8.6 Sample WLAN Security Checklist
8.6 Sample WLAN Security Checklist
Table 8.1 provides a good start for creating a security checklist for your organization. This checklist was taken from the draft version of NIST SP-800-48 [12]. It is re-created here for your review.
| Recommendation | Best Practice | May Consider | Done |
|---|---|---|---|
| Develop an organizational security policy that addresses the use of wireless technology, including 802.11 | ˆ | ||
| Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology | ˆ | ||
| Perform a risk assessment to understand the value of the assets in the organization that need protection | ˆ | ||
| Ensure that the client NIC and AP support firmware upgrade so that security patches may be deployed as they become available (before purchase) | ˆ | ||
| Perform comprehensive security assessments at regular intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture | ˆ | ||
| Ensure that external boundary protection is in place around the perimeter of the building or buildings of the organization | ˆ | ||
| Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers) | ˆ | ||
| Complete a site survey to measure and establish AP coverage for the organization | ˆ | ||
| Take a complete inventory of all APs and 802.11 wireless devices | ˆ | ||
| Empirically test AP range boundaries to determine the precise extent of the wireless coverage | ˆ | ||
| Ensure that AP channels are at least five channels different from any other nearby wireless networks to prevent interference | ˆ | ||
| Locate APs on the interior of buildings versus near exterior walls and windows | ˆ | ||
| Make sure that APs are turned off during all hours when they are not used | ˆ | ||
| Make sure the reset function on APs is being used only when needed and is only invoked by an authorized group of people | ˆ | ||
| Restore the APs to the latest security settings when the reset functions are used | ˆ | ||
| Change the default SSID in the APs | ˆ | ||
| Disable the "broadcast SSID" feature so that the client SSID must match that of the AP | ˆ | ||
| Validate that the SSID character string does not reflect the organization's name (division, department, street, etc.) or products | ˆ | ||
| Understand and make sure that all default parameters are changed | ˆ | ||
| Disable the broadcast beacon of the APs | ˆ | ||
| Disable all insecure and nonessential management protocols on the APs | ˆ | ||
| Enable all security features of the WLAN product, including the cryptographic authentication and WEP privacy feature | ˆ | ||
| Ensure that encryption key sizes are at least 128 bits or as large as possible | ˆ | ||
| Make sure that default shared keys are periodically replaced by more secure unique keys | ˆ | ||
| Install a properly configured firewall between the wired infrastructure and the wireless network (AP or hub to APs) | ˆ | ||
| Install antivirus software on all wireless clients | ˆ | ||
| Install personal firewall software on all wireless clients | ˆ | ||
| Deploy MAC access control lists | ˆ | ||
| Consider installation of Layer 2 switches in lieu of hubs for AP connectivity | ˆ | ||
| Deploy IPsec-based Virtual Private Network (VPN) technology for wireless communications | ˆ | ||
| Ensure that encryption being used is as strong as possible given the sensitivity of the data on the network and the processor speeds of the computers | ˆ | ||
| Fully test and deploy software patches and upgrades on a regular basis | ˆ | ||
| Ensure that all APs have strong administrative passwords | ˆ | ||
| Ensure that all passwords are being changed regularly | ˆ | ||
| Deploy user authentication such as biometrics, SmartCards, two-factor authentication, or PKI | ˆ | ||
| Ensure that the "ad hoc mode" for 802.11 has been disabled unless the environment is such that the risk is tolerable | ˆ | ||
| Use static IP addressing on the network | ˆ | ||
| Disable DHCP | ˆ | ||
| Enable user authentication mechanisms for the management interfaces of the AP | ˆ | ||
| Ensure that management traffic destined for APs is on a dedicated wired subnet | ˆ | ||
| Make sure adequately robust community strings are used for SNMP management traffic on the APs | ˆ | ||
| Configure SNMP settings on APs for least privilege (i.e., read only). Disable SNMP if it is not used | ˆ | ||
| Enhance AP management traffic security by using SNMPv3 or equivalent cryptographically protected protocol | ˆ | ||
| Use a local serial port interface for AP configuration to minimize the exposure of sensitive management | ˆ | ||
| Consider other forms of authentication for the wireless network, such as RADIUS and Kerberos | ˆ | ||
| Deploy intrusion detection sensors on the wireless part of the network to detect suspicious behavior or unauthorized access and activity | ˆ | ||
| Deploy an 802.11 security product that offers other security features, such as enhanced cryptographic protection or user authorization features | ˆ | ||
| Fully understand the impacts of deploying any security feature or product before deployment | ˆ | ||
| Designate an individual to track the progress of 802.11 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology. | ˆ | ||
| Wait until future releases of 802.11 WLAN technology that incorporates fixes to the security features or enhanced security features | ˆ |
EAN: 2147483647
Pages: 153
- Challenging the Unpredictable: Changeable Order Management Systems
- ERP System Acquisition: A Process Model and Results From an Austrian Survey
- Enterprise Application Integration: New Solutions for a Solved Problem or a Challenging Research Field?
- Distributed Data Warehouse for Geo-spatial Services
- Relevance and Micro-Relevance for the Professional as Determinants of IT-Diffusion and IT-Use in Healthcare