11 Steps to Safe WiFi

Earlier, I argued that wireless adoption in the enterprise is, for the most part, a bad idea. I was pleased to get several interesting comments on my post, with a bunch of good critiques. In particular, "edyahoo" raised the point that it is far easier to complain about problems than to present constructive help for people living with the technology. So, thanks to edyahoo for that, and here's a list of my recommendations for using WiFi -- not WiMax, a very different system, thanks to GrendelsTeeth for clarifying that -- in a home or business environment.

1. Change the admin password on your access points to something you wouldn't be ashamed to have printed in an article on Dark Reading. Seriously. This goes for all devices, but if I don't have to be physically connected to start poking and prodding, it is even more important. If your device supports a centralized authentication system, that's great, but still change the local password.

2. Set up your access points (all of them) with a non-default SSID that doesn't broadcast itself, and turn off administrative access from the wireless side. Most access points are Web servers, and even though they are password-protected, Web servers have been known to have a few exploitable vulnerabilities.

3. Use WPA, or better yet, WPA2, to encrypt all your wireless links. WEP stands for wired equivalent privacy, and provides nothing close to that. A switched Ethernet has far more privacy than a WEP-enabled network. Remember that the signal is broadcast, and anybody in range can start trying to crack your keys without you ever knowing. WEP has serious flaws, WPA is significantly better than WEP, and WPA2 is the best of the bunch. If you are using preshared keys, your security is still no better than the key, but at least the protocol isn't making things easier for your opponents.

4. Choose good keys if you are presharing them, and develop a system for changing them periodically. Keys are like passwords, and should be treated as such and changed every few months, if you can do it.

5. Check out your signal's coverage, and the availability of other signals, using a tool like Network Stumbler. This is great for figuring out where you don't have coverage, and even better for figuring out where you do and don't really want it. You can also use a GPS to help make a map of your signal. Now you know where the bad guys are most likely to be able to get at you.

6. Using the map you made, start looking into how you can adjust your antennas to provide better coverage where you want it -- and less where you don't. Adjusting signal strength on access points can help, but remember that your antennas are likely sending the signal out at a right angle to the direction the antenna is pointing. That means that if you need a signal to go up or down very far, you need to point an antenna horizontally. Likewise, adjusting antenna angles can help you eliminate areas that are undesirably hot.

7. In extreme cases, think about shielding walls, ceilings, or floors that are causing problems that can't be addressed in other ways.

8. Establish a clear policy regarding the installation of access points, and make sure that it isn't violated by periodically updating your map of access. Repeaters are cheap and small, and you don't want any you didn't authorize. On the other hand, confiscating and selling rogue access points and repeaters can provide you with a little extra income that can help finance your ongoing efforts to keep the WiFi monster under control.

9. Ensure that the wireless network is on its own subnet. This way you'll at least be able to tell if something bad is coming in from the wired or wireless link.

10. Firewall the wireless network, and provide it only with access to strictly necessary resources. Think about using a VPN for access to resources that are sensitive but still need to be available over wireless.

11. Put in place the same restrictions for wireless that you have for home users connecting over a VPN. (You do have restrictions for home users - or at least really strong authentication, right?)
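Steps 3, 5 and 8 together describe a recurring audit: survey what is on the air, compare it against the access points you actually authorized, and flag anything running weaker than WPA2. The script below is an added example, not from the original post; the CSV scan export, the BSSIDs, SSIDs and the authorized inventory are all constructed placeholder values.

```python
import csv
import io

# Constructed sample survey export (BSSID, SSID, security) standing in for a
# stumbler-style scan; values are placeholders, not real networks.
SCAN_CSV = """bssid,ssid,security
00:11:22:33:44:01,corp-floor1,WPA2
00:11:22:33:44:02,,WPA2
00:11:22:33:44:03,linksys,WEP
aa:bb:cc:dd:ee:01,corp-floor1,WPA2
aa:bb:cc:dd:ee:02,guest,OPEN
"""

# Constructed authorized-AP inventory keyed by BSSID (hypothetical values).
# The second AP has a hidden SSID, so it shows up blank in scan results.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-floor1",
    "00:11:22:33:44:02": "corp-floor2",
    "00:11:22:33:44:09": "corp-warehouse",
}

# Anything below WPA2 is treated as weak, per step 3.
WEAK = {"OPEN", "WEP", "WPA"}


def parse_scan(text):
    """Parse scan rows into dicts with normalised BSSID and security label."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "security": row["security"].strip().upper(),
        })
    return rows


def audit(scan_rows, authorized):
    """Return (bssid, finding) pairs: rogue APs, SSID impersonation,
    weak encryption, and authorized APs missing from the survey."""
    findings = []
    for ap in scan_rows:
        if ap["bssid"] not in authorized:
            kind = "rogue"
            # A rogue AP reusing one of our SSIDs deserves a louder flag.
            if ap["ssid"] and ap["ssid"] in authorized.values():
                kind = "rogue-impersonating"
            findings.append((ap["bssid"], kind))
        if ap["security"] in WEAK:
            findings.append((ap["bssid"], "weak-" + ap["security"].lower()))
    seen = {ap["bssid"] for ap in scan_rows}
    for bssid in sorted(set(authorized) - seen):
        findings.append((bssid, "not-seen"))  # coverage map needs updating
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(parse_scan(SCAN_CSV), AUTHORIZED):
        print(bssid, finding)
```

Feeding it a fresh export each time you update the coverage map turns step 8's "make sure it isn't violated" into a repeatable check rather than a one-off walk-around.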

Finally, remember that you don't necessarily need all these things for every network. As DragonCoding pointed out, a warehouse and a boardroom are very different animals, yet both are enterprise systems.

As usual, feel free to complain about any of the items on my list.

- Nathan Spande has implemented security in medical systems during the dotcom boom and bust and suffered through federal government security implementations. Special to Dark Reading
