Have you recently connected a “wireless Access point” to your corporate Local Area Network, or are you planning to do so in the future?
If your answer is “Yes,” you have good reason to be worried: even though you have deployed a Firewall with anti-virus scanning systems, those controls have all been bypassed.
Why has this happened?
Since the moment you connected the access point directly to your LAN (Local Area Network), your network has been exposed to unauthorized access from any device with wireless support. Once an attacker obtains an IP address using his laptop or PDA, he can launch attacks against computers on your network and against other resources using corporate systems. Computers on your LAN can even be turned into robots that receive commands from the attacker and launch attacks on his schedule.
Simply put, wireless attacks can be launched by anyone from anywhere. The person next to you, in the office down the hall, in an elevator or in the parking garage could be hacking your wireless network at this very moment. If you do not take the necessary precautions to protect your systems, you might just as well give them the alarm code to your office and your private files.
Outcomes might include:
- Slow network response when accessing files on servers and slow performance when reading or sending emails.
- A non-operational network, where users cannot access ANY resource on corporate servers.
- Interception of usernames, passwords and other data transmitted between wireless workstations and the servers on the network.
- Public relations damage to the company.
What can you do to prevent a “Security Breakdown” within your infrastructure?
Here are some of the basic things that can be done to prevent security invasions:
- Connect the Access Point to a hub, then connect the hub to the Firewall on a separate NIC (Network Interface Card) rather than to the LAN itself.
- Disable the DHCP (Dynamic Host Configuration Protocol) function on the Access Point. Any access point can assign an IP address to devices connecting through the “air”; this is normal operation and is needed for communication. With DHCP disabled, IP addresses must be assigned manually.
- Enable MAC (Media Access Control) address filtering on the Access Point. Any device that communicates on the network needs a physical address. The MAC address is unique and assigned by the manufacturer, and we can define which MAC addresses are allowed to connect to the access point.
- Enable encryption WEP (Wireless Encryption Protocol) or WPA (Wi-Fi Protected Access) on the Access Point. To avoid data interception it is recommended to activate at least the WEP.
- Stop broadcasting the Access Point BSSID (Basic Service ID). By default any access point broadcasts its name on the “air,” announcing “I am here, my name is …”; once broadcasting is off, each device must be associated manually.
- Give the Access Point a non-descriptive name. Any access point comes with a default name such as “linksys,” which is easily recognized. Keeping a name like this lets a hacker know what kind of access point you have, and a quick search will reveal its defaults.
- Change the access point’s default password. Every access point comes with a default password and hackers know these passwords.
- Authenticate users accessing the wireless Access Point using RADIUS (Remote Authentication Dial-in User Service). To enhance security it is necessary to verify their identity against a RADIUS server before letting them in.
- Deploy an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System). An IDS can in some cases alert you if someone is trying to tamper with your access point, and an IPS can detect pre-defined attacks and prevent them from happening.
- Enable event logging on the Access Point. Any access point has the ability to log events such as connections to the access point.
- Monitor activities on the Access Point. Check the logs and try to correlate events from the access point with those from the IDS or IPS.
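As an added example (not part of the original article), the MAC filtering, event logging and log review items above can be combined into one small check: the script below parses constructed, hostapd-style association log lines (the log format, hostnames and MAC addresses are assumed) and reports stations that associated without being on the allow list, plus stations with repeated authentication failures.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog-like format (not from any real AP).
SAMPLE_LOG = """\
Mar 01 09:12:01 ap01 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
Mar 01 09:12:02 ap01 hostapd: wlan0: STA 00:11:22:33:44:55 WPA: pairwise key handshake completed
Mar 01 09:15:10 ap01 hostapd: wlan0: STA DE:AD:BE:EF:00:01 IEEE 802.11: associated
Mar 01 09:15:11 ap01 hostapd: wlan0: STA DE:AD:BE:EF:00:01 WPA: authentication failed
Mar 01 09:15:12 ap01 hostapd: wlan0: STA DE:AD:BE:EF:00:01 WPA: authentication failed
Mar 01 09:15:13 ap01 hostapd: wlan0: STA DE:AD:BE:EF:00:01 WPA: authentication failed
Mar 01 09:20:00 ap01 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated
"""

# Constructed allow list: the MAC addresses the access point is configured to accept.
ALLOWED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}
FAIL_THRESHOLD = 3  # auth failures from one station that we treat as suspicious

# "STA <mac> <subsystem>: <event>" -- the lazy ".*?: " skips to the last colon-space.
LINE_RE = re.compile(
    r"STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) .*?: (?P<event>.*)$"
)


def review_ap_log(log_text, allowed_macs, fail_threshold=FAIL_THRESHOLD):
    """Return unknown associating MACs and MACs with repeated auth failures."""
    allowed = {m.lower() for m in allowed_macs}
    unknown = set()
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a station event; ignore
        mac = m.group("mac").lower()  # normalize case before comparing
        event = m.group("event").strip().lower()
        if event == "associated" and mac not in allowed:
            unknown.add(mac)
        elif event == "authentication failed":
            failures[mac] += 1
    repeated = sorted(mac for mac, n in failures.items() if n >= fail_threshold)
    return {"unknown_associations": sorted(unknown),
            "repeated_auth_failures": repeated}


if __name__ == "__main__":
    for finding, macs in review_ap_log(SAMPLE_LOG, ALLOWED_MACS).items():
        print(f"{finding}: {', '.join(macs) or 'none'}")
```

A station that both associates while absent from the allow list and then fails authentication repeatedly, as in the sample, is the kind of event worth correlating with IDS or IPS alerts from the same time window.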
Yigal Behar works as a computer security consultant at 2Secure Corp. Questions and ideas? Please contact us or call 646-666-9601