InfoSec

Best Practices in Corporate Deployment of Wireless Network 

Implementation Phase

Using the information collected during the site survey, proper placement of access points can be designed to avoid excessive coverage by the wireless network and hence limit the possibility of intrusion. In addition to proper placement of the access points, adjusting the radio frequency (RF) power transmission or using directional antennas can also control the propagation of the RF signal and hence control coverage of a wireless network.

Access points are the core of a wireless network, so their security largely determines the security of the wireless network as a whole. Properly securing access points is the first step in protecting a wireless network. The following suggestions can help in hardening access points:

  1. Change the default configuration settings;
  2. Change encryption keys regularly;
  3. Ensure that all access points have strong, unique administrative passwords and change the passwords regularly;
  4. Disable all insecure and unused management protocols on access points and configure the remaining management protocols for least privilege;
  5. Activate logging features and direct all log entries to a remote logging server;
  6. Enable wireless threshold parameters, such as inactivity timeouts and maximum supported associations.

In a wireless network, an SSID serves as a network name for segmenting networks. A client station must be configured with the correct SSID in order to join a network. The SSID value is broadcast in beacons, probe requests and probe responses. To prevent a malicious attacker from collecting reconnaissance information on a wireless network by eavesdropping, SSIDs should not reflect internal information of the organisation.
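The hardening list and the SSID rule above can be checked mechanically. The following script, an added example that is not from the original page or any vendor, audits a simple `key = value` configuration dump; the dump format, the option names and the INTERNAL_WORDS list are assumptions that must be mapped onto the real settings of the access points in use.

```python
"""Audit an access-point configuration against the hardening list above.
Added example, not from the original page or any vendor. The key = value dump
format, option names and INTERNAL_WORDS are assumptions; map them onto the
real settings of the access points you operate."""

DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
INTERNAL_WORDS = ("finance", "payroll", "server", "floor")  # assumed org-internal terms

# Constructed sample: an access point still running near factory defaults.
SAMPLE_CONFIG = """
ssid = acme-finance-floor3
admin_password = admin
telnet = enabled
http_mgmt = enabled
snmp_community = public
syslog_server =
inactivity_timeout = 0
max_associations = 0
"""

def parse_config(text):
    """Parse key = value lines into a dict; blank and malformed lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return the hardening checks the configuration fails (empty list = pass)."""
    findings = []
    pw = cfg.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 12:
        findings.append("default or weak administrative password")
    for proto in ("telnet", "http_mgmt"):  # cleartext management access
        if cfg.get(proto) == "enabled":
            findings.append(f"insecure management protocol enabled: {proto}")
    if cfg.get("snmp_community", "").lower() in ("public", "private"):
        findings.append("default SNMP community string")
    if not cfg.get("syslog_server"):
        findings.append("log entries not sent to a remote logging server")
    for knob in ("inactivity_timeout", "max_associations"):  # threshold parameters
        if int(cfg.get(knob, "0") or 0) <= 0:
            findings.append(f"threshold parameter disabled: {knob}")
    hits = [w for w in INTERNAL_WORDS if w in cfg.get("ssid", "").lower()]
    if hits:
        findings.append("SSID reveals internal information: " + ", ".join(hits))
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports eight failed checks for the sample; a configuration that passes every check returns an empty list.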

In general, a wireless network can be operated using three different topologies: infrastructure mode, ad-hoc mode and bridging mode. When a wireless network operates in ad-hoc mode, client stations are connected directly and no access point is required. In this mode, an attacker can easily gain access to a client station that is improperly configured. Unless there is a specific business need, the ad-hoc mode should be disabled on wireless devices.

Most installed wireless networks operate in "infrastructure" mode that requires the use of one or more access points. With this configuration, all traffic in the wireless network travels through the access points. By controlling the communication among client stations at the access points, malicious users can be prevented from gaining access to vulnerable client stations.

Newly discovered security vulnerabilities in vendor products should be patched to prevent inadvertent and malicious exploits. Patches should also be tested before deployment so as to ensure they work correctly.

MAC address filtering can be considered the first layer of defence for wireless networks. With MAC address filtering enabled, only devices with pre-approved MAC addresses can see the network and be granted access to it. However, such access control should by no means be solely relied upon to protect data confidentiality and integrity, as tools for modifying the MAC address of a client are freely available on the Internet. In addition, MAC address filtering may not be feasible in some scenarios, such as the implementation of public wireless hotspots.

Deploying wireless intrusion detection systems on the network can help detect and respond to malicious activities in a timely manner. More recently, a number of wireless intrusion detection systems have been equipped with capabilities to detect and prevent rogue access points.

Copyright 2002. The Government of the Hong Kong Special Administrative Region.