Originally posted by Merciless_Mike
Is there anything that you guys might think I missed?

Originally posted by Thorn
Just as a followup to the above exchange, the completed checklist is now available in the NetStumbler FAQ Forums. Specificly, the FAQ: WiFi Security thread.

FAQ: WiFi Security
Wireless Networking Basic Security Checklist

Written with the help and co-operation of the Members and Moderators of the NetStumbler forums. Compiled from the original thread at: http://forums.netstumbler.com/showth...&threadid=2920


1. WLAN isolation: Treat all APs as UNTRUSTED and as such, locate the wired network connection of any AP outside a Firewall.
2. Use proven security measures such as VPN, SSL, etc.
3. Design the WLAN to limit RF propagation to only those areas needed for coverage. Choosing the correct antenna and RF power levels can also help limit the RF footprint. Limiting the RF footprint to only needed areas will help minimize access to the WLAN by unauthorized persons who are outside the building or grounds.
4. Change ALL default AP settings such as SSID, Administrative and User passwords.
5. Choose an SSID that will not attract unwanted attention. For example, an SSID of “Rm125” is less apt to attract criminals as opposed to “AccountingDept”.
6. Disable Automatic SSID Broadcast.
7. Use WEP encryption. If possible, used a 128-bit variation.
8. Change the WEP key on a periodic basis.
9. Run the systems as an Open Key WEP rather than Shared Key. While this seems counterintuitive, Open Key systems are actually the more secure of the two types of key systems.
10. Restrict wireless usage to only the minimum TCP and UPD ports needed by the users to meet job requirements. Disable all other ports. For example, you may wish to enable TCP Port 80 (HTTP), and TCP Port 110 (POP) yet disable TCP Port 25 (SMTP) to prevent becoming a wireless mail relay, and TCP Ports 20,21 (FTP) to prevent unauthorized file transfers.
11. Use a MAC based ACL. Maintain an updated list of current MAC addresses.
12. Restrict the use of wireless NICs to authorized personnel only.
13. If a fixed number of mobile devices are connecting to the AP(s), disable DHCP and use static IP addresses. If a floating number of devices will be on the wireless network segment, limit the size of the DHCP pool to the absolute maximum number of needed addresses. DO not just assign a full Class C network address space. Additionally, limit the DHCP lease time to the minimum time required.
14. Authenticate users via a system such as RADIUS or NoCat. Restrict access to the network until the user is authenticated.
15. Perform regular network scans on both the LAN and WLAN for “rogue” APs.
16. Perform regular audits and review LAN and WLAN logs:
·Check the DHCP logs for rogue APs.
·Check the DHCP logs for rogue clients; odd MAC addresses that have associated and de-associated.
·Maintain and regularly audit AP access logs
·AP logs for exception alarm (SNMP) messages.
17. Integrate the Wireless and Wired Network User/Security Policies.

Not all of the above may apply to your situation, depending on the systems and network. For example, the hand-held wireless terminals used by many popular warehouse management systems are incapable of several of using Virtual Private Networking. The hardware used by these systems only has enough processing power to run the built-in firmware.


Glossary:
ACL - Access Control List
AP - Access Point
FTP – File Transfer Protocol
HTTP – HyperText Transfer Protocol
MAC – Machine Address Code
NIC – Network Interface Cards
POP – Post Office Protocol
RF - Radio Frequency
SMTP – Simple Mail Transfer Protocol
SSID – Service Set Identifier
SSL - Secure Socket Layer
VPN - Virtual Private Networks
WEP - Wired Equivalent Privacy
WLAN – Wireless Local Area Network

Originally posted by Merciless_Mike
Thanks for the post and link... I have learned a few things tonight.... I am liking the the forums here and at NS. :)

Thanks bw