Introduction To Wireless Administration Tutorials

Best Practices - Wireless Security





Subtitles of the Movie

Now, finally, we're going to talk about best practices. Let's talk about the best practices concerning security. Security is a very important part of our wireless network strategy. You want to make sure that you design and install your wireless networks with security in mind from the ground up. Don't start the design process or even the installation process and in the middle of it think, well, we probably need to start talking about security. At that point it's too late, because at that point you've already made the plans, you've already decided how your wireless clients are going to talk to the access point, so you already should have decided, for example, what kind of encryption layer you're using. So you've got to start this from scratch, from the ground up, when you talk about security. Make sure you configure every single link in the chain securely: your clients, your access points and any other infrastructure devices you have. Don't think that just because the wireless access point is secure the clients can be any less secure. The weakest link in a chain can often destroy that chain. So make sure every bit along the way is configured as securely as you can get it. Use the strongest encryption level that your infrastructure can support. If all you can support is WEP, well, then use WEP and make sure there are other security measures in place as well. But if you can get away with it, use WPA or WPA2 and use 802.1X authentication mechanisms. Develop your security policies. I can't stress this enough as well, because you need to define what's allowed and what's not allowed on the network. For example, where employees can surf, what they can connect to, policies on connecting rogue access points or home devices such as home laptops and PDAs and so on.
You need to develop these policies because you can't enforce what you haven't defined, and there have actually been legal cases where companies have tried to enforce policies and punish employees, but those policies were never defined in writing, so many times those companies can get sued for unlawful termination and things of that nature. So you want to define all your security stuff up front. Make sure you inventory all your allowable devices and record the MAC addresses. We pretty much covered that already, but you want to also check those devices from time to time and make sure those are the only ones that are connecting to your wireless network. Limit your access point administration to only a select few administrators that know what they're doing. Don't just let anyone administer that access point, because they may inadvertently set a configuration option on the access point that may lower your security level. Change the SSID to something obscure. And we've said this before. It's of limited effectiveness in terms of security, but it's something. It adds to the defense-in-depth posture. It's another layer. Change it to something obscure. Don't change it to your company name or anything like that. You know, change it to 708147B2 or something like that so it'll make it difficult. It won't be impossible, it'll be difficult for someone to identify that wireless network with your company. Definitely don't broadcast the SSID. You don't have to broadcast it. Turn the broadcast off and then you'll just have to configure your wireless clients manually to get to that particular SSID. Set up MAC address filtering. We've talked about this already, but only allow authorized hardware addresses. Whenever you start seeing hardware addresses that are not on your list, that's when you've got a problem and you need to start checking on that and find out who's tapping into your wireless network.
Keep in mind, MAC addresses can be spoofed, and there are ways to check that as well. As we've said before as well, use the built-in firewall features that come with a lot of your wireless access points, but don't rely solely on those. Use those in conjunction with other security devices such as perimeter firewalls and border routers and so on. Use NAT in the private IP address space. This protects your clients from someone mapping out your internal network. Use a different DHCP scope than the default one that comes with the router's initial setup. You know, you'll find a lot of them come with 192.168.1.1 and a DHCP scope of 100.1. You need to set that to something else, because based upon how the IP addresses are handed out, someone could guess what kind of wireless access point you're using and then take measures that are aimed at that particular kind of access point. Change the router's default password to something complex, not just 1 2 3 4. Change it to a complex password that meets your other password requirements as well. As I mentioned before, in the more complex networks and where you need more security, use the 802.1X authentication mechanisms: EAP, LEAP, PEAP and so forth, whenever you can. Your clients are going to have to support it and your infrastructure devices are going to have to support it. Make sure you use them whenever possible. You also may need to use additional methods such as IPSEC or SSH from your clients and servers whenever necessary, in addition to the built-in WPA, WPA2 protections. This is intended to add an extra layer of security just in case someone does break your encryption schemes and you're carrying sensitive data. Additional things you can do: require authentication methods to network resources.
Don't just rely on authenticating to the wired network from the wireless network, because anyone could steal your laptop and they would have your wireless configuration on there and they could authenticate to the wireless network and, in turn, to the wired network. So you want some additional authentication methods. If you're authenticating to a wired network that has a Windows domain, you know, enforce domain authentication. Smartcards can be used in addition to some of the other measures we've talked about. Make sure permissions are set on network resources so that only certain people can access them. Another thing you want to do is only allow certain protocols to pass through your wireless network, especially back and forth between the wireless and wired networks. Block certain protocols if they are not needed. Telnet and FTP are examples of insecure protocols that have a lot of vulnerabilities, and if you're going to administer your network, try to administer it remotely over HTTPS, SSL, or even better, SSH. And finally, update the firmware on all your devices, your wireless access points, to ensure that you have the latest security updates and other patches applied to those devices. We've taken a look at the best practices of wireless security and other areas of wireless network administration. Use these and collect your own along the way, and they'll help you make sure that your wireless network is both secure and provides the services that your clients need.
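The lesson recommends inventorying authorized devices, recording their MAC addresses, and periodically checking that only those devices are connecting, while remembering that MAC addresses can be spoofed. The following Python script is an added example, not part of the VTC course or any vendor's tooling, of how an administrator might run that periodic check. It assumes a constructed inventory (MAC address to device name) and a constructed client snapshot in a simple "ip mac" line format; the addresses, device names and format are all made up for illustration and are not the output of any real access point.

```python
"""Audit a snapshot of connected wireless clients against the device inventory.

Added example illustrating the lesson's "inventory, record MACs, and re-check
periodically" advice.  All addresses, names and the snapshot format below are
constructed for illustration (assumptions, not data from the course).
"""
import re
from collections import defaultdict

# Constructed inventory of authorized devices: MAC address -> asset name.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "laptop-finance-01",
    "00:11:22:33:44:02": "laptop-sales-07",
    "00:11:22:33:44:03": "printer-floor2",
}

# Constructed snapshot of currently associated clients, one "<ip> <mac>" per line,
# as an administrator might export from an access point's client table.
# Lines starting with '#' are comments.
OBSERVED_CLIENTS = """\
10.27.5.10 00:11:22:33:44:01
10.27.5.11 00-11-22-33-44-02
# the next line reuses an inventoried MAC from a second IP at the same time
10.27.5.12 0011.2233.4402
# the next line is a hardware address that is not in the inventory at all
10.27.5.40 de:ad:be:ef:00:99
"""


def normalize_mac(mac):
    """Return a MAC as lower-case colon form, accepting ':', '-' and Cisco dotted
    styles.  Returns None when the value does not contain 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_clients(text):
    """Parse the snapshot into a list of (ip, normalized_mac) pairs.
    Malformed lines raise ValueError so a bad export is not silently ignored."""
    clients = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <mac>', got {raw!r}")
        mac = normalize_mac(parts[1])
        if mac is None:
            raise ValueError(f"line {lineno}: invalid MAC {parts[1]!r}")
        clients.append((parts[0], mac))
    return clients


def audit(clients, authorized):
    """Compare observed clients with the inventory.

    Returns a dict with two finding lists:
      unknown       - (ip, mac) pairs whose MAC is not inventoried
      duplicate_mac - (mac, [ips]) where one MAC is seen from several IPs at once,
                      a common symptom of an address being cloned (spoofed).
    The duplicate check is a heuristic, not proof: MAC filtering alone cannot
    stop a spoofed address, which is why the lesson layers other controls on top.
    """
    findings = {"unknown": [], "duplicate_mac": []}
    ips_by_mac = defaultdict(set)
    for ip, mac in clients:
        ips_by_mac[mac].add(ip)
        if mac not in authorized:
            findings["unknown"].append((ip, mac))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings["duplicate_mac"].append((mac, sorted(ips)))
    return findings


def report(findings, authorized):
    """Human-readable summary of the audit for the administrator."""
    lines = []
    for ip, mac in findings["unknown"]:
        lines.append(f"UNKNOWN DEVICE  {mac} at {ip} (not in inventory)")
    for mac, ips in findings["duplicate_mac"]:
        name = authorized.get(mac, "<not inventoried>")
        lines.append(f"DUPLICATE MAC   {mac} ({name}) seen from {', '.join(ips)}")
    return "\n".join(lines) if lines else "OK: every client matches the inventory"


if __name__ == "__main__":
    print(report(audit(parse_clients(OBSERVED_CLIENTS), AUTHORIZED_DEVICES),
                 AUTHORIZED_DEVICES))
```

Run periodically (for instance from cron) against a fresh export, and feed the "unknown" findings into whatever process the security policy defines for investigating unauthorized connections; the "duplicate" findings are the trigger for the spoofing check the lesson mentions.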

Tutorial Information

Course: Introduction To Wireless Administration
Author: Bobby Rogers
SKU: 33800
ISBN: 1-934743-11-9
Release Date: 2007-09-26
Duration: 4.5 hrs / 77 lessons
Captions: For Online University members only
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
