Ten steps to low-cost wireless LAN security

Let me guess: Despite your best efforts to stop them, users are hooking low-cost 802.11b (Wi-Fi) access points (APs) to the corporate network. And, despite your best efforts, your CFO has zero interest in buying the tools you really need to secure these wireless LANs.

Here, then, are some relatively simple, low-cost ways to boost the security of your wireless LANs. They're not perfect, but they do provide at least a first line of defense. And if a more determined hacker breaks through, taking these precautions will boost your case for stronger Wi-Fi security that actually costs money. I've listed them in approximate order of difficulty and cost.

1. Enable the highest level of WEP (Wireless Encryption Protocol) that ships with the AP. WEP may be flawed, but it does provide some protection, especially if your gear supports the higher-level, 128-bit WEP instead of the original 40-bit WEP, says Gartner Inc. Analyst Phil Redman.

2. Change the default SSID (Service Set ID) that ships with your access points. OK, everybody, quick quiz: What's the default name of a Cisco AP? ("tsunami") A Linksys AP? (101.) If you're a hacker, those words tell you you've found an access point nobody's guarding.

3. Disable the "broadcast" mode in which access points periodically transmit their SSIDs. Since hackers know the default names of many APs (see above), hackers can use freeware utilities, or even Windows XP, to find the names of nearby wireless networks.

4. Disable the "ad hoc" mode in which many wireless LAN cards ship and that allows them to connect with other wireless LAN cards. This allows any hacker in wireless range to access your network through a legitimate wireless user. You want your wireless LAN in "infrastructure" mode, where all wireless clients link to the network directly through an access point.

5. If you're running SNMP (Simple Network Management Protocol) agents on your access points, assign a non-obvious name to the "community" that identifies which management applications can communicate with those agents. That way, wireless hackers can't just sniff around for the default community names that ship with many management tools.

6. Perform a regular audit for rogue APs. Gartner's Redman recommends scans at least once a quarter, if not once a month. This can be as easy as walking around with a wireless notebook equipped with free sniffer software such as NetStumbler (or Windows XP), or as ambitious as using SNMP queries to find new devices that have been added to your network. Caution: Once you find the rogue APs, you'll need the political clout to shut them down or reconfigure them.

7. Turn down the power on your APs to the lowest level needed to reach all legitimate users. Fine-tuning the "footprint" of the APs can, however, take time or even require a site survey. Expect ongoing complaints and the need to fine-tune the power settings as users move from cube to cube or even rearrange their offices.

8. Place APs on separate subnets and put a firewall between that subnet and the main corporate network. (This mimics the architecture of many security tools that puts a gateway or other security server between the APs and the wired network.) This assumes, of course, you know about the APs in the first place, can devote the time to configuring and managing the firewalls and can afford whatever it costs to buy your firewall of choice.

9. Configure your access points so they allow only clients with specific MAC addresses to access the network, or allow access to only a given number of MAC addresses. This assumes, of course, you can find all your access points, but it does make it harder for unauthorized clients to flood through rogue APs.

10. Disable wired network access from conference rooms to discourage "plug and forget" APs. If a lazy user (or an unscrupulous cleaning person) hangs an unprotected AP in a properly placed conference room, a hacker could surf your network from their car all day using a Wi-Fi equipped notebook. If users complain about the lack of wired access in conference rooms, tell them that's what wireless is for.

Some would argue that in addition to all these steps, you should educate users about the security risks of wireless, then create and enforce a wireless security policy. They're probably right, but this column is about what to do when you don't have enough time and money to do the right thing. And if you don't make the most of the security tools you already have, you won't be in any position to ask for more when and if someone hacks your wireless networks.