Greetings all

Use the following as possible guidelines for securing your WLAN.

------------------------------------------------------------------------------------------------------------

Securing your Wireless LAN

Radio interference

Place Access Points (APs) well within the building so that they are shielded as much as possible from any unwanted radio transmissions from the outside world. (Site survey).
Install wireless network equipment as far from potential interference sources as possible, such as microwave ovens and DECT cordless phones.
Check for other networks within the intended coverage area prior to implementing a wireless LAN. If these are insecure then the relevant network owner(s) should secure them.
Test for radio interference.

Radio Propagation

Place Access Points (APs) well within the building so that they are shielded as much as possible from any unwanted connections. (Site survey).
Configure wireless APs and wireless NICs to use WEP in order to encrypt all network traffic.
Consider using directional antennas to focus the radio transmission into the building.

Wired Equivalent Privacy (WEP) weaknesses

Configure wireless APs and wireless NICs to use WEP in order to offer a rudimentary level of protection from malicious third parties.
Consider encrypting specific sensitive traffic on an individual basis using an encryption application on the client computer (e.g. PGP).
Consider using a Virtual Private Network (VPN) in order to encrypt all data being transmitted across the wireless LAN.
Consider changing WEP keys frequently, for example daily for critical networks and monthly for non-critical installations.
Consider using proprietary key management solutions.

Poor network address management

Change the default SSID (Service Set Identifier) of the Access Point.
Disable beacons within APs that broadcast the SSID.
Use IP address filtering to limit access to client computers with authorised IP addresses.
Use MAC address filtering to limit access to client computers with authorised MAC addresses.
Disable the DHCP server in the AP and configure the AP to assign static IP addresses only to authorised MAC addresses.

Lack of user authentication

Consider using an authentication server solution, such as IEEE 802.1x.
Consider using APs or wireless NICs that employ proprietary authentication services.
Consider using a VPN in order to provide user authentication.

Unauthorised or inappropriate hardware implementation

Perform wireless network monitoring, using tools such as Network Stumbler, on a regular basis in order to detect any unauthorised equipment.
Check the configuration of wireless NICs in client computers so that they do not act as APs.
Protect the AP with a firewall.
Consider placing the AP in a De-Militarized Zone (DMZ) so that all wireless network traffic is logged.
Standardize wireless network equipment upon a single preferred manufacturer.
Use only equipment that carries the “Wi-Fi” logo.
Test all wireless network equipment prior to using it to support business applications.

Client computer attacks

Check the configuration of wireless NICs in client computers so that they are not set up in Ad-Hoc mode.
Install a personal firewall software product on each client device and configure it to reject any unknown inbound connections.
Disable the use of file or drive sharing on client computers.
Configure the client computer to only permit connection to an AP with a known SSID.
Password protect the client computer so that if lost or stolen it cannot be used easily.

------------------------------------------------------------------------------------------------------------

Regards

Meerkat
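
Added example, not part of the post above: a small Python audit that applies the monitoring, Ad-Hoc, default-SSID and encryption checks from the guidelines to a site-survey export. The CSV column layout, the inventory and every address below are constructed for illustration and are not the export format of Network Stumbler or any other tool.

```python
import csv
import io

# Constructed inventory of authorised APs (BSSID -> expected SSID).
AUTHORISED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Illustrative factory-default SSIDs; extend for the equipment actually in use.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami"}

# Constructed survey export (assumed columns: bssid,ssid,mode,encryption).
SAMPLE_SURVEY = """\
bssid,ssid,mode,encryption
00:11:22:33:44:01,corp-wlan,infrastructure,wep
00:11:22:33:44:02,corp-wlan,infrastructure,none
66:77:88:99:AA:01,corp-wlan,infrastructure,wep
66:77:88:99:AA:02,linksys,infrastructure,none
66:77:88:99:AA:03,laptop-share,adhoc,none
"""

def audit_survey(csv_text, authorised=AUTHORISED):
    """Return (bssid, finding) tuples for every survey row needing follow-up."""
    findings = []
    our_ssids = set(authorised.values())
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        mode = row["mode"].strip().lower()
        enc = row["encryption"].strip().lower()
        if mode == "adhoc":
            # A client NIC in Ad-Hoc mode, not an access point.
            findings.append((bssid, "adhoc-client"))
        elif bssid not in authorised:
            # Equipment missing from the inventory; note if it copies our SSID.
            spoof = ssid in our_ssids
            findings.append((bssid, "unauthorised-ap-using-our-ssid" if spoof
                             else "unauthorised-ap"))
        elif enc == "none":
            # One of our own APs is transmitting without encryption.
            findings.append((bssid, "no-encryption"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "default-ssid"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit_survey(SAMPLE_SURVEY):
        print(f"{bssid}  {finding}")
```

Run it against each periodic survey and follow up on every line it prints; an empty result means the survey matched the inventory.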