“Six Steps You Can Take to Secure Your Wireless Network” at The WiFi Weblog lists the steps that TechRepublic recommends for securing your wireless network. Some I agree with, some are very dated even for home use, and some are just plain wrong, especially for corporate use (even in small businesses). So, here are my corrected six steps:
- Antenna placement is of little use against a determined hacker who will simply employ a high-gain directional antenna. Short of turning your apartment/house/office into a Faraday cage, this will be of limited benefit.
- They suggest using WEP. I’d suggest using WPA. For home users, WPA-PSK (or WPA-Personal) is a great choice. In a corporate setting, I would suggest using full WPA (or WPA-Enterprise) with a RADIUS server backend, to restrict access to the network based on either username/password or a certificate installed on each user’s system. Most wireless access points support WPA now, as do most client cards. There are supplicants built into Windows XP and Mac OS X 10.3, and a free supplicant with support for several wireless cards is available for Linux.
- Change the SSID. Definitely. Don’t worry about hiding it though – that is not much of an impediment to a determined hacker.
- I would not recommend disabling DHCP. Again, if your hacker has defeated all the other security measures, it takes but a second to sniff a packet from the network and get an idea of the IP addresses being used. Disabling DHCP just makes your life harder!
- Disabling, or securing, SNMP is probably a good idea if your wireless access point(s) or other network infrastructure devices support it. I would be more concerned about UPnP though since it has the potential to allow a compromised laptop to punch holes in the firewall at your internet gateway. Corporate networks will probably want to leave SNMP enabled so that they have remote management of their network.
- Use access lists (MAC address filtering) in a home network, but in a corporate setting this is just a headache to manage (keeping the list up to date on all wireless access points will quickly drive a network administrator insane). Stick with WPA for corporate use to limit network access to authorised users.
In addition, WPA2 is on the way. As soon as your access point(s) and clients all support it, switch to it to further improve the security of your network. You can phase this in, as most APs offer an option to support legacy WPA clients at the same time as WPA2 ones.
Finally, don’t be fooled by proprietary solutions like Cisco’s LEAP: WPA is a better choice than LEAP and will be more widely supported. Indeed, Cisco’s CCX certification programme even requires WPA certification.
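An added illustration of the WPA-PSK and "change the SSID" points above (example code, not part of the original post): in WPA-Personal the 256-bit pre-shared key is derived from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so the same passphrase gives a different key on every differently named network. The function names and the sample SSIDs and passphrase in the demo are constructed for this example.

```python
import hashlib

PBKDF2_ROUNDS = 4096   # iteration count fixed by the WPA-PSK passphrase mapping
PSK_LENGTH = 32        # 256-bit pre-shared key


def validate_passphrase(passphrase: str) -> bytes:
    """A WPA passphrase is 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase.encode("ascii")


def validate_ssid(ssid: str) -> bytes:
    """An SSID is 1 to 32 bytes; it is used verbatim as the PBKDF2 salt."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return raw


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA-Personal passphrase and SSID to the 256-bit PSK."""
    secret = validate_passphrase(passphrase)
    salt = validate_ssid(ssid)
    return hashlib.pbkdf2_hmac("sha1", secret, salt, PBKDF2_ROUNDS, PSK_LENGTH)


def keys_differ_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different keys on two SSIDs."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed sample values: a factory-style SSID and a changed one.
    passphrase = "correct horse battery staple"
    for ssid in ("default", "attic-lab-7f3"):
        print(f"{ssid:>14}: {derive_psk(passphrase, ssid).hex()}")
    print("keys differ:", keys_differ_by_ssid(passphrase, "default", "attic-lab-7f3"))
```

Because the SSID is the only salt, a network name shared with thousands of other access points adds nothing to the key derivation, while a unique SSID makes the derived key specific to your network; the passphrase itself still needs to be long and hard to guess.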