Think your WLAN security is good? Think again.
Last time, Paul Anderson, CEO of IT services firm Novacoast, commented on the incredibly lax security of many of his clients’ wireless networks. Security implementations are now so bad that some pundits are calling for regulations that place warning stickers about security on wireless equipment, similar to those on cigarette packs. While wireless won’t kill you, a combination of poor security and malicious outsiders could kill your company.
Think I’m exaggerating? Then tell me, what would happen if a competitor sat outside your building and read your customer list and bid papers for the next contract? What would a burglar do if he grabbed all your blank checks? The same or worse if he grabbed all your online bank account numbers and passwords.
Scared? Good. Fortunately, you can improve your WLAN security in five easy steps.
1. Place your wireless access points carefully. Wireless signals go through walls, even thick ones. Putting an access point near a window gives the radio waves an easy exit, so put it in the middle of the room. And don’t put the access point on the ceiling if you have upstairs neighbors. Walk around with a laptop displaying signal strength to help place your access points.
2. Enable Wireless Encryption Protocol (WEP). WEP typically offers a choice between 40-bit and 128-bit encryption levels. Forty-bit security stops casual eavesdroppers. It’s the equivalent of locking your door to persuade thieves to look for an unlocked one. But if your system leaks outside your walls and you have spies trying to crack your security, even 128-bit won't stop them. Look to securing your network signals within a VPN, and/or upgrade to Wi-Fi Protected Access (WPA) for the next-generation security controls.
3. Change your Service Set Identifier (SSID). Effectively a mini-password between devices, the SSID number is usually set by default using the vendor name or the ever popular “workgroup” setting recommended by Windows. Change this to anything else on all clients and access points immediately.
4. Disable Dynamic Host Configuration Protocol (DHCP). IP address management requires you give each network device a unique IP address. DHCP servers listen for devices connecting to the network looking for network information, including an available IP address. Unfortunately, your DHCP server will also give out an IP address to the hacker sitting in the parking lot hijacking your wireless signal. This will require some extra work on your part, but it is essential for security. Instead of using DHCP, you’ll have to give each device its own static IP address. Remember not to duplicate any.
5. Create your own Access Control List (ACL). Also known as the authorized users or known devices list, vendors typically leave the ACL turned off. Why? Because to use it, you must type in the IP address or the Media Access Control (MAC) address given to each network device by the manufacturer. Sure, it’s a pain, but typing each device into the ACL tells the wireless access point to allow only those devices access to the wireless network, making it a powerful exclusionary tool.
Also, don’t forget to secure any PDAs that have wireless capabilities. If you use your PDA to access public networks, you’ll have some extra work to switch between lax and controlled security, but it’s a necessary evil.
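Steps 2 through 5 can be checked mechanically once the access point settings and the device inventory are written down. The following is an added example, not part of the original article: the dictionary keys, the default-SSID list and all sample MAC and IP values are assumptions made up for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: illustrative defaults (vendor names plus the "workgroup" value the article cites).
DEFAULT_SSIDS = {"workgroup", "default", "linksys", "netgear"}

def normalize_mac(mac):
    """Reduce 00:11:.., 00-11-.. and 0011.22.. notations to one comparable form."""
    return mac.replace(":", "").replace("-", "").replace(".", "").lower()

def audit_wlan(ap, clients):
    """Check one access point (hypothetical dict keys) and its client inventory against steps 2-5."""
    findings = []
    if ap["ssid"].strip().lower() in DEFAULT_SSIDS:            # step 3
        findings.append("default-ssid")
    enc = ap.get("encryption", "none").lower()                 # step 2
    if enc == "none":
        findings.append("no-encryption")
    elif enc == "wep":
        # The article: 40-bit only deters casual eavesdroppers; 128-bit still needs a VPN or WPA.
        findings.append("wep-40bit" if ap.get("key_bits", 40) < 128 else "wep-needs-vpn-or-wpa")
    if ap.get("dhcp_enabled", True):                           # step 4
        findings.append("dhcp-enabled")
    if not ap.get("acl_enabled", False):                       # step 5
        findings.append("acl-disabled")
    else:
        allowed = {normalize_mac(m) for m in ap.get("acl_macs", [])}
        findings += [f"not-in-acl:{c['name']}" for c in clients
                     if normalize_mac(c["mac"]) not in allowed]
    # Static addressing (step 4): every address must parse and be unique.
    seen = Counter(str(ipaddress.ip_address(c["ip"])) for c in clients)
    findings += [f"duplicate-ip:{ip}" for ip, n in sorted(seen.items()) if n > 1]
    return findings

# Constructed sample data: MAC and IP values are made up for the example.
CLIENTS = [
    {"name": "laptop-1", "mac": "00:11:22:33:44:55", "ip": "192.168.10.21"},
    {"name": "pda-1", "mac": "0011.2233.4466", "ip": "192.168.10.22"},
    {"name": "laptop-2", "mac": "00:11:22:33:44:77", "ip": "192.168.10.21"},
]
AP_BEFORE = {"ssid": "workgroup", "encryption": "wep", "key_bits": 40,
             "dhcp_enabled": True, "acl_enabled": False, "acl_macs": []}
AP_AFTER = {"ssid": "floor2-7f3a", "encryption": "wpa", "dhcp_enabled": False,
            "acl_enabled": True, "acl_macs": ["00:11:22:33:44:55", "00-11-22-33-44-66"]}

if __name__ == "__main__":
    for label, ap in (("before", AP_BEFORE), ("after", AP_AFTER)):
        print(label, audit_wlan(ap, CLIENTS))
```

Step 1, access point placement, is a physical survey and is not covered by the check.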