| Develop an organizational security policy that addresses the use of wireless technology, including 802.11 | √ | | |
| Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology | √ | | |
| Perform a risk assessment to understand the value of the assets in the organization that need protection | √ | | |
| Ensure that the client NIC and AP support firmware upgrade so that security patches may be deployed as they become available (before purchase) | √ | | |
| Perform comprehensive security assessments at regular intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture | √ | | |
| Ensure that external boundary protection is in place around the perimeter of the building or buildings of the organization | √ | | |
| Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers) | √ | | |
| Complete a site survey to measure and establish AP coverage for the organization | √ | | |
| Take a complete inventory of all APs and 802.11 wireless devices | √ | | |
| Empirically test AP range boundaries to determine the precise extent of the wireless coverage | √ | | |
| Ensure that AP channels are at least five channels different from any other nearby wireless networks to prevent interference | √ | | |
| Locate APs on the interior of buildings versus near exterior walls and windows | √ | | |
| Make sure that APs are turned off during all hours when they are not used | √ | | |
| Make sure the reset function on APs is being used only when needed and is only invoked by an authorized group of people | √ | | |
| Restore the APs to the latest security settings when the reset functions are used | √ | | |
| Change the default SSID in the APs | √ | | |
| Disable the "broadcast SSID" feature so that the client SSID must match that of the AP | √ | | |
| Validate that the SSID character string does not reflect the organization's name (division, department, street, etc.) or products | √ | | |
| Understand and make sure that all default parameters are changed | √ | | |
| Disable the broadcast beacon of the APs | | √ | |
| Disable all insecure and nonessential management protocols on the APs | √ | | |
| Enable all security features of the WLAN product, including the cryptographic authentication and WEP privacy feature | √ | | |
| Ensure that encryption key sizes are at least 128 bits or as large as possible | √ | | |
| Make sure that default shared keys are periodically replaced by more secure unique keys | √ | | |
| Install a properly configured firewall between the wired infrastructure and the wireless network (AP or hub to APs) | √ | | |
| Install antivirus software on all wireless clients | | √ | |
| Install personal firewall software on all wireless clients | | √ | |
| Deploy MAC access control lists | | √ | |
| Consider installation of Layer 2 switches in lieu of hubs for AP connectivity | | √ | |
| Deploy IPsec-based Virtual Private Network (VPN) technology for wireless communications | | √ | |
| Ensure that encryption being used is as strong as possible given the sensitivity of the data on the network and the processor speeds of the computers | | √ | |
| Fully test and deploy software patches and upgrades on a regular basis | √ | | |
| Ensure that all APs have strong administrative passwords | √ | | |
| Ensure that all passwords are being changed regularly | √ | | |
| Deploy user authentication such as biometrics, SmartCards, two-factor authentication, or PKI | | √ | |
| Ensure that the "ad hoc mode" for 802.11 has been disabled unless the environment is such that the risk is tolerable | √ | | |
| Use static IP addressing on the network | | √ | |
| Disable DHCP | | √ | |
| Enable user authentication mechanisms for the management interfaces of the AP | √ | | |
| Ensure that management traffic destined for APs is on a dedicated wired subnet | | √ | |
| Make sure adequately robust community strings are used for SNMP management traffic on the APs | √ | | |
| Configure SNMP settings on APs for least privilege (i.e., read only). Disable SNMP if it is not used | √ | | |
| Enhance AP management traffic security by using SNMPv3 or equivalent cryptographically protected protocol | | √ | |
| Use a local serial port interface for AP configuration to minimize the exposure of sensitive management | | √ | |
| Consider other forms of authentication for the wireless network, such as RADIUS and Kerberos | | √ | |
| Deploy intrusion detection sensors on the wireless part of the network to detect suspicious behavior or unauthorized access and activity | | √ | |
| Deploy an 802.11 security product that offers other security features, such as enhanced cryptographic protection or user authorization features | | √ | |
| Fully understand the impacts of deploying any security feature or product before deployment | √ | | |
| Designate an individual to track the progress of 802.11 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology. | | √ | |
| Wait until future releases of 802.11 WLAN technology that incorporate fixes to the security features or enhanced security features | | √ | |
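
Several of the AP configuration items above (default SSID, SSID naming, broadcast SSID, five-channel separation, 128-bit keys, ad hoc mode, SNMP community strings and read-only access) can be checked mechanically against the AP inventory. The following is an added example, not part of the original checklist; the record fields, the short lists of default values, and the sample inventory are all constructed assumptions.

```python
# Added example: audit AP inventory records against checklist items above.
# Illustrative vendor defaults only; extend from your own inventory.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_ap(ap, org_terms, neighbor_channels):
    """Return the list of checklist findings for one AP record (a dict)."""
    findings = []
    ssid = ap["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("default SSID not changed")
    if any(term.lower() in ssid for term in org_terms):
        findings.append("SSID reflects organization name or products")
    if ap["broadcast_ssid"]:
        findings.append("broadcast SSID enabled")
    # Channels must differ by at least five from nearby wireless networks.
    close = sorted(c for c in neighbor_channels if abs(c - ap["channel"]) < 5)
    if close:
        findings.append(f"channel {ap['channel']} within five of nearby {close}")
    if ap["key_bits"] < 128:
        findings.append("encryption key shorter than 128 bits")
    if ap["adhoc"]:
        findings.append("ad hoc mode enabled")
    snmp = ap.get("snmp")  # None means SNMP is disabled on this AP
    if snmp:
        if snmp["community"].lower() in DEFAULT_COMMUNITIES:
            findings.append("default SNMP community string")
        if snmp["access"] != "ro":
            findings.append("SNMP not read-only")
    return findings

def audit_inventory(inventory, org_terms, neighbor_channels):
    """Map each AP name to its findings; an empty list means no issues found."""
    return {ap["name"]: audit_ap(ap, org_terms, neighbor_channels)
            for ap in inventory}

# Constructed sample inventory (hypothetical APs and values).
INVENTORY = [
    {"name": "ap-lobby", "ssid": "AcmeCorp-Sales", "broadcast_ssid": True,
     "channel": 3, "key_bits": 40, "adhoc": False,
     "snmp": {"community": "public", "access": "rw"}},
    {"name": "ap-lab", "ssid": "wl7q2x", "broadcast_ssid": False,
     "channel": 11, "key_bits": 128, "adhoc": False, "snmp": None},
]

if __name__ == "__main__":
    # Nearby networks seen in the site survey on channels 1 and 6 (constructed).
    for name, found in audit_inventory(INVENTORY, ["acme"], [1, 6]).items():
        print(name, found or "OK")
```
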