WLAN Security Tips
WLAN security tips fall into two categories:
- Those that work on the enterprise network side
- Those that work on the wireless LAN side
- Firewall
Put wireless access points outside the enterprise firewall and set up rules that let in only the IP and/or MAC addresses of legitimate users.
This is by no means a final or perfect solution because MAC and IP addresses can be spoofed or cloned. It's analogous to the anti-auto theft device,
The Club, which locks your steering wheel. The Club will not stop a determined car thief, but it is a deterrent. It slows him down and it may be
enough to send him off looking for easier prey.
- RADIUS
Along the same lines, and still on the enterprise side, install a RADIUS server to authenticate WLAN users, forcing them to enter a login ID and
password when they want to come inside the enterprise LAN. This is not a perfect solution either. It is inconvenient for users and does add some
network overhead. If you only have a few users you are not going to have any problems. But, if you have 1000 users on the wireless side you are
going to start having congestion problems.
- Encryption
One refinement on this idea is encrypting the RADIUS ID and password, making them more difficult for eavesdroppers to intercept.
- VPN
A much more comprehensive solution, though one with some cost attached, is to use some kind of third party encryption mechanism for all data on
the WLAN. Best is a virtual private network (VPN). A VPN can be implemented for a local area link as easily as for a wide area link. And it will
support up to 3DES (triple Data Encryption Standard) - meaning the data is encrypted three times before transmission.
- WEP
Implement 802.11(b) Wired Equivalent Privacy (WEP) encryption - even though it can be compromised. WEP is another example of "The Club
Syndrome." It will not stop a determined hacker, but it is a deterrent.
- SSIDs
One of the most common security mistakes made by WLAN administrators is to not change the default Service Set Identifier (SSID), the network ID
attached to packets sent over WLANs. This is equivalent to leaving a default password in place. And some organizations that do change the default
SSID sometimes inadvertently help hackers by using SSIDs that offer clues on where to find data.
For example, a company might use SSIDs for the WLAN segments on successive floors that include the floor numbers - kakhi1, kakhi2, kakhi3, etc. A
"war driver," a hacker who drives around looking for susceptible WLANs to infiltrate, can look at the directory in the building lobby to see
which floor houses departments with sensitive data - like financial services - and then target that LAN segment by configuring his client adapter with
the appropriate SSID. Use a password generation program to produce new SSIDs on a regular basis and change all client devices - although this can be
an intensive network administration task.
- Broadcast
One technique that can be very effective is disabling regular broadcast of SSIDs, but only some vendors' systems allow it. In a normally
configured WLAN, access points broadcast the SSID of the local segment with every second packet to make it easier for client machines to associate
with the WLAN on startup. If you turn off SSID broadcasting, client machines must send out a probe asking if the SSID they want is available. So
the only time the SSID is broadcast now is when a client adapter is associating, and chances are that is not going to happen very often. All in all,
it is a very good deterrent for keeping eavesdroppers from picking off SSIDs.
- Access Points
Place access points away from windows. The closer to the perimeter of the facility access points are located, the further coverage will extend
beyond that perimeter. If you place access points well away from walls and windows, chances are the signal will be degraded enough to make
intercepting packets outside tediously slow and unreliable.
- Intrusion Detection
Use intrusion detection tools to periodically scan the network for rogue users. This is more a deterrent for illegal internal users - rogue
departments that unilaterally decide to hook up an access point to the wired LAN and provision their own LAN extension services. Use wireless packet
sniffer programs. Some are available as freeware from the web, though they're a key tool for hackers as well. Transmitted packet headers include MAC
and IP addresses. If you know the MAC and IP addresses of all legal users, scanning with a sniffer will expose illegal users.
- DHCP
Use static IP addresses rather than a Dynamic Host Configuration Protocol (DHCP) server. If you use DHCP the network will automatically give a
hacker configured with a stolen SSID a legal IP address. If you use static IP addresses the intruder must make the additional effort of figuring out
the legal range for IP addresses in your network. To make the network even more secure keep the range of legal IP addresses small.
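The check described under Intrusion Detection and DHCP can be automated once an inventory of legal users exists. The following is an added example, not part of the original page: it compares source MAC/IP pairs from sniffer output against a static-address inventory. The inventory, the address range and the three-column capture format are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): MAC -> statically assigned IP.
AUTHORIZED = {
    "00:0d:3a:11:22:33": "10.20.30.11",
    "00:0d:3a:44:55:66": "10.20.30.12",
}
# Constructed static range, kept deliberately small as the DHCP tip advises.
STATIC_RANGE = ipaddress.ip_network("10.20.30.8/29")

# Constructed sniffer output (assumed format): "timestamp src_mac src_ip"
SAMPLE_CAPTURE = """\
09:00:01 00:0D:3A:11:22:33 10.20.30.11
09:00:02 00:0d:3a:44:55:66 10.20.30.12
09:00:05 00:0d:3a:44:55:66 10.20.30.14
09:00:07 02:aa:bb:cc:dd:ee 10.20.30.13
09:00:09 02:aa:bb:cc:dd:ef 192.168.1.50
"""

def audit(capture, authorized=AUTHORIZED, static_range=STATIC_RANGE):
    """Return sorted (mac, ip, reason) findings for pairs that do not match the inventory."""
    findings = set()
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that are not in the assumed format
        _, mac, ip = parts
        mac = mac.lower()  # sniffers differ in MAC letter case
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip lines whose address field is not an IP
        if addr not in static_range:
            findings.add((mac, ip, "ip-outside-static-range"))
        elif mac not in authorized:
            findings.add((mac, ip, "unknown-mac"))
        elif authorized[mac] != ip:
            findings.add((mac, ip, "mac-ip-mismatch"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, ip, reason in audit(SAMPLE_CAPTURE):
        print(f"{reason:24} {mac} {ip}")
```

A pair that matches the inventory only shows that the addresses are the expected ones; as noted under Firewall, MAC and IP addresses can be spoofed or cloned, so a clean result is not proof that every station is legitimate.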
Implementing all of these techniques will not guarantee 100% protection. But, 100% is a big number in the security business.
Any protection is better than none.