September 19th, 2008, 06:16 PM
How To: Define Wireless Network Security Policies
Wi-Fi Planet outlines wireless security best practices for enterprises.
How to: Define Wireless Network Security Policies - Wi-Fi Planet
Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security.
If users need access to sensitive applications from Wi-Fi hotspots, definitely utilize a VPN system to provide sufficient end-to-end encryption and access control. Some companies require VPNs for all wireless client devices, even when they’re connecting from inside the secured walls of the enterprise. A “full-throttle” VPN solution such as this offers good security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to the need for VPN servers). As a result, consider implementing 802.11 encryption when users are operating inside the enterprise and VPNs for the likely fewer users who need access from hotspots.
September 20th, 2008, 03:05 PM
That's where VPN concentrators and RADIUS/TACACS servers come in
A “full-throttle” VPN solution such as this offers good security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to the need for VPN servers).
VLAN's should NOT be used as a security measure as they were never meant to be used that way. VLAN's are used to improve network performance by limiting the size of broadcast domains, NOT improve security. Use a separate (physical) LAN not VLAN.
Establish the wireless network on a separate VLAN. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy access to corporate servers located on different, more secured VLANs (i.e., not accessible from the wireless network). In this manner, the wireless network is similar to a public network, except you can apply encryption and authentication mechanisms to the wireless users.
This is BS. You'll only make it harder for your clients to connect to the network and it adds absolutely nothing to your security.
Don’t broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn’t a foolproof method of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast mechanism will limit access.
Last edited by SirDice; September 20th, 2008 at 03:19 PM.
Experience is something you don't get until just after you need it.
September 20th, 2008, 06:55 PM
Agreed. Same goes with MAC filtering, it does almost nothing -_-
Originally Posted by SirDice
By XTC46 in forum Site Feedback/Questions/Suggestions
Last Post: August 24th, 2005, 07:52 PM
By Tiger Shark in forum Microsoft Security Discussions
Last Post: January 14th, 2005, 07:47 PM
By qod in forum The Security Tutorials Forum
Last Post: February 27th, 2004, 02:03 AM
By NullDevice in forum The Security Tutorials Forum
Last Post: December 17th, 2003, 09:03 PM
By instronics in forum The Security Tutorials Forum
Last Post: February 5th, 2003, 09:04 AM