How to: Lock down your WLAN

In August, engineers with AirDefense, a wireless LAN security software vendor, made war drives in Atlanta, Chicago and San Francisco, using scanners to find WLAN access points around downtown office buildings.

The drivers discovered more than 1,100 access points. Of these, 57% weren't using any form of data encryption, although most of the actual data traffic in Chicago and San Francisco was encrypted by other means, such as via VPN. Three-quarters of the access points were broadcasting their Service Set Identifier (SSID), which is like hiding in a game of hide-and-seek while carrying a boom box blaring heavy metal.

The WLAN out of the packing boxes is inherently unsecure. But the final WLAN security system you create will hinge on what data you want to protect, how valuable it is and the level of risk to that data. Good WLAN security is expensive: in time, training, maintenance, oversight and in hardware and software costs.

The following recommendations assume an enterprise WLAN of 150 to 500 access points, up to several hundreds of users and a relatively high requirement for protection.

1. Control the wireless clients.
Standardize the WLAN network interface cards (NIC), block user access to them, and register their media access control (MAC) addresses.

Create and enforce procedures and policies for promptly updating clients with software patches and security updates, and for blocking clients running out-of-date software.

Consider disabling NICs' ad hoc or peer-to-peer mode, which lets clients connect to each other without an access point. Attackers can use this feature to lure or force clients to associate with a rogue WLAN.

2. Treat the WLAN as you do the Internet - as untrusted.
Put a firewall between the WLAN and the wired network. This barrier blocks unauthenticated WLAN users from sending Layer 2 packets on to the wired network, for example, as part of an Address Resolution Protocol (ARP) attack. A successful ARP assault lets the attacker route traffic between two computers on your network through his own computer.

3. Protect the access points.
Conceal access points behind ceiling panels or in closets, and secure them to prevent tampering. At one university, someone pulled out the PC Cards from more than 100 access points and tried to sell them on eBay.

Hide access points from attackers by changing the factory default settings for the SSID or IP address information, creating difficult passwords, and turning off SSID broadcasting.

Turn on Access Control Lists for use with client MAC addresses.

Select access points that use flash memory, to simplify future upgrades of security patches and of still-developing security standards.

Consider buying access points that let you create virtual LANs (VLAN). VLANs let you group users and give the groups access to different network resources. VLANs also let you separate management traffic from user traffic.

4. Prevent radio waves from "leaking" out of your site.
You can "shape" radio waves by replacing the standard omni-directional antenna with a directional antenna, especially on the edges of your site.

Another technique is to adjust the power levels of the radios. Using less power means the signal doesn't reach as far.