
Questions about Your Wireless Network

Wireless Local Area Networks (WLANs) have become extremely convenient methods of accessing network resources. But if they are not properly secured, companies are exposing themselves to myriad threats from hackers, viruses, and other abuses.

Kang Eu Ween, Enterprise Solutions Director for Juniper Networks, presents six questions CIOs should ask themselves about their WLAN infrastructure.

1. Is your wireless LAN encrypted?

If not, it should be, using the latest encryption technologies. An unsecured WLAN is openly accessible by anyone with a Wi-Fi enabled device. WLAN encryption is an evolving field and new methods to secure WLAN traffic are being created. Legacy methods (including WEP) may not be secure enough because exploits and weaknesses are always being discovered. As of this writing, WPA encryption is seen to be superior to WEP encryption, and a second version of WPA is in the works.

Also, always use the highest bit-strength available.

2. Is the encrypted wireless LAN directly connected to the corporate internal network?

It is better not to have the WLAN instantly and directly connect to key network resources, but rather have in place network authentication mechanisms (on top of WLAN encryption and authentication) to check the security clearance of users connecting via the WLAN.

Treat the WLAN the same way you would a wired LAN because a WLAN is essentially the same as the open Internet, as in the Demilitarized Zone (DMZ) in front of a firewall, and open to attack by anyone. The best way to secure the network is to have an SSL VPN run on top of the WLAN. An SSL VPN can allow access to only specific network resources and applications, rather than the entire network by default (as in an IPSec-based VPN).

Client and host checking functionality, such as the Juniper Networks’ Endpoint Defense Initiative, also ensures client machines are checked to be virus-free and fit certain security criteria before connecting to the network.


3. Is there a security policy in place to restrict users from adding wireless access points to the internal corporate network?

Even the best technical mechanisms will be meaningless if users decide to circumvent them. Security policies must be in place to encourage proper security habits. Users should also be properly trained in security procedures.

4. Is the encrypted wireless LAN being segmented for different groups of users?

There is no need to offer complete and limitless access to all network resources for all users. It is better to segment the network so that specific user groups (e.g., Human Resources) can access the resources they need. In the event of a network breach, hackers will not instantly gain access to everything.

5. Are users using strong authentication?

Three-factor authentication, such as offered by RSA’s SecurID token, is an excellent method to ensure users are properly authenticated. But authentication must not be confused with data encryption, and network traffic should still be secured even if users successfully authenticate. This is to prevent vulnerability to man-in-the-middle wire-tapping attacks on the WLAN radio signals.

6. Is there another wireless LAN ready for visitors/customers?

It is not only convenient for visitors to your company to have WLAN access, it is also imperative that guests only use the Internet and do not have unfettered access to internal resources. Guests should have guest accounts and should never be given internal user logins. Visitors might accidentally provide the logins to hackers, and visitors may also have relationships with your competitors that you are not aware of. Best to be safe.

How to Strengthen Your Wireless Network

Wireless networks are present in most homes and businesses. The convenience they offer can open unsecured paths into your network. The different levels of security options and configuration parameters can be confusing and lead to insecure setups which work, but leave you vulnerable to exploitation. There are 6 easy ways to strengthen your wireless network’s protection.

Use WPA2 encryption – Older security options like WEP can be broken in moments without special equipment or techniques using something as simple as a browser add-on or mobile phone application. WPA2 is the latest security algorithm which is included with virtually all wireless systems, and should be selected from the configuration screen.

Have a password longer than 10 characters – Even newer encryption schemes like WPA2 can be compromised using attacks which employ an automated process to try billions of possible passwords. Longer passwords don’t need to be hard to remember. Using a phrase like “makemywirelessnetworksecure” instead of a shorter, more complex password like “w1f1p4ss!” offers far more security, as the computing power to test and break such a long key cannot be realized.

Don’t use standard SSIDs – Many wireless routers ship with a default wireless network name (also known as the SSID) like “netgear” or “linksys” which most users do not bother to change. WPA2 uses the SSID together with the password when deriving the encryption key. Not changing it allows hackers to prepare password look-up lists for common SSIDs (rainbow tables) which speed up the password cracking process drastically, enabling them to test millions of passwords per second. Having a custom SSID drastically increases the work and time needed to attempt to compromise your wireless network.

Leave personal information out of your SSID – You don’t want to give hackers a way to know that your network is worth trying to compromise. Putting “John’s House” as the SSID provides information which might be useful to a nosy, tech-savvy neighbor or someone targeting your business. Don’t give hackers a way to see whether a wireless network is yours or that of the shop around the corner. Use something vague which doesn’t identify you or your location.

In your password, add numbers, special characters and use upper and lower case characters – Complex passwords increase the number of characters which must be considered when performing password cracking. For example, if your password consists of 4 characters and you only use numbers, there will be 10^4 (10,000) possibilities. If you additionally use the alphabet in lower case only, you will get 36^4 possibilities (1.6 million). Forcing a cracking program to choose from 104 characters for each of 11 positions results in 104^11 = 15,394,540,563,150,776,827,904 possibilities. This increases the time needed to crack such a password from seconds to millions of years.

Tune the range of the radio – Modern access points have multiple antennas and enough transmit power to let their signal reach far beyond the walls of the places they are providing access to. Some products let you adjust the transmission power of the radio using menu options. This provides a way to limit how far outside your location someone can pick up your wireless signal and work on compromising your network.
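
The SSID and password-length points above, worked through as an added example (not part of the original post): WPA2-Personal derives its key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so one passphrase gives a different key on every SSID, and the search space is the alphabet size raised to the password length. Function names are illustrative, and the passphrases and SSIDs are constructed sample values.

```python
import hashlib
import math
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search has to cover."""
    return alphabet_size ** length


def alphabet_size(password: str) -> int:
    """Combined size of the character classes (lower, upper, digit, symbol) in use."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_bits(password: str) -> float:
    """Upper bound on strength against exhaustive search, in bits.
    Phrases built from common words are weaker against wordlists than this suggests."""
    return len(password) * math.log2(alphabet_size(password))


if __name__ == "__main__":
    # Constructed sample: same passphrase on a default and a custom SSID.
    phrase = "makemywirelessnetworksecure"
    for ssid in ("netgear", "attic-ap-7f3c"):
        print(f"{ssid:>14}: {wpa2_pmk(phrase, ssid).hex()}")
    # A table precomputed for "netgear" is useless against the second key.

    # The keyspace figures from the text.
    for size, length in ((10, 4), (36, 4), (104, 11)):
        print(f"{size}^{length} = {keyspace(size, length):,}")

    for pw in ("w1f1p4ss!", phrase):
        print(f"{pw!r}: {len(pw)} chars, about {brute_force_bits(pw):.0f} bits")
```
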