Design/Procurement Phase
- Keep Track of Wi-Fi Development Standards
Since the 802.11 standard was first introduced,
enhancements have continuously been made to
improve the data rates, signal range, and security
of wireless networks. Therefore, it is a good
idea to keep track of new standards as they
appear, in particular when procuring new equipment
or acquiring new wireless network services. In any
new purchase, protection by one of the stronger
wireless security protocols such as WPA/AES or
WPA2/AES should be considered, but by no means
should such wireless security protocols be solely
relied upon to protect data confidentiality and
integrity, as new weaknesses in these protocols
may be discovered in the future.
- Perform Security Risk Assessments and Audits
to Identify Security Vulnerabilities
Security assessments and audits are essential
means for checking the security status of a
wireless network and identifying any corrective
action necessary to maintain an acceptable level
of security. These assessments can help identify
loopholes in the wireless network, such as poorly
configured access points using default or easily
guessed passwords and SNMP community strings,
or the presence or absence of encryption. However,
a security risk assessment can only give a snapshot
of the risks to information systems at a given
time. As a result, it is important to perform
assessments and audits regularly once the wireless
network is up and running.
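As an added illustration (not part of the original guideline), the following Python script audits a constructed access-point inventory for the loopholes listed above and for the procurement criterion of the previous item: encryption absent or weaker than WPA/AES or WPA2/AES, and default or easily guessed admin passwords and SNMP community strings. The inventory format, the field names and the list of default values are assumptions.

```python
from dataclasses import dataclass

# Factory-default style secrets; a constructed list for this example.
DEFAULT_SECRETS = {"admin", "password", "public", "private", "1234", ""}
# Protocol/cipher pairs the guideline considers acceptable for new purchases.
ACCEPTED_CIPHERS = {("WPA", "AES"), ("WPA2", "AES")}


@dataclass
class AccessPoint:
    name: str
    security: str            # assumed values: "OPEN", "WEP", "WPA", "WPA2"
    cipher: str = ""         # assumed values: "", "TKIP", "AES"
    admin_password: str = ""
    snmp_communities: tuple = ()


def audit_access_point(ap: AccessPoint) -> list:
    """Return the audit findings for one access point (empty list if clean)."""
    findings = []
    if ap.security.upper() == "OPEN":
        findings.append("no encryption")
    elif (ap.security.upper(), ap.cipher.upper()) not in ACCEPTED_CIPHERS:
        findings.append(f"weak protocol {ap.security}/{ap.cipher or 'none'}")
    if ap.admin_password.lower() in DEFAULT_SECRETS:
        findings.append("default or easily guessed admin password")
    for community in ap.snmp_communities:
        if community.lower() in DEFAULT_SECRETS:
            findings.append(f"default SNMP community '{community}'")
    return findings


def audit_inventory(inventory) -> dict:
    """Map each access point name to its findings, omitting clean devices."""
    report = {}
    for ap in inventory:
        findings = audit_access_point(ap)
        if findings:
            report[ap.name] = findings
    return report


# Constructed sample inventory: one compliant AP and two with loopholes.
SAMPLE = [
    AccessPoint("lobby-ap", "WPA2", "AES", "Tr0ub4dor&3", ("ops-ro-x9",)),
    AccessPoint("warehouse-ap", "WEP", "", "admin", ("public",)),
    AccessPoint("guest-ap", "OPEN", "", "S3cure!", ()),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```

Because an assessment is only a snapshot, a check like this is worth re-running against the live inventory on a schedule rather than once at deployment.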
Due to the nature of radio frequency (RF) propagation,
radio signal emissions cannot generally be contained
within a particular building or location. Excessive
coverage by the wireless signal could pose a significant
threat to the organisation, opening it to parking
lot attacks on the network. Therefore, it is
necessary to have a good understanding of the
coverage requirements for the desired wireless
network during the network-planning phase. By
performing a site survey, one can identify:
- the appropriate technologies to apply;
- obstacles to avoid, eliminate, or work
around;
- coverage patterns to adopt; and
- amount of capacity needed.
- Apply a Defence-in-Depth Approach
The concept of "defence-in-depth"
has been widely employed in the secure design
of wired networks. The same concept can also
be applied to wireless networks. By implementing
multiple layers of security, the risk of intrusion
via a wireless network is greatly reduced. If
an attacker breaches one measure, additional
measures and layers of security remain in place
to protect the network.
Separation of wireless and wired network segments,
use of strong device and user authentication
methods, application of network filtering based
on addresses and protocols, and deployment of
intrusion detection systems on the wireless
and wired networks are all possible measures
that can be employed to build multiple layers
of defence.
- Separate Wireless Networks from Wired Networks
Due to the nature of wireless technology, wireless
networks are relatively hard to contain within
a building and are generally considered to be
untrusted networks. As a best practice,
wireless networks and wired networks should
not be directly connected to each other. It
is common to deploy firewalls to separate and
control the traffic between different networks.
For example, ARP broadcast packets should be
blocked from entering a wired network from a
wireless network, since a malicious user could
uncover internal information, such as Ethernet
MAC addresses, from these broadcasts.
- Segment the Access Point's Coverage Areas
Due to the limited transmission capacity of
a wireless network, a malicious attacker can
easily launch a Denial-of-Service (DoS) attack
to bring down the network. Segmenting access
point coverage areas can balance the loads on
a wireless network and minimise any impact from
DoS attacks.