Configuration Countermeasures


Configuration countermeasures are the easiest to understand. The countermeasures address the authentication, access control, integrity and confidentiality of the data and hardware on the network. Understanding how to configure the access point is critical to meet the vision stated in your organization's security policy. Proper configuration will mitigate many threats and go a great distance to limit unforeseen, unanticipated vulnerabilities. A proactive approach is the best way to describe configuration countermeasures. Since instruction manuals come with most technology today, it should be easy to locate the specific settings by reading the manuals. Specific areas of interest include:

  1. Enable WEP (wireless encryption protocol). WEP minimizes the risk of radio frequency interception by somebody nearby. WEP is specified for encryption and authentication between clients and APs according to the 802.11 standard. WEP security is based on an encryption algorithm called RC4. Some products allow you to separately set the authentication method to shared key or open system. Use the shared key method so that encryption is used to both authenticate your client and encrypt its data. Even though WEP has been broken, it is a cost-effective (free) and valuable first layer of security. In my research over the past three years, more than 60% of all access points do not use WEP; while enabling the service may cause an attacker or curious user to move on to an easier target. The encryption algorithm is generated based on a key (a number sequence) entered and controlled by the user. All clients and APs are configured with the same key to encrypt and decrypt transmissions of data. WEP keys are 40 or 128 bits in length and can be configured in three possible modes: no encryption mode, 40-bit or 128-bit encryption.

  2. Secure your access point with a password. Your access point should require a password to access its administrative features: if it does not, replace it with one that does. Use strong passwords to protect against password cracking tools. Make sure the access point is not using the default password. Default passwords are well known and will be one of the first exploits tried by an educated attacker. Many wireless detection devices identify the manufacturer based on the media access control (MAC) address; this information makes it easier to guess what type of WAP is being used, even if the SSID has been changed. Change your password periodically.

  3. Change the SSID to a truly unique name that does not identify the owner of the access point. The SSID allows a WLAN to be segmented into multiple networks, each with a different identifier. Each of these networks is assigned a unique identifier, which is programmed into one or more APs. To access any of the networks, a client computer must be configured with the corresponding SSID identifier for that network. Thus, SSID acts as a simple password, providing a measure of security. A weakness is created when the SSID is widely known or shared, and it is easily obtained by freeware loaded onto a wireless network client.

  4. Disable broadcast SSID if this feature is supported by the equipment vendor. Most access points broadcast SSID by default. In this mode the access point will accept any SSID. By disabling broadcast SSID, the SSID configured in the client must match the SSID of the access point.

  5. Turn off dynamic host configuration protocol (DHCP) and assign a static IP address to wireless devices. This will keep your WAP from issuing an IP address to any computer that tries to connect with it. Also consider changing the IP subnet to a non-default address. Many access points default to the 192.168.1.0 network, and use 192.168.1.1 as the default router. Changing these defaults provides additional layers of security.

  6. Filter devices based on the MAC address. Filtering increases security by configuring an access point with a list of MAC addresses associated with the client computers that are allowed access to the access point. If a client's MAC address is not on the list, the access point will deny access. This method provides good security but is only suited to small networks. The labor-intensive work of entering MAC addresses and maintaining up-to-date lists on all of the access point devices obviously limits the scalability of this approach. An access point can be set up to provide encryption-only protection in open-system mode, or to add authentication in shared-key mode. MAC address filtering is often used together with this encryption. WEP security is best suited for small networks, as there is no key management protocol. As a result, keys must be manually entered into every client. This can be a huge management task, especially as keys should be changed regularly to provide a higher level of security.

Lengthen the beacon interval of your access point. Beacon frames announce the existence of your wireless network to all. These beacons are transmitted from access points at regular intervals and allow a client station to identify and match configuration parameters in order to join a wireless network. The interval length may be set to its highest value, resulting in an approximate 67-second interval.
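
An added example, not from the book: a small Python audit that checks an access point's settings against the checklist above. The configuration field names and sample values are constructed for illustration; the 65535 upper bound reflects the 802.11 beacon interval being a 16-bit count of 1024-microsecond time units, which is where the roughly 67-second figure comes from.

```python
import ipaddress
import re

DEFAULT_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # default named in item 5
DEFAULT_PASSWORDS = {"", "admin", "password"}  # constructed sample list
MAX_BEACON_TU = 0xFFFF  # 16-bit field; one time unit (TU) is 1024 microseconds

def normalize_mac(mac):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_allowed(cfg, client_mac):  # item 6: admit only MACs on the AP's list
    return normalize_mac(client_mac) in {normalize_mac(m) for m in cfg["mac_allowlist"]}

def beacon_seconds(tu):
    return tu * 1024 / 1_000_000

def audit_ap(cfg):
    """Return the checklist items (numbered as in the list above) that cfg fails."""
    f = []
    if cfg["wep_key_bits"] not in (40, 128):
        f.append("1: WEP encryption is off")
    elif cfg["auth_mode"] != "shared-key":
        f.append("1: authentication is open system, not shared key")
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        f.append("2: admin password is empty or a vendor default")
    if any(t.lower() in cfg["ssid"].lower() for t in cfg["owner_terms"]):
        f.append("3: SSID identifies the owner")
    if cfg["broadcast_ssid"]:
        f.append("4: SSID broadcast is enabled")
    if cfg["dhcp_enabled"]:
        f.append("5: DHCP is enabled")
    if ipaddress.ip_address(cfg["lan_ip"]) in DEFAULT_SUBNET:
        f.append("5: LAN uses the default 192.168.1.0 subnet")
    if not cfg["mac_allowlist"]:
        f.append("6: no MAC address filter")
    if cfg["beacon_interval_tu"] < MAX_BEACON_TU:
        f.append(f"beacon every {beacon_seconds(cfg['beacon_interval_tu']):.2f} s, below maximum")
    return f
# Constructed sample configurations (hypothetical field names, not a vendor format).
FACTORY = dict(wep_key_bits=0, auth_mode="open", admin_password="admin",
               ssid="AcmeCorp-WLAN", owner_terms=["acme"], broadcast_ssid=True, dhcp_enabled=True,
               lan_ip="192.168.1.1", mac_allowlist=[], beacon_interval_tu=100)
HARDENED = dict(FACTORY, wep_key_bits=128, auth_mode="shared-key",
                admin_password="t7#Vq9!mLz2", ssid="kestrel-41", broadcast_ssid=False, dhcp_enabled=False,
                lan_ip="10.73.5.1", mac_allowlist=["00:11:22:AA:BB:CC"], beacon_interval_tu=MAX_BEACON_TU)
```

Calling `audit_ap(FACTORY)` lists every checklist item the factory-style settings fail, while `audit_ap(HARDENED)` returns an empty list.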

As a more secure model, some vendors have developed VPN solutions that create a secure tunnel for your wireless traffic. Wireless security products have evolved to authenticate all wireless users before they can gain access to network resources, encrypt data with the Advanced Encryption Standard before it passes through the air, and control user access to network segments through the use of policy servers.




Information Technology Security. Advice from Experts
ISBN: 1591402484
EAN: N/A
Year: 2004
Pages: 113