Wireless security overhaul
I have the feeling I am going to be asked to do a major overhaul to the Wireless security policy and practices of my company's network. You may, after reading this, find security to be completely an afterthought in my institution and I will readily agree with you.
Here's the overview:
38 WAN sites (hardwired, bandwidth is a commodity)
300+ Cisco 1100b and 1100G access points (all documented and locally manageable)
1000+ laptops (centrally managed)
(If you're wondering, no, my network is not all wireless. This is just the WLAN information)
I have inherited a wireless network that is "secured" by merely disabling SSID broadcasts. I mentioned to one of the bosses today that it isn't even really a security policy and he told me he'd be calling me tomorrow to talk about changing that. Well, the way I look at it is it eventually needs to be done, so I might as well be the one to do it.
I was reading a post by a senior member, XTC46. Some of these are followed, but there are problems with me implementing some of these practices.
Quote:
Should be done:
- DO NOT use the default SSID
- DO NOT broadcast SSID
- Change the administrator Username/Password for your router
- Use WEP or WPA (if available on your router)
- Use MAC filtering if possible
- Limit the number of DHCP assigned IP address (or use static IP)
- Block ALL unassigned IP addresses
- Turn off default shares on the computer, set permissions for files that need to be shared.
- Turn off Printer sharing if it is not needed.
Optional: (not so basic)
- Limit broadcast range
- Use rotating WEPS
- When assigning IP addresses use class A or B IPs and a class C subnet (sort of a Security through Obscurity technique against people scanning for active IPs)
- Use a form of data encryption during transfers
- Rotate assigned IP addresses
(My thanks to XTC46 for the useful post)
1. I can't use MAC filtering because the laptops are constantly moving around to different areas.
2. I have static IPs assigned to the laptops from a predetermined range for each site, but we know that's easy to spoof.
I guess what I'm asking for is some advice or ideas (how some of you have done it). I'm thinking of running a separate VLAN for all the access points and making all machines validate through a TACACS server. I'm wondering if there are any major considerations to doing this. Everything is working now, but should I be conscious of any major problems I may face doing this? I'll probably have 4 or 5 techs with limited knowledge to help me implement the fix.
My primary concern is best-effort security. Obviously I cannot have total security using wireless. Stopping the users from moving around within each site is not an option. Stopping the APs from moving from port to port is not an option either (I know, this stops all talk of static VLANs from the switches. I'd rather not explain it.) I have already limited the range on many of the access points that had ridiculously large ranges on them.
Thanks in advance for all your help. Let me know if you need any clarification on my disposition.