Best Practices for Wireless Network Security

Computerworld - Wireless technology is dramatically changing the world of computing, creating new business opportunities but also increasing security risks.

Wireless LANs, which use radio frequencies to broadcast in the unlicensed 2.4-GHz frequency band, can be as simple as two computers equipped with wireless network interface cards or as complex as hundreds of computers outfitted with cards communicating through access points. They're relatively inexpensive and easy to install.

But they also introduce a number of critical security risks and challenges, and it's important to implement strong security measures to mitigate these risks. What follows are potential risks and associated best practices to help you secure your network and understand WLAN characteristics:

Risk No. 1: Insufficient policies, training and awareness

Though establishing policies to govern wireless networks would appear to be a basic requirement, institutions often fail to take this step or to inform employees of the risks associated with not using a wireless network in accordance with the policies. Once policies are implemented, it's critical to communicate them to increase users' awareness and understanding.

How to mitigate:
Develop institutionwide policies with detailed procedures regarding wireless devices and usage. Maintain these policies and procedures to keep current with technology and trends. While each institution will have specific requirements, at a minimum require the registration of all WLANs as part of overall security strategy. And because a policy isn't effective if users aren't in compliance, monitor the network to ensure that users are following the policy as intended.

Conduct regular security awareness and training sessions for both systems administrators and users. It's important to keep systems administrators informed of technical advances and protocols, but it's equally important for users to understand the reasons for the protocols. An educated user will more likely be a compliant one, without as much protest. These education sessions should stress the importance of vigilance.

Risk No. 2: Access constraints

Wireless access points repeatedly send out signals to announce themselves so that users can find them to initiate connectivity. This signal transmission occurs when 802.11 beacon frames containing the access points' Service Set Identifier are sent unencrypted. (SSIDs are names or descriptions used to differentiate networks from one another.) This could make it easy for unauthorized users to learn the network name and attempt an attack or intrusion.

How to mitigate:

1. Enable available security features. Embedded security features are disabled by default.


2. Change the default settings. Default SSIDs are set by the manufacturer. For example, Cisco's default SSID is "tsunami," and Linksys' is "linksys." Not changing these makes it easier for an unauthorized user to gain access. Define a complex SSID naming convention. Don't change the SSID to reflect identifiable information, since this too could make it easy for an unauthorized user to gain access. Instead, use long, nonmeaningful strings of characters, including letters, numbers and symbols.



3. Disable Dynamic Host Configuration Protocol and use static IP addresses instead. Using DHCP automatically provides an IP address to anyone, authorized or not, attempting to gain access to your wireless network, again making it just that much easier for unauthorized penetration.



4. Move or encrypt the SSID and the Wired Equivalent Privacy (WEP) key that are typically stored in the Windows registry file. Moving these privileged files makes it more difficult for a hacker to acquire privileged information. This step could either prevent an unauthorized intrusion or delay the intrusion until detection occurs.



5. Use a closed network. With a closed network, users type the SSID into the client application instead of selecting the SSID from a list. This feature makes it slightly more difficult for the user to gain access, but education on this risk-mitigation strategy can reduce potential resistance.
   
   To gain maximum advantage of a closed network, change the SSID regularly so that terminated employees can't gain access to the network. Develop and implement an SSID management process to change the SSID regularly and to inform authorized employees of the new SSID.


6. Track employees who have WLANs at home or at a remote site. Require that wireless networks are placed behind the main routed interface so the institution can shut them off if necessary. If WLANs are being used at home, require specific security configurations, including encryption and virtual private network (VPN) tunneling.