• All:

    I wrote up the following to accompany a talk on SOHO 802.11 security. I personally do not recommend all the practices in the list. What would you add or change?

    Thanks. /criss

    =====================cut here=====================

    Available Security Practices for Small Office Home Office
    IEEE 802.11 WLAN Access Points

    * Reset AP to factory defaults, and record the procedure
    * Upgrade AP to latest firmware, and record the procedure
    * Change and record settings for the SSID and the administrative password
    * Enter and record settings to connect with the ISP
    * Select one of the following encryption methods, create and record a key value
    - IEEE 802.11 standard 40/64 bit WEP RC4
    - Vendor proprietary 104/128 bit WEP RC4
    - Wi-Fi Protected Access: WPA RC4 with PSK (2004)
    - IEEE 802.11i RSN: TKIP RC4 with PSK (2005)
    - IEEE 802.11i RSN: CCMP AES with PSK (2005 and new AES hardware)
    * Use Open rather than WEP Shared Key method for 802.11 authentication
    * Enable Personal Firewall on work stations to compensate for weak security at APs
    * Reduce radio power to contain coverage area inside the premises
    * Create MAC filter list of the expected wireless client stations
    * Select “Hide SSID” or “Closed Network” to make discovering the SSID harder
    * Add blank space, that cannot be easily read, to the end of the SSID
    * Disable DHCP server to make intruder ‘s IP configuration more challenging
    * Power off the AP when not in use

    AES: Advanced Encryption System
    AP: Access Point
    CBC-MAC: Cipher Block Chaining - Message Authentication Code
    CCMP: Counter mode CBC-MAC Protocol
    DHCP: Dynamic Host Configuration Protocol
    IEEE: Institute of Electrical and Electronics Engineers
    IP: Internet Protocol
    ISP: Internet Service Provider
    MAC: Medium Access Control
    PSK: Pre Shared Key
    RC4: "RSA Labs Cipher 4"
    RSN: Robust Security Networks
    SOHO: Small Office Home Office
    SSID: Service Set Identifier
    TKIP: Temporal Key Integrity Protocol
    WEP: Wired Equivalent Privacy
    WLAN: Wireless Local Area Network
    WPA: Wi-Fi Protected Access

    Criss Hyde 15Jun2004

  • Well, I guess my first question would be what is the wireless LAN that is to implement these security practices use for?

    I mean, you are really locking this thing down as tightly as possible, so it can't be a HotSpot in a coffee house, or an inter-departmental workgroup portal.

    I'm guessing from the amount of man/horsepower this WLAN will take to administer that it's an enterprise-level system for a business that has extremely sensitive data, yet absolutely must have wireless connectivity.

    Many of these practices listed don't seem very "SOHO" to me.

  • Hi JD:

    For SOHO users I recommend the first five bullets and WPA-PSK, available now from most vendors in new equipment and as upgrades to older equipment -- hence the advice for users to learn how to upgrade their access point firmware.

    Some of the other bullets are popular SOHO marketing band-aids for WEP and offer little if any additional security. Still other bullets are novel but also do not get beyond what one might call "security by obscurity".

    No hot spot or enterprise customer in her right mind would be interested in implementing this list.

    Have a great day. /criss

  • Some things I would suggest are:

    * No mention of RADIUS? Even the little crappy APs support it. What if the customer has a spare Windows 2003 Server sitting around doing nothing? Put it to work! ;)

    * Update the firmware first, fully reset the AP, and then record all of the default provisioning values. Very important to be clear on this order.

    * On some devices, holding the reset button in for 5 seconds only performs a "quick reset" and doesn not completely reset all of the provisioning values in the AP. Holding the reset button in for 30 seconds will perform a "full reset". This isn't always documented, so you need to real buddy-buddy with the AP's tech support people to find out about these backdoor tricks.

    * I like the blank at the end of the SSID. Can an SSID have 8-bit ANSI characters? Both ANSI 127 and 255 are good hidden characters too, but I can see that most client apps won't have a way to enter them into the string. Kismet can probably be configured to put double quotes around SSIDs to catch this sort of thing, but it's cute.

    * I would prefer the APs being plugged into firewall appliances rather than depending on firewall software being installed on all wireless clients--including PDAs.

    * Only the higher-end APs have adjustable output power. You might note this security measure as "when available in hardware".

    * Dark APs provide the ultimate in security, that's for sure. Hopefully all the APs can be powered-down from a central switch. It's certainly possible using a PoE solution. I think you should include as an alternate solution the APs are provisioned to deny access to all during non-business hours.

    * Do you have any practical experience with obfuscating network configurations to confuse infiltrators? For exmaple, use the wrong netmask for your network's IP address range (e.g., use a class B addressing scheme with a class A netmask). Kismet shows a node's IP address, but not its netmask. Things like this are silly, but anything to discourage an intruder.

  • All:

    I have rewritten and reposted my remarks under "Home 802.11 Security Advice"

    Thanks. /criss

Page 1 of 1
  • 1