Tips on locking down your WLAN

Network World - In August, engineers with AirDefense Inc., a wireless LAN security software vendor, made war drives in Atlanta, Chicago and San Francisco, using scanners to find WLAN access points around downtown office buildings.
The drivers discovered more than 1,100 access points. Of these, 57% weren't using any form of data encryption, although most of the actual data traffic in Chicago and San Francisco was encrypted by other means, such as a VPN. Three-quarters of the access points were broadcasting their Service Set Identifier (SSID), which is like hiding in a game of hide-and-seek while carrying a boom box blaring heavy metal.
The WLAN out of the packing boxes is inherently unsecure. But the final WLAN security system you create will hinge on what data you want to protect, how valuable it is and the level of risk to that data. Good WLAN security is expensive: in time, training, maintenance, oversight and in hardware and software costs.
The following recommendations assume an enterprise WLAN of 150 to 500 access points, up to several hundreds of users and a relatively high requirement for protection.

1. Control the wireless clients.
Standardize the WLAN network interface cards (NIC), block user access to them, and register their media access control (MAC) addresses.
Create and enforce procedures and policies for promptly updating clients with software patches and security updates, and for blocking clients running out-of-date software.
Consider disabling NICs' ad hoc or peer-to-peer mode, which lets clients connect to each other without an access point. Attackers can use this feature to lure or force clients to associate with a rogue WLAN.

2. Treat the WLAN as you do the Internet - as untrusted.
Put a firewall between the WLAN and the wired network. This barrier blocks unauthenticated WLAN users from sending Layer 2 packets on to the wired network, for example, as part of an Address Resolution Protocol (ARP) attack. A successful ARP assault lets the attacker route traffic between two computers on your network through his own computer.

3. Protect the access points.
Conceal access points behind ceiling panels or in closets, and secure them to prevent tampering. At one university, someone pulled out the PC cards from more than 100 access points and tried to sell them on eBay.
Hide access points from attackers by changing the factory default settings for the SSID or IP address information, creating difficult passwords, and turning off SSID broadcasting.
Turn on Access Control Lists for use with client MAC addresses.
Select access points that use flash memory, to simplify

Reprinted with permission from

For more information about enterprise networking, go to NetworkWorld.com
Story copyright 2009 Network World, Inc. All rights reserved.