Managing Wireless Information Security

by nanggroe on August 2, 2011

Management Countermeasures

Management countermeasures set the stage for all that happens on the WLAN. Based on policy, these countermeasures should work to:

· Identify who may use WLAN technology in a corporation and limit access by function, location, and workgroup or security clearance.

· Identify whether Internet access is required beyond the WLAN network. Some WLAN applications are for intranets only.

· Describe who can install access points and other wireless equipment. Given the ease of installation and configuration, it is important to verify proper use of the technology.

· Provide limitations on the location of and physical security for access points to minimize the propagation (distance and availability) of the signal.

· Describe the type of information that may be sent over wireless links to reduce compromises of sensitive data.

· Describe conditions under which wireless devices are allowed.

· Define standard security settings for access points to reduce risks and establish uniform configuration standards.

· Describe limitations on how the wireless device may be used, such as location in and outside the building and near sensitive areas, to gain access to personal or sensitive data.

· Describe the hardware and software configuration of all wireless devices.

· Provide guidelines on reporting losses of wireless devices and security incidents.

· Provide guidelines for the protection of wireless clients to minimize or reduce theft.

· Provide guidelines on the use of encryption and key management systems.

· Define the frequency and scope of security assessments to include access point discovery.

Implementation Countermeasures

Implementation countermeasures are the controls in the process. Controls in WLAN management allow or restrict an activity or event from occurring. Think of all wireless networking as unsecured and publicly available. If possible, move the access point into a DMZ (a protected sub-network on the LAN) where sensitive data are not available to attackers. Implement firewall protection to protect you from attacks and to log attack attempts.

· Only use WAPs and NICs that support at least 64-bit (preferably 128-bit) WEP.

· Consider using third-party encryption tools and third-party authentication before you permit communication with your access point.

· Try to physically locate the WAP so that its signal will be harder for a network sniffer to locate. Pay close attention to the orientation of the antenna; avoid locating the WAP near windows, or in a room adjacent to a street or parking lot.

· Do a periodic assessment of wireless networks in and around your workplace or home using a sniffer or by employing a consulting service. It is easy for an employee to buy a NIC and a WAP and install them on a workstation. Some operating systems automatically bridge a WAP with the wired network, providing network access (behind the firewall) and proprietary information to anyone with a wireless card. An assessment will determine if security measures are in place, or if there have been any changes to the configuration. An assessment will also show how far wireless signals will travel outside your building.

· Purchase wireless technology that has flash-upgradeable firmware. New security enhancements such as Wi-Fi Protected Access (WPA) are being developed, and with an upgradeable product, the likelihood of being able to use this technology is greater. Consider using WPA as it becomes available. WPA will have many new wireless security features, including authentication, key management, Temporal Key Integrity Protocol (TKIP), integrity checking, replay protection, and Advanced Encryption Standard (AES) encryption support.

· Ensure that your computers are running at the most current software patch level. This makes it harder to attack your systems and information if hackers gain access to the wireless network.

· Use an antivirus application with the most current virus and worm signature updates. This will help to prevent an attacker who has gained access to your network from installing a Trojan to gain backdoor access to your computer, and will protect your computer from other malicious code.

· Restrict physical access to the access point; keep it out of sight and in a locked area. By restricting access to the WAP you will help to ensure that unauthorized persons are not able to physically reset, control, or reconfigure the device.
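The periodic assessment described in the list above comes down to comparing what a survey hears against what is approved. The following is an added example, not part of the original article; the `AccessPoint` fields, the inventory and the survey records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    bssid: str       # radio MAC address of the access point
    ssid: str
    channel: int
    encryption: str  # as reported by the survey tool, e.g. "none", "WEP-128"

# Constructed inventory of approved access points (hypothetical values).
AUTHORIZED = [
    AccessPoint("00:11:22:33:44:01", "blue-heron-7", 1, "WEP-128"),
    AccessPoint("00:11:22:33:44:02", "blue-heron-7", 6, "WEP-128"),
]
# Constructed survey results, as a sniffer walk-through might record them.
SURVEY = [
    AccessPoint("00:11:22:33:44:01", "blue-heron-7", 1, "WEP-128"),
    AccessPoint("00:11:22:33:44:02", "blue-heron-7", 6, "none"),
    AccessPoint("00:AA:BB:CC:DD:10", "linksys", 11, "none"),
    AccessPoint("00:AA:BB:CC:DD:20", "blue-heron-7", 6, "none"),
]

def assess(survey, authorized):
    """Return (bssid, finding) pairs for everything that needs follow-up."""
    known = {ap.bssid.lower(): ap for ap in authorized}
    own_ssids = {ap.ssid for ap in authorized}
    findings, seen = [], set()
    for ap in survey:
        bssid = ap.bssid.lower()
        seen.add(bssid)
        approved = known.get(bssid)
        if approved is None:
            # Not in the inventory: an unapproved install, a neighbour, or a
            # device reusing the corporate SSID. A person has to look at each.
            reuses = ap.ssid in own_ssids
            findings.append((bssid, "unknown AP using corporate SSID"
                             if reuses else "unknown AP"))
            continue
        for field in ("ssid", "channel", "encryption"):
            was, now = getattr(approved, field), getattr(ap, field)
            if was != now:  # configuration drift on an approved device
                findings.append((bssid, f"{field} changed: {was} -> {now}"))
    for bssid in sorted(set(known) - seen):
        findings.append((bssid, "authorized AP not heard"))
    return findings

if __name__ == "__main__":
    for bssid, finding in assess(SURVEY, AUTHORIZED):
        print(bssid, finding)
```

Running the same comparison from points outside the building also records how far the approved access points can be heard.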

 

Configuration Countermeasures

Configuration countermeasures are the easiest to understand. The countermeasures address the authentication, access control, integrity and confidentiality of the data and hardware on the network. Understanding how to configure the access point is critical to meet the vision stated in your organization’s security policy. Proper configuration will mitigate many threats and go a great distance to limit unforeseen, unanticipated vulnerabilities. A proactive approach is the best way to describe configuration countermeasures. Since instruction manuals come with most technology today, it should be easy to locate the specific settings by reading the manuals. Specific areas of interest include:

1. Enable WEP (wireless encryption protocol). WEP minimizes the risk of radio frequency interception by somebody nearby. WEP is specified for encryption and authentication between clients and APs according to the 802.11 standard. WEP security is based on an encryption algorithm called RC4. Some products allow you to separately set the authentication method to shared key or open system. Use the “shared key” method so that encryption is used to both authenticate your client and encrypt its data. Even though WEP has been broken, it is a cost-effective (free) and valuable first layer of security. In my research over the past three years, more than 60% of all access points do not use WEP, and enabling the service may cause an attacker or curious user to move on to an easier target. The encryption algorithm is generated based on a key (a number sequence) entered and controlled by the user. All clients and APs are configured with the same key to encrypt and decrypt transmissions of data. WEP keys are 40 or 128 bits in length and can be configured in three possible modes: no encryption, 40-bit encryption, or 128-bit encryption.

2. Secure your access point with a password. Your access point should require a password to access its administrative features; if it does not, replace it with one that does. Use strong passwords to protect against password cracking tools. Make sure the access point is not using the default password. Default passwords are well known and will be one of the first exploits tried by an educated attacker. Many wireless detection devices identify the manufacturer based on the media access control (MAC) address; this information makes it easier to guess what type of WAP is being used, even if the SSID has been changed. Change your password periodically.

3. Change the SSID to a truly unique name that does not identify the owner of the access point. The SSID allows a WLAN to be segmented into multiple networks, each with a different identifier. Each of these networks is assigned a unique identifier, which is programmed into one or more APs. To access any of the networks, a client computer must be configured with the corresponding SSID identifier for that network. Thus, the SSID acts as a simple password, providing a measure of security. A weakness is created when the SSID is widely known or shared, and it is easily obtained by freeware loaded onto a wireless network client.

4. Disable “broadcast SSID” if this feature is supported by the equipment vendor. Most access points broadcast SSID by default. This will accept any SSID. By disabling broadcast SSID, the SSID configured in the client must match the SSID of the access point.

5. Turn off dynamic host configuration protocol (DHCP) and assign a static IP address to wireless devices. This will keep your WAP from issuing an IP address to any computer that tries to connect with it. Also consider changing the IP subnet to a non-default address. Many access points default to the 192.168.1.0 network, and use 192.168.1.1 as the default router. Changing these defaults provides additional layers of security.

6. Filter devices based on the MAC address. Filtering increases security by configuring an access point with a list of MAC addresses associated with the client computers that are allowed access to the access point. If a client’s MAC address is not on the list, the access point will deny access. This method provides good security but is only suited to small networks. The labor-intensive work of entering MAC addresses and maintaining up-to-date lists on all of the access point devices obviously limits the scalability of this approach. An access point can be set up to provide encryption-only protection in open-system mode, or to add authentication in shared-key mode. MAC address filtering is often used together with this encryption. WEP security is best suited for small networks, as there is no key management protocol. As a result, keys must be manually entered into every client. This can be a huge management task, especially as keys should be changed regularly to provide a higher level of security.

Lengthen the beacon interval of your access point. Beacon frames announce the existence of your wireless network to all. These beacons are transmitted from access points at regular intervals and allow a client station to identify and match configuration parameters in order to join a wireless network. The interval length may be set to its highest value, resulting in an approximate 67-second interval.
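One way to check an exported access point configuration against numbered items 1 through 6 above, comparing a factory-state device with a hardened one. This is an added example, not part of the original article; the configuration field names, the default-value lists and both sample configurations are hypothetical and constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
DEFAULT_NET = ipaddress.ip_network("192.168.1.0/24")  # default named in item 5
# Constructed sample lists; extend them from your own vendors' manuals.
DEFAULT_PASSWORDS = {"", "admin", "password"}
DEFAULT_SSIDS = {"default", "linksys", "wireless"}

def audit(cfg, owner_terms):
    """Return the checklist items (numbered as in the text) that cfg fails."""
    failed = []
    if cfg["wep_key_bits"] not in (40, 128):
        failed.append("1: WEP disabled")
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        failed.append("2: admin password missing or default")
    ssid = cfg["ssid"].lower()
    if ssid in DEFAULT_SSIDS or any(t.lower() in ssid for t in owner_terms):
        failed.append("3: SSID is a default or identifies the owner")
    if cfg["broadcast_ssid"]:
        failed.append("4: SSID broadcast enabled")
    if cfg["dhcp_enabled"]:
        failed.append("5: DHCP enabled")
    if ipaddress.ip_address(cfg["lan_ip"]) in DEFAULT_NET:
        failed.append("5: default 192.168.1.0 subnet in use")
    macs = cfg["mac_allow_list"]
    if not macs or not all(MAC_RE.match(m) for m in macs):
        failed.append("6: MAC filter empty or malformed")
    return failed

# Constructed configurations: factory state beside a hardened one.
FACTORY = {"wep_key_bits": 0, "admin_password": "admin", "ssid": "linksys",
           "broadcast_ssid": True, "dhcp_enabled": True,
           "lan_ip": "192.168.1.1", "mac_allow_list": []}
HARDENED = {"wep_key_bits": 128, "admin_password": "constructed-Passphrase-42",
            "ssid": "blue-heron-7", "broadcast_ssid": False,
            "dhcp_enabled": False, "lan_ip": "10.83.17.1",
            "mac_allow_list": ["00:11:22:33:44:55"]}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit(cfg, owner_terms=["acme"]))
```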

As a more secure model, some vendors have developed VPN solutions that create a secure tunnel for your wireless traffic. An evolution of wireless security products now includes the means to authenticate all wireless users before they can gain access to network resources, to encrypt data with the Advanced Encryption Standard before they pass through the air, and to control user access to network segments through the use of policy servers.
