The Real Deal on Wireless
Sure, WLANs are scary. But since you're stuck with them, you might as well try to secure them.
BY Fred Avolio
You've heard about the problems with wireless networks (WLANs). You've read about how the main security protocol--Wired Equivalent Privacy (WEP)--is flawed. You know that the best thing is never allowing WLANs on your network.
But WLANs remain tempting. For less than $200, you get to carry your computer around the building while remaining connected to the network or the Internet. Security always loses to cool, desirable technology. Given these realities, there are some practical measures to take to permit wireless usage while providing "better than nothing" security. Some of us might even achieve "good enough" security.
When deploying a WLAN, the first thing you should do is identify probable threats. Who is most likely to attack your enterprise? If you have a proper security policy, you've already accomplished this. If you're concerned about attacks from business competitors looking for trade secrets, or agents of foreign governments looking for defense secrets, consider your task completed: There is no way you should allow WLANs.
If you don't fall into either of these two categories, add a "WLAN Acceptable Use Policy" to your security policy, allowing wireless usage only under certain conditions.
These may include:
Finally, you need to verify these security measures. Plug in a wireless card and use the utility that came with it to search for APs. Or use products such as AirMagnet on a PocketPC, Network Associates' Sniffer Wireless, NetStumbler or WildPackets' AiroPeek to locate and catalog APs on your network.
Yes, wireless networks are difficult to secure. They're also very enticing to the end user. Since you probably can't prevent them from appearing on your network, take control of them, imposing the best possible service while protecting the network. Put the APs outside the firewall; allow only "VPN'd" packets through. Secure the APs as best you can: disable broadcast probe responses, change default values, give the APs non-descriptive names, and only talk to registered MAC addresses. And make sure that as the security options for WLAN improve, you upgrade.
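One way to turn the AP catalog and the hardening list above into a repeatable check, as an added example that is not part of the original column: the script compares a survey export against an inventory of approved APs. The CSV columns, the inventory, the policy word list and all addresses are constructed assumptions; real survey tools export in their own formats.

```python
import csv
import io

# Constructed inventory of approved APs (BSSID -> expected SSID); values are made up.
AUTHORIZED = {
    "00:11:22:33:44:01": "net-7f3a",
    "00:11:22:33:44:02": "net-7f3a",
}
# Commonly cited factory-default SSIDs.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}
# Words that would tie an SSID to the organization or a location (assumed policy list).
DESCRIPTIVE_WORDS = ("acme", "finance", "floor")

# Constructed survey export; the column layout is an assumption for this example.
SAMPLE_SURVEY = """bssid,ssid,answers_broadcast_probe
00:11:22:33:44:01,net-7f3a,no
00:11:22:33:44:02,net-7f3a,yes
00:AA:BB:CC:DD:10,linksys,yes
00:AA:BB:CC:DD:11,AcmeFinance,yes
"""

def audit_survey(survey_csv):
    """Return {bssid: [findings]} for every surveyed AP with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        issues = []
        if bssid not in AUTHORIZED:
            issues.append("unregistered AP")
        elif AUTHORIZED[bssid] != ssid:
            issues.append("SSID differs from inventory")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("factory-default SSID")
        if any(word in ssid.lower() for word in DESCRIPTIVE_WORDS):
            issues.append("descriptive SSID")
        if row["answers_broadcast_probe"].strip().lower() == "yes":
            issues.append("answers broadcast probes")
        if issues:
            findings[bssid] = issues
    return findings

if __name__ == "__main__":
    for bssid, issues in audit_survey(SAMPLE_SURVEY).items():
        print(bssid, "->", ", ".join(issues))
```

Run it after each walk-through survey; an empty result means every AP seen is in the inventory and matches the hardening list.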
Columnist FRED AVOLIO (email@example.com) is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.
Copyright 2002 TechTarget