
Wireless Security


  • Wireless Security

    I know... 802.11's are not so secure. I am very aware of the risks of using wireless, but if anyone is interested, here is what I do...
    On home network: Laptop through AP with gre tunnel to wired server, and I use that to proxy into net.
    Cisco Aironet 350 as base with proprietary protocol on [ keeps non Cisco wireless out... so they say ;) ]
    WEP changed monthly
    I also locked the base to only my MAC.

    Ideas covered in this scheme:
    1) packet sniffing semi defeated with gre tunnel
    2) rogue access with MAC lock down and Cisco's "neat little proprietary" protocol.

    Is there anything that you guys might think I missed?
    rootin shootin & tootin

  • #2
    Re: Wireless Security

    Originally posted by Merciless_Mike
    Is there anything that you guys might think I missed?
    you certainly want to check this out:

    Originally posted by Thorn
    Just as a followup to the above exchange, the completed checklist is now available in the NetStumbler FAQ Forums. Specifically, the FAQ: WiFi Security thread.
    FAQ: WiFi Security
    Wireless Networking Basic Security Checklist

    Written with the help and co-operation of the Members and Moderators of the NetStumbler forums. Compiled from the original thread at:

    1. WLAN isolation: Treat all APs as UNTRUSTED and as such, locate the wired network connection of any AP outside a Firewall.
    2. Use proven security measures such as VPN, SSL, etc.
    3. Design the WLAN to limit RF propagation to only those areas needed for coverage. Choosing the correct antenna and RF power levels can also help limit the RF footprint. Limiting the RF footprint to only needed areas will help minimize access to the WLAN by unauthorized persons who are outside the building or grounds.
    4. Change ALL default AP settings such as SSID, Administrative and User passwords.
    5. Choose an SSID that will not attract unwanted attention. For example, an SSID of “Rm125” is less apt to attract criminals as opposed to “AccountingDept”.
    6. Disable Automatic SSID Broadcast.
    7. Use WEP encryption. If possible, use a 128-bit variation.
    8. Change the WEP key on a periodic basis.
    9. Run the systems as an Open Key WEP rather than Shared Key. While this seems counterintuitive, Open Key systems are actually the more secure of the two types of key systems.
    10. Restrict wireless usage to only the minimum TCP and UDP ports needed by the users to meet job requirements. Disable all other ports. For example, you may wish to enable TCP Port 80 (HTTP), and TCP Port 110 (POP) yet disable TCP Port 25 (SMTP) to prevent becoming a wireless mail relay, and TCP Ports 20,21 (FTP) to prevent unauthorized file transfers.
    11. Use a MAC based ACL. Maintain an updated list of current MAC addresses.
    12. Restrict the use of wireless NICs to authorized personnel only.
    13. If a fixed number of mobile devices are connecting to the AP(s), disable DHCP and use static IP addresses. If a floating number of devices will be on the wireless network segment, limit the size of the DHCP pool to the absolute maximum number of needed addresses. Do not just assign a full Class C network address space. Additionally, limit the DHCP lease time to the minimum time required.
    14. Authenticate users via a system such as RADIUS or NoCat. Restrict access to the network until the user is authenticated.
    15. Perform regular network scans on both the LAN and WLAN for “rogue” APs.
    16. Perform regular audits and review LAN and WLAN logs:
    ·Check the DHCP logs for rogue APs.
    ·Check the DHCP logs for rogue clients; odd MAC addresses that have associated and de-associated.
    ·Maintain and regularly audit AP access logs
    ·AP logs for exception alarm (SNMP) messages.
    17. Integrate the Wireless and Wired Network User/Security Policies.

    Not all of the above may apply to your situation, depending on the systems and network. For example, the hand-held wireless terminals used by many popular warehouse management systems are incapable of several of using Virtual Private Networking. The hardware used by these systems only has enough processing power to run the built-in firmware.

    ACL - Access Control List
    AP - Access Point
    FTP – File Transfer Protocol
    HTTP – HyperText Transfer Protocol
    MAC – Machine Address Code
    NIC – Network Interface Cards
    POP – Post Office Protocol
    RF - Radio Frequency
    SMTP – Simple Mail Transfer Protocol
    SSID – Service Set Identifier
    SSL - Secure Socket Layer
    VPN - Virtual Private Networks
    WEP - Wired Equivalent Privacy
    WLAN – Wireless Local Area Network
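
Checklist items 11 and 16 (keep a MAC ACL current, check the DHCP logs for rogue clients) can be combined into one audit, shown here as an added example that is not part of the original posts. It assumes ISC dhcpd-style `DHCPACK` syslog lines; the log lines, addresses and allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: ISC dhcpd-style syslog lines (not from the thread).
SAMPLE_LOG = """\
Jan 12 08:01:11 gw dhcpd: DHCPACK on 192.168.50.10 to 00:40:96:aa:bb:01 (laptop) via eth1
Jan 12 08:03:42 gw dhcpd: DHCPACK on 192.168.50.11 to 00:02:2d:11:22:33 via eth1
Jan 12 08:03:59 gw dhcpd: DHCPRELEASE of 192.168.50.11 from 00:02:2d:11:22:33 via eth1
Jan 12 08:09:05 gw dhcpd: DHCPACK on 192.168.50.12 to 00:02:2D:11:22:33 via eth1
Jan 12 08:15:30 gw dhcpd: DHCPDISCOVER from 00:40:96:aa:bb:01 via eth1
"""

# Constructed allowlist, mixing colon, dash and Cisco dotted notation,
# as tends to happen when the list is maintained by hand.
ALLOWED = ["00:40:96:AA:BB:01", "0040.96aa.bb02", "00-40-96-aa-bb-03"]

# Only granted leases matter here; DISCOVER/RELEASE lines are skipped.
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:.\-]{12,17})\b")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def unknown_leases(log_text, allowed):
    """Return {mac: [ip, ...]} for leases granted to MACs not on the ACL."""
    acl = {normalize_mac(m) for m in allowed}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac not in acl:
            hits[mac].append(ip)
    return dict(hits)


if __name__ == "__main__":
    for mac, ips in unknown_leases(SAMPLE_LOG, ALLOWED).items():
        print(f"unlisted MAC {mac} leased {', '.join(ips)}")
```

Clients configured with static addresses (item 13) never appear in DHCP logs, so this audit complements the AP access logs from item 16 rather than replacing them.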


    • #3
      I have learned a few things

      Thanks for the post and link... I have learned a few things tonight.... I am liking the forums here and at NS. :)

      Thanks bw
      rootin shootin & tootin


      • #4
        Re: I have learned a few things

        Originally posted by Merciless_Mike
        Thanks for the post and link... I have learned a few things tonight.... I am liking the forums here and at NS. :)

        Thanks bw
        you are certainly quite welcome :D