dummies on wireless LAN security

[wolex7]

Hi Guys,

New in wireless networking I need you guys help.
I just step up my wireless LAN.
How can I secure it to avoid security breach ?

I would appreciate you guys ideas on best practices.
To defend my network from prying eyes.

Look forward to you guys response.

- "May there never develop in me the notion that my education is complete, but give me the strength and leisure and zeal continually to enlarge my knowledge."

[MrLinus]

Security is not a single solution but rather a layered concept. The more layers you have that work well with each other, the better your odds are in regards to security. Keep in mind there is no such thing as 100% security. There always is a hole, it just hasn't been found yet. That in mind, the following might be some simplistic measures/suggestions that might help:

Start with the Windows PCs on the wireless lan (they tend to have the most problems):

• - ensure each has a firewall (Sygate is a good one )
  
  - ensure each has active and up-to-date AV (AVG or Avast)
  
  - ensure each has some type of spyware detection (Adaware)
  
  - have a registry checker/startup/spyware identifier (HiJackThis! is well recognized at this)
  
  - use an alternative browser to IE (Mozilla/Firefox)
  
  - ensure that the OS is up-to-date and has latest patches/service packs (Windows Update -- for this you need IE)

Then for the wireless device itself (different devices have different levels of security -- take the time to read the fine print on the back of the box or explore the website of the manufacturure) you should look at these:

• - use some type of encryption (WEP-128 at the most basic; WPA at the higher end -- availability will depend on what the device has)
  
  - ensure that the pass-phrase used to create the key is not a simplistic or easily guessable one (i.e., use a variety of characters and include all the types -- upper case, lower case, numbers and special characters)
  
  - avoid using SSID broadcast
  
  - change the default password and user name at log on if possible (some routers won't allow username changes but you can change the password)
  
  - change the SSID to a different, non-identifying name (e.g., DeMixed)
  
  - use static MAC identification (ie., only these MAC addresses will be allowed to connect)
  
  - use static IP addressing rather than DHCP if it's a small network (when it gets to 30+ machines it can start to get unwieldly -- depends on your patience)
  
  - ensure that you've enabled logging on the wireless device to track activities

That all said, the best security you can have is how much you pay attention to the network, who's on and what's happening. You could have a 3rd party IDS (Snort is one that can be installed on a simple Win or *nix box) but nothing beats a human being questioning activities.

[Highlander]

If your like me... I also use double NAT on my wireless bridge....
cable modem--router---wireless bridge ---switch---wireless bridge----Router---internal network
I I
Router Router
I I
Internal Network Internal Network

I use 1 non routable Class C address for the Backbone
and another non routable class C for the internal networks
And I agree a layered concept is best.....