Making your Wireless Network Secure

There’s a lot you can do to secure your wireless LAN. Most of these tips apply to 802.11b-based LANs, since they’re the most widely used, but several are simply good network security practice and help no matter how you build your LAN. Keep in mind that none of them is sufficient on its own: each raises the bar, and together they make an intruder work for access rather than walk in.

  1. Do not use TCP/IP for File and Printer sharing!
    Access Points are usually installed on your LAN, behind any router or firewall you may be using. If someone successfully connects to your Access Point, they’re on your LAN, just like any of your other clients. Since they will be speaking TCP/IP, you can keep them away from Microsoft File and Printer sharing by binding those services to a different protocol (NetBEUI or IPX/SPX on older Windows systems) and unbinding them from TCP/IP. The intruder may then get to use your Internet connection, but not your shares. Treat this as a speed bump rather than a wall: an intruder who notices the trick can install the same protocol on their own machine, so combine it with the file-sharing practices in the next tip.
  2. Follow secure file-sharing practices
    • Share only the folders you need, not an entire hard drive.
    • Password-protect everything that is shared, and use a strong password (long, not a dictionary word, and different from your other passwords).
  3. Enable WEP Encryption
    Enable WEP encryption and use a non-obvious key. Look for and use products that support “128-bit” WEP (in practice a 104-bit key plus a 24-bit IV that is sent in the clear). Be aware that WEP has known cryptanalytic weaknesses: the key can be recovered from enough captured traffic, and the short IV guarantees keystream reuse on a busy network. Treat it as the minimum for hardware that offers nothing better, and prefer WPA2 or WPA3 wherever your equipment supports them.
  4. Prefer “Open System” over “Shared Key” authentication
    Some products let you set the Authentication method separately to “Shared Key” or “Open System”. Counter-intuitively, “Open System” with WEP enabled is the safer choice. In Shared Key mode the Access Point sends a plaintext challenge and the client returns it WEP-encrypted; an eavesdropper who sees both frames can XOR them to recover the RC4 keystream for that IV, and can then answer a later challenge correctly without ever knowing the key. With Open System, a client that lacks the key can associate but cannot exchange any usable data, so nothing is gained by the extra handshake and nothing is leaked.

  5. Use non-obvious WEP keys and change them periodically
    The limitations of some wireless client utilities (hexadecimal-only input, a single key slot, keys that are forgotten on reboot, etc.) don’t help, but don’t make it easy for snoops to get onto your LAN with keys like 123456, all ones, or a key derived from your network’s name. Generate the key from a random source and enter it in hex. Changing keys periodically is harder, because the new key has to be distributed to every user and that distribution is itself a security problem, but it limits how long a recovered key stays useful, so put a procedure in place to do it.
  6. Secure your wireless router / Access Point
    Your router or Access Point should require a password to reach its administrative interface. Change the factory default password before the device goes live; default credentials for most products are published and are the first thing an intruder tries.

  7. Disallow router / Access Point administration via wireless
    This feature is usually only present in “Enterprise-grade” Access Points. It shuts off the ability to administer the Access Point from wireless clients, so that someone who gets onto the radio side still cannot reconfigure the device. If your router / Access Point has it, use it!
  8. Use MAC address based Access and Association control
    Previously available only on “Enterprise-grade” products, many routers and Access Points are being upgraded with the ability to control which clients may associate. MAC addresses are tied to physical network adapters, so this requires a little coordination and may inconvenience LAN users. MAC addresses can also be “spoofed” (copied): an attacker who sniffs the address of an authorized client can simply set it on their own adapter, so this is not a guarantee of security. It does add another hurdle for intruders to clear. If your product lacks the feature, check your manufacturer’s Web site for a firmware upgrade.
  9. Do not broadcast the ESSID *
    ORiNOCO and Apple call the ability to stop their products from broadcasting the network ESSID in beacons the “closed network” feature. Other manufacturers are adding this ability, so check your manufacturer’s Web site for a firmware upgrade. The feature doesn’t have a consistent name, so check your product’s documentation. Note that this only defeats casual scanning: the ESSID still appears in the clear in probe responses and in every client’s association request, so anyone sniffing while a legitimate client connects will learn it.
  10. Do not accept the “ANY” ESSID *
    ORiNOCO and Apple’s “closed network” feature also refuses connections from clients configured with the wildcard “ANY” ESSID, which otherwise lets a client attach to whatever network it happens to hear. Other manufacturers’ products can also reject “ANY” clients, but you will need to check your product’s documentation, since there is no consistent name for the feature.
  11. Use a VPN
    If you really don’t want to take chances with your data, run a VPN tunnel over your wireless connection as well, and treat the wireless segment as untrusted, the same way you would the Internet. You may take a throughput hit, but isn’t your data’s security worth it?
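The weakness behind tip 4 is easy to see in code. The following is an added example, not code from the original article or from any vendor: it simulates the 802.11 Shared Key handshake (cleartext challenge, WEP-encrypted response) and shows that a passive listener who captures one exchange can later pass authentication without knowing the WEP key. The 13-byte key is a constructed value, and the encrypted payload is simplified to the 128-byte challenge text; real frames carry a few extra fixed header bytes, which are just as predictable.

```python
"""Why WEP 'Shared Key' authentication leaks the RC4 keystream.

Added example, not from the original article. It models the Shared Key
handshake (challenge -> WEP-encrypted response) and shows that an
eavesdropper who sees one exchange can authenticate later without ever
learning the WEP key. Simplification (assumption): only the 128-byte
challenge text is treated as the encrypted payload.
"""
import os
import struct
import zlib

# Constructed 104-bit ("128-bit WEP") key; the eavesdropper never sees it.
WEP_KEY = bytes.fromhex("0b5e2f9a1c3d7e8f91a2b3c4d5")


def rc4(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: RC4(IV || key) XOR (plaintext || ICV). The IV travels in clear."""
    body = plaintext + icv(plaintext)
    return xor(body, rc4(iv + key, len(body)))


def ap_accepts(key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """Access Point side: decrypt, verify the ICV, compare to the challenge."""
    body = xor(response, rc4(iv + key, len(response)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext == challenge and tag == icv(plaintext)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Eavesdropper: known plaintext (challenge || ICV) XOR ciphertext."""
    return xor(challenge + icv(challenge), response)


def forge_response(keystream: bytes, new_challenge: bytes) -> bytes:
    """Eavesdropper: encrypt a fresh challenge with the captured keystream."""
    return xor(new_challenge + icv(new_challenge), keystream)


def shared_key_auth_demo() -> dict:
    """A legitimate client authenticates; the eavesdropper then does too."""
    iv = os.urandom(3)
    challenge_1 = os.urandom(128)
    response_1 = wep_encrypt(WEP_KEY, iv, challenge_1)  # both frames are over the air
    legit_ok = ap_accepts(WEP_KEY, iv, challenge_1, response_1)

    # The eavesdropper saw iv, challenge_1 and response_1, and nothing else.
    keystream = recover_keystream(challenge_1, response_1)

    challenge_2 = os.urandom(128)  # AP now challenges the eavesdropper
    forged = forge_response(keystream, challenge_2)
    forged_ok = ap_accepts(WEP_KEY, iv, challenge_2, forged)  # reuses the same IV

    # Without the keystream a random answer fails: plaintext and ICV are both wrong.
    guess_ok = ap_accepts(WEP_KEY, iv, challenge_2, os.urandom(132))
    return {"legit_ok": legit_ok, "forged_ok": forged_ok, "guess_ok": guess_ok}


if __name__ == "__main__":
    print(shared_key_auth_demo())
```

The forged response works because the AP accepts any IV the client offers, so the 132 bytes of keystream recovered from one handshake can be replayed indefinitely. The same captured keystream also lets the listener inject one data frame of up to 128 bytes under that IV, which is why Open System authentication, which exposes no known plaintext, is the better setting even though it sounds weaker.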

* ESSID: “Extended Service Set ID.” The ESSID (usually just “SSID”) is the identifying name of a wireless network. It names the network as a whole, not a single box: several Access Points can share one ESSID, and each individual Access Point is identified separately by its BSSID, which is the MAC address of its radio.