Developing Wireless Security Best Practices
You do need to develop policies, standards, and practices for your organization, but you may find it useful to base these on best practices. We stated earlier that best practices demonstrate prudence. There is no agreement yet on the required set of standards for secure wireless access points, but you can find agreement on best practices. To protect a WLAN from attack, enterprises need to keep their security best practices up to date. These should include the best practices covered in the following sections.
General best practices
- Designate an individual to track the progress of 802.11, 802.15, and 802.16 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology.
- Keep your computers and Wi-Fi devices powered up at all times, but power down your broadband modem after hours.
- Ensure that wireless networks are not used until they comply with the security policy.
- Complete a site survey to measure and establish the AP coverage for the agency.
- Ensure that the ad hoc mode for 802.11 has been disabled unless the environment is such that the risk is tolerable.
- Enable all security features of the WLAN product.
Access point best practices
- Maintain a complete inventory of all APs and wireless devices.
- Control the broadcast area through cell sizing. Many wireless access points let you adjust the signal strength.
- Place your access points as far away as possible from exterior walls and windows. Place them in the interior of the building where appropriate.
- Place APs in secured areas to prevent unauthorized physical access and user manipulation.
- Mount your access points out of reach and out of plain view. Bolt them down or secure them in locked steel enclosures.
- Test the signal strength.
- Make sure that you use the reset function on APs only when needed and that it can be invoked only by someone in an authorized group of people.
- Restore the APs to the latest security settings when someone uses the reset function.
- For 802.11b and g devices, ensure that AP channels are at least five channels apart from any other nearby wireless networks to prevent interference. Use 802.11a when you need more co-located APs.
- Understand and make sure that all default parameters are changed.
- Disable all nonsecure and nonessential management protocols on the APs. If you have Cisco devices, disable Cisco Discovery Protocol (CDP) when not needed.
- When disposing of access points that will no longer be used by the organization, clear access point configuration to prevent disclosure of network configuration, keys, passwords, and so on.
- If the access point supports logging, turn it on and review the logs on a regular basis.
Password best practices
- Be sure to change the default password on all access points.
- Use a strong password to protect each access point.
- Ensure that all passwords are changed regularly.
SSID best practices
- Use SSID (Service Set Identifier) wisely. Don't use the default and don't use the name of your company as the SSID.
- Buy access points that let you disable SSID broadcasting. This prevents access points from broadcasting the network name and associating with clients that are not configured with your SSID.
- Immediately change an access point's default SSID. (And while you are at it, change the default username and administrator password, too.)
Authentication best practices
- Implement user authentication. Require access point users to authenticate.
- Upgrade access points to use implementations of the WPA and 802.11i standards. Also, as you implement user authentication on the access points, reuse any existing servers that provide authentication for your other network services, such as RADIUS.
- Use MAC (Media Access Control) address authentication where practical. When you have a manageable number of wireless users and just a few access points, MAC addressing lets you restrict connections to your access points by specifying the unique hardware address of each authorized device in an access control list and allowing only those specific devices to connect to the wireless network.
- Enable user authentication mechanisms for the management interfaces of the AP.
Encryption best practices
- Secure the WLAN with IPSec VPN technology or clientless VPN technology.
- Turn on the highest level of security your hardware supports. Even if you have older equipment that supports only WEP, ensure that you enable it. Whenever possible, use at least 128-bit WEP.
- Ensure that encryption key sizes are as long as possible.
- Make sure that default shared keys are periodically replaced by more secure unique keys.
Client best practices
- Deploy personal firewalls and virus protection on all mobile devices.
- Ensure that the client wireless adapter and AP support firmware upgrades so that security patches may be deployed as they become available.
- Ensure that users on the network are fully trained in security awareness and the risks associated with wireless technology.
- Regularly scan for rogue access points on the network by using a wireless scanner or a packet analyzer.
- Use antivirus software on all wireless clients.
- Use personal firewall software on all wireless clients.
- Use a secure transport for wireless communications: for example, IPSec, SSL, or SSH.
- Disable the WNIC (wireless network interface card) when it is not in use.
- Update and enable client security software and patch OS.
- Take regular backups.
Network best practices
- Deploy enterprise-class protection technologies. This includes employing a firewall on the demilitarized zone and client firewalls on every desktop; VPN services that encrypt all traffic to and from wireless devices; wireless and network intrusion detection systems; antivirus software for the network, server, and desktop; regular vulnerability assessments of the WLAN; and policy compliance tools.
- Install a properly configured firewall between the wired infrastructure and the wireless network.
- Use bridges, switches and gateways to segment the network.
- Use Layer 2 switches in lieu of hubs for AP connectivity.
- Do not connect wireless access points to hubs.
- Disable DHCP.
- Ensure that management traffic destined for APs is on a dedicated wired subnet.
- Configure SNMP settings on APs for least privilege (that is, read only).
- Disable SNMP if it is not used. SNMPv1 and SNMPv2 are not recommended. Use SNMPv3 and/or SSL/TLS for Web-based management of APs.
- Use a local serial port interface for AP configuration to minimize the exposure of sensitive management information.
- Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity.
- Use static IP addressing on the network.
- Perform comprehensive security assessments at regular and random intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture.
- Turn off communication ports during periods of inactivity when possible.
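An added example (not part of the original tutorial): one way to run the inventory, configuration, channel-spacing, ad hoc, default-SSID, and rogue-AP checks from the lists above over a scanner export. The BSSIDs, SSIDs, channels, the `DEFAULT_SSIDS` list, and the `audit` function are all constructed for illustration.

```python
"""Audit a wireless site survey against the AP inventory (added example)."""
from itertools import combinations

# Constructed inventory of authorized APs: BSSID -> (SSID, assigned channel)
INVENTORY = {
    "02:00:00:aa:00:01": ("ops-net-7", 1),
    "02:00:00:aa:00:02": ("ops-net-7", 6),
    "02:00:00:aa:00:03": ("ops-net-7", 11),
}
# Assumed, illustrative list of factory-default SSIDs to flag
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}

# Constructed survey rows: (BSSID, SSID, channel, mode)
SURVEY = [
    ("02:00:00:aa:00:01", "ops-net-7", 1, "infrastructure"),
    ("02:00:00:aa:00:02", "ops-net-7", 6, "infrastructure"),
    ("02:00:00:aa:00:03", "ops-net-7", 9, "infrastructure"),   # drifted from 11
    ("02:00:00:bb:00:09", "ops-net-7", 36, "infrastructure"),  # not in inventory
    ("02:00:00:cc:00:04", "linksys", 40, "infrastructure"),    # default SSID
    ("02:00:00:dd:00:05", "laptop-share", 3, "ad-hoc"),        # ad hoc station
]

def audit(survey, inventory, min_gap=5):
    """Return (finding, subject) pairs for each checklist violation."""
    findings = []
    own_ssids = {ssid for ssid, _ in inventory.values()}
    for bssid, ssid, channel, mode in survey:
        bssid = bssid.lower()
        if mode == "ad-hoc":
            findings.append(("adhoc", bssid))
        elif bssid not in inventory:
            # Unknown radio; worse if it advertises one of our own SSIDs
            kind = "rogue-own-ssid" if ssid in own_ssids else "unknown-ap"
            findings.append((kind, bssid))
        elif inventory[bssid] != (ssid, channel):
            findings.append(("config-drift", bssid))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append(("default-ssid", bssid))
    # 802.11b/g rule: 2.4 GHz infrastructure APs at least min_gap channels apart
    radios = [(b.lower(), c) for b, _, c, m in survey if m != "ad-hoc" and c <= 14]
    for (b1, c1), (b2, c2) in combinations(radios, 2):
        if abs(c1 - c2) < min_gap:
            findings.append(("channel-overlap", f"{b1}/{b2}"))
    return findings

if __name__ == "__main__":
    for kind, subject in audit(SURVEY, INVENTORY):
        print(f"{kind:16} {subject}")
```

Each finding maps back to a checklist item, so the output can feed the regular security assessment directly.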
Ensure that all users on the network are fully trained in computer security awareness and the risks associated with wireless technology. A security awareness program helps users establish good security practices to prevent inadvertent or malicious intrusions into an organization's information systems.