April 8, 2011, 9:21 p.m.
posted by gelassen
Here’s a quick and dirty listing of some of the important (and fairly easy) things you can do to make your network less visible to war drivers and to implement WEP or other encryption schemes:
Because wireless access points are very cheap, the temptation for employees to install their own access point is very high. In fact, they may be sitting right on top of the CPU box and you haven’t even noticed them. Rogue access points can expose your network to outsiders and circumvent security measures such as firewalls and intrusion detection systems. This is the sort of problem that makes war chalking symbols appear outside buildings.
First of all, make it a policy that unauthorized access points are a big no-no and installing them is grounds for termination. That lets your staff know that you mean business.
Secondly, get one of the free war driving software programs I mentioned earlier and use it yourself to find rogue access points. There are even programs you can easily run on a PDA. One that has gotten good reports is called WaveRunner. I mention this because walking around the office with a PDA is a lot less obtrusive than walking around with a laptop. With a PDA device your staff may not realize what you’re up to. Otherwise they may turn off their access points so you won’t find them.
On the other hand, you may want to send out an announcement to all staff telling them that you are going to conduct a search for unauthorized wireless access points and will confiscate any you find. You may want to offer amnesty to get staff to turn in their wireless access points before you start your search. Tell the staff that they have a few days grace period in which to turn in their access points and there will be no punishment or terminations. After that period though, there will be (and should be) some sort of penalty to show that you are serious about this. I’m all in favor of giving people the opportunity to do the right thing first.
Although this isn’t strictly an encryption technique, changing the default SSIDs can help “hide” your network from casual lookers. The SSID is basically the network name that the wireless access point broadcasts. It’s a well-known fact (among hackers, anyway) that vendors often use their company name as the SSID. For example, the company LinkSys uses the SSID of “linksys.” It doesn’t take a brain surgeon to find networks using the default names. You’ll need the access point’s manual for instructions on how to change the SSID.
When you change the SSID, try to choose a name that’s not totally obvious or too generic. For example, if your company is 123 Company and that name is on the door of your offices, don’t change the SSID to “123 Company.” That would be one of the first names a hacker would attempt to try. Likewise, names like “finance” or “personnel” or “marketing” are far too easy and obvious for someone to guess. So, try to be a little more creative and give your networks names that only mean something to you.
In addition to changing the default SSID you can also disable the “broadcasting” feature of the SSID. The broadcast feature means that the access point is sending out the name of the network to any wireless card that is trying to log on. If you disable this feature, a user will have to manually enter the name of the network and the network card won’t find it automatically. The various wireless access point vendors have different methods of accomplishing this task, so you’ll have to refer to your user’s manual to see how to make these changes.
You have to do more than just turn on WEP; you also have to check a box that says something like “make WEP required.” That ensures that WEP must be enabled on all desktop and laptop computers, too. Again, refer to your user’s manual to figure out how your system handles this.
While I’m on this subject, I want to mention that it’s important to change the default keys for WEP on your system. You’ll need to refer to your manual again. In any case, when you’ve changed the keys, you have to go around to all the desktop and laptop computers and manually enter those same keys into those computers.
And one more thing on WEP: always use the strongest encryption possible. As of this writing it’s 128-bit encryption. You’ll have to make sure that all the wireless network cards in your computers are able to handle that level of encryption as some of the older ones were limited to a using a much smaller key size. If your systems can handle it, it doesn’t cost you anything to use the strongest encryption, so why waste your time with weaker encryption? Even with WEP cracking tools, it would take a hacker quite a bit longer to figure out 128-bit keys. He may just move on to an easier target and leave your system alone.
If you install your access points near windows and walls, you can be sure that the wireless signals “leak” to the outside and can be found by others. The best thing to do is to locate the access points as close to the center of the building as possible. There’s a number of software programs and devices that can help you with this and one of them is called the Ekahau Positioning Device. You can find more information about this at www.ekahau.com. You want to position your access points so people outside the building can’t find the signals, but your staff inside the office do need to be able to find the signals. If you place the access point too securely (like behind steel doors), no one will be able to log on.
Yes! You can buy special antennas that will shield and/or shape the wireless signals. With these antennas on your access points, you can direct the signals, limit them to certain areas, and shield them from walls, windows, and doors. Check with your local electronics store and try talking to some of your local ham radio enthusiasts. Ham radio operators usually know more about radio waves and tuning antennas than you ever thought possible.
This would mean that you would need to hire someone who has a great amount of experience in the field because it’s not something even the best network administrators are used to doing. Special programs would need to be created to affect the way the access points and the clients communicate and the encryption algorithms and keys that they use.
VPNs are much better at authentication and encryption than WEP. If you already have VPNs set up for the rest of your network, it’s not much of a chore to set it up for wireless networks. Just make sure your access points are all behind your firewall and then set up your VPN scheme. You can be guaranteed of better authentication and much better encryption that way.
There are a few companies that are making special software to help hide your network from freeloaders. Bluesocket (www.bluesocket.com), NetMotion Wireless (www.netmotionwireless.com), and Net-Screen Technologies (www.netscreen.com) even make specialized wireless VPNs. If your wireless network deals with a lot of sensitive information, this is something you really should look into.
RADIUS servers were designed to support stronger authentication for remote users so, in this case, they are a good marriage. There is more information about RADIUS and other authentication systems in Chapter 10, so you should check back there for the software and hardware you will need.