Recognizing the productivity gains, lower cost structure and convenience
that wireless technology brings to a workplace, many businesses have deployed
wireless local area networks (WLANs). Besides office settings, WLANs are also
being deployed in warehouses, production bays, laboratories, in fact, anywhere
where work is performed.
The value proposition of WLANs is especially attractive to small and
medium-sized businesses (SMBs). WLANs are the most flexible and most economical
strategy for building or expanding networks. Wireless links eliminate cabling
and permit users to access the network anywhere. Another reason WLANs are
attractive to SMBs is that many of them do not own their premises and want
to avoid having to write off fixed network infrastructure when they move. Most
also do not have full-time staff to baby-sit their IT assets, let alone just the
network.
Some SMBs, however, have the misconception that WLANs are less secure than
the wired versions. While WLANs are somewhat inherently vulnerable because they
use radio frequency transmission, they can be made as secure as wired ones.
As for wired networks, security for WLANs centers on:
- Preventing unauthorized parties from connecting to the network to intercept,
read, alter or steal sensitive personal and business information, or introduce
harmful viruses and worms
- Stopping legitimate users from connecting to rogue (unauthorized) access
points set up by unauthorized parties
- Making sure normal transmission is not interfered with
- Keeping out freeloaders intent on hijacking your network bandwidth for their
own use
Information abounds on the World Wide Web and in publications on how WLANs
can be made secure. Unfortunately, some of this 'advice' is not quite
sound and should be taken with multiple pinches of salt. Here are some examples:
Hide your SSID
Each WLAN has a unique name called the Service Set Identifier (SSID). All
wireless devices (base stations, clients, etc.) on a WLAN must use the same SSID
in order to communicate with each other. Some network owners attempt to hide
their SSIDs from intruders by suppressing their broadcast from access points and
routers so their networks do not show up on a list of available networks. The
SSID, however, is broadcast over four other mechanisms, so this is akin to
plugging one of five holes in a leaking ship.
Place antenna in center of work zone
Some 'experts' say one way to deny unauthorized parties from accessing your
WLAN is to place the antenna in the middle of the area you want covered and
adjust its power such that the signal does not leak out through walls and
windows. Well, serious intruders almost always have bigger antennae than you. As
for powering down, you may end up with a half-dead zone at the periphery of the
area you wanted covered, which defeats the whole point of having a WLAN in the
first place.
Use WEP
Wired equivalent privacy (WEP) is a standard method to encrypt traffic over a
wireless network. There are, however, known weaknesses in how the encryption is
implemented. So while WEP can stop casual sniffers like freeloaders, it provides
little protection from serious attackers armed with readily available tools that
can crack WEP keys in minutes.
Disable DHCP
Dynamic host configuration protocol (DHCP) is a protocol for automatically
assigning IP addresses to devices on a network. This means that any wireless
device that gets within range of your WLAN equipment may be able to acquire an
IP address from your router and be accepted into the network – without your
knowledge. Disabling DHCP, however, is inadequate protection as committed
hackers can figure out your IP addressing scheme and assign themselves addresses
to gain access to your network in minutes.
Getting Started
- Change all default settings for SSID, administrative passwords and user
passwords on routers, access points, and wireless cards. Default SSIDs and
passwords are published by the manufacturers on the Internet and are meant to
speed up installation, not provide security
- Choose an SSID that is difficult to guess. Do not use the boss' name or car
registration number, office address, phone or fax number, or the company's name
or initials
- Wi-Fi Protected Access (WPA) is extremely complex and difficult to compromise.
If your system has WPA and offers shared key encryption, enable it
- For businesses that have Microsoft Active Directory, Microsoft IAS or a RADIUS
server, it is recommended that you enable 802.1x network login. This enables the
wireless access point to check the user's credentials back with the server
before allowing them access to the network
- If your access point or router came with a firewall, use it. If it did not,
install a hardware firewall for the entire network and install software
firewalls on every computer that connects to the WLAN
- Most access points have built-in logging. Review the access logs on a regular
basis and look for any abnormalities
- Ensure that employees do not access unacceptable web sites, which can result
in costly legal and social liabilities. Improper web usage also squanders
network bandwidth and undermines productivity. Enforcement of web usage policies
can be outsourced by subscribing to a content filtering service
Filter MAC addresses
Media access control (MAC) addresses - they have absolutely nothing to do with
burgers - are essentially unique nametags for wireless adaptors. Filtering
ensures that only pre-screened clients are allowed to connect to the network.
The problem is that MAC addresses are sent out in the clear, i.e. not encrypted,
and a network attacker can easily spoof a valid address using a network
interface card and protocol analyzer tools. The other downside: manually
configuring every 'allowed' adaptor takes a lot of technical skill and man-hours.
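One way to act on the log-review advice under Getting Started while allowing for the MAC spoofing weakness described above, as an added example that is not part of the original article. The log format, access point names, MAC inventory and thresholds are constructed assumptions; real access points each use their own log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed inventory and log lines. The format is an assumption for this
# example; adapt the regular expression to your access point's real log layout.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
SAMPLE_LOG = """\
2024-03-04T02:30:00 ap-office assoc mac=00:11:22:33:44:66 result=ok
2024-03-04T09:01:10 ap-office assoc mac=00:11:22:33:44:55 result=ok
2024-03-04T09:01:40 ap-warehouse assoc mac=00:11:22:33:44:55 result=ok
2024-03-04T09:05:00 ap-office auth mac=66:77:88:99:aa:bb result=fail
2024-03-04T09:05:02 ap-office auth mac=66:77:88:99:aa:bb result=fail
2024-03-04T09:05:04 ap-office auth mac=66:77:88:99:aa:bb result=fail
2024-03-04T10:00:00 ap-office assoc mac=de:ad:be:ef:00:01 result=ok
"""
LINE = re.compile(r"(\S+) (\S+) (assoc|auth) mac=([0-9a-f:]{17}) result=(ok|fail)")

def review(log, known=KNOWN_MACS, work_hours=(7, 20), max_fail=3, overlap_s=120):
    """Return (finding, mac, ap) tuples for events worth a closer look."""
    findings, last_assoc, fails = [], {}, defaultdict(int)
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, ap, event, mac, result = m.groups()
        when = datetime.fromisoformat(ts)
        if result == "fail":
            fails[mac] += 1
            if fails[mac] == max_fail:  # report once, at the threshold
                findings.append(("repeated-auth-failure", mac, ap))
            continue
        if event != "assoc":
            continue
        if mac not in known:
            findings.append(("unknown-mac", mac, ap))
        if not work_hours[0] <= when.hour < work_hours[1]:
            findings.append(("off-hours", mac, ap))
        # An allow-listed MAC is not proof of identity: the same address on two
        # access points within seconds is a lead (it may also be roaming).
        prev = last_assoc.get(mac)
        if prev and prev[1] != ap and (when - prev[0]).total_seconds() < overlap_s:
            findings.append(("same-mac-two-aps", mac, ap))
        last_assoc[mac] = (when, ap)
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Each finding is a prompt for manual follow-up, not an automatic block; tune the working hours and thresholds to the site.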
The unsoundness of such 'advice', however well intended, may prompt
businesses to ask if benefiting from the use of WLANs means having to compromise
on security. The answer is no. Both can be attained if the WLAN infrastructure
is carefully planned, diligently implemented and sensibly managed – like the
business itself.
The author is Product Marketing Director - Asia Pacific of 3Com Corporation
and can be contacted at Matthew_Walmsley@3com.com