Chapter 7: Security and Wireless LANs

Cisco Press

Page 4 of 5
  1. Create a management VLAN—The management VLAN should be created on the wired interface of the access point. It is used to separate management traffic, such as SNMP and SSH, from data traffic. By limiting management to a particular VLAN, you can provide a more secure path for critical traffic to prevent it from being "overheard."

  2. Disable non-secure protocols—Specifically, disable the following protocols:

    • Telnet—Although Telnet allows for remote administrative logon to the access point, it is not a secure protocol as it transmits all—including password—data in clear text. Disable Telnet on all VLANs, including the management VLAN.

    • HTTP access—HTTP access to the access point provides users and operational staff with the ability to configure the device through a web browser. Once again, this is typically an insecure feature and should be disabled if at all possible. If your support staff absolutely must have HTTP access to the access points, then it should be limited to the wired management VLAN only. However, because of the risk of transmission in clear text, we strongly recommend that HTTP access be disabled altogether.

    • Other non-essential management protocols—Nonessential management protocols should be disabled. For example, if you are not using SNMP, RMON, or CDP in your existing network management framework, disable the protocols on the access points.

  3. Enable secure protocols—Enable the following protocols:

    • Secure Shell Protocol (SSH)—Provides the same functionality as Telnet (remote access to a command-line interface on the access point) but provides communication over a secure channel.

    • TACACS or RADIUS—Use TACACS or RADIUS to provide a centralized authentication framework for device administration. This will mean you do not have to manage individual admin accounts on each access point and will ensure that you can easily update and control all administrative access to the wireless devices.

    • SNMP—Simple Network Management Protocol (SNMP) is a set of protocols commonly used to manage network devices. If you use SNMP, you should configure strong and complex community strings and change them often. Additionally, you might want to consider using SNMP Read Only if possible because it will prevent SNMP devices from changing access point configuration; however, this might not be possible depending upon how you manage your network.

      SNMP traffic should be limited to a particular list of host devices (SNMP network management tools) or subnets. IP address filtering (also known as Access Control Lists, or ACLs) is a common security feature, and in this circumstance, it allows you to limit the devices that will send and receive SNMP traffic.
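As an added example (not from the book), the following Python audit checks an autonomous Cisco IOS access point running-config against the hardening steps above: Telnet allowed on a vty line, HTTP management enabled, SNMP read-write or unrestricted or well-known community strings, and no centralized RADIUS/TACACS. The two config fragments, the NMS address, the ACL name and the community string are constructed for illustration.

```python
import re

# Constructed running-config fragments for an autonomous IOS access point (not
# from a real device). WEAK breaks several of the steps above; HARDENED is the
# same device with SSH only, no HTTP and a read-only SNMP community behind an ACL.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
radius-server host 10.10.10.20 auth-port 1812 acct-port 1813 key REPLACE_ME
ip http server
snmp-server community public RO
snmp-server community private RW NMS-ONLY
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
radius-server host 10.10.10.20 auth-port 1812 acct-port 1813 key REPLACE_ME
no ip http server
ip access-list standard NMS-ONLY
 permit 10.10.10.30
snmp-server community Xq7v9LzQ RO NMS-ONLY
line vty 0 4
 transport input ssh
"""

def audit_ap_config(config: str) -> list[str]:
    """Return hardening findings for an IOS-style access point config."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]
    for line in lines:
        # Telnet is reachable if a vty 'transport input' lists telnet or all
        m = re.match(r"\s*transport input\s+(.*)", line)
        if m and {"telnet", "all"} & set(m.group(1).split()):
            findings.append("Telnet enabled on vty: " + line.strip())
        # SNMP: flag read-write, missing ACL and well-known community strings
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", line)
        if m:
            community, mode, acl = m.groups()
            if mode == "RW":
                findings.append(f"SNMP read-write community '{community}'")
            if acl is None:
                findings.append(f"SNMP community '{community}' not restricted by ACL")
            if community.lower() in ("public", "private"):
                findings.append(f"Well-known SNMP community '{community}'")
    if "ip http server" in lines:
        findings.append("HTTP management enabled; use 'no ip http server'")
    central = any(l.startswith(("radius-server host", "tacacs-server host")) for l in lines)
    if "aaa new-model" not in lines or not central:
        findings.append("No centralized AAA (RADIUS/TACACS) configured")
    return findings
```

Running `audit_ap_config(WEAK_CONFIG)` reports six findings, while the hardened fragment reports none.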

Prevent Layer 2 MAC Address Spoofing

Many access points and network devices allow you to configure Layer 2 MAC address spoofing prevention. This step prevents devices from using a MAC address other than their own. Many attacks are based upon spoofing a different MAC address, and this step will help mitigate that risk.

Note - Publicly Secure Packet Forwarding (PSPF) is a Cisco feature that allows you to prevent inter-client communication on WLANs. This means that two stations cannot consciously or, more importantly, inadvertently share files with others that use the same AP. PSPF allows network access to client devices without providing other capabilities of a LAN, such as peer-to-peer. This feature is especially useful for public wireless networks like those installed in airports or on college campuses.

Reduce Transmit Power to Only That Required for Coverage

Access points can transmit at various signal strengths. The higher the signal strength, the greater the distance that RF propagates, and therefore the greater the covered area. To avoid the risk of unauthorized users connecting to your WLAN, it is important not to let your radio signal "bleed" uncontrollably into the surrounding area.

By reducing the transmit power, you can more carefully manage your cell size and design, controlling the degree to which your WLAN extends outside of your physical building or office space.

Managing the power and range improves security by reducing the potential threats to your WLAN. Although this technique reduces the footprint that an attacker can use to exploit the network, it only prevents casual discovery. DoS attacks are still a possibility as an attacker can still transmit into your network causing radio interference.

Consider Directional Antennas

Directional antennas allow you to shape the coverage area of your WLAN. Although not a security setting per se, directional antennas can, like reducing transmit power, help ensure that wireless coverage does not bleed into areas that you do not want to cover. Even when physical and logical security are tight, there is no reason to extend your footprint into uncontrolled areas.

Note - Directional antennas can also be used to provide more accurate coverage in problematic deployment spaces, such as large factory floors, hallways, and operating rooms.

Physically Secure APs

You should physically secure the access points. Many manufacturers provide mounting brackets that allow you to physically lock down access points. This is important because access points can contain information on the configuration of your network. Ensuring physical security of the device not only protects your capital assets but also removes one more potential area where attackers can target your deployment.


The authentication, authorization, and accounting (AAA) architecture you use is important for all network security, and WLANs are no different. WLANs require a method to authenticate users and to manage an encryption key exchange. AAA systems provide the industrial strength authentication management system needed to support this in a scalable and resilient fashion. As a backbone service, the AAA systems need to have a breadth of support for EAP types and must be scalable.


Remembering that EAP is the recommended method for securing the radio transmissions of your WLAN, you should ensure that your AAA service can support an EAP type. The EAP family of protocols is "extensible," meaning many varieties are available, including several proprietary versions. Some AAA servers do not support all EAP mechanisms. If you already have an existing AAA server in your infrastructure, it is crucial that you ensure that it supports the EAP mechanism you choose for your WLAN. Alternatively, you could install a dedicated AAA server or servers for WLAN use only. However, this is likely to be cost-prohibitive because the additional devices need not only to be acquired but also managed on an ongoing basis.

AAA Scalability and Availability

Like all centralized services on a network, it is important that your AAA infrastructure is scalable and stable. Because AAA servers are fundamental to a secure network, their availability and reliability are essential for a secure network. If you are deploying a large-scale or global network, it's important to plan your AAA architecture accordingly. Centralizing all authentication on a single system is not good practice; it's better to use a distributed system with several AAA servers to avoid a single point of failure. A distributed AAA architecture not only has better resilience and disaster recovery capabilities but also provides the added benefit of load-balancing among available AAA servers. In global deployments, for example, it's common to have AAA servers regionally dispersed. Not only does this ensure that you have a resilient system, but it also keeps authentication traffic regional.

Some solutions allow AAA services to reside locally, which means that the authentication is performed on the AP or switch servicing that WLAN. This solution can be attractive for very large-scale deployments where you might have hundreds or thousands of local WLANs (for example, small retail stores or bank branches).

Remember that losing connectivity to your AAA server means that users cannot authenticate; therefore, the WLAN—as a transport medium to the network as a whole—is unavailable. As such, a robust AAA architecture is essential.

Physically Secure the Office Space

A necessity of any network is ensuring physical security of the environment. Your wireless network is no different and in some cases can be considered more susceptible to attacks by intruders because APs are typically not placed in secured wiring closets, but rather in open areas. It is therefore essential, for many reasons, that you have good physical security in your office space and adjacent areas.

Note - Many large corporations have sizeable parking lots or public areas that surround their office buildings. It is prudent to make your security staff aware that uninvited or "suspicious" visitors might be attempting to eavesdrop on your WLAN. Educate them to be aware of potential war walkers and war drivers.

Communicate with Your Users

A robust wireless security posture, a strong wireless security policy, and comprehensive security procedures are all devalued if your user population is unaware of them or ignorant of the risks of poor behavior. As such, communication with your users about security is a fundamental aspect of securing your WLAN. The vast majority of your users will be welcome partners in your ongoing security efforts if they are engaged successfully and educated on how to help.

Consider using multiple communications methods to provide your user community with a comprehensive source for information about the wireless network. Include FAQs, user education documents, WLAN news bulletins, deployment updates, and even links to software and external resources. We recommend that, at the very minimum, you engage in communications with your WLAN users regarding the following three topics:

  • WLAN security policy—Your wireless security policy should be clear and concise when communicated to your users. Make the policy easy to understand and free from as much technical jargon as possible.

  • Fundamentals of wireless—Educate your users about the benefits and the fundamentals of wireless networking. The vast majority of users will work with you to secure your network through responsible actions. For example, when people understand the risks associated with rogue access points, most will refrain from installing them. Treat your users as partners, and they will greatly assist you in securing your network.

  • Updates on security developments—Your network users are best served when they know what developments happen in the wireless security world, including current risks, common types of attack, and possible intrusion efforts (hacks). Network security is a constantly evolving area with new attacks and tools being developed continuously. It is important to remain aware of developments in this area and pass that information on to the user community in a timely manner.

Secure Wireless at Home

If your company provides remote access services to your users, then home wireless networking policies and guidelines are recommended. Many large enterprises allow their users to connect to the corporate network from home. In many circumstances, these remote access services are provided not only by standard analog modems but also by "always on" high-speed connections, such as cable modems, xDSL, ISDN, and even dedicated Frame Relay or WAN links. In all cases, it is very important to publish strict guidelines on the acceptable use of wireless devices at home. Consider that these services effectively extend the corporate network to your users' homes. The WLAN access point that is installed at the home is no different than a rogue AP and hence brings along the same risks.

The different strategies for mitigating these threats are discussed next. Note that not all the solutions enable the full extension of the corporate network to the WLAN-enabled home.

Ban Home Wireless on Corporate Remote-Access Equipment

A policy decision could be made simply to ban the use of wireless access points on corporate equipment at users' homes. This is in some ways the easiest solution but the one that has the most negative impact on the user. However, any such ban needs to be preceded by education on the merits of such a position.

Provide Corporate Support for Home Access Points

A list of recommended or supported WLAN devices can be created, with specific configuration guidelines for each. Your users can then configure their access points using the instructions provided to conform with corporate security requirements.

Provide Home Wireless Recommended Practices

A list of recommended practices specifically for home wireless networking can be provided for your users. These best practices might not provide detailed configuration guidelines for every make and model of access point, but they should provide the users with advice on the "high-level" concepts of configuring their devices securely.

Provide a simple step-by-step guide such as the sample presented here. A dual approach consisting of a "quick setup" as well as a more comprehensive and detailed version is ideal:
