The following excerpt is from Chapter 4 of the free e-book "The Tips and Tricks Guide to Securing Windows Server 2003" by Roberta Bragg, available from Realtimepublishers.com as part of a series of book excerpts.
Standard security options
Most commercially available wireless access points (WAPs) offer five purported security mechanisms. The following bullet points briefly discuss each one.
- Encryption -- Wired Equivalent Privacy (WEP) can be switched on and will be used to encrypt data transmitted across the wireless LAN. The implementation has been demonstrated to be weak: WEP drives RC4 with a 24-bit per-packet initialization vector, so keystreams repeat on a busy network and the key itself can be recovered from captured traffic. It is nevertheless useful for thwarting casual eavesdropping and many opportunistic penetration attempts; a determined attacker will persevere. I recommend turning on encryption, and where the hardware supports WPA or a later standard (WPA2, WPA3), using that rather than WEP.
- SSID -- The SSID is merely an identification mechanism, not a security device. Many access points broadcast the SSID, and many wireless client applications automatically detect the SSIDs of all nearby networks. Even where the SSID is not broadcast, keeping it secret is next to impossible. You can, however, change it from the default. Most WAPs ship with a default SSID; these defaults are well known, and attackers will try them first.
- Turn off broadcast -- Broadcasting the availability and SSID of a WAP is helpful to network users. Unfortunately, it is also helpful to intruders. Preconfigure authorized systems to use authorized access points and turn off broadcasting. Yes, security through obscurity is not particularly good security, and anyone running a wireless sniffer will still see the SSID in the probe and association frames that clients send when they connect, but it does keep the network out of the casual scan lists.
- Use MAC addresses for authentication -- By limiting access to approved MAC addresses, you prevent most unauthorized computers from connecting. Take note, however: because authentication is based on the network card's address, possession of the computer or the card provides access. In addition, MAC addresses are sent in the clear in every frame and can be spoofed by anyone who has observed an approved one, so this control isn't foolproof.
- Insist on direct connection for administration -- Allowing administration of the access point over the wireless interface exposes its security configuration to anyone within radio range. By configuring the device to require a physical connection, you limit this exposure. Some devices can require a direct serial connection; others require an Ethernet cable plugged directly into the box.
Although these security mechanisms have their shortcomings, they at least provide some measure of security.
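The WEP weakness referred to in the first bullet can be shown concretely. The following Python is an added example, not code from the book: it implements WEP's RC4 framing (the shared key, IVs and frame bodies are constructed for illustration) and shows that two frames sent under the same 24-bit IV share an RC4 keystream, so one frame with predictable contents lets an eavesdropper read the other without ever learning the shared key. The CRC-32 integrity value offers no help because it is encrypted with the same keystream.

```python
"""Added example (not from the book): why WEP stops only casual eavesdropping.

WEP seeds RC4 with a 24-bit IV (sent in the clear) followed by the shared key.
Two frames encrypted under the same IV share a keystream, so a frame with
predictable contents reveals the keystream and decrypts any other frame (of
equal or shorter length) sent under that IV. Keys, IVs and frame bodies are
constructed for illustration.
"""
import math
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return the first `length` RC4 keystream bytes for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32, with no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (plaintext || ICV) XOR RC4(IV || shared key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-frame key from IV || shared key."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + shared_key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Eavesdropper: ciphertext XOR (known plaintext || its CRC) = keystream.
    No key is needed; the IV is read straight off the frame."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> tuple:
    """Eavesdropper: apply a keystream recovered from another frame that used
    the same IV. Returns (plaintext, icv_ok). Only frames no longer than the
    one the keystream came from can be fully decrypted."""
    ct = frame[3:]
    if len(keystream) < len(ct):
        raise ValueError("recovered keystream is shorter than this frame")
    body = xor(ct, keystream)
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, tag == icv(plaintext)


def iv_collision_frames(probability: float = 0.5) -> int:
    """Birthday estimate of how many frames it takes before some IV repeats
    with the given probability, if IVs are drawn at random from 2**24."""
    return round(math.sqrt(2 * 2**24 * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    shared_key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                          # the IV that gets reused
    known = b"GET /index.html HTTP/1.0\r\n"       # predictable frame contents
    secret = b"Authorization: hunter2"            # what the attacker wants

    f1 = wep_encrypt(shared_key, iv, known)
    f2 = wep_encrypt(shared_key, iv, secret)
    ks = recover_keystream(f1, known)             # shared key never used
    print(decrypt_with_keystream(f2, ks))         # (b'Authorization: hunter2', True)
    print(iv_collision_frames())                  # 4823
```

The birthday figure is the point: with only 2**24 IVs, a few thousand frames are enough for a repeat to be likely even with random IVs, and many real cards simply count up from zero, so repeats come sooner. Published attacks on WEP go further and recover the shared key itself, which is why the book's advice to turn encryption on should be read as a minimum, with WPA2 or WPA3 used wherever the hardware permits.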
The next excerpt in this series: Standard security options plus firewalling.