Protecting 802.11b Wireless Networks

[DVNT1]

Over a year old, but still a good start for learning how to secure your home wireless network:

Quote:

Keeping your wireless network safe

Enable WEP. Yes, WEP isn't secure as by now virtually everyone knows, but at least it's a first barrier. And best of all, it's free. Nearly all Wi-Fi certified product ships with basic encryption capabilities. (40-bit key WEP). It's just disabled. As we discovered from our war driving, in excess of 50% of our data sample wasn't even using WEP. It's an invitation for someone to pay you a visit anytime. Granted, we did log some number of wireless access points that didn't use WEP because they were either public access networks, or access points in Starbuck's coffee shops. But even if you back those access points out of our data sample, non-WEP access points still comprised over 50% of our sample.


Change the default SSID of your product. We were surprised how many access points/wireless routers we found that had the manufacturer's default SSID. We figured, correctly, that if it still had the manufacturer's default SSID, that the owner probably hadn't bothered to change the default password, either.


Don't change the SSID to reflect your company's main names, divisions, or products. It just makes you too easy to target. If your naming is enticing enough, it may attract hackers who are willing to put in the additional effort with tools like AirSnort to break your WEP encryption keys.


Don't change the SSID to your street address. Surprisingly, we found a number of SSIDs that used the company's street address. It sure does make it easier to zero in on your location if you broadcast it.


If your access point supports it, disable "broadcast SSID". As you take your access point out of the box, broadcast SSID is enabled which means that it will accept any SSID. By disabling that feature, the SSID configured in the client must match the SSID of the access point.


Change the default password on your access point or wireless router. Any hacker worth his salt knows the manufacturers' default passwords, and will try them first. Since programs like NetStumbler identify the manufacturer based on the MAC address, it doesn't take much work to figure out what type of device it is even if you do change the SSID.


As you do your site survey for access point deployment, think about locating the access points toward the center of your building rather than near the windows. Plan your coverage to radiate out to the windows, but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside your building making it easier for people to find you.


As a network administrator, you should periodically survey your site using a tool like NetStumbler to see if any "rogue" access points pop up. With the declining pricing of access points, it's not hard to imagine that a department might run out to Best Buy, buy a couple of NICs and an AP, and plug it into your corporate network. All of your hard work to "harden" your wireless network could be wasted if a rogue AP were plugged into you network behind your firewall.


Take a notebook equipped with NetStumbler and an external antenna outside your office building and survey what someone parked in your parking lot might "see". You'll be surprised how far the signal radiates. You might only associate at 1-2 Mbps, but it's still a security breach.


Many access points allow you to control access based on the MAC address of the NIC attempting to associate with it. If the MAC address of your NIC isn't in the table of the access point, you won't associate with it. And while it's true that there are ways of spoofing a MAC address that's been sniffed out of the air, it takes an additional level of sophistication to spoof a MAC address. The downside of deploying MAC address tables is that if you have a lot of access points, maintaining the tables in each access point could be time consuming. Some higher-end, enterprise-level access points have mechanisms for updating these tables across multiple access points of the same brand.


Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses.


If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off DHCP. It's true that it's more of an administrative overhead to manage, but we found a number of wireless networks that passed out IP addresses to us once we associated with the AP. Although a wireless sniffer could easily pick out IP addresses, by not passing them out, it just adds another barrier. It makes it tougher for the casual "drive by" to use your network.


If you're using a wireless router and have decided to turn off DHCP, also consider changing the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router. We discovered one network that didn't give us an IP address, but we assumed that they were using the defaults. We were right. We configured our notebook with an IP address in the 192.168.1.0 network using 192.168.1.1 as the router address, and we had access to the Internet through their network.


Don't buy access points or NICs that only support 64-bit WEP. Some low-end products only support 64-bit (40 bit key) WEP, and as you know by now, even 128-bit WEP is universally considered not very secure. Note that some NICs may only require a driver upgrade to attain 128-bit WEP capability.


Only purchase access points that have flashable firmware. There are a number of security enhancements that are being developed, and you want to be sure that you can upgrade your access point.


Some products support additional security features that are either not defined by the 802.11b standard, or not mandated by the standard. For example Agere Systems' Orinoco access points include a feature called "closed network". This is proprietary, and not part of the 802.11b standard, but if you're in a corporation and deploying one vendor's solution throughout, it really wouldn't matter. With Orinoco's closed network, the AP doesn't broadcast the SSID, so someone using NetStumbler won't see it. The client workstation must be configured with a matching SSID to associate with the AP. The default "ANY" configuration wouldn't associate with a closed network.


Most people agree that the best method of securing your wireless network is by using a combination of the suggestions above. However, the most effective strategy would be to put your wireless access points into a DMZ, and have your wireless users tunnel into your network using a VPN. (See PC Magazine's VPN story titled "Safe Passage".) If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be an extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.

from http://www.extremetech.com/article2/0,3973,11388,00.asp

excellent post DVNT1! this has been asked plenty of times.
good info since wireless is so vunerable!

Jason