Protecting wireless networks

Jun 14, 2004
Mobile Device Management, Security, Wi-Fi

We’re getting requests to install more wireless access at our company. I want to make it as secure as possible without increasing the workload for our Help Desk folks. In researching the options, I’ve read about WEP and WPA. I’ve seen references to other options, but I’m not sure which would be the best to go with. Any suggestions?

– Via the Internet

Welcome to the world of alphabet soup – Wi-Fi and security. Before looking at any particular option, disable the broadcasting of the SSID from all access points, and make sure the access points are on their vendor’s latest version of the firmware. Using Wired Equivalent Privacy (WEP) is better than nothing, although not by much. There are tools readily available that, given enough time, will give you the WEP keys being used and get the party using these tools one step closer to getting on your network. Wi-Fi Protected Access (WPA) is the next step beyond WEP but isn’t without its problems. It is also prone to dictionary attacks, as is WEP. WPA may have another problem for companies with existing Wi-Fi setups such as yours. WPA became a standard only recently, so it is up to the vendor that made the equipment you’re using to release updated firmware for the access points and wireless cards in order to be able to implement WPA.

In your research, you may have read something about 802.1x. I recently set up a Wi-Fi configuration using EAP-TLS. While based on WEP (I could have used WPA but was trying for a simple/quick setup), it does have several things that make it easy to use and offer a degree of security. It uses two WEP keys – one for broadcast traffic and one for regular network traffic. You can set the WEP key for broadcast traffic to be renegotiated at a certain interval, making it a little harder to look at that part of the traffic. The WEP key used for the network traffic is dynamically generated each time the user signs on. With EAP-TLS, you will need to set up a RADIUS server and a certificate authority (both included with either Microsoft or NetWare). The RADIUS server authenticates the user back against your network directory service. The certificate authority generates a certificate that the user can install from a Web site. Using Cisco access points, you can configure them to only announce the SSID if you have authenticated to the access points but remain silent otherwise. You can do PEAP-TLS, but this requires specialized software from Cisco that may cost more than you can spend.

I don’t see a way you can avoid some additional calls to the Help Desk, but I think you can keep it under control. The bad thing to do in this case is nothing at all. Using WEP for security is better than nothing, but it only delays the inevitable situation in which someone breaks into your network. The key will be to find the highest level of security you can get while minimizing the number of configuration changes required on the wireless workstations and the money you have to spend on any additional software to get the security you’re setting up. Another suggestion: put the access points in separate virtual LANs and implement some type of intrusion detection to help identify when something is going on that shouldn’t be.
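The 802.1X-against-RADIUS setup described above, with the rotated broadcast key, the hidden SSID and accounting records that an intrusion detection system can consume, written up as an added hostapd access-point configuration (example config, not the column's own setup). The interface, SSID, RADIUS address and shared secret are placeholders; modern hostapd pairs 802.1X with WPA2 rather than dynamic WEP, so the per-session key here is a WPA2 pairwise key, and the static-WEP stanza is shown commented out only for contrast.

```ini
# Added example (not from the original column): hostapd.conf for an
# access point doing 802.1X / EAP-TLS against an external RADIUS server.
interface=wlan0
driver=nl80211
ssid=CORP-WIFI
hw_mode=g
channel=6

# Do not put the SSID in beacons; clients that know the name still
# get probe responses, so this is a nuisance for outsiders, not security.
ignore_broadcast_ssid=1

## --- Weak (kept commented out): one static WEP key for every client ---
## Whoever recovers the key joins the network; there is no user identity.
# wep_default_key=0
# wep_key0=0102030405

## --- Recommended: 802.1X with per-session keys -------------------------
# Each user is authenticated by EAP through the RADIUS server, which
# checks the directory service; client certificates come from your CA.
ieee8021x=1
# Placeholder RADIUS server address and secret; use a long random secret.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# Accounting records give the IDS / Help Desk a log of who joined when
# and which logons failed.
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# WPA2 with EAP key management: the unicast key is derived fresh for each
# authenticated session instead of being the same string on every laptop.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# Rotate the broadcast/multicast (group) key every 10 minutes, the
# equivalent of the column's periodically renegotiated broadcast key.
wpa_group_rekey=600
```

Validate with `hostapd -dd /path/to/hostapd.conf` on a test access point before rolling it out; the RADIUS server and client certificates must exist first or every association will fail at the EAP step.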