Wi-Fi security do's and don'ts – 2nd Section

IRCAR201111121
Date: 2011-11-21
 
Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the Web is full of outdated advice and myths. But here are some do's and don'ts of Wi-Fi security, addressing some of these myths.
6. Do deploy NAP or NAC
In addition to 802.11i and a WIPS, you should consider deploying a Network Access Protection (NAP) or network access control (NAC) solution. These can provide additional control over network access, based on client identity and compliance with defined policies. They can also include functionality to isolate problematic clients and remediation to get clients back within compliance.
Some NAC solutions may also include network intrusion prevention and detection functionality, but you'd want to make sure it also specifically provides wireless protection.
If you're running Windows Server 2008 or later and Windows Vista or later for the clients, you can use Microsoft's NAP functionality. Otherwise, you may consider third-party solutions, such as the open source PacketFence.
7. Don't trust hidden SSIDs
One myth of wireless security is that disabling the SSID broadcasting of access points will hide your network, or at least the SSID, making it harder for hackers. However, this only removes the SSID from the access point beacons. It's still contained in the 802.11 association request, and in certain instances, the probe request and response packets as well. Thus an eavesdropper with a legitimate wireless analyzer can discover a "hidden" SSID fairly quickly, especially on a busy network.
Some might argue disabling SSID broadcasting still provides another layer of security, but also remember it can have a negative impact on the network configuration and performance. You'd have to manually input the SSID into clients, further complicating client configuration. It would also cause an increase in probe request and response packets, decreasing available bandwidth.
8. Don't trust MAC address filtering
Another myth of wireless security is that enabling MAC address filtering adds another layer of security, controlling which clients can connect to the network. This has some truth, but remember that it's very easy for eavesdroppers to monitor the network for authorized MAC addresses and then change their computer's media access control (MAC) address.
Thus you shouldn't implement MAC filtering thinking it will do much for security, but maybe as a way to loosely control which computers and devices end-users bring onto the network. But also consider the management nightmare you might face to keep the MAC list up-to-date.
9. Do limit SSIDs users can connect to
Many network administrators overlook one simple but potentially dangerous security risk: users knowingly or unknowingly connecting to a neighboring or unauthorized wireless network, opening up their computer to possible intrusion. Filtering the SSIDs is one way to help prevent this. In Windows Vista and later, for example, you can use the netsh wlan commands to filter which SSIDs users can see and connect to. For desktops, you could deny all SSIDs except those of your wireless network. For laptops, you could just deny the SSIDs of neighboring networks, so they can still connect to hotspots and their home network.
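The two filtering policies described above, written as an added PowerShell example (not part of the original article). The SSID names and the function names `Get-WlanFilterPlan` and `Set-WlanFilterPlan` are hypothetical; the `netsh wlan add filter` and `netsh wlan show filters` commands are the Windows ones the article refers to.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# SSIDs are constructed placeholders (no spaces); replace them with your own.
$CorporateSsids = @('CORP-WLAN', 'CORP-VOICE')         # networks desktops may join
$NeighborSsids  = @('NeighborCafe', 'Suite200-Guest')  # networks laptops must not join

function Get-WlanFilterPlan {
    param(
        [Parameter(Mandatory)][ValidateSet('Desktop', 'Laptop')][string]$Role,
        [string[]]$Allow = @(),
        [string[]]$Block = @()
    )
    $plan = @()
    if ($Role -eq 'Desktop') {
        # A denyall rule with no allow entries would cut the machine off entirely.
        if ($Allow.Count -eq 0) { throw 'Desktop policy needs at least one allowed SSID.' }
        # Allow-list first, then hide and block every other network.
        foreach ($ssid in $Allow) {
            $plan += ,@('wlan', 'add', 'filter', 'permission=allow', "ssid=$ssid", 'networktype=infrastructure')
        }
        foreach ($type in 'infrastructure', 'adhoc') {
            $plan += ,@('wlan', 'add', 'filter', 'permission=denyall', "networktype=$type")
        }
    } else {
        # Laptops: block only named neighbors so hotspots and home networks still work.
        foreach ($ssid in $Block) {
            $plan += ,@('wlan', 'add', 'filter', 'permission=block', "ssid=$ssid", 'networktype=infrastructure')
        }
    }
    return ,$plan
}

function Set-WlanFilterPlan {
    param([object[]]$Plan, [switch]$Apply)
    foreach ($netshArgs in $Plan) {
        if (-not $Apply) { Write-Output ('netsh ' + ($netshArgs -join ' ')); continue }
        & netsh.exe @netshArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($netshArgs -join ' ')" }
    }
    if ($Apply) { & netsh.exe wlan show filters }   # confirm what is now enforced
}

# Dry run: print the commands for review. Add -Apply to enforce them.
Set-WlanFilterPlan -Plan (Get-WlanFilterPlan -Role Desktop -Allow $CorporateSsids)
Set-WlanFilterPlan -Plan (Get-WlanFilterPlan -Role Laptop  -Block $NeighborSsids)
```

A filter can be removed again with `netsh wlan delete filter` using the same permission, SSID and network type arguments.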
10. Do physically secure network components
Remember, computer security isn't just about the latest technology and encryption. Physically securing your network components can be just as important. Make sure access points are placed out of reach, such as above a false ceiling, or consider mounting access points in a secure location and then running an antenna to an optimum spot. If an access point is not secured, someone could easily come by and reset it to factory defaults to open access.
11. Don't forget about protecting mobile clients
Your Wi-Fi security concerns shouldn't stop at your network. Users with smartphones, laptops and tablets may be protected onsite, but what about when they connect to Wi-Fi hotspots or to their wireless router at home? You should try to ensure their other Wi-Fi connections are secure as well, to prevent intrusions and eavesdropping.
Unfortunately, it isn't easy to ensure outside Wi-Fi connections are secure. It takes a combination of providing and recommending solutions and educating users on the Wi-Fi security risks and prevention measures.
First, all laptops and netbooks should have a personal firewall (such as Windows Firewall) active to prevent intrusions. You can enforce this via Group Policy if you are running Windows Server, or use a solution to manage non-domain computers.
Next, you need to make sure the user's Internet traffic is encrypted from local eavesdroppers while on other networks by providing VPN access to your network.
You should also make sure any of your Internet-exposed services are secured, just in case the user doesn't use the VPN while on a public or untrusted network. For instance, if you offer email access (client or web-based) outside of your LAN, WAN or VPN, ensure you use SSL encryption to prevent any local eavesdroppers at the untrusted network from capturing the user's login credentials or messages.
 
Created: 18 Mordad 1393
