Many administrators and managers will likely read this article title and say to themselves: “We don’t have wireless networking here. I don’t need to read this.”
But those same administrators often discover that wireless networking happens, even when “they don’t have any.” That’s because wireless networks exist – even when a particular company hasn’t installed them. For example, your company may not have wireless networking, but maybe the company on the floor above you does.
Windows, by default, will attempt to connect to any wireless network it finds. Could your laptop users inadvertently be connecting to another company’s network, exposing your company’s information?
And if you happen to be in the kind of business where your company’s information includes any kind of confidential client or patient data that’s protected under federal law, you’ll not only have lost data, you may face civil penalties and lawsuits.
Consider this: laptop sales far exceed desktop sales, and ninety percent of laptops sold today have built-in wireless networking. Often, end users who want to make things easier for themselves will hook up their own wireless access points. Why? The cost of wireless access points has dropped so low that many users will simply purchase and install their own onto the corporate network … without telling anybody. Ask them why and you’ll hear “so that I can do my job better.
List of Five Ways to Secure Your Wireless Network:
- Starting With a Practical Wireless Security Policy
- Securing Your Wireless LAN
- Securing Your Wired LAN
- Securing Your Wireless Clients
- Training Your Users
#1: Start With a Practical Wireless Security Policy
The first step is a good wireless security policy – it’s much more than just paperwork. It’s a critical component that spells out what’s allowed and what’s not allowed, and who is responsible for making sure the policy is followed. That’s why it’s vital for companies to have a wireless security policy in place even if the policy simply states “wireless networking will not be used.”
The reason is logical enough: employees need to know what is and isn’t permitted. Your policy should spell out the specific conditions under which wireless networking can be used, as well as spell out the encryption, authentication and protection mechanisms that must be employed. In addition, your policy should clearly prohibit the connection of unauthorized access points to your corporate network.
Remember that the best security policy isn’t worth the paper it’s printed on if it only sits on the shelf. Make sure the details of the policy are a part of your end-user training.
#2: Secure Your Wireless LAN
If you are using wireless, hopefully you are aware that WEP encryption and MAC address filtering are no longer considered adequate security. They are both easily circumvented. You should be using WPA or WPA2 (also called 802.11i) which provides strong encryption and authentication on your wireless LAN. If you are using VPNs, ensure that split tunneling is disabled.
If you allow wireless guest access, make sure you restrict their access to your corporate resources. The best way to do this is with wireless controllers and lightweight access points that segregate and tunnel guest traffic without having to build large guest VLANs throughout your enterprise. Some of these products also provide rogue detection and limited intrusion detection as well.
If possible, use SSH or access lists on the access point management interface to prevent unauthorized modifications to your configurations. And make sure your access points are physically secured out of sight and out of reach.
#3: Secure Your Wired LAN
Whether or not you deploy wireless networking, it’s an unconditional requirement to make detection and prevention of rogue access points a key part of your company’s security plan. The presence of a rogue (i.e., an unauthorized) access point indicates that your network security is being compromised–either unintentionally by a well-meaning employee, or by someone who is actively eavesdropping on your network. Periodic checks for rogue access points need to be part of your regular maintenance or auditing.(Tip: be sure to check at different times of the day.)
A simple check can be performed with a laptop and any number of commercial and freeware applications. In essence, you record the MAC address of every access point you can detect, then loo to see if that MAC address exists on any of your switches. If it does, and you didn’t put it there, then you have a rouge access point on your network. It is usually not necessary to physically locate the access point (although that would be a good idea). Instead, simply disable the switch port that the access point is plugged into.
#4: Secure Your Wireless Clients
A wireless laptop is vulnerable to a whole host of attacks from anyone within range. So it’s an absolute necessity to be sure your laptops are all properly configured with personal firewalls and antivirus software. When connecting from a remote location, use VPNs to connect to your corporate network, and configure them so that all traffic from the laptop uses the VPN tunnel.
In other words, do not allow split tunneling where corporate data uses the VPN tunnel, but Internet traffic goes directly via the wireless provider. If you do, you open up your corporate network to attacks via your remote users.
Consider limiting the ability of your users to associate with the access point of their choosing (especially ad-hoc networks) by applying an appropriate Windows policy. Think what would happen if their home network uses the default SSID “Linksys” and so does that company on the floor above you.
#5: Train Your Users
The best defense against wireless attacks is a well-trained user.
Training is an essential element of your corporate network security. Every company needs to train users on the importance of encryption and strong passwords. Make your users aware of “social engineering” techniques and all the e-mail scams used to trick them out of passwords or other information. Remind them that using a public hotspot has all the safety and appeal of a public restroom. Educate them to notice suspicious people with laptops or antennas near your workplace. And make sure they understand the dangers of connecting their own access points to your corporate network.
As a network administrator or IT manager, you need to be aware of wireless vulnerabilities. Remember that just because you haven’t deployed wireless networking in your enterprise, it doesn’t mean that wireless doesn’t exist. Take steps to secure your enterprise and you will be rewarded with increased security, reliability and user satisfaction.
More Related Wireless Tips:
Access Point Vs. Wireless Bridge
Cisco’s New Aironet Wireless Access Points Make Networks Faster and Steadier