Perimeter

10/26/2008
10:48 AM
Commentary

11 Steps to Safe WiFi

Earlier, I argued that wireless adoption in the enterprise is, for the most part, a bad idea. I was pleased to get several interesting comments on my post, with a bunch of good critiques. In particular, "edyahoo" raised the point that it is far easier to complain about problems than to present constructive help for people living with the technology. So, thanks to edyahoo for that, and here's a list of my recommendations for using WiFi -- not WiMax, a very different system, thanks to GrendelsTeeth for clarifying that -- in a home or business environment.

1. Change the admin password on your access points to something you wouldn't be ashamed to have printed in an article on Dark Reading. Seriously. This goes for all devices, but if I don't have to be physically connected to start poking and prodding, it is even more important. If your device supports a centralized authentication system, that's great, but still change the local password.

2. Set up your access points (all of them) with a non-default SSID that doesn't broadcast itself, and turn off administrative access from the wireless side. Most access points are Web servers, and even though they are password-protected, Web servers have been known to have a few exploitable vulnerabilities.

3. Use WPA, or better yet, WPA2, to encrypt all your wireless links. WEP stands for Wired Equivalent Privacy, and it provides nothing close to that: a switched Ethernet has far more privacy than a WEP-enabled network. Remember that the signal is broadcast, and anybody in range can start trying to crack your keys without you ever knowing. WEP has serious flaws, WPA is significantly better than WEP, and WPA2 is the best of the bunch. If you are using preshared keys, your security is still no better than the key, but at least the protocol isn't making things easier for your opponents.

4. Choose good keys if you are presharing them, and develop a system for changing them periodically. Keys are like passwords, and should be treated as such and changed every few months, if you can do it.

5. Check out your signal's coverage, and the availability of other signals, using a tool like Network Stumbler. This is great for figuring out where you don't have coverage, and even better for figuring out where you do and don't really want it. You can also use a GPS to help make a map of your signal. Now you know where the bad guys are most likely to be able to get at you.

6. Using the map you made, start looking into how you can adjust your antennas to provide better coverage where you want it -- and less where you don't. Adjusting signal strength on access points can help, but remember that your antennas are likely sending the signal out at a right angle to the direction the antenna is pointing. That means that if you need a signal to go up or down very far, you need to point an antenna horizontally. Likewise, adjusting antenna angles can help you eliminate areas that are undesirably hot.

7. In extreme cases, think about shielding walls, ceilings, or floors that are causing problems that can't be addressed in other ways.

8. Establish a clear policy regarding the installation of access points, and make sure that it isn't violated by periodically updating your map of access. Repeaters are cheap and small, and you don't want any you didn't authorize. On the other hand, confiscating and selling rogue access points and repeaters can provide you with a little extra income that can help finance your ongoing efforts to keep the WiFi monster under control.

9. Ensure that the wireless network is on its own subnet. This way you'll at least be able to tell if something bad is coming in from the wired or wireless link.

10. Firewall the wireless network, and provide it only with access to strictly necessary resources. Think about using a VPN for access to resources that are sensitive but still need to be available over wireless.

11. Put in place the same restrictions for wireless that you have for home users connecting over a VPN. (You do have restrictions for home users - or at least really strong authentication, right?)
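Steps 2, 3 and 8 boil down to one recurring check: walk the floor with a survey tool, then compare what is on the air against what you installed. The following audit is an added example, not code from the original article; the inventory and survey rows are constructed to look like a Network Stumbler-style export (SSID, BSSID, channel, encryption) so it runs offline, and it flags rogue or impersonating access points, vendor default SSIDs, and links still on WEP or with no encryption.

```python
"""Audit a wireless site survey against an authorized-AP inventory.

Added example, not code from the original article.  The inventory and survey
rows below are constructed (Network Stumbler-style: SSID, BSSID, channel,
encryption) so the audit runs offline; it flags what steps 2, 3 and 8 ask for.
"""

# Constructed inventory: BSSID (AP MAC) -> SSID for the APs we installed.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-east",
    "00:11:22:33:44:02": "corp-west",
}

# Vendor default SSIDs that should never appear on our floor plan (step 2).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}

# Constructed survey export: (ssid, bssid, channel, encryption).
SURVEY = [
    ("corp-east", "00:11:22:33:44:01", 1, "WPA2"),
    ("corp-west", "00:11:22:33:44:02", 6, "WPA"),
    ("linksys", "00:AA:BB:CC:DD:01", 6, "WEP"),      # rogue, default SSID, WEP
    ("corp-east", "00:aa:bb:cc:dd:02", 11, "WPA2"),  # unknown AP using our SSID
    ("", "00:11:22:33:44:03", 11, "OPEN"),           # unauthorized open AP
]

WEAK = {"WEP", "OPEN", "NONE", ""}   # step 3: nothing below WPA is acceptable

def audit(survey, authorized=AUTHORIZED, default_ssids=DEFAULT_SSIDS):
    """Return (bssid, ssid, issue) tuples, one per policy violation seen."""
    our_ssids = set(authorized.values())
    findings = []
    for ssid, bssid, _channel, enc in survey:
        bssid = bssid.lower()          # vendors export MACs in mixed case
        if bssid not in authorized:
            what = "impersonates our SSID" if ssid in our_ssids else "not in inventory"
            findings.append((bssid, ssid, f"unauthorized AP ({what})"))
        elif ssid != authorized[bssid]:
            findings.append((bssid, ssid, f"authorized AP, expected SSID {authorized[bssid]!r}"))
        if ssid.lower() in default_ssids:
            findings.append((bssid, ssid, "vendor default SSID"))
        if enc.upper() in WEAK:
            findings.append((bssid, ssid, f"weak or missing encryption ({enc or 'none'})"))
        elif enc.upper() == "WPA":
            findings.append((bssid, ssid, "WPA in use; move to WPA2"))
    return findings

if __name__ == "__main__":
    for bssid, ssid, issue in audit(SURVEY):
        print(f"{bssid}  {ssid or '<hidden>':<12} {issue}")
```

Each unauthorized BSSID in the output is something to locate physically with the coverage map from steps 5 and 6; an authorized AP reported with a wrong SSID or with WEP is a configuration that has drifted from policy.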

Finally, remember that you don't necessarily need all these things for every network. As DragonCoding pointed out, a warehouse and a boardroom are very different animals, yet both are enterprise systems.

As usual, feel free to complain about any of the items on my list.

- Nathan Spande has implemented security in medical systems during the dotcom boom and bust and suffered through federal government security implementations. Special to Dark Reading
