With the proliferation of inexpensive wireless technology, trying to maintain security has become an interesting challenge for most network administrators. The most serious challenges in securing wireless networks come from two areas:
- Bandwidth hijacking -- Either unintentionally or maliciously, anyone with a wireless laptop or other WiFi device can tap into your bandwidth without so much as sending you a thank-you note for the free Internet access. Even more disturbing is that such a hijacker could gain access to your internal network resources through an unsecured WAP.
- Data encryption -- At present, there aren't many viable options for wireless encryption. The Wired Equivalent Privacy (WEP) protocol, previously the standard for wireless encryption, has been "broken" and is only really useful as a means of thwarting casual eavesdropping on a wireless connection, not to prevent the actions of a determined attacker.
Depending on the size of your network, there are still several measures that you can take to protect your wireless implementation. For a home installation or a SoHo network without a server or Active Directory installation, you should take the following steps to secure your wireless access points:
- Change the administrative password on your wireless routers. Each manufacturer ships their routers with a default password for easy initial access. These passwords are easy to find on vendor support sites, and should therefore be changed immediately.
- Change the default SSID name and turn off SSID broadcasting. This will require your wireless clients to manually enter the name of your SSID before they can connect to your network, greatly minimizing the damage from the casual user whose laptop is configured to connect to any available SSID broadcast it finds. You should also change the SSID name from the factory default, since these are just as well-known as the default passwords.
- Disabling DHCP. For a SoHo network with only a few nodes, consider disabling DHCP on your router and assigning IP addresses to your clients manually. On newer wireless routers, you can even restrict access to the router to specific MAC addresses.
If you have an Active Directory infrastructure already in place, you have a much better option available for securing your wireless networks. Using the Windows Server 2003 PKI service and RADIUS for authentication, you can implement 802.1x certificate-based security for your clients. The Security Guidance section of the Microsoft Web site offers step-by-step instructions to configure this.
Laura E. Hunter is a Microsoft MVP and SearchWindowsSecurity.com site expert.