
33 Steps to Wireless Security

  1. Don't use wireless

  2. Refer back to #1

  3. Treat wireless like it is Internet traffic, DON'T TRUST IT! Ensure the access point (AP) is on a separate network, DMZ or firewalled interface. If anyone compromises your wireless security, they will only have access to the Internet, not your corporate data.

  4. Assume you don't have wireless? How many of you have Centrino laptops? They have wireless built right in. Some desktops are also shipping with wireless built into the motherboards. Still think you are safe because you don't have any APs? Think again! Windows has bridging and Internet sharing, which can turn any wireless-enabled computer into an AP.

  5. Scan for wireless APs using wireless. Always use multiple tools. I have found that NetStumbler and Kismet will find different APs.

  6. Scan for wireless APs using Nessus on the wired network. See "Using Nessus to Detect Wireless Access Points".

    Linux bootable CDs with Nessus:
    Knoppix STD 0.1
    Local Area Security Linux LiveCD
    F.I.R.E.
    Penguin Sleuth Bootable CD
    PHLAK

  7. Remember walls are no longer boundaries!

  8. Map your wireless footprint

  9. Use directional antennas

  10. Turn down the power

  11. Configure IPSEC VPN tunnels for all wireless network users. If it's good enough for the Internet, it's good enough for wireless.

  12. Enable IPSEC via GPO to force all IP network traffic to be encrypted.

  13. Always enable WEP
    It's the "POSTED No Trespassing / Keep Out" sign for your wireless network.

  14. Don't use an identifiable SSID!
    No company names, no street addresses etc.

  15. Disable SSID broadcasting

  16. Restrict access via MAC address

  17. Disable DHCP

  18. If you can't disable DHCP, limit the scope to the exact number of wireless clients you have.

  19. Change default admin username and password on the AP

  20. Disable management services on the wireless interface: http, https, telnet, snmp, ping

  21. Use a secure wired channel for admin (https)

  22. Install software firewalls on clients. For example XP SP2, ZoneAlarm, BlackIce.

  23. Install active anti-Spyware/Malware on clients. For example Pest Patrol

  24. Use RADIUS or other user authentication

  25. Maintain & review WLAN audit logs

  26. Assess info passing over the WLAN.
    What will be on your wireless network? Will it be covered by the Data Protection Act, HIPAA, GLB, or Sarbanes-Oxley?

  27. Ensure NIC and AP firmware are up-to-date

  28. Avoid using the default network address space.
    Don't use 192.168.0.x, 172.16.0.x or 10.0.0.x. Use something like 192.168.179.x or 172.16.203.x.

  29. Power down APs during non-usage
    Connect conference room APs to the light switch. The only 100% secure wireless network is one that is turned off.

  30. If possible, use EAP, CEAP, LEAP, IEEE 802.11i or Wi-Fi Protected Access (WPA)

  31. Hide your AP among a range of fake-AP honeypots

  32. Use a wireless gateway
    Blue Socket
    Cisco
    Reef Edge

  33. Use WLAN Intrusion Detection
    Air Magnet
    VigilantMinds
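
Steps 5, 13 and 14 combined into one audit, as an added example that is not part of the original presentation: it merges AP sightings from two scanning tools and checks each AP against an inventory of approved APs. The tuple layout, inventory, BSSIDs, SSIDs and keyword list are all constructed for illustration and are not the export format of NetStumbler, Kismet or any other tool.

```python
# Hypothetical inventory of approved APs (BSSID -> expected SSID); constructed values.
AUTHORIZED = {"00:0a:00:00:00:01": "wlan-7f3", "00:0a:00:00:00:02": "wlan-7f3"}
IDENTIFYING_WORDS = ("acme", "mainst")  # constructed: terms that identify the owner

# Constructed sightings as (bssid, ssid, encrypted), one list per scanning tool.
SCAN_TOOL_A = [
    ("00:0A:00:00:00:01", "wlan-7f3", True),
    ("00:0B:00:00:00:09", "linksys", False),
]
SCAN_TOOL_B = [
    ("00:0a:00:00:00:01", "wlan-7f3", True),
    ("00:0a:00:00:00:02", "AcmeCorp-Guest", True),
    ("00:0c:00:00:00:07", "", True),  # SSID broadcast disabled, AP still detected
]

def merge_scans(**scans):
    """Union sightings by lower-cased BSSID and record which tools saw each AP."""
    merged = {}
    for tool, sightings in scans.items():
        for bssid, ssid, encrypted in sightings:
            ap = merged.setdefault(
                bssid.lower(), {"ssid": "", "encrypted": True, "seen_by": set()})
            ap["seen_by"].add(tool)
            ap["ssid"] = ap["ssid"] or ssid
            ap["encrypted"] = ap["encrypted"] and encrypted  # weakest sighting wins
    return merged

def audit(merged, authorized, tool_count):
    """Return {bssid: [findings]} for every AP that has at least one finding."""
    report = {}
    for bssid, ap in sorted(merged.items()):
        findings = []
        if bssid not in authorized:
            findings.append("unauthorized")
        elif authorized[bssid] != ap["ssid"]:
            findings.append("ssid-mismatch")
        if not ap["encrypted"]:
            findings.append("no-encryption")
        if any(word in ap["ssid"].lower() for word in IDENTIFYING_WORDS):
            findings.append("identifiable-ssid")
        if len(ap["seen_by"]) < tool_count:
            findings.append("seen-by-one-tool")
        if findings:
            report[bssid] = findings
    return report

if __name__ == "__main__":
    merged = merge_scans(tool_a=SCAN_TOOL_A, tool_b=SCAN_TOOL_B)
    for bssid, findings in audit(merged, AUTHORIZED, tool_count=2).items():
        print(bssid, merged[bssid]["ssid"] or "<hidden>", ", ".join(findings))
```

The "seen-by-one-tool" finding marks APs that a single-tool survey would have missed, which is the reason step 5 calls for more than one scanner.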


Conclusion
  • Don't use wireless
  • Use multiple layers of protection
  • Trust no one


PDF slide show version of "Wireless Security Tips" presented 4/14/2004 at the Philadelphia Area Network Technologies User Group (PANTUG).







Netforcement is located in Conshohocken, PA, just outside of Philadelphia. We provide network security services to all of southeastern PA, NJ and DE.


 