I wrote up the following to accompany a talk on SOHO 802.11 security. I personally do not recommend all the practices in the list. What would you add or change?
Available Security Practices for Small Office Home Office
IEEE 802.11 WLAN Access Points
* Reset AP to factory defaults, and record the procedure
* Upgrade AP to latest firmware, and record the procedure
* Change and record settings for the SSID and the administrative password
* Enter and record settings to connect with the ISP
* Select one of the following encryption methods, create and record a key value
- IEEE 802.11 standard 40/64 bit WEP RC4
- Vendor proprietary 104/128 bit WEP RC4
- Wi-Fi Protected Access: WPA RC4 with PSK (2004)
- IEEE 802.11i RSN: TKIP RC4 with PSK (2005)
- IEEE 802.11i RSN: CCMP AES with PSK (2005 and new AES hardware)
* Use Open rather than WEP Shared Key method for 802.11 authentication
* Enable Personal Firewall on work stations to compensate for weak security at APs
* Reduce radio power to contain coverage area inside the premises
* Create MAC filter list of the expected wireless client stations
* Select "Hide SSID" or "Closed Network" to make discovering the SSID harder
* Add blank space, that cannot be easily read, to the end of the SSID
* Disable DHCP server to make intruder's IP configuration more challenging
* Power off the AP when not in use
AES: Advanced Encryption System
AP: Access Point
CBC-MAC: Cipher Block Chaining - Message Authentication Code
CCMP: Counter mode CBC-MAC Protocol
DHCP: Dynamic Host Configuration Protocol
IEEE: Institute of Electrical and Electronics Engineers
IP: Internet Protocol
ISP: Internet Service Provider
MAC: Medium Access Control
PSK: Pre Shared Key
RC4: "RSA Labs Cipher 4"
RSN: Robust Security Networks
SOHO: Small Office Home Office
SSID: Service Set Identifier
TKIP: Temporal Key Integrity Protocol
WEP: Wired Equivalent Privacy
WLAN: Wireless Local Area Network
WPA: Wi-Fi Protected Access
Criss Hyde 15Jun2004
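The list above asks the reader to pick one of several encryption methods and then layers obscurity measures on top. The following is an added example, not part of the original post or of any vendor's firmware: a small audit of a hostapd-style key=value access point configuration (hostapd's key names are assumed; the two sample configs are constructed) that rates the link-layer choice as weak/acceptable/strong and separately calls out the measures that only hide the network rather than protect it.

```python
"""Audit a hostapd-style AP configuration against the encryption choices
in the thread: WEP (RC4), WPA/TKIP (RC4) and WPA2 (RSN) with CCMP/AES.

Added example, not from the original thread. It assumes hostapd's
key=value format and key names (wpa, wpa_pairwise, rsn_pairwise,
wep_key0, ignore_broadcast_ssid, macaddr_acl); the configs are constructed.
"""

# Constructed sample: a "locked down" 2004-style config that still runs WEP
# and relies on hidden SSID plus a MAC allow-list.
WEAK_CONFIG = """\
interface=wlan0
ssid=office-net
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
wep_default_key=0
wep_key0=0123456789abcdef0123456789
"""

# Constructed sample: the corrected config, RSN (WPA2) with CCMP only.
GOOD_CONFIG = """\
interface=wlan0
ssid=office-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
"""


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (rating, findings); rating is 'weak', 'acceptable' or 'strong'."""
    findings = []
    uses_wep = any(k.startswith("wep_key") for k in settings)
    wpa = settings.get("wpa", "0")          # hostapd bit field: 1=WPA, 2=RSN, 3=both
    pairwise = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if key in settings:
            pairwise.update(settings[key].split())

    if uses_wep:
        findings.append("WEP (RC4) key configured: treat as no encryption")
    elif wpa == "0":
        findings.append("no link-layer encryption configured (open network)")
    if "TKIP" in pairwise:
        findings.append("TKIP (RC4) pairwise cipher enabled: migrate to CCMP")
    if wpa in ("1", "3"):
        findings.append("WPA (2004) negotiation allowed: prefer RSN/WPA2 only")
    if settings.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden SSID: obscurity only, the SSID is still sent in probe and association frames")
    if settings.get("macaddr_acl", "0") == "1":
        findings.append("MAC allow-list: obscurity only, client addresses travel in the clear")
    passphrase = settings.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < 20:
        findings.append("short WPA passphrase: exposed to offline guessing from a captured handshake")

    if uses_wep or wpa == "0":
        rating = "weak"
    elif wpa == "2" and pairwise == {"CCMP"}:
        rating = "strong"
    else:
        rating = "acceptable"
    return rating, findings


def audit_text(text):
    """Convenience wrapper: audit a config given as a string."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        rating, findings = audit_text(cfg)
        print(f"{name}: {rating}")
        for f in findings:
            print("  -", f)
```

The rating is driven only by the cipher suite; the obscurity items (hidden SSID, MAC list) are reported as findings but never raise or lower the rating, which mirrors the thread's point that they are band-aids rather than security.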
Well, I guess my first question would be what is the wireless LAN that is to implement these security practices used for?
I mean, you are really locking this thing down as tightly as possible, so it can't be a HotSpot in a coffee house, or an inter-departmental workgroup portal.
I'm guessing from the amount of man/horsepower this WLAN will take to administer that it's an enterprise-level system for a business that has extremely sensitive data, yet absolutely must have wireless connectivity.
Many of these practices listed don't seem very "SOHO" to me.
For SOHO users I recommend the first five bullets and WPA-PSK, available now from most vendors in new equipment and as upgrades to older equipment -- hence the advice for users to learn how to upgrade their access point firmware.
Some of the other bullets are popular SOHO marketing band-aids for WEP and offer little if any additional security. Still other bullets are novel but also do not get beyond what one might call "security by obscurity".
No hot spot or enterprise customer in her right mind would be interested in implementing this list.
Have a great day. /criss
Some things I would suggest are:
* No mention of RADIUS? Even the little crappy APs support it. What if the customer has a spare Windows 2003 Server sitting around doing nothing? Put it to work! ;)
* Update the firmware first, fully reset the AP, and then record all of the default provisioning values. Very important to be clear on this order.
* On some devices, holding the reset button in for 5 seconds only performs a "quick reset" and does not completely reset all of the provisioning values in the AP. Holding the reset button in for 30 seconds will perform a "full reset". This isn't always documented, so you need to be real buddy-buddy with the AP's tech support people to find out about these backdoor tricks.
* I like the blank at the end of the SSID. Can an SSID have 8-bit ANSI characters? Both ANSI 127 and 255 are good hidden characters too, but I can see that most client apps won't have a way to enter them into the string. Kismet can probably be configured to put double quotes around SSIDs to catch this sort of thing, but it's cute.
* I would prefer the APs being plugged into firewall appliances rather than depending on firewall software being installed on all wireless clients--including PDAs.
* Only the higher-end APs have adjustable output power. You might note this security measure as "when available in hardware".
* Dark APs provide the ultimate in security, that's for sure. Hopefully all the APs can be powered-down from a central switch. It's certainly possible using a PoE solution. I think you should include as an alternate solution the APs are provisioned to deny access to all during non-business hours.
* Do you have any practical experience with obfuscating network configurations to confuse infiltrators? For example, use the wrong netmask for your network's IP address range (e.g., use a class B addressing scheme with a class A netmask). Kismet shows a node's IP address, but not its netmask. Things like this are silly, but anything to discourage an intruder.
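Both the "blank at the end of the SSID" item in the list and the question above about 8-bit characters come down to how the SSID is carried on the air. As an added example (not part of the thread), the code below builds and decodes the 802.11 SSID information element (element ID 0, a length octet, then 0 to 32 arbitrary octets) and renders it the way an auditing tool should, with quotes and escaped octets, so that a trailing space, a 0x7F or 0xFF octet, or a zero-length "hidden" SSID is visible rather than silently dropped. The beacon bodies are constructed.

```python
"""Encode/decode the 802.11 SSID information element and render SSIDs so
that invisible octets show up. Added example, not from the original thread;
the frames below are constructed for illustration.
"""

SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ELEMENT_ID = 1
SSID_MAX_OCTETS = 32
BEACON_FIXED_FIELDS = 12   # timestamp (8) + beacon interval (2) + capability (2)


def build_ssid_ie(ssid_bytes):
    """Return the SSID IE: ID 0, length, then the raw octets (any value allowed)."""
    if len(ssid_bytes) > SSID_MAX_OCTETS:
        raise ValueError("SSID is limited to 32 octets")
    return bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + bytes(ssid_bytes)


def parse_ies(payload):
    """Walk a tagged-parameter list (ID, length, value ...) into {id: value}."""
    ies = {}
    i = 0
    while i + 2 <= len(payload):
        eid, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        ies[eid] = value
        i += 2 + length
    return ies


def ssid_from_beacon(body):
    """Extract the SSID octets from a beacon/probe-response frame body."""
    ies = parse_ies(body[BEACON_FIXED_FIELDS:])
    return ies.get(SSID_ELEMENT_ID, b"")


def describe_ssid(ssid_bytes):
    """Quote the SSID and escape every octet outside printable ASCII 0x21..0x7E,
    so spaces (0x20), DEL (0x7F) and 8-bit values such as 0xFF are shown."""
    out = []
    for b in ssid_bytes:
        if 0x20 < b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return '"' + "".join(out) + '"'


def make_beacon_body(ssid_bytes):
    """Constructed beacon body: zeroed fixed fields, SSID IE, one basic rate (1 Mbps)."""
    rates_ie = bytes([SUPPORTED_RATES_ELEMENT_ID, 1, 0x82])
    return bytes(BEACON_FIXED_FIELDS) + build_ssid_ie(ssid_bytes) + rates_ie


if __name__ == "__main__":
    for ssid in (b"office", b"office ", b"office\x7f\xff", b""):
        body = make_beacon_body(ssid)
        print(describe_ssid(ssid_from_beacon(body)))
```

A beacon from a "closed" network carries a zero-length SSID IE and prints as `""`; the trailing blank from the list prints as `\x20`. Any tool that renders SSIDs this way recovers the trick at a glance, which is why the thread files it under security by obscurity.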
I have rewritten and reposted my remarks under "Home 802.11 Security Advice"