Top five don'ts in wireless security

by Scott Robinson | Jul 26, 2004 7:00:00 AM

Tags: Wi-Fi, Network security, Scott Robinson, wireless, MAC, WEP, network, wireless network, security, access point, wireless security

11 comment(s)

Takeaway: Securing the enterprise is more important than ever when building wireless networks. Here are the top five things not to do to ensure your networks are secure.

Wireless networks require the same security measures as conventional networks, and then some. The same issues that concerned you in the non-wireless realm should still concern you with wireless networks and devices: Keep the encryption strong, keep the certificates in place, and keep doing security.

Wireless security isn't a matter of different security, it's a matter of more security.

Here are the most common security oversights and how you can avoid them.

1. Don't breach your own firewall

You've almost certainly firewalled the network, wireless or not, and rightly so. However, you've done yourself no good if your configuration doesn't place your wireless system's access points outside the firewall. Make sure it does�otherwise you're not only failing to create a necessary barrier, you're creating a convenient tunnel through one that was already there.

2. Don't spurn Media Access Control

Media Access Control (MAC) is often ignored because it's not spoof-proof. But it is another brick in the wall: It's essentially another address filter, and it clogs up the works for the potential hacker. What it does is limit network access to registered devices that you identify on address-based access control rosters.

MAC also gives you an opportunity to turn the tables on the potential intruder. Consider that the intruder must knock on the door before being denied.

If you have MAC in place, the intruder must bump into it before realizing it's there, and then must regroup to get past it. And now your network knows what the intruder looks like. So think of your MAC list as creating three classes of visitors: first, friendly entities that are on the MAC list; second, unknown entities that are not on the list and who knock by mistake; and third, entities who aren't on the list but are known because they've tried to get in before, uninvited, and are now instantly identifiable if they approach again.

In short, if you monitor your wireless network and watch for multiple attempts at access by entities not on the MAC list, you've spotted a potential intruder, and he won't know you've seen him.

3. Don't spurn WEP

The Wired Equivalent Privacy (WEP) is a protocol specific to wireless security, conforming to the 802.11b standard. It encrypts data as it goes wireless, over and above anything else you're using. Use it. But remember that it is key-based, so don't stay with the default key. You may even wish to create a unique WEP key for individual users when they first access the system. Yet don't rely on WEP alone. Even multiple layers of encryption don't make you hack-proof so use WEP in combination with other wireless-specific security measures. (For more insight on WEP, check out this TechRepublic article, "Use WEP to improve security on your wireless network."

4. Don't allow unauthorized access points

Access points are so incredibly easy to set up, and an over-burdened IT department might easily simply loosen the rules to allow them to be set up on an as-needed basis by anyone smart enough to run a VCR. But don't succumb to this temptation. The access point is a primary target for an intruder. Implement a deployment strategy and procedure, and stick to them.

What's involved in such a strategy and procedure? First, you must carefully outline the correct guidelines for positioning an access point and be certain that anyone deploying an AP has those guidelines on hand. Second, you must have a procedure in place for noting the presence of the AP in your wireless network configuration for future reference, and appropriately distributing or making available the revised configuration. And regardless of who sets up the AP, have another person double-check the installation as soon as it's convenient. Is this a lot of trouble to go to? Yes. And security penetrations due to rogue APs or leaky ones are even more trouble.

5. Don't permit ad-hoc laptop communication

This is a tough one to enforce in any enterprise. Ad-hoc mode lets Wi-Fi clients link directly to another nearby laptop, which is so darned convenient, you just can't imagine not using it.

As part of the 802.11 standard, ad hoc mode permits your laptop's network interface card to operate in an independent basic service set configuration. This means that it can go peer-to-peer with another laptop via RF. When you're in ad hoc mode, you can spontaneously form a wireless LAN with other laptops. At face value, this is such a cool trick that none of us can resist trying it out. But understand up front that it permits access to the entire hard drive of the laptop; if you enable it and forget that it's enabled, your fly is open for all the world to see.

And the danger isn't only to your open machine. An intruder can also use the networked laptop as a doorway into the network itself. If you leave your machine in ad hoc mode and somebody sneaks in, you haven't just exposed your personal machine, you've exposed the entire network.

Avoid this risky habit by never letting it develop in the first place. Just accept that it isn't worth the risk.

If you've got more questions about wireless security, visit the TechRepublic's Spotlight on Mobile Wireless Security.

11 comment(s)