
White Paper Summary — 5 Practical Steps to Secure Your Wireless LAN

The many risks associated with wireless LANs have made headlines in the last year, but security-conscious enterprises are deploying secure wireless LANs by implementing a few practical steps to protect their information assets, identify vulnerabilities and protect the network from wireless-specific attacks.

Headlines from technology magazines can scare anyone away from deploying wireless LANs.

  Holes Expose Retail Data … White-hat hackers last week discovered vulnerabilities in the wireless networks of two major retailers - holes that they claimed exposed data that appeared to include customer information.
  — Computerworld, May 2002

  Wireless LAN Install Leaves Corporate Nets Wide Open
  — Computerworld, May 2002

  Networks Without a Safety Net
  — Information Week, June 2002

However, these headlines focus on the basic risks of wireless LANs that enterprises can overcome with diligent execution of practical security measures. Here are five practical steps to secure your wireless LAN:

1. Discovery of Rogue Access Points & Vulnerabilities
All wireless LAN security should start with understanding the environment in which your wireless LAN operates.

Freeware such as Netstumbler and Kismet, as well as commercial scanners, can survey the airwaves for rogue access points and some network vulnerabilities. This process requires a network administrator to physically walk through the wireless LAN coverage area so that the scanner can pick up data, which the administrator then interprets to identify all access points and wireless LAN traffic.

This process requires the physical presence and valuable time of a network manager, yet its effectiveness is limited because it only samples the airwaves for threats. New rogue access points and other vulnerabilities can arise after a scan and will not be detected until the next time a network administrator surveys the network.

Wireless security experts recommend 24x7 monitoring of the airwaves to discover rogue access points and identify network vulnerabilities as they happen. AirDefense's distributed architecture, with remote sensors placed in proximity to wireless LANs, enables AirDefense to statefully monitor wireless LAN traffic and discover these security risks the minute they arise.

2. Lock Down All Access Points
The next step is to configure all access points according to wireless LAN security best practices, which costs little or nothing beyond some time and effort.

Enterprises should change the default Service Set Identifiers (SSIDs), which are essentially the names of each access point. A Cisco access point with the default SSID of "tsunami" alerts hackers to a wide-open network. The SSIDs should be changed to names that are meaningless to outsiders. An SSID of "CEO Office" or "East Cash Register" only calls attention to valuable information that a hacker would like to get into.

Enterprises should also configure access points to disable the broadcast mode, in which the access point constantly broadcasts its SSID as a beacon in search of stations with which to connect. With this default feature turned off, stations must know the SSID in order to connect to the access point.

Most enterprise-class access points allow you to limit which stations can connect to them by filtering on the Media Access Control (MAC) addresses of authorized stations. While not foolproof, MAC address filtering provides basic control over which stations can connect to your network.

3. Encryption, Authentication and VPN
Encryption and authentication provide the core of security for wireless LANs. However, fail-proof encryption and authentication standards have yet to be implemented. Many published reports have highlighted the vulnerabilities of Wired Equivalent Privacy (WEP), but enterprises should at a minimum encrypt their wireless LAN traffic with WEP to protect the network from unsophisticated eavesdroppers.

With authentication vulnerabilities stemming from WEP, the wireless LAN standards group introduced 802.1x as strengthened authentication for all 802.11 networks. However, 802.1x has also been shown to be vulnerable to hackers.

Because these encryption and authentication standards are vulnerable, stronger encryption and authentication methods, in the form of wireless virtual private networks (VPNs) and RADIUS servers, should be deployed to secure a wireless LAN more completely.

VPNs can employ strong authentication and encryption mechanisms between the access points and the network, and RADIUS systems can be used to manage authentication, accounting and access to network resources.

4. Set & Enforce Wireless LAN Policies
Every enterprise network needs a policy for uses and security. Wireless LANs are no different. While policies will vary based on individual security and management requirements of each wireless LAN, a thorough policy - and enforcement of the policy - can protect an enterprise from unnecessary security breaches and performance degradation.

Fundamental policies include:
- Forbidding the installation of unauthorized access points and ad hoc networks
- Mandating the use of WEP or VPNs (policies should be in place to forbid the reconfiguration of access points and wireless LAN cards to alter these features)
- Limiting wireless LAN traffic to operate on set channels
- Limiting wireless LAN connectivity to chosen business hours

While policies are necessary, a binder of policies can be a useless paperweight without effective enforcement. Similar to the effective discovery of network vulnerabilities, policy enforcement requires 24x7 monitoring of a wireless LAN. AirDefense provides the stateful monitoring to alert you to policy violations that degrade network performance or put your information assets at risk.
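
Enforcing the policies above means comparing what is seen on the air with what the policy allows. The following is an added example, not code from the white paper or from AirDefense, that checks beacon records against those policies; the record fields, BSSIDs, channel set and business hours are constructed assumptions.

```python
from datetime import datetime, time

# Constructed policy values (assumptions, not from the white paper).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
ALLOWED_CHANNELS = {1, 6, 11}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
DEFAULT_SSIDS = {"tsunami"}  # the Cisco default named in step 2

# Constructed beacon records; "ibss" marks ad hoc, "privacy" is the WEP bit.
OBSERVATIONS = [
    {"seen": "2002-06-03T10:15:00", "bssid": "00:11:22:33:44:01",
     "ssid": "wl-a7", "channel": 6, "privacy": True, "ibss": False},
    {"seen": "2002-06-03T10:16:00", "bssid": "00:11:22:33:44:02",
     "ssid": "tsunami", "channel": 3, "privacy": False, "ibss": False},
    {"seen": "2002-06-03T23:40:00", "bssid": "00:de:ad:be:ef:10",
     "ssid": "wl-a7", "channel": 6, "privacy": True, "ibss": False},
    {"seen": "2002-06-03T11:02:00", "bssid": "02:aa:bb:cc:dd:ee",
     "ssid": "laptop-share", "channel": 11, "privacy": False, "ibss": True},
]

def violations(obs):
    """Return the sorted list of policy violations for one observation."""
    found = set()
    if obs["ibss"]:
        found.add("ad-hoc-network")
    elif obs["bssid"].lower() not in AUTHORIZED_BSSIDS:
        found.add("unauthorized-ap")
    if not obs["privacy"]:
        found.add("wep-disabled")
    if obs["channel"] not in ALLOWED_CHANNELS:
        found.add("off-channel")
    if obs["ssid"].lower() in DEFAULT_SSIDS:
        found.add("default-ssid")
    start, end = BUSINESS_HOURS
    if not start <= datetime.fromisoformat(obs["seen"]).time() <= end:
        found.add("outside-business-hours")
    return sorted(found)

def audit(observations):
    """Map each offending BSSID to the union of its violations."""
    report = {}
    for obs in observations:
        hits = violations(obs)
        if hits:
            report.setdefault(obs["bssid"], set()).update(hits)
    return {bssid: sorted(v) for bssid, v in report.items()}

if __name__ == "__main__":
    print(audit(OBSERVATIONS))
```

A one-off run of this check has the same limitation as the walk-through survey in step 1: it only covers the records collected so far, so it needs to run against a continuous feed to catch violations as they arise.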

5. Intrusion Detection & Protection
Security managers rely on intrusion detection and protection to ensure that all components of 802.11 wireless LANs are secure and protected from wireless threats and attacks. While many organizations have already deployed intrusion detection systems for their wired networks, only a wireless LAN-focused intrusion detection system can protect your network from attacks in the airwaves before the traffic reaches the wired network.

And as hackers become more familiar with the technology behind 802.11 wireless LANs, enterprises need to be prepared for the new risks and attacks that will be published.

"Wireless LANs are a breeding ground for new attacks because the technology is young and organic growth creates the potential for a huge payoff for hackers," said Pete Lindstrom, a security analyst with the Hurwitz Group.

An effective intrusion detection system is needed to protect wireless LANs from both known and developing attacks against them.

AirDefense’s policy manager allows the network or security administrator to set a “no ad hoc” policy. The State Analysis Engine then powers AirDefense to provide 24x7, real-time tracking of the airwaves to monitor the "state" or status of every access point and station transmitting on the airwaves. AirDefense enforces this policy by first identifying an ad hoc network as a policy violation and reporting it through an alarm on the AirDefense dashboard or an email to a chosen network administrator.


Copyright 2001, 2002 AirDefense, Inc. All Rights Reserved.