Secure your WLAN (wireless security tutorial - part 4)
Secure your WLAN (wireless security tutorial - part 4)
Implementing the proper wireless security standard, devising a sound wireless architecture plan, and setting up a VPN and tunneling protocols is a very good way to tackle the task of keeping your wireless network and data secure.
There are even more wireless security configurations that can be done to strengthen your security even further.
Now let's take a look at other options dealing with wireless security. Some of the listed options are weak when implemented alone and individual users need to determine how applicable and beneficial they are to their infrastructure; however, it is also important to note that although some of these options are weak when implemented by themselves alone, their security impact greatly improves when implemented jointly.
Hide network name SSID
One way to further improve the security of a WEP enabled (or any) network is to take advantage of Closed Network Access Control. In an open network, anyone is permitted to join the network. In a closed network, only those clients with knowledge of the network name (SSID) can join. SSID in this case is hidden from being broadcasted visibly to everyone. Unfortunately, there are applications that can display even hidden network names (Kismet, NetStumbler, Airmon-ng, etc.), so this will protect the network from some eyes but not from everyone.
See the following picture to find out how this can be set up:
Change wireless broadcast channel
Wireless routers and clients can broadcast on several different channels similarly to the way radio stations use different channels. If your access point is set up to communicate using the 802.11b and/or 802.11g standards then it uses the 2.4 GHz ISM radio frequency band. This band is divided in US-licensed devices into 11 non-overlapping channels and into 13 non-overlapping channels in Europe-licensed devices. Most devices are set up by the manufacturer to use channel 11 by default. When setting up your wireless network, you can freely change your access point to communicate using one of the other channels. Clients not having their wireless cards set up to communicate on the same frequency as your access point will not be able to connect. However, the channel on which the access point operates can be easily detected even by novice hackers; therefore, this is only a very limited security measure.
Enable firewall on the access point
Although your network is probably already protected by a firewall, and your internal network clients probably run some firewall as well, it does not hurt to enable firewall on the access point as well in case it is available.
Turn off unneeded services and close open ports
When configuring your wireless access point, you can turn off some services and close ports. You should be able to for example block telnet, samba, ftp, and other ports.
Change your router password
Regardless of how secure communication protocols can be, nothing helps when you leave the access point unprotected with the default administrator account and password. Before enabling your router, make sure you change the access password.
Enable network address translation (NAT)
Computers in a network are identified by their IP address and also by their network interface number (MAC address). Some routers can be set up so that they translate these identifiers in network communication packets into some predetermined number. In other words, all your internal network computers can be visible under just one given number when viewed from the outside of the router or firewall.
Prevent stolen wifi cardsIt can take only a few moments to steal existing wireless card from a desktop or laptop. Once a hacker is in possession of your wireless client, he has password to your network; therefore, it is necessary to take proactive measures against this type of risk as well. Desktops should be secured with locks, so that unauthorized personnel cannot easily get hold of the hardware. Laptops are more secure if equipped with internal wireless cards as opposed to PCMCIA or USB cards. Stolen wifi cards need to be blocked and security keys regenerated immediately.
Find unauthorized (rogue) wireless access points
Creating an unauthorized access point is as easy as plugging it into a USB port and hiding it under a calendar. It is important to periodically scan your premises for unauthorized access points that might be installed and waiting to compromise your security. Detecting unauthorized access points is fairly easy with wireless networking tools such as NetStumbler, Kismet, Airmon-ng, and others.
If you are running a small wireless network, simply monitoring who is accessing it can be a great help as well. If you experience slowness and unresponsiveness in your wireless connections, check your wireless router administrator interface for connected clients. This can help to uncover unauthorized users.
We already mentioned the use of authentication services (for example RADIUS or Kerberos) in the WPA section (our wireless tutorial, page 2). The authentication services layer in addition to your access point security can be used together with any protocol, be it WEP or WPA. Authentication services utilizing security certificates together with WPA2 can provide the utmost security making it very hard to get into your network even for a professional hacker. Authentication services means that after the authenticating user associates with the wireless access point, his credentials are also checked against a locally stored database or even external sources (phone number, security phrase, credit card number, etc.). This is however an expensive solution.
Although the following two articles do not necessarily relate to networking, we would like to mention them here as they might help you to improve your overall system security.
And concepts described in these two articles might be worth considering in your system security scheme as well:
If you have any questions about wireless security, about any of the tips provided on this page, check our security discussion forum.
Link to the first page of this tutorial: Wireless Wi-Fi network security tutorial 101 (part 1)
Link to the second page of this tutorial: WPA & WPA2 (Wi-Fi security tutorial - part 2)
Link to the third page of this tutorial: IPSec, VPN, architecture (wireless security tutorial - part 3)