A.26. Securing the Wireless Environment

Wireless networking is a hot feature of many networks. Unfortunately, too many organizations rushed in and deployed wireless networks without realizing the security implications. Wireless networking as defined in IEEE 802.11 does not actually provide realistic security, despite its claims. 802.11 defines a form of authentication and data encryption named Wired Equivalent Privacy (WEP). WEP never did, and wireless in general never will, provide the same level of privacy (aka security) as a wire. A wire can be run inside an insulating and difficult-to-penetrate conduit, making eavesdropping, hijacking, and even interruption nearly impossible. Wireless networking is actually radio wave networking. It will always be possible to capture, hijack, and interrupt radio waves. As new communication encryption protocols are deployed over wireless networks, it becomes harder to extract the transmitted data or use a wireless connection without authorization, but capturing packets and jamming the signal become no harder.

The wireless network is not and never will be secure. Use wireless only when absolutely necessary or when attempting to attract customers. But even customers probably won't have to access your secured private company LAN. If you must deploy a wireless network, the following tips will improve its security:

  • Change the default SSID.

  • Disable SSID broadcasts.

  • Disable DHCP or use reservations.

  • Use MAC filtering.

  • Use IP filtering.

  • Use the strongest security available on the wireless access point: WEP, Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and so on.

  • Change the static security keys on a two- to four-week basis.

  • When new wireless protection schemes become available (and reasonably priced), consider migrating to them.

  • Limit the user accounts that can use wireless connectivity.

  • Use a preauthentication system, such as RADIUS.

  • Use remote access filters against client type, protocols used, time, date, user account, content, and so forth.

  • Use IPSec tunnels over the wireless links.

  • Turn down the signal strength to the minimum needed to support connectivity.

  • Seriously consider removing wireless from your LAN.
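Several of these tips can be checked mechanically. The following is an added example, not part of the original text: it audits an access point configuration against five items from the list. It assumes the access point is configured through a hostapd-style `key=value` file; the sample configuration and the `DEFAULT_SSIDS` list are constructed for illustration.

```python
# Audit a hostapd-style access point config against the checklist above.
# Assumptions: hostapd key=value format; SAMPLE_CONF and DEFAULT_SSIDS are constructed.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link"}

SAMPLE_CONF = """\
# constructed sample, not taken from a real device
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=0
macaddr_acl=0
wep_default_key=0
wep_key0=0123456789
"""

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return the checklist items this configuration fails, in list order."""
    findings = []
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID in use")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled")
    if conf.get("macaddr_acl", "0") == "0":   # 0 = accept any MAC not on a deny list
        findings.append("no MAC filtering")
    wpa = int(conf.get("wpa", "0"))           # bit 0 = WPA, bit 1 = WPA2
    if wpa == 0:
        has_wep = any(k.startswith("wep_key") for k in conf)
        findings.append("WEP configured" if has_wep else "no link encryption")
    elif not wpa & 2:
        findings.append("WPA only, WPA2 not enabled")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("no RADIUS (802.1X) authentication")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("FAIL:", finding)
```

Items such as key rotation, signal strength, and IPSec tunnels depend on procedure or on other devices and are not visible in this file, so they still need a manual review.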

Wireless discussions sometimes include mobile devices, which are not 802.11 wireless networking devices themselves but instead are specialized services providing limited Internet connectivity to cell phones, PDAs, and pocket PCs. These devices often use WAP or an equivalent communication protocol suite. Unfortunately, providers are required by the Communications Assistance for Law Enforcement Act of 1994 (CALEA) to make wiretaps possible on all forms of communications offered regardless of the technologies employed (requiring a search warrant for actual use, of course)—lovingly referred to as "the gap in WAP." Therefore, if you want security over a wireless mobile device, your handheld device and the server you ultimately communicate with must have their own encryption scheme rather than relying on that provided by the provider's service.

You should be aware that malicious entities could be actively seeking to eavesdrop on all of your communications. In addition to personally imposed encryption for handheld devices, be careful of what is actually discussed or communicated over your mobile devices. Even if someone can't grab the information while in transit, it is possible they can look over your shoulder at your screen or be within earshot of your voice. There are many ways to collect data; in order to be secure, you need to be aware of all of them and provide protection against all of them.
