Design/Procurement Phase

• Keep Track of Wi-Fi Development Standards

  Since the 802.11 standard was first introduced, enhancements have continuously been made to strengthen data rates, signal range, and security of wireless networks. Therefore, it is a good idea to keep track of the development of new standards as they appear, in particular when procuring new equipment or acquiring new wireless network services. In any new purchase, protection by one of the stronger wireless security protocols such as WPA/AES or WPA2/AES should be considered, but by no means should such wireless security protocols be solely relied upon to protect data confidentiality and integrity, as new weaknesses in protocols may be discovered in the future.

• Perform Security Risk Assessments and Audits to Identify Security Vulnerabilities

Security assessments and audits are essential means for checking the security status of a wireless network and identifying any corrective action necessary to maintain an acceptable level of security. These assessments can help identify loopholes in the wireless network, such as poorly configured access points using default or easily guessed passwords and SNMP community strings, or the presence or absence of encryption. However, a security risk assessment can only give a snapshot of the risks to information systems at a given time. As a result, it is important to perform assessments and audits regularly once the wireless network is up and running.

• Perform Site Surveys

Due to the nature of radio frequency (RF) propagation, radio signal emissions cannot generally be contained within a particular building or location. Excessive coverage by the wireless signal could pose significant threat to the organisation, opening it to parking lot attacks on the network. Therefore, it is necessary to have a good understanding of the coverage requirements for the desired wireless network during the network-planning phase. By performing a site survey, one can identify:

• the appropriate technologies to apply;
• obstacles to avoid, eliminate, or work around;
• coverage patterns to adopt; and
• amount of capacity needed.

• Apply a Defence-in-Depth Approach

The concept of "defence-in-depth" has been widely employed in the secure design of wired networks. The same concept can also be applied to wireless networks. By implementing multiple layers of security, the risk of intrusion via a wireless network is greatly reduced. If an attacker breaches one measure, additional measures and layers of security remain in place to protect the network.

Separation of wireless and wired network segments, use of strong device and user authentication methods, application of network filtering based on addresses and protocols, and deployment of intrusion detection systems on the wireless and wired networks are all possible measures that can be employed to build multiple layers of defence.

• Separate Wireless Networks from Wired Networks

Due to the nature of wireless technology, wireless networks are relatively hard to contain within a building and it is generally considered to be an un-trusted network. As a best practice, wireless networks and wired networks should not be directly connected to each other. It is common to deploy firewalls to separate and control the traffic between different networks. For example, ARP broadcast packets should be blocked from entering a wired network from a wireless network since a malicious user could uncover internal information, such as Ethernet MAC address from these broadcasts.

• Segment the Access Point's Coverage Areas

Due to the limited transmission capacity of a wireless network, a malicious attacker can easily launch a Denial-of-Service (DoS) attack to bring down the network. Segmenting access point coverage areas can balance the loads on a wireless network and minimise any impact from DoS attacks.