
Wireless Network

Rife with security holes for some time, wireless network equipment is only now starting to incorporate the security technologies needed to allow at least a secure configuration. The following checklist reflects the current state of wireless technologies, but many improvements are right around the corner in this fast-evolving area. Additional technologies will allow you to eliminate, or at least mitigate, most of the issues addressed in this list. For additional wireless security configuration and deployment guidelines, see the new Microsoft publication "Microsoft Solution for Securing Wireless LANs" at http://microsoft.com/downloads/ and a Cisco publication at http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.pdf.

  • Ensure that any updates from the vendor are applied.
  • Ensure that access points are connected to switched networks.
  • Configure wireless networks as an untrusted DMZ off the regular network.
  • Ensure that WEP encryption is enabled and that the highest encryption level is chosen.
  • Change the WEP encryption key periodically as appropriate.
  • Do not rely on built-in encryption mechanisms for security. Instead, implement VPNs over wireless for all traffic, if possible. They are more robust, extensible, and manageable.
  • Disable SSID broadcasts as able, but do not rely on this as a strong security measure.
  • Ensure that the SSID has been changed from its factory default value, and periodically change it if possible.
  • Ensure that the SSID does not describe the network owner or function.
  • Ensure that any web administration interfaces are disabled or tightly controlled.
  • Ensure that the default administrator password is changed to a very strong password.
  • Ensure that MAC address filtering and control measures are enabled if appropriate.
  • Implement static IP addressing if possible, and avoid DHCP.
  • Ensure that SNMP settings are disabled or that strong community strings are enabled.
  • Ensure that any TFTP service is disabled.
  • Ensure that the access point does not answer on any unknown ports (through 65,000).
  • Implement advanced encryption and authentication mechanisms as soon as possible with upgrades such as WPA, 802.1X, and 802.11i.
  • Ensure that the radio dispersion from all antennas is appropriate.
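Most of the items in this checklist can be verified mechanically against an access point's exported configuration, which is how an auditor would apply it across many devices. The script below is an added example and not part of the original checklist or of any vendor's tooling. It assumes a vendor-neutral configuration dictionary with the keys shown (real APs export their settings in vendor-specific formats, so a parser for that format would feed this function). The lists of factory SSIDs, default passwords and weak SNMP community strings are constructed for the example, as are the two sample configurations, one weak and one hardened along the lines of the list above.

```python
"""Audit a wireless access point configuration against the wireless checklist.

Added example, not from the original page. The config format (a flat dict with
the keys used below) is an assumption standing in for a vendor's exported config.
"""
import re

# Constructed sample values for the example; extend from vendor documentation.
DEFAULT_SSIDS = {"default", "linksys", "wireless", "tsunami", "netgear"}
WEAK_COMMUNITIES = {"public", "private", "admin", ""}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "cisco", "default"}
# Assumption: the only service the AP should answer on is HTTPS management.
EXPECTED_PORTS = {443}


def password_is_strong(pw):
    """Simple strength rule: at least 12 characters and three character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= 12 and classes >= 3


def audit_ap(cfg):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    if cfg.get("firmware_current") is False:
        findings.append(("high", "vendor firmware update not applied"))
    enc = cfg.get("encryption", "none")
    if enc == "none":
        findings.append(("high", "no link-layer encryption enabled"))
    elif enc == "wep":
        findings.append(("medium", "WEP in use; upgrade to WPA/802.1X/802.11i when available"))
        if cfg.get("wep_bits", 0) < 128:
            findings.append(("medium", "WEP key shorter than the highest supported level"))
    if not cfg.get("vpn_required", False):
        findings.append(("medium", "wireless clients not forced through a VPN"))
    ssid = cfg.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("medium", f"SSID '{ssid}' is a factory default"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "SSID broadcast enabled"))
    if cfg.get("web_admin", True) and not cfg.get("web_admin_restricted", False):
        findings.append(("high", "web administration interface open to all clients"))
    pw = cfg.get("admin_password", "")
    if pw in DEFAULT_ADMIN_PASSWORDS or not password_is_strong(pw):
        findings.append(("high", "administrator password is default or weak"))
    if not cfg.get("mac_filtering", False):
        findings.append(("low", "MAC address filtering disabled"))
    if cfg.get("dhcp_server", True):
        findings.append(("low", "DHCP in use; static addressing preferred"))
    snmp = cfg.get("snmp") or {}
    if snmp.get("enabled"):
        for community in snmp.get("communities", []):
            if community.lower() in WEAK_COMMUNITIES or len(community) < 12:
                findings.append(("high", f"weak SNMP community string '{community}'"))
    if cfg.get("tftp_enabled", False):
        findings.append(("high", "TFTP service enabled"))
    unexpected = sorted(set(cfg.get("open_ports", [])) - EXPECTED_PORTS)
    if unexpected:
        findings.append(("medium", f"AP answers on unexpected ports {unexpected}"))
    return findings


# Constructed sample configurations (not taken from any real device).
WEAK_AP = {
    "firmware_current": False, "encryption": "wep", "wep_bits": 64,
    "vpn_required": False, "ssid": "linksys", "ssid_broadcast": True,
    "web_admin": True, "admin_password": "admin", "mac_filtering": False,
    "dhcp_server": True, "snmp": {"enabled": True, "communities": ["public", "private"]},
    "tftp_enabled": True, "open_ports": [23, 69, 80, 161, 443],
}
HARDENED_AP = {
    "firmware_current": True, "encryption": "wpa", "vpn_required": True,
    "ssid": "x7q2-rk9", "ssid_broadcast": False, "web_admin": False,
    "admin_password": "Tr0ub4dor&3-Sunset!", "mac_filtering": True,
    "dhcp_server": False, "snmp": {"enabled": False}, "tftp_enabled": False,
    "open_ports": [443],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(f"{name}: {len(audit_ap(cfg))} finding(s)")
        for severity, text in audit_ap(cfg):
            print(f"  [{severity}] {text}")
```

The severity labels are a judgement call for the example; the point is that each checklist item becomes a testable predicate, so the same audit can be re-run after every firmware update or configuration change rather than walked through by hand.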