Earlier, I argued that wireless adoption in the enterprise is, for the most part, a bad idea. I was pleased to get several interesting comments on my post, with a bunch of good critiques. In particular, "edyahoo" raised the point that it is far easier to complain about problems than to present constructive help for people living with the technology. So, thanks to edyahoo for that, and here's a list of my recommendations for using WiFi -- not WiMax, a very different system, thanks to GrendelsTeeth for clarifying that -- in a home or business environment.

1. Change the admin password on your access points to something you wouldn't be ashamed to have printed in an article on Dark Reading. Seriously. This goes for all devices, but if I don't have to be physically connected to start poking and prodding, it is even more important. If your device supports a centralized authentication system, that's great, but still change the local password.
2. Set up your access points (all of them) with a non-default SSID that doesn't broadcast itself, and turn off administrative access from the wireless side. Most access points are Web servers, and even though they are password-protected, Web servers have been known to have a few exploitable vulnerabilities.
3. Use WPA, or better yet, WPA2, to encrypt all your wireless links. WEP stands for wired equivalent privacy, and provides nothing close to that. A switched Ethernet has far more privacy than a WEP-enabled network. Remember that the signal is broadcast, and anybody in range can start trying to crack your keys without you ever knowing. WEP has serious flaws, WPA is significantly better than WEP, and WPA2 is the best of the bunch. If you are using preshared keys, your security is still no better than the key, but at least the protocol isn't making things easier for your opponents.
4. Choose good keys if you are presharing them, and develop a system for changing them periodically. Keys are like passwords, and should be treated as such and changed every few months, if you can do it.
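Items 3 and 4 come down to one fact: with WPA/WPA2-PSK the only secret is the passphrase, because the pairwise master key is derived deterministically from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, as specified in IEEE 802.11i). The following is an added example, not code from the original post, that generates a random preshared key of known entropy, reproduces that derivation against the published "password"/"IEEE" test vector, and checks a key's age against a rotation policy. The alphabet, the 24-character default length and the 90-day rotation window are my assumptions, not the author's.

```python
import hashlib
import math
import secrets
import string
from datetime import date, timedelta

# Characters used when generating a random passphrase (assumed alphabet; WPA/WPA2
# passphrases may be any 8 to 63 printable-ASCII characters).
PSK_ALPHABET = string.ascii_letters + string.digits + "-_.:+=!%@#"
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63


def generate_psk(length: int = 24) -> str:
    """Return a random WPA/WPA2 preshared passphrase drawn from PSK_ALPHABET."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def random_psk_entropy_bits(length: int, alphabet: str = PSK_ALPHABET) -> float:
    """Entropy of a passphrase of `length` characters drawn uniformly from `alphabet`.
    Only meaningful for passphrases produced by generate_psk, not human-chosen ones."""
    return length * math.log2(len(alphabet))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    Two networks with the same passphrase and SSID share the same PMK."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    )


def rotation_due(last_changed_iso: str, today_iso: str, max_age_days: int = 90) -> bool:
    """True when the preshared key is older than the rotation policy allows.
    Dates are ISO strings (YYYY-MM-DD); the 90-day window is an assumed policy."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    psk = generate_psk()
    print(f"new PSK: {psk}  (~{random_psk_entropy_bits(len(psk)):.0f} bits of entropy)")
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK for test vector:", derive_pmk("password", "IEEE").hex())
    print("rotation due:", rotation_due("2024-01-15", "2024-06-01"))
```

A 24-character passphrase from this 72-symbol alphabet carries about 148 bits of entropy, well past the 128-bit point where guessing is hopeless; the derivation function is included only to make the point that nothing else in the PSK scheme adds secrecy, so the passphrase and its rotation schedule are the whole game.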
5. Check out your signal's coverage, and the availability of other signals, using a tool like Network Stumbler. This is great for figuring out where you don't have coverage, and even better for figuring out where you do and don't really want it. You can also use a GPS to help make a map of your signal. Now you know where the bad guys are most likely to be able to get at you.
6. Using the map you made, start looking into how you can adjust your antennas to provide better coverage where you want it -- and less where you don't. Adjusting signal strength on access points can help, but remember that your antennas are likely sending the signal out at a right angle to the direction the antenna is pointing. That means that if you need a signal to go up or down very far, you need to point an antenna horizontally. Likewise, adjusting antenna angles can help you eliminate areas that are undesirably hot.
7. In extreme cases, think about shielding walls, ceilings, or floors that are causing problems that can't be addressed in other ways.
8. Establish a clear policy regarding the installation of access points, and make sure that it isn't violated by periodically updating your map of access. Repeaters are cheap and small, and you don't want any you didn't authorize. On the other hand, confiscating and selling rogue access points and repeaters can provide you with a little extra income that can help finance your ongoing efforts to keep the WiFi monster under control.
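Items 5 and 8 both rely on comparing what is actually on the air against what you authorized. As an added example (not part of the original post), here is a small audit that takes a site survey export, compares each observed access point with an inventory of authorized BSSIDs and the SSID each may advertise, and classifies the result. The export format (`bssid,ssid,channel,signal_dbm` lines), the inventory and the scan data are all constructed for this example; a real survey tool such as the Network Stumbler mentioned above would be the source of the observations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str          # empty string when the SSID is not broadcast
    channel: int
    signal_dbm: int


# Assumed inventory: authorized BSSID -> the SSID it is permitted to advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP-NET",
    "00:11:22:33:44:02": "CORP-NET",
    "00:11:22:33:44:03": "CORP-NET",
}

# Constructed survey export, one access point per line.
SAMPLE_SCAN = """\
# bssid,ssid,channel,signal_dbm  (constructed sample data)
00:11:22:33:44:01,CORP-NET,6,-48
00:11:22:33:44:02,CORP-NET,11,-61
00:11:22:33:44:03,CORP-NET-OLD,1,-55
DE:AD:BE:EF:00:01,CORP-NET,6,-40
aa:bb:cc:dd:ee:01,Neighbour-Guest,1,-80
aa:bb:cc:dd:ee:02,,11,-72
"""


def parse_scan(text: str) -> list:
    """Parse 'bssid,ssid,channel,signal_dbm' lines; blank lines and '#' comments are skipped."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, signal = (field.strip() for field in line.split(","))
        observations.append(Observation(bssid.lower(), ssid, int(channel), int(signal)))
    return observations


def classify(observations: list, authorized: dict = AUTHORIZED) -> list:
    """Return (verdict, observation) pairs. Verdicts:
    OK                 authorized AP advertising its assigned SSID
    MISCONFIGURED      authorized AP advertising some other SSID
    ROGUE_CLONED_SSID  unknown AP advertising one of our SSIDs (rogue or impersonation)
    UNMANAGED          unknown AP with a foreign or hidden SSID (neighbour, or an
                       unauthorized repeater that needs a walk-over to confirm)"""
    managed_ssids = set(authorized.values())
    findings = []
    for obs in observations:
        expected = authorized.get(obs.bssid)
        if expected is None:
            verdict = "ROGUE_CLONED_SSID" if obs.ssid in managed_ssids else "UNMANAGED"
        elif obs.ssid != expected:
            verdict = "MISCONFIGURED"
        else:
            verdict = "OK"
        findings.append((verdict, obs))
    return findings


def audit(text: str = SAMPLE_SCAN, authorized: dict = AUTHORIZED) -> dict:
    """Group BSSIDs by verdict so the result can be diffed against the last survey."""
    grouped = {}
    for verdict, obs in classify(parse_scan(text), authorized):
        grouped.setdefault(verdict, []).append(obs.bssid)
    return grouped


if __name__ == "__main__":
    for verdict, bssids in sorted(audit().items()):
        print(f"{verdict:18} {', '.join(bssids)}")
```

Keeping the previous survey's output and diffing it against the current one is the "periodically updating your map" step from item 8: a new `UNMANAGED` entry with a strong signal inside your walls is the cheap repeater the text warns about, and a `ROGUE_CLONED_SSID` entry deserves attention the same day.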
9. Ensure that the wireless network is on its own subnet. This way you'll at least be able to tell if something bad is coming in from the wired or wireless link.
10. Firewall the wireless network, and provide it only with access to strictly necessary resources. Think about using a VPN for access to resources that are sensitive but still need to be available over wireless.
11. Put in place the same restrictions for wireless that you have for home users connecting over a VPN. (You do have restrictions for home users - or at least really strong authentication, right?)
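Items 9 through 11 describe one design: the wireless network is its own subnet, a default-deny firewall sits between it and everything else, and only a few services (a resolver, the VPN gateway, outbound web) are reachable directly. As an added example that is not from the original post, the following models that policy as an ordered rule list evaluated first-match-wins, the way most firewall rule sets are read, so that you can check a proposed rule set against concrete flows before typing it into the firewall. All addresses, networks and ports are assumed for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing: wireless clients get their own subnet, disjoint from the wired LAN.
WIRELESS_NET = ip_network("10.20.0.0/24")
WIRED_NET = ip_network("10.10.0.0/16")

# Ordered policy for traffic that originates on the wireless subnet; first match wins,
# and anything that matches nothing is dropped. Protocol "any" and port 0 are wildcards.
RULES = [
    ("allow", ip_network("10.10.1.53/32"), "udp", 53,   "internal DNS resolver"),
    ("allow", ip_network("10.10.1.1/32"),  "udp", 1194, "VPN gateway (assumed port)"),
    ("deny",  WIRED_NET,                   "any", 0,    "nothing else on the wired LAN"),
    ("deny",  WIRELESS_NET,                "any", 0,    "no client-to-client traffic"),
    ("allow", ip_network("0.0.0.0/0"),     "tcp", 443,  "outbound HTTPS"),
    ("allow", ip_network("0.0.0.0/0"),     "tcp", 80,   "outbound HTTP"),
]


def segmented(net_a, net_b) -> bool:
    """True when the two subnets do not overlap (item 9)."""
    return not net_a.overlaps(net_b)


def evaluate(src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (allowed, reason) for a wireless-originated flow under RULES."""
    source, dest = ip_address(src), ip_address(dst)
    if source not in WIRELESS_NET:
        raise ValueError(f"{src} is not on the wireless subnet; this policy does not apply")
    for action, dst_net, rule_proto, rule_port, label in RULES:
        if dest not in dst_net:
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port != 0 and rule_port != port:
            continue
        return action == "allow", label
    return False, "default deny"


def flow_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    return evaluate(src, dst, proto, port)[0]


if __name__ == "__main__":
    print("subnets disjoint:", segmented(WIRELESS_NET, WIRED_NET))
    for flow in [
        ("10.20.0.15", "10.10.1.53", "udp", 53),      # DNS
        ("10.20.0.15", "10.10.1.1", "udp", 1194),     # VPN
        ("10.20.0.15", "10.10.5.20", "tcp", 445),     # wired file server
        ("10.20.0.15", "10.10.5.20", "tcp", 443),     # wired web app, still denied
        ("10.20.0.15", "10.20.0.16", "tcp", 22),      # another wireless client
        ("10.20.0.15", "93.184.216.34", "tcp", 443),  # internet HTTPS
    ]:
        allowed, reason = evaluate(*flow)
        print(f"{flow[1]:>14}:{flow[3]:<5} {'allow' if allowed else 'deny ':5} ({reason})")
```

The ordering is the point: the wired-LAN deny sits before the broad outbound-HTTPS allow, so a web application on the wired side is not reachable just because port 443 happens to be open to the internet, and the only way to it from wireless is through the VPN gateway, which is where item 11's home-user restrictions then apply.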
Finally, remember that you don't necessarily need all these things for every network. As DragonCoding pointed out, a warehouse and a boardroom are very different animals, yet both are enterprise systems.
As usual, feel free to complain about any of the items on my list.
- Nathan Spande has implemented security in medical systems during the dotcom boom and bust and suffered through federal government security implementations. Special to Dark Reading