
Secure Networking

Is Wireless Security your biggest concern? With Cisco's layered approach to securing a Wireless LAN it needn't be.

Security has been the number one concern for businesses and customers for some time. But it needn't be. Our proven solutions - including Cisco EAP and Secure 3DES VPNs - will give you and your customers peace of mind.


Read the Cisco Wireless LAN Security Whitepaper

HOW TO SIMPLY SECURE AN 802.11 WLAN.

Simply Wireless has a highly in-depth security policy that is implemented whenever we install a Wireless LAN for our clients. It provides a total Quality Assurance (QoS) mechanism for ensuring that your network won't be compromised.

Below, Simply Wireless has provided some basic pointers that should get you started in trying to secure your own wireless network.

Enable Wired Equivalent Privacy or WEP.
Turn on WEP (Wired Equivalent Privacy). WEP is the basic security mechanism for most home & small business WLANs. WEP has some well-documented security flaws; however, it provides basic wireless LAN security. Approximately three quarters of all wireless LAN networks do not have WEP enabled.

WEP has two variants. The first is 40-bit encryption, also known as 64-bit WEP. To access a 64-bit WEP network you need to know a 10 digit alphanumeric network key. The second variant, 128-bit WEP encryption, has a 26 digit key. Rotating WEP keys monthly is a good idea, more often if you're more concerned. 802.1x allows you to rotate WEP keys automatically at user-defined intervals, say hourly.
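The key lengths and rotation intervals above can be checked mechanically. This is an added example, not Simply Wireless or Cisco code: it classifies a key by its length and estimates when WEP's 24-bit initialization vector (the difference between the 40/104-bit secret and the advertised 64/128 bits) must repeat under a single key. The sequential IV counter and the 500 frames per second in the demo are assumptions.

```python
import string

IV_BITS = 24  # WEP sends a 24-bit IV in clear with every frame, alongside the secret

# Secret length in bytes -> the name the variant is sold under.
VARIANTS = {5: "64-bit WEP", 13: "128-bit WEP"}


def parse_wep_key(key: str) -> dict:
    """Classify a WEP key entered as hex digits (10 or 26) or ASCII (5 or 13 chars)."""
    if len(key) in (10, 26) and all(c in string.hexdigits for c in key):
        secret = bytes.fromhex(key)
    elif len(key) in (5, 13) and key.isascii():
        secret = key.encode("ascii")
    else:
        raise ValueError("expected 10/26 hex digits or 5/13 ASCII characters")
    secret_bits = len(secret) * 8
    return {
        "variant": VARIANTS[len(secret)],
        "secret_bits": secret_bits,                # what actually has to be guessed
        "advertised_bits": secret_bits + IV_BITS,  # the figure on the box
    }


def hours_until_iv_wrap(frames_per_second: float) -> float:
    """Hours until a sequential 24-bit IV counter has to repeat under one key."""
    return (2 ** IV_BITS) / frames_per_second / 3600


def rotation_is_adequate(interval_hours: float, frames_per_second: float) -> bool:
    """True if the key is replaced before the IV space is used up."""
    return interval_hours < hours_until_iv_wrap(frames_per_second)


if __name__ == "__main__":
    # Constructed sample keys and an assumed load of 500 frames per second.
    for sample in ("0123456789", "0123456789abcdef0123456789"):
        print(sample, parse_wep_key(sample))
    print("IV wrap after %.1f hours" % hours_until_iv_wrap(500))
    for label, hours in (("hourly", 1), ("monthly", 24 * 30)):
        print(label, "rotation adequate:", rotation_is_adequate(hours, 500))
```

At the assumed load the IV space wraps in under ten hours, so only the hourly 802.1x interval changes the key before IVs repeat.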

Change your Access Point's default password.

All manufacturers' access points come with a default password provided by the manufacturer. Change it, as potential hackers can easily figure out the default password once they identify the make of your network access point.

An anonymous SSID is a good idea
There is no need for you to identify yourself as, say, Mr XYZ's Wireless LAN.
Identifying your network that way could make your wireless LAN a target for hackers.

Site Survey & Access Point Positioning

Enterprise WLANs use signal shaping, or 3D RF modeling, to minimize RF leakage. For a home WLAN it’s smart to avoid placing your access point in places where most of the signal goes outside. You can test how far RF goes outside your home or office by using an RF survey tool or simply checking to see how far you can go and still make a connection.

Turn off your SSID Broadcast.

On most enterprise grade hardware (e.g. Cisco, Symbol, Enterasys and LinkSys) it is possible to disable the Service Set Identifier, or SSID, from being broadcast. Most hardware ships with the SSID being broadcast (it makes finding wireless LAN Access Points easier). In effect, the broadcast is saying "I'm here! Connect to me." By turning the SSID off you are essentially hiding your network. If hackers do not know you’re running Wireless you are less likely to be targeted. Most SoHo grade hardware (Netgear, D-Link and LinkSys) does not permit disabling SSID broadcasts.

Security 101

Whenever you communicate over the Internet using a wired or wireless connection, you should ensure you do so securely. If your transmissions are not secure, you risk others intercepting your e-mails, snooping on your corporate files and records, and perhaps using your network and Internet connection to send spam or similar.

When you go to an SSL site, e.g. for online banking or shopping, these financial transactions are usually protected by a technology called Secure Sockets Layer (SSL). If your data is confidential or if you want additional security, there are several different technologies you might consider implementing.

Simply Wireless encourages our clients to use an appropriate level of security. In a home wireless network, you can use a variety of simple security procedures to protect your Wi-Fi connection. These include enabling 64-bit or 128-bit Wi-Fi encryption (Wired Equivalent Privacy, or WEP), changing your password or network name and closing your network. These basic techniques work in both small offices and large corporations. However, you can also employ additional, more sophisticated technologies and techniques to further secure your business network.

Security Technologies
WEP and other wireless encryption methods operate strictly between your Wi-Fi computer and your Wi-Fi access point or gateway. When data reaches the access point or gateway, it is unencrypted and unprotected while it is being transmitted out on the public Internet to its destination — unless it is also encrypted at the source with SSL when purchasing on the Internet or when using a VPN. So while using WEP will protect you from most external intruders, you may want to implement additional techniques to protect your transmissions as they travel on public networks and the Internet. There are several technologies available, but currently VPN works best.

VPNs - Virtual Private Networks - allowing triple DES encryption

Most businesses and enterprises use VPN to protect their remote-access workers and their connections. It works by creating a secure virtual "tunnel" from the end-user's computer through the end-user's access point or gateway, through the Internet, all the way to the corporation's servers and systems. It also works for wireless networks and can effectively protect transmissions from Wi-Fi equipped computers to corporate servers and systems.

Simply Wireless can assist with your VPN setup, and integrate Wireless to support Wi-Fi networks. A VPN works by creating an encryption scheme for data transferred to computers outside the enterprise network. There are several vendors of VPN software. A VPN allows data to be safely transferred back and forth with no chance of interception.

VPN tunneling is an ideal way to secure mobile professionals communicating from hotspots or telecommuters working from home.

VPN tunneling is possible from most Wi-Fi networks that allow VPN pass through. Business GPRS plans also allow secure VPN tunneling over GPRS.

In campus locations, facilities can provide security and still allow open access to guests by giving layers of network access. Visitors are allowed access to the Internet and use standard e-mail protocols, but to access the main corporate network, corporate e-mail and communications systems users need to tunnel in via VPN.

There are several VPN vendors who have various levels of VPN technology. VPNs often need hardware and software components. However, most Microsoft operating systems allow basic but free VPN technology with its advanced server operating systems.

We can help your business deploy VPNs. Call 1300 888 166 for help.

Firewalls

Firewalls are not specific to wireless networks; they apply equally to wired networks. A firewall shelters your network from the Internet and blocks unauthorized users from penetrating your network. Hardware and software firewall systems monitor and control the flow of data in and out of computers in both wired and wireless enterprise, business and home networks. They can be set to intercept, analyze and stop a wide range of Internet intruders and hackers.

Like VPNs, there are many types and levels of firewall technology. Many firewall solutions are software only; many are powerful hardware and software combinations. Some Wi-Fi gateways and access points provide a built-in firewall capability. But even if they don't, most Wi-Fi gateways include a routing capability that acts like a basic firewall, making the networked computers and their data invisible to simple hacking scans and probes.

Media Access Control (MAC) Filtering

As part of the 802.11b standard, every Wi-Fi radio has its unique Media Access Control (MAC) number allocated by the manufacturer. To increase wireless network security, it is possible for an IT manager to program a corporate Wi-Fi access point to accept only certain MAC addresses and filter out all others. The MAC control table thus created works like "call blocking" on a telephone: if a computer with an unknown MAC address tries to connect, the access point will not allow it. However, programming all the authorized users' MAC addresses into all the company's access points can be an arduous task for a large organization and can be time consuming — but for the home technology enthusiast it can be quite effective.

It is also possible for a dedicated hacker to "spoof" a MAC address, by intercepting valid MAC addresses and then programming his or her computer to broadcast using one of those. Despite that, for small network installations, using a MAC filtering technique can be a very effective method to prevent unauthorized access.
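Because the filter only ever sees the address a client claims, an allowlist is best paired with a check for the same address in use in two places. The sketch below is an added example, not code from any access point vendor: it applies the allowlist to an association log and flags allowlisted addresses associated to two access points at once. The log format, access point names and MAC addresses are constructed for illustration.

```python
import re

# Constructed allowlist, as an IT manager would program into each access point.
ALLOWED = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}

# Constructed association log: (seconds, access point, client MAC, event).
SAMPLE_LOG = [
    (0,   "ap-lobby",  "02-00-00-AA-BB-01", "assoc"),
    (30,  "ap-lobby",  "0200.00aa.bb02",    "assoc"),
    (60,  "ap-floor2", "02:00:00:AA:BB:01", "assoc"),     # same MAC, still on ap-lobby
    (90,  "ap-lobby",  "02:00:00:12:34:56", "assoc"),     # not on the allowlist
    (120, "ap-lobby",  "0200.00aa.bb02",    "disassoc"),
    (150, "ap-floor2", "02:00:00:aa:bb:02", "assoc"),     # clean move after disassoc
]


def normalize_mac(raw: str) -> str:
    """Reduce colon, dash and dotted notations to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def review_log(log, allowed=ALLOWED):
    """Return (rejected, concurrent): addresses the filter refuses, and allowlisted
    addresses seen associated to two access points at the same time."""
    rejected, concurrent = set(), set()
    active = {}  # mac -> access points it is currently associated to
    for _ts, ap, raw, event in log:
        mac = normalize_mac(raw)
        if mac not in allowed:
            rejected.add(mac)          # the filter does its job here
            continue
        aps = active.setdefault(mac, set())
        if event == "assoc":
            if aps - {ap}:             # already active on a different access point
                concurrent.add(mac)
            aps.add(ap)
        elif event == "disassoc":
            aps.discard(ap)
    return rejected, concurrent


if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```

A roaming client that never sends a disassociation will also appear in the concurrent set, so treat a hit as a lead to review rather than proof of spoofing.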

Radius

RADIUS (Remote Access Dial-Up User Service) is another standard technology that is already in use by many major corporations to protect access to wireless networks. RADIUS is a user name and password scheme that enables only approved users to access the network; it does not affect or encrypt data. The first time a user wants access to the network, secure files or net locations, he or she must input his or her name and password and submit it over the network to the RADIUS server. The server then verifies that the individual has an account and, if so, ensures that the person uses the correct password before she or he can get on the network.

RADIUS can be set up to provide different access levels or classes of access. For example, one level can provide blanket access to the Internet; another can provide access to the Internet as well as to e-mail communications; yet another account class can provide access to the Net, email and the secure business file server.

Like other sophisticated security technologies already mentioned, RADIUS comes in a variety of types and levels. You can use the free RADIUS provided by Microsoft for its advanced server operating systems, or you can use a sophisticated hardware and software solution.

Kerberos

Another way to protect your wireless data is by using a technology called Kerberos. Created by MIT, Kerberos is a network authentication system based on key distribution. It allows entities to communicate over a wired or wireless network to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.

After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Kerberos works by providing principals (users or services) with digital tickets that they can use to identify themselves to the network and secret cryptographic keys for secure communications. A ticket is a sequence of a few hundred bytes that can be embedded in virtually any other network protocol, thereby allowing the processes implementing that protocol to be sure about the identity of the principals involved.

Kerberos is available free from MIT and as a product from many different vendors.

802.1x security

With the burgeoning success and adoption of Wi-Fi networks, many other security technologies have been developed and continue to be developed. Security is a constant challenge, and there are thousands of companies developing a myriad of solutions.


There are a variety of proprietary third-party security solutions that effectively sit on top of standard Wi-Fi transmission and provide encryption, firewall and authentication services. Many Wi-Fi manufacturers have also developed proprietary encryption technologies that greatly enhance basic Wi-Fi security.

Encryption techniques use special technologies to scramble transmissions on one end and then unscramble them on the other. Other techniques use special keys or codes that enable the computers to talk to each other: the sender's computer transmits a key or code to the receiving computer, and if the keys match, the sender is allowed into the system. These new security standards will use advanced encryption technologies such as AES and TKIP, as well as secure key-distribution methods.

Hackers can break encryption codes by intercepting and analyzing large amounts of data, but breaking codes takes time. By automatically rotating encryption keys at set intervals, the Wi-Fi network is already using a new code by the time a hacker has managed to intercept and crack the old one. Most enterprise-level Wi-Fi networks already enable IT managers to change the codes manually; 802.1x makes the process automatic.

Getting Security Right.

For more information about Network Security that goes beyond basic security mechanisms, call Simply Wireless. We can help you implement increased protection for your mobile workers and their data.

As with any network, wired or wireless, the more layers of security that are added, the more secure your transmissions can be. We can build very, very secure networks that allow our clients to sleep at night. Call 1300 888 166 for more info.

(elements of content courtesy of www.weca.org)




2002 © Simply Wireless Pty. Ltd.