Security standards aside, lock down your boxes, boys!

To build a secure wireless network, it's not enough to watch the airwaves. You must lock down the access points, much like the rest of your network infrastructure.

To build a secure wireless network, it's not enough to watch the airwaves. You must lock down the access points, much like the rest of your network infrastructure.

Network World Lab Alliance partner Rodney Thayer of Canola Jones conducted a penetration test on the wireless infrastructure devices (access points and switches) we tested. Particularly, we were looking to assess how the vendors protect the point at which the wireless device hits the wired network. We left the devices as close as possible to the recommended default configuration. In cases where Thayer criticizes a default setting but the vendor offers an option to make conditions more secure (such as changing from HTTP to Secure-HTTP), he noted this in the report.

Wireless Access Point: Wire-side security testing (PDF)

Cracking the wireless security code

Security picks

What we tested

WEP: Stick a fork in it

802.1X: A stepping stone

WPA - An accident waiting to happen

802.11i: The next big thing

How to do it: Securing your wireless LAN

Tools, not standards, that help tie down wireless nets

Glossary of wireless security terms

Explaining TKIP

How we did it

Archive of Network World reviews

Subscribe to the Product Review newsletter

It's clear from this testing that most devices arrive out of the box with a poor set of security defaults. Many access points don't have the option to disable low-security services, such as Telnet and HTTP, and enable higher security services, such as Secure Shell and HTTPS.

Thayer says most vendors opt for simple, rather than secure, defaults. For example, while few people manage wireless access points from a command-line interface, Actiontec ships its access point with Telnet enabled using a default password anyone can guess (it's the same as the username), which cannot be changed or disabled from the user interface. That's a pretty huge hole, even in the relatively low-end market Actiontec targets.

Thayer took steadier aim at enterprise-class access points built on more sophisticated platforms, such as HP and SMC, which left open debug ports from the real-time Wind River VxWorks operating system both use in their shipping products. While there might not be any known VxWorks exploits this week, this doesn't mean there won't be any next week.

Even vendors that have a clear focus on enterprise-class security, such as Aruba with their full stateful firewall, have been sloppy with their management defaults. Trapeze, another security-focused vendor, has a more haphazard take: It forces you into HTTPS management, but still lets you leave the password blank. That just does not follow good security practice, even if it's a default setting.

Copyright © 2004 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022