Risk Management of Wireless Networks
An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.
I'm sorry, but banks should not be using wireless networks. Yes, yes, I realize wires are inconvenient, but they are much more secure. This is the customer's money and lives they're dealing with, not just some company secrets.
It seems you can make a wireless antenna out of a Pringles can.
Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
Security Practicum: Essential Home Wireless Security Practices
Slashdot Moderation: From positive to terrible in 2 "insightful" posts.
Disclaimer: I work in Information Security.
But, by all means:
We now return you to your regularly scheduled programming.
The government already uses wireless links for data. Ever heard of satellite communications?
Back to the point, 802.11 networks are inherently insecure.
WEP is fairly trivial to crack for someone determined to break in. The problem lies in the init vector of the key, not the length of the key.
SSID 'hiding' achieves nothing...the first time your box associates or reassociates, a listener has your SSID.
WPA is not as secure as people think either, even with a PSK. This was covered on /. a week or so ago (or was that Ars?)
MAC filtering is beyond trivial...most NIC drivers nowadays allow you to set your MAC...which you could easily see on a target network while hunting.
You can make your home network more effort than it's worth to hijack...but for business use, make damned sure you want that traffic exposed...because you simply have to assume it will be. I wouldn't install wireless client access in a work environment without the use of VPN. I've heard some interesting theories about getting past even *that*, but I've never seen or heard a practical way to do it.
Unless and until I see some more thorough reviews of the newer 802.11 security standards (EAP and its variants) I wouldn't implicitly trust them...however I do get the feeling they are going to be far more difficult to compromise.
As mentioned in a previous post, there are a number of problems with wireless that many people don't think about, especially in a corporate environment. One of the worst is the rogue AP. I've found no less than three unauthorized WAPs on networks I've run in the last three years. Each time it was a (l)user who brought it and just plugged it into their switch port so they could 'use their laptop'. Each time, the AP was completely wide open. So much for the quarter-million-dollar security infrastructure of firewall, VPN, IDS, etc. They might as well have run a wire outside the building and hooked up a PC with a sign that said 'Free Corporate Access!'
There is yet another problem with rogue access points. Someone who brings one into close proximity with your wireless users. Guess what information the blackhat can get in that scenario?
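A defender's check for the two rogue-AP cases raised in the comments above (an unauthorized AP plugged into a switch port, and an AP brought close to your wireless users), as an added example that is not part of the original thread. The inventory, SSID names, BSSIDs, the -65 dBm "nearby" threshold and the survey rows are all constructed assumptions.

```python
# Added example: audit a wireless site survey against the authorized AP inventory.
# Every SSID, BSSID and survey row below is constructed sample data.
from dataclasses import dataclass

CORP_SSIDS = {"corp-wlan"}                 # assumed corporate network name
AUTHORIZED = {                             # assumed inventory: BSSID -> (ssid, security)
    "00:11:22:aa:00:01": ("corp-wlan", "WPA-EAP"),
    "00:11:22:aa:00:02": ("corp-wlan", "WPA-EAP"),
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str   # "OPEN", "WEP", "WPA-PSK", "WPA-EAP"
    rssi_dbm: int   # signal strength seen by the surveying sensor

def classify(b: Beacon, near_dbm: int = -65) -> str:
    known = AUTHORIZED.get(b.bssid.lower())
    if known is not None:
        # Inventoried radio advertising other settings: misconfigured or a copied BSSID.
        return "ok" if (b.ssid, b.security) == known else "config-drift"
    if b.ssid in CORP_SSIDS:
        # Corporate SSID from an unknown radio: the look-alike AP placed near users.
        return "impersonation"
    if b.rssi_dbm >= near_dbm:
        # Strong unknown signal is probably inside the building: go check switch ports.
        return "rogue-open" if b.security == "OPEN" else "rogue-suspect"
    return "neighbor"

def audit(survey):
    """Return {bssid: verdict} for every beacon that needs follow-up."""
    verdicts = {b.bssid.lower(): classify(b) for b in survey}
    return {k: v for k, v in verdicts.items() if v not in ("ok", "neighbor")}

SURVEY = [  # constructed survey rows
    Beacon("corp-wlan", "00:11:22:AA:00:01", "WPA-EAP", -48),
    Beacon("corp-wlan", "00:11:22:aa:00:02", "OPEN", -50),
    Beacon("corp-wlan", "de:ad:be:ef:00:10", "OPEN", -40),
    Beacon("linksys", "00:0c:41:12:34:56", "OPEN", -38),
    Beacon("CoffeeShop", "00:1a:2b:3c:4d:5e", "WPA-PSK", -82),
]

if __name__ == "__main__":
    for bssid, verdict in audit(SURVEY).items():
        print(f"{bssid}  {verdict}")
```

BSSIDs are trivially settable, so an "ok" verdict only means the beacon matches the inventory; pair the survey with a check of MAC addresses learned on wired switch ports.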