Improving wireless security
- 08 May, 2007 14:16
Partially for cost reasons (less money to spend versus regular wiring) and partially for convenience (users don't have to be close to a network jack), more wireless is starting to be deployed at my company. After reading about all of the security problems that come along with the benefits of having wireless as a part of the network, I am concerned about having enough protection in place will still having the wireless network being convenient to use. What do you suggest as possibilities for doing this?-- Via the Internet.
There are several things to look at.
The first is to do an inventory of all the wireless devices that you have. Most important, note whether the wireless device is mode B, mode G, etc. While not a big deal in the grand scheme of things, it will dictate, in part, the type of encryption that you are able to use and how sophisticated you can get.
Regardless, if you have to use WEP and/or WPA in your wireless encryption, I would suggest going to Steve Gibson's Web site to get the best possible source of encryption keys to use. A common mistake is to use the most difficult encryption key for the encryption being used. Steve has gone to great pains to come up with the easiest way for a wireless admin to have a as good a key source as possible. I havent heard of anyone being able to crack an wireless encryption that has been setup using a key from his site. Another important step is to not use a SSID that readily identifies where the wireless is or the company that it belongs to.
While, in an ideal world, it would be nice to say only mode G devices could be used on your network, in reality, you may have some devices, such as those used in warehouse or security environments, that may still only support mode B wireless configurations. In such cases, multiple SSIDs can come in handy. You could have one setup handle the WPA devices and another to handle the WEP-only devices. Disabling the broadcasting of SSIDs is another important step to take as this adds one more hurdle to allowing someone to drive by and help themselves to your network.
While having a Wireless Access Controller appliance would make administering and supporting a multiple Access Point network easier, the ones I've seen aren't really that practical or affordable unless you are dealing with the 25 or more access points.
If you have the time, enabling MAC Address Filtering so that only those devices who are on the "allowed" list can see the wireless network. This is different from MAC-based authentication, which may not work with all vendors' access points with WPA enabled. If your access points and network will support it, another step to consider is separating SSIDs onto different networks or VLANs.
All of this should give you a rough idea of some of the questions you need ask yourself and your wireless vendor(s). This is something that should be revisited on a periodic basis as new technology is released and existing technology is improved.