AO Spotlight: Wireless Security Overhaul

June 3, 2005


Wireless, wireless, wireless...

It seems the world is in a mad rush to flee their desks and join the happy, untethered masses. But before experiencing the indulgence of authoring a memo in a sun-filled spot of your office complex (sipping a refreshing drink, of course) there's some work to be done.

Naturally, you'll want to defend against the occasional wardriver, but the real threats you want to keep off your network are data thieves, information brokers and the less-than-ethical competition. To accomplish this, companies need to establish clear and definitive policies and procedures that take into account hundreds of users, dozens of APs and the impact of wireless access on the existing wired infrastructure.

No need to fret. You're not the first to be charged with a big Wi-Fi implementation, and you surely won't be the last.

This week, AO experts help a member draw up a plan of attack, providing some handy tips that bring security, stability and convenience to the fore, while keeping aggravation at a minimum.

Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.

This Week's Spotlight Thread:
Wireless Security Overhaul

The_Captain writes:

I have the feeling I am going to be asked to perform a major overhaul to the wireless security policy and practices of my company's network. You may, after reading this, find security to be completely an afterthought in my institution and I will readily agree with you.

Here's the overview:

38 WAN sites (hardwired, bandwidth is a commodity)
300+ Cisco 1100b and 1100G access points (all documented and locally manageable)
1000+ laptops (centrally managed)

(If you're wondering, no, my network is not all wireless. This is just the WLAN information.)

I have inherited a wireless network that is "secured" by merely disabling SSID broadcasts. I mentioned to one of the bosses today that it isn't even really a security policy and he told me he'd be calling me tomorrow to talk about changing that. Well, the way I look at it is it eventually needs to be done so I might as well be the one to do it...

XTC46 offers the following advice:

For this I would force authentication via username/password and make all sites authenticate from a central server (or multiple servers that replicate data). There are many ways to do this. It will basically give them a connection to the server that allows the authentication but they get nothing else until they authenticate.

This way, no matter what site they use, they can authenticate without using MAC filtering. But for this I would log the MAC address just for record-keeping's sake and so you can more easily trace problem computers from network to network.

I would definitely enable WPA if possible. But WEP might only be available to you. Make the key secure, but not so difficult that your help desk will get slammed when people need to get on.

Spyrus says:

I would start with 128-bit encryption and proceed from there. If you have the means, XTC46 is dead on with setting up a server for authentication purposes. I am a bit confused why the access points are going to be being moved around on the switch ports.

In my setup, about the same size as yours, we have the same WEP key set up on all the access points. We have SSID turned on; it makes it a tad bit easier for me when I do an audit to see if something popped up that doesn't belong. We have all our WAPs on a separate VLAN and all the wireless uses a different IP range than the rest of our network.

In your situation, as in mine, MAC filtering is ridiculous as there are too many computers for it to be effective; however, as mentioned, you should run a log that grabs the MACs, and if you are doing authentication, the computer name and login name.
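The MAC logging that XTC46 and Spyrus both recommend, sketched as an added example that is not part of the original thread: it indexes a central authentication log by client MAC so one machine can be traced from site to site. The log layout, field names, function names, sample rows and the "problem computer" rule (several logins tried, none accepted) are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a central authentication log (not real data).
# Assumed columns: time, site, access point, client MAC, login, computer, result.
SAMPLE_LOG = """\
2005-06-01T08:02:11,site01,ap-0101,02:00:5E:00:10:01,jsmith,LT-0417,accept
2005-06-01T08:05:40,site01,ap-0102,02-00-5e-00-10-02,mlee,LT-0388,accept
2005-06-01T13:20:05,site07,ap-0710,0200.5e00.1001,jsmith,LT-0417,accept
2005-06-02T09:11:54,site12,ap-1203,02:00:5E:00:10:03,mlee,LT-0990,reject
2005-06-02T09:12:30,site12,ap-1203,02:00:5E:00:10:03,kwong,LT-0990,reject
2005-06-02T09:13:02,site12,ap-1203,02:00:5E:00:10:03,jsmith,LT-0990,reject
"""
FIELDS = ["time", "site", "ap", "mac", "login", "computer", "result"]

def normalize_mac(raw):
    """Reduce colon, dash and dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_index(log_text):
    """Group log rows by normalized client MAC."""
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        row["mac"] = normalize_mac(row["mac"])
        index[row["mac"]].append(row)
    return index

def trace(index, mac):
    """Time-ordered (time, site, ap) sightings of one machine across sites."""
    rows = sorted(index.get(normalize_mac(mac), []), key=lambda r: r["time"])
    return [(r["time"], r["site"], r["ap"]) for r in rows]

def suspicious_macs(index, max_logins=2):
    """MACs never accepted that tried more than max_logins different logins."""
    flagged = {}
    for mac, rows in index.items():
        logins = {r["login"] for r in rows}
        if len(logins) > max_logins and all(r["result"] == "reject" for r in rows):
            flagged[mac] = sorted(logins)
    return flagged

if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    print(trace(idx, "02:00:5E:00:10:01"))
    print(suspicious_macs(idx))
```

Normalizing the MAC before indexing matters because access points, authentication servers and client tools do not all write the address in the same notation.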

What are your pointers for enterprise-class Wi-Fi overhauls and deployments? Discuss them here.
