Transcript how to setup a secure wireless network

HOW TO SETUP A SECURE
WIRELESS NETWORK
Presented by Susan H. Borgos, J.D., CNE
Office Technology Solutions, Inc.
Copyright 2006


Setup your wireless access point in a place
where you will get the best coverage. (But
keep in mind security rule no.1)
If you can’t get coverage everywhere you
need, you may need a booster or a second
WAP. (Keep in mind you can only use a
second WAP if you have wired access in
the vicinity.) Place the WAP away from
obstructions – unless, following security
rule no. 1, you are trying to obstruct the
signal.


If you only have one WAP, connect it to
your router or firewall using the WAN
connection.
If you are on a wired network and are
using your WAP to cover a specific limited
area, or if you are plugging in a second
WAP, plug the WAP into the nearest LAN
jack using one of the LAN ports (rather
than the WAN port).


If you have a wired network, you can give
your WAP a static IP address on the same
network or you can create a new separate
network.
You would only want to create a separate
network if users of the wireless LAN do
not need to access the rest of your
network.

If you are in a single user or peer-to-peer
environment, then and only then, have
your WAP assign IP addresses to the PCs
connecting to it. In all other
circumstances, disable the DHCP on
the WAP.
Security for your Wireless Network
1. Control your broadcast area. Many WAPs let you adjust the signal
strength and some let you adjust signal direction as well. Place your WAPs
as far away from exterior walls and windows as possible, then play around
with signal strength so you can just barely get connections near exterior
walls. However, sensitive snooping equipment can pick up wireless signals
from a WAP at distances of several hundred feet or more. So even with
optimal placement and adjustment, the signal may leak.
2. Secure each WAP. Change the default administrator password. If you
leave the defaults, the hackers know what they are and they can just go in
and change the settings on your WAP. Make sure you at least change the
administrator password to something secure- i.e. at least 8 characters using
a combination of letters and numbers.
3. Ban non-approved access points. If a WAP is connected to your home
or office network, make sure you or the network administrator put it there.
Check periodically to see all available wireless networks.
Security cont’d
4. Use WPA. WEP (Wired Equivalent Privacy) can be cracked/hacked. WPA
has more variables and is much more difficult to get through. Personal
WPA is less secure than RADIUS authenticated WPA. If you have a
Windows or Linux server, implement RADIUS. If you are peer-to-peer, use
personal WPA – not WEP.
Security cont’d
5. Rename SSIDS and hide them. Change the default Service Set
Identifiers (SSIDs) for your WAPs, and don't use anything obvious like your
address or company name. Buy WAPs that let you disable broadcast SSID.
While intentional intruders can use programs such as Kismet
(www.kismetwireless.net) to sniff out SSIDs, every bit of inconvenience
helps.
6. Limit access rights. Determine who should have access via the wireless
and set the WAP to allow access by MAC address. Enterprising individuals
can spoof MAC addresses, however, which brings us to the next tip.
7. Limit the number of user addresses. If you don't have too many users,
if your WAP assigns DHCP addresses then consider limiting the maximum
number of DHCP addresses the network can assign, allowing just enough to
cover the users you have. Then if everyone in the group tries to connect
but some can't, you know there are unauthorized users on the network.
Security cont’d
8.
Authenticate users. Use a method of access that requires
authentication, such as VPN or RADIUS. As a side benefit, VPNs help
prevent users from being fooled by malicious association attacks. In this
type of assault, the perpetrator sets up a machine that pretends to be an
authorized WAP, in the hope that someone will be tricked into logging on.
If you connect to a WAP and don't get the VPN log-on prompt you
expect, you know something's amiss.
9.
Other security. If you have an extreme need for security, you should
have wireless-dedicated hardware security in place. For instance,
AirDefense (www.airdefense.net) is a server appliance that connects to
sensors placed near WAPs. The system monitors activity and protects all
traffic on your wireless LAN—but it doesn't come cheap. Prices start at
$10,000 and can reach $100,000 depending on the number of sensors
needed