Thursday, 17 April 2014

How to Secure Wireless Network

Secure Wireless Network part 2

4. Best Practices

There are certain best practices explained below which should be followed for enhancing security of wireless Access Point / Routers.

i) Restrict the Access

SSID (Service Set Identifier) is used to identify a wireless network which a user wants to attach. All wireless devices that want to communicate on the WLAN need to have their SSID set to the same string as the AP. Even though the attacker can get the SSID simply by sniffing the network it is preferable to change the default SSID. Avoid SSID which shows name or other information. Name the access point such that it can be easily traceable during trouble shooting. Physical security of access point is also important.

ii) Disable Management via Wireless

It is recommended to disable management of the router via wireless devices associated with the access point. If someone manages to associate with the access point and login to the router , they can change the configuration of the router. Prefer wired interface with AP/Router to configure the device.

iii) Disable Remote Management

Remote Router Access permits web-based management of the wireless router from external networks such as the Internet. By default this feature opens port 8080/TCP on the external side of the router. This feature provides significant risk to the device, permitting an attack vector and more importantly significant risk to internal network. It should be disabled unless remote management is absolutely required. Universal Plug and Play may also be disabled.

iv) Turn off the AP when not in use

This is also advisable since it minimizes the risk of unauthorized access.

v) Configure Network Mode

Select the wireless mode which is depending upon the protocols. The possible options are.

_ Disabled – disables AP.

_ Mixed – permits both 802.11 b and 802.11g.

_ B-Only – 8.2.11 b only.

_ G-Only – 8.2.11 g only.

vi) Disable SSID Broadcast.

This can protect the AP from a naive attacker . By disabling SSID broadcast, the easy availability of SSID can be restricted. But the attacker can still sniff the SSID from frames that devices use when associating with an AP. According to some vendors disabling SSID broadcast may restrict or invite the chance of exploitation.

vii) Set Wireless Channel from default

Changing the default wireless channel used by the AP is a good practice.It may avoid automatic association of the wireless interface to the network.

viii ) Maximize the Beacon Interval

Beacon frames are used for connection establishment and management by IEEE 802.11 networks. These frames from AP to wireless clients ,transmitted at regular intervals are used for configuration matching. It is recommended to set the beacon interval to the maximum number. This will reduce the transmission frequency of SSID so that the attacker will get less number of opportunities to sniff the beacons containing SSID. But there is a problem here. The attacker can probe the network using some specific SSID which is known as active scanning.

ix) Prefer Static IP instead of DHCP.

Since DHCP is automatically assigning IP addresses, an attacker can utilize this feature to get an IP. So it is recommended to use static IP on wireless networks.

No comments:

Post a Comment