The term wireless network is perhaps the ultimate oxymoron when discussing network security. You want your network to be as secure as possible, but by its very nature the wireless data is transmitted over radio waves that can be captured by anyone within range. On the surface one would think that trying to secure your network and provide wireless access would be mutually exclusive. At the same time, though, the ease of connectivity and the flexibility of accessing the network over a wireless connection are causing more and more networks to include wireless connectivity. It is the classic challenge of functionality versus security. Our responsibility, then, is to take the necessary precautions to ensure that our wireless connections are as secure as they can be.
Because WEP is effectively a broken protocol, you should only use it as a last resort. If your devices support WPA, use WPA. Furthermore, you should use WPA with RADIUS/802.1x authentication so that you do not have to rely on shared keys for authentication. If you have to use WEP, you should seriously consider requiring all WEP-based wireless connections to use a VPN to gain access to the production/wired network resources. We will look at how you can design this VPN network architecture in Chapter 12.
Once you have decided on the wireless protocol, you need to harden the WAP. By default, most vendors ship their WAPs allowing all connections and using many default settings that you'll need to change. The first step is to harden your remote administration capabilities by changing any default usernames and implementing passwords that conform to your password security policy. Next, you should disable SSID broadcasts to keep the WAP from advertising itself to unknown users; anyone who is going to connect to the WAP should already know the SSID. You also need to implement whatever logging facilities are supported so that you can better monitor the connections being made and, more importantly, the connections being denied. You also need to disable or harden all services that the WAP is running, paying special attention to ensuring that you do not leave the default SNMP community strings in place. Next, you should explicitly define the wireless mode in which the WAP should operate. If you know that all your users will connect using 802.11g, you should configure the WAP to allow only 802.11g connections. Although this does not necessarily prevent someone from connecting, it at least ensures that they must have a NIC that supports the wireless mode you have specified. The last step is to implement MAC address filtering to explicitly permit only those MAC addresses you want to be able to connect to your network and to deny everything else.
If you follow these hardening steps for your WLAN, you will greatly mitigate the risk related to offering wireless network access to your users.