Rottz Frequent Member

Joined: 29 Mar 2003 Posts: 196 Location: East Coast, USA

Posted: Sat Apr 19, 2003 5:08 pm Post subject: Wireless Security Checklist
Securing your Wireless Network
1) Don't use TCP/IP for File and Printer sharing!
Access Points are usually installed on your LAN, behind any router or firewall you may be using. If someone successfully connects to your Access Point, they'll be on your LAN, just like any of your other clients. But since they'll be using TCP/IP to make the connection, you can easily deny access to MS File and Printer sharing by using a protocol other than TCP/IP for those services. That way, they may get access to your Internet connection, but they won't get access to your files!
2) Follow secure file-sharing practices
This means:
* Share only what you need to share (think Folders, not entire hard drives)
* Password protect anything that is shared with a strong password.
3) Enable WEP Encryption
802.11b's WEP encryption has had a lot of bad press lately about its weaknesses. But a weak lock is better than no lock at all, so enable WEP encryption and use a non-obvious encryption key. Look for and use products that support 128bit WEP. Prices have come down on 802.11b equipment so there's no need to buy something that doesn't support 128bit WEP. See this page if you need help getting WEP to work.
4) Use WEP for data and Authentication
Some products allow you to separately set the Authentication method to "Shared Key" or "Open System". Use the "Shared Key" method so that encryption is used to both authenticate your client and encrypt its data. See this page for more info.
5) Use non-obvious WEP keys and periodically change them
While the limitations that some wireless client utilities have don't help (hexadecimal only support, single keys, forgetting keys, etc.), don't make it easy for potential snoops to get onto your LAN by using simple keys like 123456, all ones, etc. Changing the keys periodically is more difficult, because it requires sending out information about the new keys to users and that can be a security problem in itself. But changing keys periodically can help keep your LAN secure, so consider getting a procedure into place to do it.
6) Secure your wireless router / Access Point (AP)
Your router or Access Point should require a password to access its Admin features. If it doesn't, get one that will!
Also, change your password from the default and use a strong one!
7) Disallow router/AP administration via wireless
Unfortunately, this feature is usually only present in "Enterprise-grade" APs, and shuts off the ability to administer your Access Point from wireless clients. But if your router/AP has it, use it!
8) Use MAC address based Access and Association control
Previously available only on "Enterprise-grade" products, many routers and Access Points are being upgraded to have the ability to control the clients that can use them. MAC addresses are tied to physical network adapters, so using this method requires a little coordination and maybe a little inconvenience for LAN users. And MAC addresses can be "spoofed" or imitated/copied, so it's not a guarantee of security. But it adds another hurdle for potential intruders to jump. If you already have a product that doesn't include this feature, check your Manufacturer's Web site for a firmware upgrade.
9) Don't send the ESSID
ORiNOCO and Apple call the ability to stop their products from sending out the network ESSID the "closed network" feature. Other manufacturers are adding this ability, so check your Manufacturer's Web site for a firmware upgrade. Note that the feature doesn't have a consistent name, so check your product's documentation.
10) Don't accept "ANY" ESSID
ORiNOCO and Apple's "closed network" feature also won't accept connections from clients using the default "ANY" ESSID. Other manufacturers' products have the ability to not accept clients with an "ANY" ESSID, but you'll need to check your product's documentation, since there's not a consistent name for the feature.
11) Use VPN
Of course, if you really don't want to take chances with your data, then you should run a VPN tunnel over your wireless connection, too. You may take a throughput hit, but isn't your data's security worth it?
source: http://www.practicallynetworked.com/support/wireless_secure.htm
Additional Links:
Safe WLAN Deployment Checklist
WLAN Hardening Checklist
Hardening 802.11 Wireless Networks
Last edited by Rottz on Sat May 10, 2003 6:10 am; edited 1 time in total
 |
flw Forum Junky

Joined: 27 May 2002 Posts: 949 Location: U.S.A.

Posted: Sun Apr 20, 2003 8:14 pm
| Quote: |
| 9) Don't send the ESSID |
I'm not sure about ESSID but if you are using an XP wireless client you have to use it with SSID turned on. Otherwise XP can't remember/find your ID. Otherwise it is exactly correct.
_________________ Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
Last edited by flw on Sun Apr 20, 2003 11:44 pm; edited 1 time in total
 |
Posideon Forum Addict

Joined: 10 Jan 2003 Posts: 251 Location: UK Baby!!!

Posted: Sun Apr 20, 2003 8:22 pm Post subject: Re: Wireless Security Checklist
| Rottz wrote: |
Use non-obvious WEP keys and periodically change them
While the limitations that some wireless client utilities have don't help (hexadecimal only support, single keys, forgetting keys, etc.), don't make it easy for potential snoops to get onto your LAN by using simple keys like 123456, all ones, etc. Changing the keys periodically is more difficult, because it requires sending out information about the new keys to users and that can be a security problem in itself. But changing keys periodically can help keep your LAN secure, so consider getting a procedure into place to do it.
|
Without going into too much detail is this the only real way of securing your LAN through basic wireless security? Should we consider using another method outside WEP keys to secure the LAN?
_________________ Posideon
I love it when a plan comes together
 |
flw Forum Junky

Joined: 27 May 2002 Posts: 949 Location: U.S.A.

Posted: Sun Apr 20, 2003 11:52 pm
| Quote: |
| Should we consider using another method outside WEP keys to secure the LAN? |
You should use all methods available to you, just not the WEP key changes. Each method only provides a very limited and a variable amount of protection so you should use all methods you can. All together you do have at least some security compared to a system that only uses one method or no method. It's like layers in an onion. You have to go through a lot of them to get to the center. Some layers are softer than others but still slow down the process of getting to the center of the onion.
Just use all the tools that you have available. That's the ultimate method.
_________________ Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
 |
Posideon Forum Addict

Joined: 10 Jan 2003 Posts: 251 Location: UK Baby!!!

Posted: Sun Apr 20, 2003 11:56 pm
Yeh thanks for that flw, just wondered if there were any specific methods people who use wireless adopt. Just been reading a very interesting article on stat based IDS and rule based IDS working together to get the onion effect you mention.
_________________ Posideon
I love it when a plan comes together
 |
JustinT Trusted SF Member

Joined: 17 Apr 2003 Posts: 1222 Location: Charlotte, NC, US / Uberlândia, MG, Brazil

Posted: Wed Apr 23, 2003 9:51 am Post subject: Wireless Security Checklist.
| Quote: |
3) Enable WEP Encryption
802.11b's WEP encryption has had a lot of bad press lately about its weaknesses. But a weak lock is better than no lock at all, so enable WEP encryption and use a non-obvious encryption key. Look for and use products that support 128bit WEP. Prices have come down on 802.11b equipment so there's no need to buy something that doesn't support 128bit WEP. See this page if you need help getting WEP to work.
|
Note that WEP uses the RC4 algorithm.
Because there is a 24-bit IV, the effective key length is actually only 104-bits. With this in mind, 64-bit WEP only offers a 40-bit effective key length.
If it's WEP or no wireless security at all, then this is an acceptable key size. However, WEP imposed significantly insecure issues that hinder it from providing any sense of a comfortable security margin. If you can help it, use something better, such as WPA. It apparently picks up where WEP left off.
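Added example, not part of the thread or any poster's code: a Python sketch that ties together the key-length arithmetic in the post above (a 24-bit IV leaves 40 or 104 secret bits in 64-bit or 128-bit WEP) and checklist item 5 on non-obvious keys. The function names and pattern checks are constructed for illustration, and treating an all-printable-ASCII key as typed text is an assumption.

```python
import secrets

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared secret before RC4

def effective_bits(advertised_bits):
    """Secret bits behind an advertised key size: 64 -> 40, 128 -> 104."""
    return advertised_bits - IV_BITS

def generate_wep_key(advertised_bits=128):
    """Random key as hex digits, for client utilities that accept hex only."""
    return secrets.token_hex(effective_bits(advertised_bits) // 8).upper()

def audit_wep_key(hex_key):
    """Return the list of problems found in a configured hex WEP key."""
    key = hex_key.replace(":", "").replace("-", "").upper()
    if not key or any(c not in "0123456789ABCDEF" for c in key):
        return ["not a hexadecimal key"]
    if len(key) not in (10, 26):
        return ["expected 10 hex digits (64-bit WEP) or 26 (128-bit WEP)"]
    problems = []
    if len(key) == 10:
        problems.append("only 40 secret bits; use 128-bit WEP")
    if len(set(key)) <= 2:
        problems.append("built from one or two digits")
    # Counting patterns such as 1234567890 or 0123456789ABCDEF..., either way round.
    runs = ["0123456789" * 4, "0123456789ABCDEF" * 3]
    if any(key in r or key[::-1] in r for r in runs):
        problems.append("sequential digits")
    # A short block repeated to fill the field, e.g. 1234512345.
    for period in range(2, len(key) // 2 + 1):
        if key == (key[:period] * len(key))[:len(key)]:
            problems.append(f"repeats every {period} digits")
            break
    # Assumption: a key whose bytes are all printable ASCII was typed as text.
    if all(0x20 <= b <= 0x7E for b in bytes.fromhex(key)):
        problems.append("decodes to printable ASCII text")
    return problems
```

`generate_wep_key()` returns 26 hex digits for 128-bit WEP and `generate_wep_key(64)` returns 10; `audit_wep_key()` returns an empty list when none of the checks fire.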
 |
johnburns Just Arrived

Joined: 22 Jun 2004 Posts: 1

Posted: Tue Jun 22, 2004 4:00 pm
| Quote: |
| Don't send the ESSID |
I agree with this - however, I have Linksys access points which cannot connect to the available network unless I enable SSID Broadcast. I think with the other items (WEP and MAC address, etc.) I am fairly secure - at least I hope I am. Linksys advised me to enable SSID Broadcast in order to get the signal on both computers in my home network. Always something to screw up the best intentions!
 |
cpconstantine Trusted SF Member

Joined: 15 May 2004 Posts: 296 Location: Denver, CO

Posted: Tue Jun 22, 2004 4:14 pm
As regards the SSID, here are a few thoughts:
1) Don't set the SSID to something that offers additional intelligence on your network. Naming your SSID as the name of your company is probably a bad idea. Naming your SSID the same as your workgroup name/Kerberos domain or other piece of supposedly private intel is similarly stupid.
2) Turning off SSID broadcast will cause those little keychain WiFi detectors to fail to indicate the presence of a WLAN. Just an FYI you might find interesting.
3) There's a good few papers out there that scientifically go into the proof that turning off your SSID broadcast does nothing to significantly improve security.
Soo.. as a general rule, broadcasting an SSID isn't so bad, so long as you don't name it something like 'ACCOUNTING_DEPT' or the like... of course, this is what most cluebies do, as they love advertising things in simple terms. These are the same cluebies that go on to be WAN admins, and name major hub routers as things like 'primary.egress.company.com' in the public DNS, and wonder why that router seems to attract more attack attempts than the others...
Never underestimate the value of 'soft' data to an attacker.
_________________ Your neighborhood IDS Geek, Unrepentant Reverse-Engineer, CISSP carpetbagger and mercenary audittor.