Wi-Fi security do's and don'ts – 1st Section

Date: 2011-11-21
Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the Web is full of outdated advice and myths. Here are some do's and don'ts of Wi-Fi security that address some of these myths.
1. Don't use WEP
WEP (Wired Equivalent Privacy) security is long dead. Its underlying encryption can be broken quickly and easily by the most inexperienced of hackers. Thus you shouldn't use WEP at all. If you are, immediately upgrade to WPA2 (Wi-Fi Protected Access 2) with 802.1X authentication, the combination standardized as 802.11i. If you have legacy clients or access points that don't support WPA2, try firmware upgrades or simply replace the equipment.
2. Don't use WPA/WPA2-PSK
The pre-shared key (PSK) mode of WPA and WPA2 security isn't secure for business or enterprise environments. When using this mode, the same pre-shared key must be entered into each client. Thus the PSK would need to be changed each time an employee leaves and whenever a client is lost or stolen, which is impractical for most environments.
3. Do implement 802.11i
The EAP (Extensible Authentication Protocol) mode of WPA and WPA2 security uses 802.1X authentication instead of PSKs, providing the ability to give each user or client their own login credentials: a username and password and/or a digital certificate.
The actual encryption keys are regularly changed and exchanged silently in the background. Thus to change or revoke user access, all you have to do is modify the login credentials on a central server, rather than having to change the PSK on each client. The unique per-session keys also prevent users from eavesdropping on each other's traffic, which is now easy to do with various tools.
Keep in mind, for the best security possible you should use WPA2 with 802.1X, also known as 802.11i.
To enable 802.1X authentication, you need to have a RADIUS/AAA server. If you're running Windows Server 2008 or later, consider using the Network Policy Server (NPS), or the Internet Authentication Service (IAS) of earlier server versions. If you aren't running a Windows Server, consider the open source FreeRADIUS server.
You can push the 802.1X settings to domain-joined clients via Group Policy if you're running Windows Server 2008 R2 or later. Otherwise, you may consider a third-party solution to help configure the clients.
4. Do secure 802.1X client settings
The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks. However, you can help prevent these attacks by securing the EAP settings of the client. For instance, in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specify the server address, and prevent it from prompting users to trust new servers or CA certificates.
You can also push these 802.1X settings to domain-joined clients via Group Policy or use a third-party solution.
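The client settings described above can be audited on profiles exported with `netsh wlan export profile`. The following is an added example, not from the article: it checks a PEAP profile excerpt (constructed sample; the CA thumbprint is a placeholder) for server certificate validation, a pinned CA and server name, and disabled user prompts.

```python
# Added example (not from the article): audit an exported Windows 802.1X/PEAP
# wireless profile for the client-side settings recommended above: server
# certificate validation on, a trusted root CA and RADIUS server name pinned,
# and no "trust this new server?" prompt shown to the user.
import xml.etree.ElementTree as ET

PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"


def _text(parent, ns, tag):
    node = parent.find(f"{{{ns}}}{tag}")
    return (node.text or "").strip() if node is not None else ""


def audit_peap_profile(profile_xml: str) -> list:
    """Return the list of weaknesses found; an empty list means it passes."""
    root = ET.fromstring(profile_xml)
    sv = root.find(f".//{{{PEAP_V1}}}ServerValidation")
    if sv is None:
        return ["no PEAP ServerValidation block found"]
    findings = []
    # PerformServerValidation sits in PeapExtensions (V2 namespace); anything
    # but "true" means the client accepts any RADIUS server certificate.
    ext = root.find(f".//{{{PEAP_V1}}}PeapExtensions")
    if ext is None or _text(ext, PEAP_V2, "PerformServerValidation") != "true":
        findings.append("server certificate validation is disabled")
    if not _text(sv, PEAP_V1, "TrustedRootCA"):
        findings.append("no trusted root CA pinned")
    if not _text(sv, PEAP_V1, "ServerNames"):
        findings.append("RADIUS server name not specified")
    if _text(sv, PEAP_V1, "DisableUserPromptForServerValidation") != "true":
        findings.append("user may be prompted to trust unknown servers")
    return findings


# Constructed excerpt of the PEAP <EapType> block as "netsh wlan export profile"
# writes it (CA thumbprint is a placeholder); real files wrap it in EapHostConfig.
HARDENED = f"""<EapType xmlns="{PEAP_V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>radius.example.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{PEAP_V2}">true</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

# The same profile with no server name pinned and prompting left enabled.
WEAK = HARDENED.replace("true</DisableUserPrompt", "false</DisableUserPrompt") \
               .replace("radius.example.com", "")
```

Run `audit_peap_profile` over each exported profile; any non-empty result is a client that would silently accept an unknown RADIUS server or ask the user to do so.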
5. Do use a wireless intrusion prevention system
There's more to Wi-Fi security than combating those directly trying to gain access to the network. For instance, hackers could set up rogue access points or perform denial-of-service attacks. To help detect and combat these, you should implement a wireless intrusion prevention system (WIPS). The design and approaches of WIPSs vary among vendors, but generally they monitor the airwaves looking for, alerting you to, and possibly stopping rogue access points or malicious activity.
There are many commercial vendors offering WIPS solutions. There are also open source options, such as Snort.
We will provide some other do's and don'ts in the next section.
Created: 18 Mordad 1393