Slashdot Mirror


Risk Management of Wireless Networks

An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.

9 of 109 comments

  1. Re:Pringles Can? by frankmanowar · · Score: 5, Informative

    It seems you can make a wireless antenna out of a Pringles can.

    --

    "Other bands play, but Manowar KILLS"
  2. The key to it all is education. by James A. C. Joyce · · Score: 4, Informative

    I think that the problem is that there are a lot of people who are hearing of the WiFi craze, hearing that it is a good idea, and then setting up these ad hoc networks. The problem is, they often don't bother to read up about the potential security risks of misconfiguration and so if (when?) they mess up, there's a wide open hole right there.

    (And no, "wide open hole" isn't a goatse link :-))

    --

    Slashdot: when news breaks, we give you the pieces.
  3. SSIDs and WEP by USAPatriot · · Score: 5, Informative
    Ars Technica has a good summary of what you can do with SSIDs and WEP to improve your wireless network's security:

    Security Practicum: Essential Home Wireless Security Practices

    --

    Slashdot Moderation: From positive to terrible in 2 "insightful" posts.

    1. Re:SSIDs and WEP by Glonoinha · · Score: 3, Informative

      Locking the connections to specific MAC addresses is about your strongest link if protection from unknown outsiders is your concern. WEP128 is nice, the SSID thing is spiffy but if the WAP is rejecting connections from anybody not on the MAC white-list, unless someone is on the inside of your organization and can get his hands on that list I would say that you are going to be pretty tight.

      Remember - you don't have to be uncrackable, you just have to be harder to crack than the other guy. My WAP has 64bit WEP and that's it - but in my hood there are 4 WAPs, two of which are totally open - it is easier for someone that wants to play to get into those systems than to get into mine.

      If security is a serious concern, consider installing (on a different channel) a nearby wireless access point with no encryption, with a SSID that seems to indicate that it is worth hacking into, on a lame box connected to the internet but not on your internal network. Keep your eyes on this box watching for intruders. I think the term is 'honeypot' but I am not overly fond of that term.

      --
      Glonoinha the MebiByte Slayer
  4. POP passwords are the biggest risk I see out there by Twid · · Score: 4, Informative

    I've had some fun sniffing the network around the office, around town, and at O'Reilly OSXCon, and I think the biggest security risk I see on wireless networks is plaintext POP passwords going out in the clear.

    It's amazing how many people who should know better are still using plain POP for grabbing their mail. Since most mail clients recheck for mail every few minutes, it's quite simple to grab passwords. Using those passwords, a hacker can then try the same password to enter the network, read the person's e-mail to do subsequent social engineering, or just fish around the person's e-mail for interesting information.

    The second thing I think most people don't realize is that on a standard wireless network all the HTTP URLs they are surfing to with a web browser are public. This may not be a security risk, but companies also may not want a hacker in the parking lot to know that a server named secretinternaldata.mycompany.com exists.

    I set up an SSH tunnel from my laptop to my squid proxy at home just for fun to see if I could fix the issue. It worked well, but of course it's not something the average end-user with a laptop on wireless could manage.

    Anyway, that's my .02.

    --
    - "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
  5. Re:Banks? by kalislashdot · · Score: 3, Informative

    I work at a bank and wireless networks are a no-no. We have none in our offices. People use them at home, including me, but we use VPN to remote in so it is all good.

  6. Reducing Risks of Wireless Networks by gellenburg · · Score: 5, Informative

    Disclaimer: I work in Information Security.

    • APs should be configured so as not to broadcast their SSID.
    • 128bit WEP keys should be chosen.
    • WEP keys should be changed as frequently as practical.
    • APs should be firewalled, and on their own DMZ.
    • If the AP supports it, consider MAC Address filtering by only allowing authorized MAC Addresses.
    • If the AP supports it, consider additional authentication such as RADIUS.

    But, by all means:

    • Please change the damned default SSID that was configured on your AP:
      • Linksys
      • Default
      • Netgear

    We now return you to your regularly scheduled programming.
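
The checklist in the comment above, written as an automated check over an AP's settings. This is an added example and not part of gellenburg's comment; the config dictionary keys, the 30-day key-age limit and the sample values are assumptions made for illustration.

```python
import re
from datetime import date

DEFAULT_SSIDS = {"linksys", "default", "netgear"}  # factory names listed above

def wep_key_bits(key):
    # Marketed size includes a 24-bit IV: "64-bit" WEP holds a 40-bit secret
    # (10 hex digits / 5 ASCII chars), "128-bit" a 104-bit secret (26 / 13).
    # Returns 64, 128, or None for a malformed key.
    if re.fullmatch(r"[0-9A-Fa-f]+", key) and len(key) in (10, 26):
        return 64 if len(key) == 10 else 128
    return {5: 64, 13: 128}.get(len(key))

def audit_ap(cfg, today, max_key_age_days=30):
    """Checklist findings for one AP config dict (hypothetical schema)."""
    # max_key_age_days is an assumed stand-in for "as frequently as practical".
    findings = []
    supports = cfg.get("supports", set())
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if cfg.get("broadcast_ssid", True):
        findings.append("ssid-broadcast-on")
    if wep_key_bits(cfg.get("wep_key", "")) != 128:
        findings.append("wep-not-128bit")
    changed = cfg.get("wep_key_changed")
    if changed is None or (today - changed).days > max_key_age_days:
        findings.append("wep-key-stale")
    if cfg.get("zone") != "dmz":
        findings.append("ap-not-in-dmz")
    # The last two items only apply "if the AP supports it".
    if "mac_filter" in supports and not cfg.get("allowed_macs"):
        findings.append("mac-filter-unused")
    if "radius" in supports and not cfg.get("radius_server"):
        findings.append("radius-unused")
    return findings

# Constructed sample configs, not taken from any real device.
LOBBY_AP = {"ssid": "Linksys", "broadcast_ssid": True, "wep_key": "0123456789",
            "wep_key_changed": date(2003, 1, 5), "zone": "lan",
            "supports": {"mac_filter"}, "allowed_macs": []}
OFFICE_AP = {"ssid": "bk-floor2", "broadcast_ssid": False,
             "wep_key": "0123456789abcdef0123456789",
             "wep_key_changed": date(2003, 10, 20), "zone": "dmz",
             "supports": {"mac_filter", "radius"},
             "allowed_macs": ["02:00:5e:10:00:01"],
             "radius_server": "radius.example"}
```

Calling `audit_ap(LOBBY_AP, today=date(2003, 11, 3))` returns six findings, while `OFFICE_AP` on the same date returns an empty list.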

  7. Re:Disable wireless ability of wireless router? by agwis · · Score: 3, Informative

    Yes, at least with the Linksys wireless routers you can.

    Call me paranoid but I normally disable wireless mode unless I know I or someone else in my family needs it.

    -Pat

  8. Re:Disable wireless ability of wireless router? by stuph · · Score: 2, Informative

    I'm generally a fan of MAC address restrictions.. when I lived in an apartment in Berkeley, if I was in the living room, I would be connected to my own wireless router, but in my bedroom I got someone else's.. Oh well, I just used their bandwidth instead, they had the better link to me, so their loss.. But when I would check the router's logs to see connected users, there were FAR too many people who weren't my roommates trying to connect.. poor them, no free access from me (at that time, I'm reconsidering my position on that as I get traffic shaping improved on my Linux box)

    --
    --Less Thinkin', More Drinkin'...
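
The router-log review described in the comment above, and the MAC allow-list from the earlier "SSIDs and WEP" reply, as a small log check. This is an added example and not part of either comment; the log line format, the MAC addresses and the function names are constructed for illustration, and real AP logs differ by vendor.

```python
import re
from collections import Counter

# Constructed log format (an assumption):
#   <timestamp> assoc mac=<addr> result=<accepted|denied>
LINE_RE = re.compile(
    r"assoc mac=(?P<mac>[0-9A-Fa-f:.-]{12,17}) result=(?P<result>\w+)")

def normalize_mac(mac):
    """Canonical lower-case colon form, or None if not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def unknown_stations(lines, allow_list):
    """Summarise association attempts from MACs that are not on the allow-list.

    Returns [(mac, attempts, accepted)] with the busiest MAC first. A non-zero
    'accepted' for an unlisted MAC means the filter is not being enforced.
    A listed MAC only shows that the address matched, not who sent the frame.
    """
    allowed = {normalize_mac(m) for m in allow_list}
    attempts, accepted = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        mac = normalize_mac(m.group("mac")) if m else None
        if mac is None or mac in allowed:
            continue  # not an association line, or a known station
        attempts[mac] += 1
        accepted[mac] += m.group("result") == "accepted"
    return [(mac, n, accepted[mac]) for mac, n in attempts.most_common()]

# Constructed sample log and allow-list.
SAMPLE_LOG = """\
Nov 02 21:14:07 assoc mac=02:00:5E:10:00:01 result=accepted
Nov 02 21:15:40 assoc mac=02-00-5e-10-00-aa result=denied
Nov 02 21:15:52 assoc mac=02-00-5e-10-00-aa result=denied
Nov 02 21:17:03 assoc mac=0200.5e10.00bb result=accepted
Nov 02 21:18:30 dhcp lease renewed
Nov 02 21:19:11 assoc mac=02:00:5e:10:00:aa result=denied
""".splitlines()
ALLOW_LIST = ["02:00:5e:10:00:01"]
```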