1.1 Firewall between wireless LAN and internal network
1.2 Intrusion detection at wireless LAN/internal network junction
1.3 Vulnerability assessments of wireless access points and other wireless infrastructure
1.4 VPN from wireless station into internal network, providing end-to-end encryption across the untrusted wireless network into the trusted network. However, consider whether the VPN can handle the changes when a station roams from one access point to another.
2 Security Policy & Architecture
2.1 Define a policy for how wireless networks are to be used
2.1.1 Specify what is allowed and what is not allowed
2.1.1.1 What services, devices, protocols or departments can use the wireless LAN
3 Discover unauthorised use
3.1 Search regularly in the following ways for unauthorised access points or wireless LAN cards.
3.1.1 Port scanning
3.1.1.1 Searching for unknown SNMP agents, web or Telnet interfaces that might indicate that an access point is present on the network
3.1.2 MAC address sniffing
3.1.2.1 Searching for MAC addresses that lie within known MAC ranges for access point and WLAN NIC manufacturers.
3.1.3 Manual scanning
3.1.3.1 Be aware you will detect signals that are not in your building
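The two network-side discovery methods above (port scanning for SNMP, web or Telnet management interfaces, and matching MAC addresses against vendor OUI ranges) can be combined into one triage pass over a host inventory. The script below is an added example and is not part of the original checklist; the OUI prefixes, IP addresses, open-port lists and authorised-AP list are all constructed placeholders (the OUIs are not real IEEE assignments), and the input format is an assumption standing in for whatever a real scanner or ARP table produces.

```python
"""Rogue access point triage over constructed inventory data (added example).

Combines two discovery methods from the checklist:
  - flag hosts exposing SNMP / web / Telnet management interfaces (3.1.1)
  - flag MAC addresses whose OUI belongs to an AP or WLAN NIC vendor (3.1.2)
Hosts already on the authorised-AP list are skipped so the output is only
the unexplained devices worth a physical follow-up.
"""
from dataclasses import dataclass, field

# Constructed OUI -> vendor table. Placeholder values, NOT real IEEE assignments;
# a real deployment would load the IEEE OUI list or the vendor's published ranges.
AP_VENDOR_OUIS = {
    "00:11:22": "ExampleWLAN Corp (AP)",
    "AA:BB:CC": "ExampleNIC Ltd (WLAN NIC)",
}

# Management ports the checklist says may indicate an access point.
MGMT_PORTS = {23: "telnet", 80: "http", 161: "snmp", 443: "https"}

# Access points the organisation knows about (constructed inventory).
AUTHORISED_APS = {"00:11:22:00:00:01"}

# Constructed scan output: ip, mac, comma-separated open ports (may be empty).
SCAN_OUTPUT = """\
# ip            mac                open ports   (constructed sample data)
192.0.2.10      00:11:22:00:00:01  23,80,161
192.0.2.11      00:11:22:00:00:02  80,161
192.0.2.12      AA:BB:CC:12:34:56
192.0.2.20      DE:AD:BE:EF:00:01  22,443
192.0.2.30      DE:AD:BE:EF:00:02  23,161
"""


@dataclass
class Host:
    ip: str
    mac: str
    open_ports: set = field(default_factory=set)


def oui(mac):
    """First three octets of a MAC address, normalised to upper case."""
    return mac.upper()[:8]


def parse_inventory(text):
    """Parse the simple 'ip mac ports' format used by the constructed sample."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, mac = fields[0], fields[1].upper()
        ports = {int(p) for p in fields[2].split(",")} if len(fields) > 2 else set()
        hosts.append(Host(ip, mac, ports))
    return hosts


def triage(hosts, authorised=AUTHORISED_APS):
    """Return {ip: [reasons]} for hosts that look like unauthorised wireless gear."""
    suspects = {}
    for h in hosts:
        if h.mac in authorised:
            continue  # known AP, nothing to chase
        reasons = []
        vendor = AP_VENDOR_OUIS.get(oui(h.mac))
        if vendor:
            reasons.append(f"oui:{vendor}")
        mgmt = sorted(MGMT_PORTS[p] for p in h.open_ports if p in MGMT_PORTS)
        # Telnet or SNMP on an unknown device is unusual for a workstation; a web
        # interface alone only counts when the OUI already points at WLAN hardware.
        if "telnet" in mgmt or "snmp" in mgmt or (vendor and mgmt):
            reasons.append("mgmt:" + ",".join(mgmt))
        if reasons:
            suspects[h.ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, why in triage(parse_inventory(SCAN_OUTPUT)).items():
        print(ip, "->", "; ".join(why))
```

Run as-is, the sample flags 192.0.2.11 (AP vendor OUI plus web and SNMP interfaces), 192.0.2.12 (WLAN NIC vendor OUI, no management ports) and 192.0.2.30 (unknown vendor but Telnet and SNMP exposed), and ignores the authorised AP at 192.0.2.10 and the ordinary server at 192.0.2.20. Each hit is a lead for the manual walk-round in 3.1.3, not a verdict: vendor OUIs are shared with laptops and printers, so the physical check remains necessary.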
4 Access point audits
4.1 Standard configuration
4.2 Passwords should be strong and community strings should be correctly set.
4.3 Unnecessary administration interfaces should be shut down, and the remaining administration interfaces should use secure protocols to prevent administrator passwords being intercepted.
4.4 Access control lists on firewalls and routers should be used to ensure only administrators have access to the access point administration interfaces.
4.5 WEP keys should be strong (not generated from alphanumeric pass phrases) & should be secret. Backups of access point configurations should not store the WEP keys.
4.6 Stop transmitting SSID
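Items 4.2 to 4.6 are mechanical enough to check automatically once an access point's configuration has been exported. The script below is an added example, not part of the original checklist and not any vendor's tool: the configuration field names (admin_password, snmp_communities, mgmt_interfaces, mgmt_acl, wep_key, broadcast_ssid) and the strength thresholds are assumptions for the example, and the two configurations are constructed. The WEP key test implements the checklist's own point that a key derived from an ASCII pass phrase draws from a much smaller space than a random 40- or 104-bit hex key; WEP as a whole is long obsolete, so on current equipment the same audit slot belongs to the WPA2/WPA3 settings.

```python
"""Access point configuration audit against checklist items 4.2-4.6 (added example).

The config schema below is an assumption made for this example; a real AP's
export will use different field names and the checks would be mapped onto it.
"""
import re
import string

DEFAULT_COMMUNITIES = {"public", "private"}          # widely shipped SNMP defaults
INSECURE_MGMT = {"telnet", "http", "snmp_v1", "snmp_v2c"}  # cleartext credentials


def password_is_strong(pw):
    """4.2: length plus character-class mix. Thresholds are this example's choice."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 12 and sum(classes) >= 3


def wep_key_looks_passphrase_derived(key_hex):
    """4.5: a hex WEP key whose bytes are all printable ASCII was almost certainly
    typed in as a pass phrase, which shrinks the effective keyspace."""
    try:
        raw = bytes.fromhex(key_hex)
    except ValueError:
        return True
    return all(32 <= b < 127 for b in raw)


def audit_ap(cfg):
    """Return a list of checklist findings for one AP configuration record."""
    findings = []
    if not password_is_strong(cfg.get("admin_password", "")):
        findings.append("4.2 weak administrator password")
    for community in cfg.get("snmp_communities", []):
        if community.lower() in DEFAULT_COMMUNITIES or len(community) < 12:
            findings.append(f"4.2 weak or default SNMP community '{community}'")
    enabled = set(cfg.get("mgmt_interfaces", []))
    for iface in sorted(enabled & INSECURE_MGMT):
        findings.append(f"4.3 insecure management interface enabled: {iface}")
    if not cfg.get("mgmt_acl"):
        findings.append("4.4 no ACL restricting management access")
    key = cfg.get("wep_key", "")
    if len(key) not in (10, 26) or not re.fullmatch(r"[0-9A-Fa-f]+", key):
        findings.append("4.5 WEP key is not a valid 40/104-bit hex key")
    elif wep_key_looks_passphrase_derived(key):
        findings.append("4.5 WEP key decodes to printable ASCII (pass phrase derived?)")
    if cfg.get("broadcast_ssid", True):
        findings.append("4.6 SSID broadcast enabled")
    return findings


def audit_backup(backup):
    """4.5: a configuration backup must not carry the WEP key."""
    return ["4.5 backup contains WEP key"] if backup.get("wep_key") else []


# Constructed sample configurations: one as shipped, one after hardening.
WEAK_AP = {
    "admin_password": "admin",
    "snmp_communities": ["public", "private"],
    "mgmt_interfaces": ["telnet", "http", "snmp_v1"],
    "mgmt_acl": [],
    "wep_key": "53656372657431323334353637",  # hex of the ASCII string "Secret1234567"
    "broadcast_ssid": True,
}
HARDENED_AP = {
    "admin_password": "Xq7#pL2vR9!mZt",
    "snmp_communities": ["r0-mon1tor-Zk4q"],
    "mgmt_interfaces": ["ssh", "https", "snmp_v3"],
    "mgmt_acl": ["192.0.2.0/24"],
    "wep_key": "9f3a7c1e5b2d8046ac7e91d3f5",  # random 104-bit key (constructed)
    "broadcast_ssid": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, "->", audit_ap(cfg) or "no findings")
```

The as-shipped configuration produces nine findings (weak admin password, both default community strings, three cleartext management interfaces, no management ACL, a pass-phrase-derived WEP key, and SSID broadcast), while the hardened one produces none. The audit_backup function covers the second half of 4.5 separately, because the backup is usually a different file from the live configuration and is often the one that ends up on a shared drive.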
5 Station Protection
5.1 Stations should have personal firewalls, IDS, AV
5.2 Standardise configs for stations.
5.3 Check stations regularly for config standards
6 Location of APs
6.1 Spread of the wireless radio signal outside the building should also be considered, to try to limit the possibility of the wireless signal being intercepted.
6.2 If access points have omni-directional antennae, they should be located in the centre of a building and not located by windows or on external walls.
6.3 The line of sight from the location of the access point to the outside should be limited.
6.4 Transmission strength should be turned down from the default maximum to limit the spread of the signal outside the building.
7 MAC Address locking
7.1 Use MAC address ACLs to allow only devices with MACs in the ACL to connect to an AP
7.1.1 MACs are spoofable, so this is only good for low risk environments