
Don't broadcast your SSID...

...and 9 other security dos and don'ts when setting up a wireless LAN.
Written by Matthew Broersma, Contributor

Most IT managers should have got their heads around the obvious security issues thrown up by the Internet but now there's a new challenge: wireless. Wire-free networking offers a lot of flexibility but without proper handling there's a very real chance that company secrets can literally disappear out of the nearest window.

WLANs are spreading fast, starting with booming sales in the consumer and small-business sectors and now edging into even the most conservative of enterprises. This is partly because WLAN equipment and services based on the Wi-Fi standard are cheap and increasingly ubiquitous outside the workplace. Research firm IDC says 55,000 new Wi-Fi hot spots, or public access points, will be installed in the next five years in the US alone. More than half of business notebook PCs are expected to arrive Wi-Fi-ready by the end of this year, according to Gartner. Intel has announced it will integrate Wi-Fi into PC chipsets, potentially turning any desktop machine into an unsecured access point.

In this climate, the possibility that some careless employee will set up a wireless access point in the office, most likely neglecting to switch on any sort of security, is becoming increasingly likely. Far from ignoring wireless, most UK firms are actively investigating it, with half of the respondents to a recent survey saying they planned to invest in wireless equipment in the next 12 months. But only 21 percent said they had a strategy for deploying wireless -- a key error. Industry analyst Gartner has noticed the same trend. "In our conversations with enterprise clients, a big problem has been they didn't have a strategy on WLAN," Gartner analyst Ian Keene says. "That's leaving them open to all sorts of security breaches."

The resulting situation, to go by security experts' accounts, is more than a little chaotic. Last autumn a wireless LAN security software vendor called AirDefense drove around in Atlanta, Chicago and San Francisco, finding that 57 percent of the access points they stumbled across weren't using any form of data encryption, not an atypical experience. "If you drive down a major street in a major city like London with an AirMagnet (WLAN sniffer) turned on in your car, you'll come across an unsecured access point three or four times in every block," says AirMagnet vice president of marketing Richard Mironov.

On the other hand, this isn't bad news for enterprises just getting to grips with wireless: it means a few basic measures will probably be enough to discourage all but the most persistent attackers. "If you turn on security, someone who's not specifically targeting your company can find other places to break into," Mironov says.

The following are some of the most important and practical steps in setting up a well-run, secure wireless network -- and some of the most common mistakes.

DO: Take control of your airspace.
Before you even start to hook up access points, it might be a good idea to do a site survey, even if that is just taking a walk around the office. Wi-Fi uses unlicensed spectrum, meaning you don't need special permission to turn it on. The downside is neither does anyone else, and the 2.4GHz spectrum is already starting to get crowded. Interference can come from cordless phones, not to mention the Bluetooth radios built into more and more mobiles.

If you're in a building with several tenants crammed together, you may need to have a quiet word with your neighbours about who's going to use which Wi-Fi channel. If you notice they haven't got security turned on, well, that might also be worth mentioning to them -- if nothing else, security will stop your employees from accidentally logging onto their network. Access points on your own network shouldn't use adjoining channels; only channels 1, 6 and 11 are spaced far enough apart to prevent interference.

Some companies may find it useful to shape their airwaves. A directional antenna will provide access exactly where it's wanted, without spilling over into the street; turning down the power on some access points will also reduce the airspace where access is available.

DO: Choose and implement a security model
This may sound obvious, but consider that every Centrino laptop arrives in your company ready to connect to the nearest access point with zero security. Just as with wired networks, keeping equipment in line with whatever security model you choose is an ongoing process. Even turning on WEP (Wired Equivalent Privacy), the now-discredited basic Wi-Fi encryption standard, will put you miles ahead of the pack. "WEP is better than nothing -- at least with that, it takes five to ten minutes to crack in," Mironov says.

For a step up, add NICs (network interface cards) and access points with Wi-Fi Protected Access (WPA), which fixes many of WEP's problems. WPA is a stopgap measure before the release of the upcoming IEEE 802.11i standard, which will incorporate the Advanced Encryption Standard (AES), using block cyphers instead of the less powerful stream cyphers in WEP and WPA. (For more on these, see below).

If you're already running a virtual private network (VPN) for remote workers, and want another layer of security in the office, you might consider extending the VPN for workers in the building, though this requires considerable processing power for each user added to the VPN. Another alternative is to create a firewall between the wired and wireless network, or to choose access points that allow you to create virtual LANs, segmenting off parts of your network.

DO: Prepare for upgrades
As noted above, security standards for WLAN are constantly evolving -- and this isn't likely to level off. Look at access points with flash memory, allowing them to accept security patches and encryption standard upgrades, and work out a strategy for blocking equipment that doesn't have up-to-date security. Keep in mind that when 802.11i arrives it is likely to require new equipment to handle the extra processing overhead.

DO: Consider using third-party security apparatus
Experts recommend companies regularly scan their airwaves with sniffers, to keep track of exactly what is connected to the network. Besides monitoring for, and even retaliating against attacks, these devices let you examine wireless traffic, disconnect or block clients and locate rogue access points.

Wireless security controllers can simplify administration of your chosen security model, particularly if you feel you need a firewall or VPN. These devices often incorporate firewall and VPN, while centralising administration.
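As an added example, not from the article or from any vendor it names, here is the kind of check a sniffer walk feeds: it compares a scan of the airwaves against an inventory of the access points you actually deployed, flagging rogue radios, weak or missing encryption, and the overlapping-channel problem described in the site-survey section. The inventory, BSSIDs and scan records are all constructed.

```python
# Added example: audit a Wi-Fi site scan against an inventory of authorised
# access points. All BSSIDs, SSIDs and scan records below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # radio MAC address as reported by the sniffer
    ssid: str
    channel: int    # 2.4 GHz channel number, 1-13
    security: str   # "open", "wep", "wpa", ...


# Constructed inventory: BSSID -> channel we configured on our own APs.
AUTHORISED = {
    "02:00:00:00:00:01": 1,
    "02:00:00:00:00:02": 6,
    "02:00:00:00:00:03": 11,
}

WEAK = {"open", "wep"}  # WEP is "better than nothing", but no longer adequate


def channels_overlap(a: int, b: int) -> bool:
    """2.4 GHz channel centres are 5 MHz apart and each signal is ~22 MHz wide,
    so two channels interfere unless their numbers differ by at least 5
    (which is why only 1, 6 and 11 can coexist)."""
    return abs(a - b) < 5


def audit(scan: list) -> list:
    """Return one human-readable finding per problem spotted in the scan."""
    findings = []
    ours = [ap for ap in scan if ap.bssid in AUTHORISED]
    for ap in scan:
        if ap.bssid not in AUTHORISED:
            findings.append(f"rogue AP {ap.bssid} ({ap.ssid!r}, {ap.security}) on channel {ap.channel}")
            continue
        if ap.channel != AUTHORISED[ap.bssid]:
            findings.append(f"{ap.bssid} moved to channel {ap.channel}, expected {AUTHORISED[ap.bssid]}")
        if ap.security in WEAK:
            findings.append(f"{ap.bssid} uses {ap.security} encryption")
    # Our own APs must sit on non-overlapping channels.
    for i, a in enumerate(ours):
        for b in ours[i + 1:]:
            if channels_overlap(a.channel, b.channel):
                findings.append(f"channel overlap: {a.bssid} (ch {a.channel}) and {b.bssid} (ch {b.channel})")
    return findings


# Constructed scan result, as a walk around the building might yield it.
SCAN = [
    AccessPoint("02:00:00:00:00:01", "corp", 1, "wpa"),
    AccessPoint("02:00:00:00:00:02", "corp", 6, "wpa"),
    AccessPoint("02:00:00:00:00:03", "corp", 9, "wep"),      # wrong channel, still on WEP
    AccessPoint("02:00:00:00:ff:ff", "linksys", 6, "open"),  # unauthorised AP someone plugged in
]

if __name__ == "__main__":
    for line in audit(SCAN):
        print(line)
```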

DO: Integrate wireless and wired security
Ultimately, you will not want to manage your wireless and wired networks separately, but much of the security gear available won't necessarily integrate with your administration systems. Make sure whatever you invest in uses standard protocols such as SNMP (Simple Network Management Protocol). "Newer products enable network managers to integrate WLAN management with the wired LAN," says Gartner's Keene. "If you're managing them as completely separate functions, you're going to be doubling the tasks you have to perform."

DON'T: Declare a WLAN-free zone
"Wireless LANs are attractive to home users, and they make it easy for mobile workers to be more productive, downloading the latest client information or catching up with email in their down-time," says Keene. "It's going to be increasingly difficult to ban WLAN use. And even if you do make it clear to users it's against company policy, it's going to be difficult to enforce."

Ignoring WLANs might not make financial sense, either. "You've got to consider the cost of retrofitting your notebooks if, in two years' time, you decide WLAN is a good idea after all," Keene points out. At the very least, he argues companies should be carrying out controlled trials to examine the benefits of WLAN.

DON'T: Use your default SSID password
When you plug in a new access point, don't forget to change the default Service Set Identifier (SSID) password. Every Cisco access point arrives with the default password "tsunami", and once a user logs on they can change your security settings or deny you access to your own equipment. You should also change the device's default IP address.

DON'T: Broadcast your SSID
It's common for businesses to forget to turn off SSID broadcasting. This feature is necessary for public hot spots, but otherwise is an open invitation for someone in the parking lot to try and break into your network.

DON'T: Mix 802.11b and 802.11g
It's very kind of wireless gear makers to come out with dual-mode equipment, as it means companies can move from the older b standard to the faster, better g standard whenever they're ready. The downside: an access point can only handle one of the standards at a time, so that as soon as someone on the access point fires up a b-powered laptop, the bandwidth for everyone else plummets. If you want to use 802.11g on your network, you will need to ensure all the NICs are also g-compatible.

DON'T: Enable ad-hoc mode
Ad-hoc mode allows a Wi-Fi client to form a direct link with another laptop nearby, acting as a kind of relay station. Unfortunately, it also opens up the laptop's entire hard drive for anyone to read, and on a corporate network may act as an unsecured entry point to the LAN. "I've been in airport lounges and noticed people who didn't remember they had ad hoc mode turned on," says AirMagnet's Mironov. "You could read everything on their laptop. If that isn't chilling, it should be."
