Use MAC address filtering at the AP: Many APs can be set to use MAC address filtering to restrict AP usage to specific machines.

Implement out-of-band user authentication: Should the security policy demand a stronger authentication scheme, two-factor authentication can be employed using a separate authentication server on a wired segment adjacent to the AP. This measure ensures that only authorized users are granted access to both wired and wireless resources.

Disable AP Dynamic Host Configuration Protocol (DHCP): By default, most APs are set as DHCP servers and will automatically grant a WLAN IP address to any machine that requests one. This makes it very easy for war drivers to gather information and connect to your network. Disabling AP DHCP prevents this action.

Utilize IPSec or VPN: In cases where confidential data must traverse a WLAN, the data can be protected by VPN or IPSec-based encryption to provide the level of confidentiality required.

[an error occurred while processing this directive]

Don't shoot the messenger
The WLAN was only one element of the security vulnerabilities that resulted in the theft of NCTPTI's key customer contact lists. Poor security practices and an improperly hardened IIS server were equally at fault. Additional recommendations were made regarding network architecture, system hardening policies and procedures, and authentication and access control to provide the level of security required for key corporate data.

Within 10 days of the penetration testing that revealed the WLAN vulnerabilities, the client had fully addressed the vulnerability and met the business requirements that dictated WLAN usage while maintaining an appropriate and reasonable level of security.

Final thoughts
Essential to the successful deployment of a WLAN is the proper consideration by senior management of the business requirements and risks associated with their usage. Only after senior management has fully identified the requirements and acceptable levels of risk can an IT organization deploy a WLAN appropriately.

Due to the sheer number of targets available to the casual war driver, even the most basic WLAN precautions are generally sufficient to dissuade a potential hacker. Organizations that believe they could potentially be the targets of a more sophisticated attack (e.g., industrial espionage) should fully consider the risks associated with a WLAN before deployment.

Remember, because WLANs are inherently insecure, you must consider a number of important factors before their deployment:

• Why are we deploying a WLAN?
• Who will be allowed to use the WLAN?
• Where will we allow the WLAN to be deployed?
• Where are we going to position the access points in our infrastructure?
• What data will not be accessible via the WLAN?
• What additional technologies can we use to further secure the WLAN?
• How can we harden the WLAN to make it as difficult as possible to compromise?

It is generally most beneficial to look at this technology decision from a business perspective. For example, if the sole reason for the WLAN is to provide mobile access to the Internet, the risk is minimal.

The worst-case risk scenario with an exploit of a properly segmented network is the unauthorized use of the client's bandwidth for Internet access. Unfortunately, things are generally not that easy. By properly considering the client's organizational assets and the risk relating to their compromise, our policies for the WLAN provided reasonable and appropriate levels of security while allowing NCTPTI to reap a significant percentage of wireless technologies' business benefits.

How easy is it to break into your company's wireless LAN? TalkBack below or e-mail us with your thoughts.
TechRepublic provides insight, advice, and technical information written by IT professionals for IT professionals.
Have the top IT experts by your side today--FREE!

Previous page |   1 2 3

[an error occurred while processing this directive]

[an error occurred while processing this directive]