Certification - May 2008 - (Page 38)

need to broadcast this information. The SSID is akin to a shared password, a configurable identification that allows clients to communicate with an access point. Only clients with the correct SSID should be able to communicate with the access point. Hackers know the default factory-set names of all of the different types of wireless equipment, so you need to change it to something that can’t be easily guessed.

• Turn off SSID broadcast: This is one of the most elementary wireless security requirements. If you allow SSID broadcasts, anyone can connect to your network. Disable the identifier broadcasting mechanism if your wireless router allows it.

• MAC address authentication: You should set up MAC address authentication via access control lists (ACLs) on the access point. Configure the access point so that it only allows clients with specific MAC addresses to access the network, or allow access to only a given number of MAC addresses. MAC address authentication is far from perfect, but it is an added layer of defense.

• Wireless audit: You should perform a regular security audit for rogue access points in your environment. For enterprise networks, this should be done at least quarterly. You don’t need a sophisticated device to do that, but it helps. You can simply walk around with a wireless notebook and sniffer (NetStumbler, Kismet, etc.) to determine if new unauthorized wireless devices have been added to your network. If you find a rogue access point, you can attempt to shut it down.

• Access-point segmentation: For the corporate arena, segment the wired portion of your network that connects the access points onto a separate VLAN. This enables you to separate this traffic and, in the event of a breach, minimize the level of access that an attacker has to your network.

• Reception area: The wireless coverage area should be fitted to the desired work area. The more the perimeter access points broadcast beyond that area, the greater the risk of attack. Where possible, directional antennas should be used at the perimeter, directing their broadcasting inward. Some access points allow attenuation levels to be set via their Web-based setup utility.

Wireless is insecure, but it does not have to be that way. By making yourself aware of the security risks and deploying the appropriate security controls, you can secure your wireless network and not have to worry about becoming yet another victim of wireless insecurity.

For further investigation of wireless, the risks associated with it and how to guard against them, see our May Security Community Feature on www.certmag.com.

Ben Rothke is senior security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at editor@certmag.com.
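
The wireless audit step above comes down to comparing what a walk-around survey heard against the list of access points you approved. The following is an added example, not part of the original article: the CSV column layout, the inventory and every MAC address and SSID in it are constructed assumptions, not the native export format of NetStumbler or Kismet.

```python
import csv
import io

# Assumed inventory of approved access points (constructed values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}

# Constructed walk-around survey export; the column layout is an assumption.
SAMPLE_SURVEY = """bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,corp-wlan,1,-48
00-11-22-33-44-02,corp-wlan,6,-61
66:77:88:99:AA:BB,corp-wlan,6,-55
02:AB:CD:EF:00:10,linksys,11,-70
00:11:22:33:44:01,corp-guest,1,-50
"""

def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so formatting differences do not hide a match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_survey(survey_csv, authorized):
    """Return (bssid, ssid, finding) tuples for every observation needing follow-up."""
    known = {normalize_mac(m): ssid for m, ssid in authorized.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid, ssid = normalize_mac(row["bssid"]), row["ssid"]
        if bssid not in known:
            if ssid in known.values():
                finding = "unapproved device using an approved SSID"
            else:
                finding = "unknown access point in range"
        elif known[bssid] != ssid:
            finding = "approved device with unexpected SSID"
        else:
            continue  # approved device advertising its approved SSID
        findings.append((bssid, ssid, finding))
    return findings

if __name__ == "__main__":
    for bssid, ssid, finding in audit_survey(SAMPLE_SURVEY, AUTHORIZED_APS):
        print(f"{bssid}  {ssid!r:14}  {finding}")
```

An unknown access point in range may simply belong to a neighbor, so each finding is a prompt to locate the device rather than proof that it is attached to your network.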