How did we live without Wi-Fi? I can go to McDonald's or a coffee shop and get Wi-Fi and do my work, access my email or even do online banking. Ever worry about the security of that capability? Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use some basic principles. I would not recommend online banking or sensitive transactions from a public Wi-Fi though.
Here are some tips to keep in mind:
Don't use WEP. WEP (wired equivalent privacy) security is long dead. Its underlying encryption can be broken quickly and there are tools to download off the Internet to help you hack it. I would recommend WPA2.
Don't use WPA/WPA2-PSK. PSK = pre-shared key. This mode of WPA and WPA2 security isn't secure for the enterprise. The entry of this key into the client would need to be changed each time an employee leaves or the client is lost or stolen. This is a management challenge, and many times goes overlooked or forgotten. Not a good option.
Do implement 802.11i. The EAP protocol of WPA and WPA2 security uses 802.1x authentication instead of PSKs, providing the ability to offer each users or client their own login credentials: user name and password or a digital certificate. The encryption keys are regularly changed and exchanged silently in the background. Look into NPS of Windows Server 2008. There are also some great RSA products to help with security.
Do Secure 802.1x Client Settings: The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks. You need to secure the settings of the client to prevent these attacks. An example would be to in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specify the server address, and disable it from prompting users to trust new servers or CA certificates. Utilize Group Policy if you can.
Use a wireless intrusion prevention system: When it comes to Wi-Fi security there is more than combating those directly trying to gain access to the network. Hackers can setup rogue access points, or perform DOS attacks. An intrusion prevention system for wireless (WIPS) can alert you to rogue APs or malicious activity. Think of security in layers. One more tool and protection layer to keep you safe.
NAP: Should you consider deploying a Network Access Protection (NAP)? It could provide additional control over network access, and policy based protection. Windows 2008 comes with some of these features, give it some consideration. There are some great third party options as well.
There are several other things you can do, like hiding your SSID, don't leave default passwords on your systems, and disable feature/functions you don't need. Bottom like is that using wireless comes with additional security awareness and steps needed to be taken. I would also recommend a firewall on that laptop you are using at your favorite Wi-Fi hot spot. Security is everyone's responsibility.
Keep it positive!
Scott Arnett
scott.arnett@charter.net
About Me
- Scott Arnett
- Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.
No comments:
Post a Comment