. So think of your MAC list as creating three classes of visitors: first, friendly entities that are on the MAC list; second, unknown entities that are not on the list and who knock by mistake; and third, entities who aren't on the list but are known because they've tried to get in before, uninvited, and are now instantly identifiable if they approach again.
In short, if you monitor your wireless network and watch for multiple attempts at access by entities not on the MAC list, you've spotted a potential intruder, and he won't know you've seen him.
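The monitoring described above, as an added example that is not part of the original article: it sorts every MAC address seen in an access point log into the three visitor classes. The log format, the addresses, and the threshold of three attempts are constructed assumptions.

```python
import re
from collections import Counter

# Registered devices (constructed sample values standing in for your MAC roster).
ALLOWED = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"}
REPEAT_THRESHOLD = 3  # assumption: this many attempts marks a deliberate visitor

# Constructed log lines in a hypothetical access point log format.
SAMPLE_LOG = """\
2004-03-01T09:14:02 ap1 assoc mac=00:0C:41:AA:BB:01 result=accepted
2004-03-01T09:15:40 ap1 assoc mac=00:02:2d:11:22:33 result=denied
2004-03-01T09:15:44 ap1 assoc mac=00:02:2d:11:22:33 result=denied
2004-03-01T09:16:10 ap2 assoc mac=00:02:2D:11:22:33 result=denied
2004-03-01T10:02:31 ap2 assoc mac=00:40:96:de:ad:01 result=denied
2004-03-01T11:20:05 ap1 assoc mac=00:0c:41:aa:bb:02 result=accepted
malformed line without a mac field
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) assoc mac=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"result=(accepted|denied)$"
)

def classify(log_text, allowed=ALLOWED, threshold=REPEAT_THRESHOLD):
    """Sort every MAC seen in the log into the article's three visitor classes."""
    allowed = {m.lower() for m in allowed}
    attempts = Counter()   # attempts per MAC that is not on the roster
    aps = {}               # which access points each unlisted MAC approached
    friendly = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        _ts, ap, mac, _result = m.groups()
        mac = mac.lower()  # normalise case so one device is not counted twice
        if mac in allowed:
            friendly.add(mac)
        else:
            attempts[mac] += 1
            aps.setdefault(mac, set()).add(ap)
    report = {"friendly": sorted(friendly), "unknown": [], "repeat": []}
    for mac, count in sorted(attempts.items()):
        entry = {"mac": mac, "attempts": count, "aps": sorted(aps[mac])}
        report["repeat" if count >= threshold else "unknown"].append(entry)
    return report

if __name__ == "__main__":
    for cls, items in classify(SAMPLE_LOG).items():
        print(cls, items)
```

Because MAC filtering is not spoof-proof, a device presenting a listed address is counted as friendly here; the report only surfaces visitors that are not on the roster.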
3. Don't spurn WEP
The Wired Equivalent Privacy (WEP) is a protocol specific to wireless security, conforming to the 802.11b standard. It encrypts data as it goes wireless, over and above anything else you're using. Use it. But remember that it is key-based, so don't stay with the default key. You may even wish to create a unique WEP key for individual users when they first access the system. Yet don't rely on WEP alone. Even multiple layers of encryption don't make you hack-proof, so use WEP in combination with other wireless-specific security measures.
4. Don't allow unauthorised access points
Access points are so incredibly easy to set up that an over-burdened IT department might simply loosen the rules to allow them to be set up on an as-needed basis by anyone smart enough to run a VCR. But don't succumb to this temptation. The access point is a primary target for an intruder. Implement a deployment strategy and procedure, and stick to them.
What's involved in such a strategy and procedure? First, you must carefully outline the correct guidelines for positioning an access point and be certain that anyone deploying an AP has those guidelines on hand. Second, you must have a procedure in place for noting the presence of the AP in your wireless network configuration for future reference, and appropriately distributing or making available the revised configuration. And regardless of who sets up the AP, have another person double-check the installation as soon as it's convenient. Is this a lot of trouble to go to? Yes. And security penetrations due to rogue APs or leaky ones are even more trouble.
5. Don't permit ad-hoc laptop communication
This is a tough one to enforce in any enterprise. Ad-hoc mode lets Wi-Fi clients link directly to another nearby laptop, which is so darned convenient, you just can't imagine not using it.
As part of the 802.11 standard, ad hoc mode permits your laptop's network interface card to operate in an independent basic service set configuration. This means that it can go peer-to-peer with another laptop via RF. When you're in ad hoc mode, you can spontaneously form a wireless LAN with other laptops. At face value, this is such a cool trick that none of us can resist trying it out. But understand up front that it permits access to the entire hard drive of the laptop; if you enable it and forget that it's enabled, your fly is open for all the world to see.
And the danger isn't only to your open machine. An intruder can also use the networked laptop as a doorway into the network itself. If you leave your machine in ad hoc mode and somebody sneaks in, you haven't just exposed your personal machine, you've exposed the entire network.
Avoid this risky habit by never letting it develop in the first place. Just accept that it isn't worth the risk.
©2004 TechRepublic, Inc.








