Risk Management of Wireless Networks

An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.

Re:Pringles Can?

[frankmanowar]

It seems you can make a wirelss antenna out of a pringles can.

The key to it all is education.

[James+A.+C.+Joyce]

I think that the problem is that there are a lot of people who are hearing of the WiFi craze, hearing that it is a good idea, and then setting up these adhoc networks. The problem is, they often don't bother to read up about the potential security risks of misconfiguration and so if (when?) they mess up, there's a wide open hole right there.

(And no, "wide open hole" isn't a goatse link :-))

SSIDs and WEP

[USAPatriot]

Ars Technica has a good summary of what you can do with SSID's and WEP to improve your wireless network's security:

Security Practicum: Essential Home Wireless Security Practices

POP passwords are the biggest risk I see out there

[Twid]

I've had some fun sniffing the network around the office, around town, and at O'Reilly OSXCon, and I think the biggest security risk I see on wireless networks are plaintext POP passwords going out in-the-clear.

It's amazing how many people who should know better are still using plain POP for grabbing their mail. Since most mail client recheck for mail every few minutes, it's quite simple to grab passwords. Using those password, a hacker can then try the same password to enter the network, read the person's e-mail to do subsequent social engineering, or just fish around the person's e-mail for interesting information.

The second thing I think most people don't realize is that on a standard wireless network all the HTTP url's they are surfing to with a web browser are public. This may not be a security risk, but companies also may not want a hacker in the parking lot to know that a server named secretinternaldata.mycompany.com exists.

I set up an SSH tunnel from my laptop to my squid proxy at home just for fun to see if I could fix the issue. It worked well, but of course it's not something the average end-user with a laptop on wireless could manage.

Anyway, that's my .02.

Reducing Risks of Wireless Networks

[gellenburg]

Disclaimer: I work in Information Security.

• APs should be configured so as not to broadcast their SSID.
• 128bit WEP keys should be chosen.
• • WEP keys should be changed as frequently as practical.
  • APs should be firewalled, and on their own DMZ.
  • If the AP supports it, consider MAC Address filtering by only allowing authorized MAC Addresses.
  • If the AP supports it, consider additional authentication such as RADIUS.

But, by all means:

• Please change the damned default SSID that was configured on your AP:
  • Linksys
  • Default
  • Netgear

We now return you to your regularly scheduled programming.