Wireless technology is inherently insecure. But you can plug many of its security holes. Though not entirely foolproof, when used in unison the following corrective actions act as a "defense in depth" and should close the majority of security flaws in your wireless network.
Create a wireless network policy. Think about what your staff is trying to do when using the 802.11b network. Do they need Internet access? Do they need access to services on the local wired LAN? In short, plan your use of your wireless network and be as restrictive as possible without interfering with your users' requirements.
Educate users about the possible dangers of using wireless network technology. Hold training sessions periodically to review their understanding of the security risks and the how to use the network properly.
Avoid default configurations. Never rely on the basic configuration that's given you for the base station if you're connecting to a wireless LAN. Default installations and configurations are the security professional's worst nightmare. That's an open invitation to a wardriver. Don't use the default service set identifier (SSID)the identifier that designates a particular network. You can better secure your wireless network by creating a unique SSID. WEP currently exists in 64-bit (40-bit key) and 128-bit (104-bit key) modes. Finally, don't make your WEP key identical to your SSID.
Avoid using Dynamic Host Configuration Protocol (DHCP) with wireless networks. Having a static network address will slow down the hacker, although he can still get on your network using a sniffer program.
Drop unencrypted packets. Don't let unencrypted data pass through your wireless network. Access points for your wireless network can be configured to drop packets that aren't encrypted using the right WEP key.
Use access control lists. Configure your internal network to allow access only to known and trusted NICs. The problem here is your MAC address. The only authentication that identifies your NIC is transmitted unencrypted, and a lot of wireless cards allow the MAC address to be changed. Filtering MAC addresses will stop the casual "snooper" but not the skilled cracker. This makes the use of access control lists somewhat limited, but it's another barrier the intruder will have to get through to reach your network.
Place the wireless network behind a firewall in a DMZ. Isolate access points so they're placed on their own segment or virtual LAN (VLAN). Use a stateful IP-filtering firewall separating the restricted wireless LAN and unrestricted "internal" wired LAN.
Use VPN technology and strong authentication. If you want a wireless user to be able to use protected services on the internal network, a virtual private network (VPN) can be the best solution to the problem. However, because VPN depends on trusting the IP address of the connecting host alone, a compromised machine on the restricted network would be given access to the unrestricted network as well. Thus, username and password authentication should be required to gain access to the unrestricted LAN. In addition to an IPSec-based VPN, use tools like SSH and PGP to encrypt messaging and/or traffic that contains sensitive information to further prevent compromise.
Place wireless access points physically inside buildings, but outside corporate firewalls. Keep the company VPN behind the firewall. If you have meeting rooms or conference rooms that sit along the perimeter of your building, consider using Tempest-rated glass.
Turn down the gain. If you set up an access point near an exterior wall, turn down the gain. Gain is what controls the signal strength and how far that signal will travel. This could curb the use of your network by someone sitting in their car on the street or in the park across the street from your building.
Implement port security on your LAN switches and hubs: 802.11b access points are relatively inexpensive now. You don't want any employee buying a base station and plugging into your corporate network.
Test your network. Use tools like NetStumbler to test your network, to know the potential risks to your wireless network and where they may come from.
Because of the insecurity of wireless technology, administrators and IT security professionals are challenged to build secure foundations for 802.11b wireless technologies without limiting the beneficial functionality it provides. But help is on the way. In Summer 2002 Netsec will release intrusion detection system (IDS) boxes that will help system administrators identify outside users quickly. Each box is about the size of a 3x5 index card box. An organization can place these IDS boxes on the four corners of their building and keep the network secure.
In the meantime, network administrators should always know the five "W's" of their network:
- What was accessed?
- Who accessed it?
- When did they access it?
- Why did they access it?
- Where did they access it from?