Conclusion: Best Defense Is a Good Offense!
There are a number of steps you can take to administer your security in the most effective manner possible. You can use the steps outlined here as a reference guide to implement the necessary safeguards to ensure that your wireless network is secure at all times.
As we have discussed in this chapter, there are multiple “layers” to your security solution. These layers often include physical security, access levels, and most important, the administrative types of security. The administrator is the “key” or cornerstone of your entire wireless network. If anyone is going to try to breach your network, the administrator will be the first line of defense in preventing your information and network infrastructure from being corrupted.
Protecting your network involves the adoption of good physical security. This entails preventing unauthorized users from any access. Adopting a personal identification system for every employee and contractor within your organization is important to achieving the control you need. That control also extends to the Web-based configuration for your access points. These devices are designed to be very easy to configure. Unfortunately, that ease of use can very easily translate into a security breach when someone comes into contact with the access point. A hacker can easily access a password-unprotected resource and alter the settings to allow unrestricted access into your intranet.
Sometimes the smallest and least thought of access control barrier is enough to buy you time to protect your company. For example, how good are your password rules? Do you have an alphanumeric password assigned to every member of your team before they acquire network access? Did you make certain there are no words from the dictionary in the password? This simple precaution would make you less vulnerable to a hacker using an automated “dictionary” attack, where every word from the dictionary is sent to your login prompt in order to gain access. Are your employees forced to change their password every few months to make certain that the information never becomes “stale” and therefore susceptible to discovery by a hacker? Do you have a rule that states that nobody is permitted to share a password with any other user, no matter what the reason?
The most common mistake administrators unfamiliar with wireless networks make is not turning on the inherent WEP encryption capabilities. Often, you will need more security than simple encryption, but I can’t stress enough how highly I recommend using the highest-available encryption, presently 128 bit. The NIC cards that support 128-bit encryption (on average) only cost about $10 more than the regular wireless NIC cards. This expense more than justifies itself by making it that much harder for a hacker to breach the security of your network.
One of the biggest security vulnerabilities is that most administrators fail to realize that access points enable an “open system” right out of the box! Most hackers just wait for people to enable an open system so that they can come along and directly connect to the network using DHCP, and no one is the wiser. Access point devices support ACLs that are configured to screen out any wireless NIC card whose unique MAC address has not been previously entered into its configuration access settings by the administrator. This very simple step does a world of good in preventing a hacker from roaming onto your network without your knowledge. This essential protection scheme must be employed as the most basic level of protection to ensure hackers don’t gain access to your mission-critical internal network resources.
Another step you can take is to change the default SSID for your wireless network and make certain you don’t allow just anyone to roam on your network or pick up your SSID just by eavesdropping when the network broadcasts this piece of information. Many network administrators feel they are secure as long as nobody knows their network SSID. Nothing could be further from the truth; this is the easiest way to hack into the network, because the SSID can be determined by a little social engineering or just by finding the field blank as it is in most wireless network cards.
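The access point settings discussed above (configuration password, WEP, open system, MAC ACL, SSID) can be checked in one pass. The following is an added example, not code from the original chapter; the settings dictionary, its key names and values, and the sample SSID list are assumptions, and a setting that is missing is treated as insecure.

```python
# Added example: audit access point settings against this chapter's checklist.
# The settings dictionary and its key names are hypothetical (assumptions).

# Sample of well-known factory SSIDs (not exhaustive; extend for your hardware).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear", "101"}


def audit_access_point(cfg):
    """Return a list of (setting, finding) tuples; an empty list means no findings."""
    findings = []

    # Web-based configuration must not be reachable without a password.
    if not cfg.get("admin_password_set", False):
        findings.append(("admin_password_set", "web configuration has no password"))

    # WEP must be turned on, at the highest available key size (128 bit).
    if not cfg.get("wep_enabled", False):
        findings.append(("wep_enabled", "WEP encryption is turned off"))
    elif cfg.get("wep_key_bits", 0) < 128:
        findings.append(("wep_key_bits", "WEP key is shorter than 128 bits"))

    # "Open system" is the out-of-the-box mode and admits any station.
    if cfg.get("auth_mode", "open") == "open":
        findings.append(("auth_mode", "open system authentication is enabled"))

    # The MAC ACL must be on and must actually list the permitted NICs.
    if not cfg.get("mac_acl_enabled", False) or not cfg.get("mac_acl", []):
        findings.append(("mac_acl", "no MAC address ACL restricts which NICs may join"))

    # SSID: not the factory default, and not broadcast to eavesdroppers.
    ssid = cfg.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append(("ssid", "SSID is blank or a factory default"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("ssid_broadcast", "SSID is broadcast"))

    return findings

# Constructed sample inputs: a factory-fresh unit and a hardened one.
OUT_OF_BOX = {"ssid": "linksys", "ssid_broadcast": True, "auth_mode": "open",
              "wep_enabled": False, "mac_acl_enabled": False, "mac_acl": [],
              "admin_password_set": False}
HARDENED = {"ssid": "corp-7f3a", "ssid_broadcast": False, "auth_mode": "shared",
            "wep_enabled": True, "wep_key_bits": 128, "mac_acl_enabled": True,
            "mac_acl": ["00:11:22:33:44:55"], "admin_password_set": True}

if __name__ == "__main__":
    for setting, finding in audit_access_point(OUT_OF_BOX):
        print(f"[{setting}] {finding}")
```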
The most important test is to have a security team come in and perform a study of your network in an attempt to determine items such as the best placement of your access points, and to identify if your signals are vulnerable to attack from a hacker trying to roam onto your network, eavesdrop, or simply disrupt the wireless transmission by making your entire WLAN useless to any user (similar to a DoS attack). Personal firewalls and VPN transmissions are a good way to make certain that when a connection does take place from the outside, it is at least structured to enter the protected internal network through the designated ports in the firewall; that transmission should also be encrypted using a VPN so that nobody can eavesdrop on your signal.
Firewalls are not only for the server, but for the wireless workstation too. Laptop computers, for example, have in many cases become as powerful as any server. These machines can easily be exploited by hackers attempting to turn the wireless laptop into a file server. Information from your internal network can be stolen just as easily from the laptop as it can from the mainframe itself. This is why inexpensive personal firewalls are always a good idea on both ends of your wireless connections.
Finally, you should at all times establish a wireless security policy. Make certain that when mobile workers travel, they password-protect all their access connections; sometimes a simple password can be required before the device is even allowed to boot up! Establish your access policy and make certain users follow it. Simple steps will help you make certain that you can effectively administer your WLAN so that you make it enormously difficult for hackers to penetrate your defenses. Although security is never 100 percent, forewarning of an attack, preventing gaping security holes, and ensuring that users follow a predefined policy and procedure before accessing mission-critical internal network resources are all that is needed to make certain that you can maintain security and justify the safe and secure deployment of a beneficial wireless network that will meet your information needs effectively and efficiently for many years to come.