If you feel like you’re ready to start building your new wireless network, this section will help prepare you. It presents three scenarios of varying security levels; read over each and choose the level you feel is appropriate for your installation. Following the steps listed with each security level will help give you an idea of the type of equipment and planning that will be necessary.
Minimum Security
Objective: The objective of a minimum security wireless access installation is to provide a minimal level of security for a home office or small company. Since a fairly determined attacker with plenty of time can compromise this type of system, it is not recommended for sensitive or confidential data.
- Determine your requirements. Get an idea of the number of users, the type of environment you are working in, the amount of bandwidth you expect to consume, and define what you classify as your minimum security standards.
- Scout your locations. Knowledge of your building layout and the location of your user base should assist you in finding suitable AP placements.
- Decide which AP to get. Make certain it supports 128-bit encryption. If you have some additional money to spend, find one that also supports the closed network functionality.
- Enable WEP, change your SSID, and alter the configuration of the AP, based on the suggestions provided in the earlier sections.
- Install WEP keys on the client workstations, and update your security policy to determine proper key distribution methods.
- Test your system for vulnerabilities before going live. As described in the previous sections, war drive your location and try to see it as an attacker would.
- Enjoy minimally secured wireless access, but realize that an attacker, given the motivation and enough time, can break this network with commonly available tools.
Moderate Security
A moderate security solution is a good choice for a larger company that wishes to have a wireless LAN with tighter access controls. It also assumes that the 128-bit encryption found in WEP will be sufficient to protect company data. This means that an attacker may still be able to view data on the wireless network. This solution is not recommended if it is crucial that a third party never intercept data.
- Determine your requirements. Get an idea of the number of users, the type of environment you are working in, the amount of bandwidth you expect to consume, and define what you classify as your minimum security standards.
- Scout out your location. Through trial and error, and using the preceding text as a guide, determine the best placement of your AP. Avoid windows and doorways.
- Shop around for an AP. For moderate security, find one that supports MAC address filtering. This means that only predetermined MAC addresses will be able to participate on the network. This tightens the access controls down to a specific set of cards and also provides better logging capabilities, now that cards can be traced to specific users. If it’s not possible to find one that supports MAC filtering, configure your DHCP server to only assign IPs based on the MAC address. Additionally, it is important to make sure the AP has 128-bit WEP and supports the closed network functionality.
- Enable WEP, change your SSID, and alter the configuration of the AP, based on the suggestions provided in the earlier sections.
- Install client WEP keys, and update the security policy to provide for a secure method of key distribution.
- Test your system for vulnerabilities before going live. As described in the previous sections, war drive your location and try to see it as an attacker would.
- You’re ready to go. Realize that this solution requires considerable determination for an attacker to breach since the AP isn’t advertising itself, it supports MAC filtering, and it’s using WEP. It’s not unbreakable, but it certainly isn’t an easy target.
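As an added example (not part of the original text), the sketch below uses the logging benefit of MAC filtering from the moderate-security steps: it matches AP association events against the list of registered cards and separates per-user activity from unregistered cards. The log line format, the user names and the `normalize_mac` / `audit_associations` helpers are assumptions; the MAC addresses are constructed from the RFC 7042 documentation range.

```python
import re
from collections import defaultdict

# Constructed allowlist: registered card MAC -> owner (hypothetical users).
ALLOWLIST = {
    "00:00:5E:00:53:01": "alice",
    "00-00-5e-00-53-02": "bob",
}

# Constructed AP association log; the line format is an assumption.
SAMPLE_LOG = """\
2002-03-14 09:12:01 ap1 assoc 00:00:5E:00:53:01
2002-03-14 09:15:40 ap1 assoc 00-00-5e-00-53-02
2002-03-14 09:16:02 ap2 assoc 0000.5e00.53aa
2002-03-14 09:20:11 ap2 assoc 00:00:5E:00:53:01
2002-03-14 09:21:30 ap2 assoc not-a-mac
"""

def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff, or None if text is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_associations(log_text, allowlist):
    """Split association events into per-user activity and unregistered cards."""
    known = {normalize_mac(mac): user for mac, user in allowlist.items()}
    by_user = defaultdict(list)       # owner -> [(timestamp, ap), ...]
    unregistered = defaultdict(list)  # mac   -> [(timestamp, ap), ...]
    malformed = []                    # lines whose MAC field did not parse
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "assoc":
            continue
        stamp, ap = f"{fields[0]} {fields[1]}", fields[2]
        mac = normalize_mac(fields[4])
        if mac is None:
            malformed.append(line)
        elif mac in known:
            by_user[known[mac]].append((stamp, ap))
        else:
            unregistered[mac].append((stamp, ap))
    return dict(by_user), dict(unregistered), malformed

if __name__ == "__main__":
    users, unknown, bad = audit_associations(SAMPLE_LOG, ALLOWLIST)
    print("per user:", users)
    print("unregistered cards:", unknown)
    print("malformed lines:", bad)
```

A MAC address is asserted by the client card, so treat this as an inventory and logging check that runs alongside WEP, not as authentication on its own.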
Optimal Security
The objective behind optimal security is to provide the best possible protection for your wireless LAN. This type of scenario would be useful for larger companies, financial institutions, or any company that must guarantee with all possible certainty that the data is not compromised.
- Determine your requirements. Get an idea of the number of users, the type of environment you are working in, the amount of bandwidth you expect to consume, and define what you classify as your minimum security standards.
- Scout out your location. Through trial and error, and using the previous text as a guide, decide the best placement of your AP. Placement is critical in the optimal security model. Make certain that the AP is placed in a tamper-proof location, and make certain to avoid windows. Do your homework, and scout the location to know the distances your signal travels.
- Find the best wireless AP. It’s critical that 128-bit WEP and closed network functionality are supported. It’s also a generally good idea that it support MAC filtering, though in particularly large installations this can be a real headache, due to the size of the user base.
- Rewrite all of the default settings. Using the tips provided in the earlier section, make sure you are using a new SSID and password, have disabled SSID broadcasting, and that WEP is enabled. This is also a good time to enable MAC address filtering and protocol filtering.
- Build your network. For this installation you’ll need to place your AP behind its own firewall. This is also the time to begin investigating intrusion detection packages, if you haven’t already standardized on one.
- Install and configure your VPN server. Decide exactly where on your network this will live. Ideally, it should be placed in the DMZ network.
- Install client WEP keys, and update the security policy to provide for a secure method of key distribution.
- Test your system for vulnerabilities before going live. As described in the previous sections, war drive your location and try to see it as an attacker would.
- Consider hiring an outside security group to perform vulnerability testing against your network. Even if you think you’ve done it all correctly, it’s always a good idea to have independent verification.
- Enjoy your wireless network, knowing that you’ve done many things to make it difficult to compromise. This is not to say that it is impossible to breach, but that it would be very difficult using known attack methodology. The work isn’t completely over at this stage, however; monitoring of the firewall and intrusion detection are a must!