Companies need authentication in place to control who accesses the corporate network, in addition to encryption to protect information travelling wirelessly. There are a variety of ways to spoil a hacker's attempts to exploit your wireless network:
- Position access points correctly: Start with the basics--within your network configuration ensure wireless access points are outside your perimeter firewall.
- Use MAC: Using MAC address-based ACLs (Access Control Lists) will allow only registered devices to access the network. While a MAC address can be spoofed, MAC address-filtering is like adding another lock to your front door--the more obstacles you present, the more likely that hackers will be encouraged to move on to less secure organisations.
- Manage your wireless network ID: All WLANs come with a default SSID (Service Set Identifier) or network name. Change it--immediately--with an alphanumeric name. If your organisation can handle the administrative work, regularly change the SSID. It's also wise to disable the automatic SSID broadcast feature.
- WEP: WEP (Wired Equivalent Privacy) is the standard 802.11b wireless security protocol. It's designed to provide wired-like protection by encrypting data as it is transmitted wirelessly. Enable it and then immediately change the WEP key from the default. Ideally, have your WEP keys generated dynamically when a user logs on, making access to wireless data a moving target for hackers. Session-based and user-based WEP keys offer the best protection and add another layer of deterrence.
- But WEP is not impenetrable: Don't put all your encrypted eggs into the WEP basket. WEP is one security layer of many and should not be the sole security measure, despite its role as the pre-eminent encryption security. Many network administrators have learned this the hard way.
- VPN is one of the best security mechanisms: If each security option is like another locked entrance hackers must penetrate, a Virtual Private Network (VPN) is like a bank vault door. VPNs offer a higher layer of security than WEP and allow a secure end-to-end tunnel between user and network.
- Leverage RADIUS servers: Remote users of larger companies are often authenticated to use the network through a RADIUS (Remote Authentication Dial-In User Service) server. IT managers can integrate wireless LANs into existing RADIUS infrastructure to manage users simply. This enables wireless authentication, and ensures wireless users go through the same authorisation processes as remote users.
- Integrate wireless and wired policies: Wireless security is not a separate network infrastructure. Develop a security policy that combines both wired and wireless security to leverage management and cost advantages. For example, integrate a single user ID and password requirement for users whether they are accessing the network through your wired or wireless infrastructure.
- Ban rogue networks: WLAN setup is now simple enough that non-technical staff are installing their own wireless routers or access points in their office departments, with little thought for security. Regularly scan the network with intrusion detection tools to identify rogue networks that provide a potentially vulnerable entry point for hackers. Promote a policy that vetoes WLANs without formal systems administration approval and deployment.
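
Several items in the list above (an inventory of approved devices, a non-default SSID, encryption enabled, no rogue access points) can be checked against the output of a regular wireless scan. The following is an added example, not part of the original article; the CSV columns, the inventory, the default-SSID list and every BSSID are constructed for illustration.

```python
import csv
import io

# Constructed inventory: approved access point BSSID -> SSID it should advertise.
APPROVED_APS = {
    "00:11:22:33:44:55": "corp-7f3k9",
    "00:11:22:33:44:66": "corp-7f3k9",
}
# Sample vendor-default SSIDs (an assumption; extend for your hardware).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "tsunami", "101"}

# Constructed survey output; a real export's columns will differ.
SAMPLE_SCAN = """bssid,ssid,channel,encryption
00-11-22-33-44-55,corp-7f3k9,1,WEP
00:11:22:33:44:66,linksys,6,none
00:AA:BB:CC:DD:01,marketing-wifi,11,none
"""


def normalise_mac(mac):
    """Lower-case and use ':' so 00-AA-.. and 00:aa:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit(scan_text):
    """Return {bssid: [findings]} for every AP that breaks the checklist."""
    approved = {normalise_mac(m): s for m, s in APPROVED_APS.items()}
    report = {}
    for row in csv.DictReader(io.StringIO(scan_text)):
        bssid = normalise_mac(row["bssid"])
        ssid = row["ssid"].strip()
        findings = []
        if bssid not in approved:
            findings.append("rogue: not in approved inventory")
        elif ssid != approved[bssid]:
            findings.append("ssid differs from inventory")
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append("vendor default ssid")
        if row["encryption"].strip().lower() in ("", "none", "open"):
            findings.append("encryption disabled")
        if findings:
            report[bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(findings))
```

An approved access point that has been reset to factory settings shows up here as well as an unapproved one, because the inventory records the SSID each device is expected to advertise.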
Mike Clarke is Australasian country manager at networking vendor 3Com. He can be contacted at Mike_Clarke@3com.com.









