Simple Steps to Increase the Security Posture of Your Wireless Network

By Bob Herrman, Lance Kurisaki and Anthony Van Damme

Basic Security Measures

With the growth of 802.11b wireless networks, organizations are beginning to realize the advantages of a mobile workforce. This new-found mobility increases employee efficiency. For instance, your sales staff can check product inventory during a customer meeting, or your software engineer can update the configuration of manufacturing systems while standing on the production line. Wireless networks have gained so much popularity that PC manufacturers are integrating wireless adapters into laptops next to the traditional Ethernet and modem adapters. As wireless networks extend the corporate infrastructure beyond the building's walls, technology groups are tasked with securing this new technology. The following paragraphs discuss security considerations and countermeasures to apply when deploying your wireless infrastructure, starting with basic measures and then the more robust ones a company should actually rely on.

Define a Unique Service Set Identifier

The Service Set Identifier (SSID) is the network name a wireless station uses to associate with an access point. When deploying your wireless infrastructure, select an SSID that is unique to your organization, but avoid one that identifies your organization or its physical location, since anyone who sees it would then know whose network it is. A unique SSID reduces the chance of unintentional associations between your access points and other people's stations and, more importantly, the chance that your own wireless stations unintentionally associate with an external access point that happens to use a common default name. Note that this is hygiene, not access control: the SSID is transmitted in the clear.

Disable Broadcast on the Access Point

Access points typically default to broadcasting the SSID in their beacon frames. Broadcasting the SSID lets wireless stations quickly identify and associate with available access points. While this allows your employees to connect easily, it also advertises your access points to anyone within radio range. Disabling SSID broadcast reduces the visibility of your wireless network to unauthorized users who do not already know the SSID. Be aware of the limit of this measure: the SSID still appears unencrypted in the probe and association frames exchanged whenever a legitimate station connects, so anyone capturing traffic from one of your users learns it. Beacon suppression hides the network only from casual scanning.

Enable Wired Equivalent Privacy (Encryption)

An unauthorized user with a wireless adapter can eavesdrop on the communication between a wireless station and an access point. In some cases that communication contains authentication information such as a username and password, which the eavesdropper can then use to gain access to your corporate resources. Wired Equivalent Privacy (WEP) encrypts communication between a wireless station and the access point using a shared, statically configured key (RC4 with a 40- or 104-bit key, combined with a 24-bit per-frame initialization vector). With WEP enabled, an unauthorized user cannot simply read your wireless traffic off the air without the shared key. The name is deliberately modest: WEP was meant to make the air no easier to tap than a wire, and because every station shares one static key and the 24-bit IV space is small, it raises the bar against casual eavesdropping rather than providing strong confidentiality (see Advanced Security Measures below).
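To make the "small IV space" point concrete, the following is an added example (not code from the original article): a minimal implementation of RC4 and the WEP frame construction described above (IV || key feeds RC4; the payload is followed by a CRC-32 integrity check value), used to show that two frames encrypted under the same IV share a keystream. An attacker who can guess the plaintext of one such frame (protocol headers are highly predictable) recovers the keystream and decrypts the other frame without ever learning the shared key. The key, IV and frame contents are constructed sample data; the reuse itself is realistic, since a 24-bit counter wraps after 16,777,216 frames and some adapters restart the IV at zero after a reset.

```python
"""WEP keystream reuse demonstration (added example, constructed data)."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_(IV||key)(plaintext || ICV). Key-ID byte omitted."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)   # WEP-40 / WEP-104
    body = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV, decrypt, verify ICV."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker: ciphertext XOR known plaintext (plus its ICV) = keystream."""
    known = known_plaintext + _icv(known_plaintext)
    return bytes(a ^ b for a, b in zip(frame[3:], known))


def decrypt_with_reused_iv(target_frame: bytes, keystream: bytes) -> bytes:
    """Attacker: decrypt another frame sent under the same IV, no key needed."""
    body = target_frame[3:]
    n = min(len(body), len(keystream))
    data = bytes(a ^ b for a, b in zip(body[:n], keystream[:n]))
    # If the whole body was covered, drop the trailing 4-byte ICV.
    return data[:-4] if n == len(body) else data


def demo() -> bytes:
    """Two frames under one IV: known-plaintext frame unlocks the secret one."""
    shared_key = b"\x01\x02\x03\x04\x05"      # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # same IV on both frames
    # Frame 1: LLC/SNAP header for ARP plus predictable padding (constructed).
    known = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"ARP-REQUEST-PADDING"
    frame1 = wep_encrypt(shared_key, iv, known)
    # Frame 2: the traffic the attacker actually wants (constructed).
    secret = b"user=bob&pass=hunter2"
    frame2 = wep_encrypt(shared_key, iv, secret)
    # Attacker side: never touches shared_key.
    keystream = recover_keystream(frame1, known)
    return decrypt_with_reused_iv(frame2, keystream)


if __name__ == "__main__":
    print(demo())
```

The attack needs nothing beyond passive capture and one guessable frame per reused IV; collecting enough IV collisions on a busy access point is a matter of hours. This is only one of WEP's weaknesses (the key-scheduling attacks that recover the key itself are the ones the "crack WEP" tools use), but it already shows why a static shared key on a broadcast medium cannot be the only protection.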

Locking Down the MAC Address

Each wireless adapter carries a unique identifier assigned by the card's manufacturer, its Media Access Control (MAC) address. Wireless access points can restrict associations to a predetermined list of MAC addresses. Defining a list of authorized MAC addresses on your access points reduces the chance of unauthorized users associating with your wireless resources. Keep in mind that the MAC address is sent in the clear in every frame and that most adapters let the operating system override it, so an attacker who has captured traffic from a legitimate station can present that station's address.

Advanced Security Measures

While the basic measures above improve the security of a wireless network and are adequate for home deployments, well-known techniques and freely available tools will easily determine a hidden SSID, crack WEP encryption and spoof an authorized MAC address.

To properly protect your company, a more sophisticated approach is required.

Implement a Wireless Demilitarized Zone

Treat wireless stations the same way you treat remote Internet users. Establish a wireless demilitarized zone (WDMZ) that segregates your wireless access points from the rest of your infrastructure. Place a firewall between the WDMZ and your infrastructure that restricts wireless users to authorized systems, requires users to authenticate before granting access, and terminates Virtual Private Network (VPN) tunnels. On the wireless stations, configure a VPN client that encrypts all communication to corporate resources, verifies the identity of the WDMZ firewall (the VPN gateway) before sending a username and password so that credentials are never handed to a rogue access point or gateway, and protects the station from attacks launched across the wireless segment (for instance by dropping inbound traffic on the wireless interface that is not part of the tunnel).
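As an added example of the WDMZ firewall policy described above (a configuration written for this article's design, not a configuration from the original authors), the following iptables rules, in iptables-save format, implement the three requirements on a Linux firewall that also terminates IPsec tunnels. Interface names, addresses and the two "authorized systems" are assumptions: wlan0 is the WDMZ segment (192.168.100.0/24, firewall at 192.168.100.1), eth1 is the internal network (10.0.0.0/8), and authenticated VPN clients receive inner addresses from 10.10.0.0/24.

```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the firewall itself initiated or already accepted.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# From the WDMZ, stations may reach the firewall only for DHCP and IPsec
# (IKE on UDP/500, ESP). Everything else from the wireless side is dropped,
# so an unauthenticated station cannot even probe the gateway.
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -d 192.168.100.1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i wlan0 -d 192.168.100.1 -p esp -j ACCEPT
-A INPUT -i wlan0 -j DROP
# Forwarding: only packets that arrived inside an ESP tunnel (i.e. from a
# client that completed VPN authentication) may cross into the infrastructure,
# and only to the authorized systems. The policy match is what makes this
# safe; matching on the 10.10.0.0/24 source alone could be spoofed in
# cleartext from the WDMZ.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -m policy --dir in --pol ipsec --proto esp -s 10.10.0.0/24 -d 10.1.2.10 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -m policy --dir in --pol ipsec --proto esp -s 10.10.0.0/24 -d 10.1.2.20 -p tcp -m tcp --dport 22 -j ACCEPT
# Return traffic is only allowed back out if it will be encrypted.
-A FORWARD -i eth1 -o wlan0 -m policy --dir out --pol ipsec --proto esp -d 10.10.0.0/24 -j ACCEPT
# Anything else originating in the WDMZ is dropped: wireless users see
# exactly the authorized systems, through the tunnel, and nothing more.
-A FORWARD -i wlan0 -j DROP
COMMIT
```

Load it with `iptables-restore`. User authentication happens inside IKE (certificates or a pre-shared key plus XAUTH, depending on the VPN software), so a station that has not authenticated never produces packets that match the ESP policy rules and is confined to the WDMZ. If clients may sit behind address translation, also accept UDP/4500 for NAT traversal.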