|
|
A few years ago deploying a secure wireless network was a real challenge. The closest thing to a standard you could hope to use was some sort of dynamically keyed WEP scheme. If that wasn't enough (and it probably wasn't), then you had to go to a totally proprietary solution. These solutions offered much higher levels of protection, but at the price of total vendor dependence and a dubious upgrade path to standards compliance.
Today things are much easier; the proliferation of WPA support across all modern wireless devices and operating systems makes deploying a secure wireless network straightforward. Home users can simply use WPA-PSK, while businesses and other large organizations can use a RADIUS server and get strong, upgradeable authentication with dynamic key generation.
This chapter covers details of the various authentication and encryption schemes possible on 802.11 networks. Many aspects of WEP and its various band-aid solutions are covered. If you are securing a network with WPA, you can safely ignore all the perils and information associated with WEP and move straight into the section on WPA.
Techniques to secure your network that do not make use of WEP and WPA are also covered. These include higher-level authentication schemes, VPNs, and wireless intrusion detection systems.
This section covers generic defenses that apply to all 802.11 configurations. Do not, however, assume techniques in this section provide security on their own. These are small tweaks that make finding or attacking a wireless network a little more difficult. These techniques will not prevent an attacker from breaking into your network, but at least they let outsiders know they aren't welcome.
One of the effective ways to improve wireless security is to minimize your signal's exposure to outside attackers. Depending on your physical location, this recommendation may not be practical. One common mistake many people make is to try to maximize the range of their signal so they get better throughput everywhere within range.
In reality, if all of your nodes already have a good signal, boosting the power (either via software, amplifiers, or antennas) will not inherently make the connection any faster. If you think you can get better throughput by increasing signal strength, by all means try it, but verify that it really improves things before you leave it ramped up. Conversely, if you are only trying to cover a small area, see if you can find the right balance of signal strength and speed. Some high-end APs will actually allow you to turn the transmission power of the AP down via software.
Another way to accomplish this goal is to use 802.11a hardware, which operates in the 5-GHz spectrum. The 5-GHz band not only has more room for you to use (more channels are available), but many attackers also don't bother scanning for it because cards that support 802.11a cost considerably more than their 802.11b/g equivalents. Another potentially desirable security property of 802.11a is that it doesn't penetrate walls as efficiently as its 2.4-GHz counterpart.
While the SSID (or the name) of your network might not seem like an integral part of your wireless security, it is actually important. When trying to ensure your network is safe, there are two properties of your SSID to consider: whether or not to broadcast the SSID and its uniqueness.
Many APs allow you to disable the broadcasting of your SSID in beacon packets to prevent the network from showing up in the list of available networks in most operating systems. Though this will stop casual passersby from associating with your network, it won't stop anyone running a passive scanner from discovering the name of your network. It may stop amateurs running NetStumbler from discovering your network, though it depends on the driver they are using. Don't forget that if you disable SSID broadcasting you (or your users) will need to enter the name of your network explicitly into the OS so it can find it.
Regardless of whether or not you choose to broadcast your SSID in beacon packets, it is very important when using WPA that you choose a unique SSID. When using WPA-PSK, your SSID is input into a cryptographic function when creating the pairwise master key (PMK). If you have a default SSID, you are much more vulnerable to dictionary attacks against WPA-PSK. The easiest precaution to take is to append a random number to your SSID.
MAC filtering on wireless networks makes very little sense. Almost any card on any operating system can be compelled to use a different MAC address, thus circumventing the alleged protection MAC filtering provides. If you do decide to employ MAC filtering, you may want to see if you can get a wireless IDS to monitor for duplicate MACs.
|
|