Table 8.1 provides a good start for creating a security checklist for your organization. This checklist was taken from the draft version of NIST SP-800-48 [12]. It is re-created here for your review.
Recommendation | Best Practice | May Consider | Done |
---|---|---|---|
Develop an organizational security policy that addresses the use of wireless technology, including 802.11 | ˆ | ||
Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology | ˆ | ||
Perform a risk assessment to understand the value of the assets in the organization that need protection | ˆ | ||
Ensure that the client NIC and AP support firmware upgrade so that security patches may be deployed as they become available (before purchase) | ˆ | ||
Perform comprehensive security assessments at regular intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture | ˆ | ||
Ensure that external boundary protection is in place around the perimeter of the building or buildings of the organization | ˆ | ||
Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers) | ˆ | ||
Complete a site survey to measure and establish AP coverage for the organization | ˆ | ||
Take a complete inventory of all APs and 802.11 wireless devices | ˆ | ||
Empirically test AP range boundaries to determine the precise extent of the wireless coverage | ˆ | ||
Ensure that AP channels are at least five channels different from any other nearby wireless networks to prevent interference | ˆ | ||
Locate APs on the interior of buildings versus near exterior walls and windows | ˆ | ||
Make sure that APs are turned off during all hours when they are not used | ˆ | ||
Make sure the reset function on APs is being used only when needed and is only invoked by an authorized group of people | ˆ | ||
Restore the APs to the latest security settings when the reset functions are used | ˆ | ||
Change the default SSID in the APs | ˆ | ||
Disable the "broadcast SSID" feature so that the client SSID must match that of the AP | ˆ | ||
Validate that the SSID character string does not reflect the organization's name (division, department, street, etc.) or products | ˆ | ||
Understand and make sure that all default parameters are changed | ˆ | ||
Disable the broadcast beacon of the APs | ˆ | ||
Disable all insecure and nonessential management protocols on the APs | ˆ | ||
Enable all security features of the WLAN product, including the cryptographic authentication and WEP privacy feature | ˆ | ||
Ensure that encryption key sizes are at least 128 bits or as large as possible | ˆ | ||
Make sure that default shared keys are periodically replaced by more secure unique keys | ˆ | ||
Install a properly configured firewall between the wired infrastructure and the wireless network (AP or hub to APs) | ˆ | ||
Install antivirus software on all wireless clients | ˆ | ||
Install personal firewall software on all wireless clients | ˆ | ||
Deploy MAC access control lists | ˆ | ||
Consider installation of Layer 2 switches in lieu of hubs for AP connectivity | ˆ | ||
Deploy IPsec-based Virtual Private Network (VPN) technology for wireless communications | ˆ | ||
Ensure that encryption being used is as strong as possible given the sensitivity of the data on the network and the processor speeds of the computers | ˆ | ||
Fully test and deploy software patches and upgrades on a regular basis | ˆ | ||
Ensure that all APs have strong administrative passwords | ˆ | ||
Ensure that all passwords are being changed regularly | ˆ | ||
Deploy user authentication such as biometrics, SmartCards, two-factor authentication, or PKI | ˆ | ||
Ensure that the "ad hoc mode" for 802.11 has been disabled unless the environment is such that the risk is tolerable | ˆ | ||
Use static IP addressing on the network | ˆ | ||
Disable DHCP | ˆ | ||
Enable user authentication mechanisms for the management interfaces of the AP | ˆ | ||
Ensure that management traffic destined for APs is on a dedicated wired subnet | ˆ | ||
Make sure adequately robust community strings are used for SNMP management traffic on the APs | ˆ | ||
Configure SNMP settings on APs for least privilege (i.e., read only). Disable SNMP if it is not used | ˆ | ||
Enhance AP management traffic security by using SNMPv3 or equivalent cryptographically protected protocol | ˆ | ||
Use a local serial port interface for AP configuration to minimize the exposure of sensitive management | ˆ | ||
Consider other forms of authentication for the wireless network, such as RADIUS and Kerberos | ˆ | ||
Deploy intrusion detection sensors on the wireless part of the network to detect suspicious behavior or unauthorized access and activity | ˆ | ||
Deploy an 802.11 security product that offers other security features, such as enhanced cryptographic protection or user authorization features | ˆ | ||
Fully understand the impacts of deploying any security feature or product before deployment | ˆ | ||
Designate an individual to track the progress of 802.11 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology. | ˆ | ||
Wait until future releases of 802.11 WLAN technology that incorporates fixes to the security features or enhanced security features | ˆ |