Page 252 - StudyBook.pdf
P. 252

236    Chapter 4 • Communication Security: Wireless

                      firmware updates and apply them to all wireless devices.You can leave
                      your network exposed if you fail to update even one device with the most
                      recent firmware.

                  ■   In medium- to high-security environments, wireless devices should sup-
                      port EAP-based 802.1x authentication and, possibly,TKIP.Another desir-
                      able feature is the ability to remotely administer a wireless AP over a
                      secure, encrypted channel. Being able to use IPSec for communications
                      between the AP and the RADIUS server is also desirable.
                  ■   Always use WEP.While it is true that WEP can be cracked, doing so
                      requires knowledge and time. Even 40-bit WEP is better than no WEP.

                  ■   Rotate static WEP keys frequently. If this is too much of an administrative
                      burden, consider purchasing devices that support dynamic WEP keys.

                  ■   Change the default administrative password used to manage the AP fre-
                      quently.The default passwords for wireless APs are well known. If possible,
                      use a password generator to create a difficult and sufficiently complex
                      password.

                  ■   Change the default SSID of the AP.The default SSIDs for APs from dif-
                      ferent vendors are well known, such as “tsunami” and “Linksys” for Cisco
                      and Linksys APs, respectively.

                  ■   Do not put any kind of identifying information in the SSID, such as com-
                      pany name, address, products, divisions, and so on. Doing so provides too
                      much information to potential hackers and lets them know whether your
                      network is of sufficient interest to warrant further effort.

                  ■   If possible, disable SSID broadcasts.This will make your network invisible
                      to site survey tools such as NetStumbler. However, this will cause an
                      administrative burden if you are heavily dependent on Windows XP
                      clients being able to automatically discover and associate with the wireless
                      network.
                  ■   If possible, avoid the use of DHCP for your wireless clients, especially if
                      SSID broadcasts are not disabled. By using DHCP, casual wardrivers can
                      potentially acquire IP address configurations automatically.
                  ■   Do not use shared-key authentication.Although it can protect your net-
                      work against specific types of DoS attacks, other kinds of DoS attacks are
                      still possible. Shared-key authentication exposes your WEP keys to com-
                      promise.


          www.syngress.com
   247   248   249   250   251   252   253   254   255   256   257