NetStumbler.org Forums

Old 03-25-2003   #1
Thorn
FAQ: WiFi Security

Wireless Networking Basic Security Checklist

Written with the help and co-operation of the Members and Moderators of the NetStumbler forums. Compiled from the original thread at: http://forums.netstumbler.com/showth...&threadid=2920

Due to popular demand, two versions are now available as PDF documents: Small Business Version, Release 3 (140kb), and Home Version, Release 1 (92kb).

These are also mirrored at WardrivingCentral.org, along with text and HTML from both versions.

Wireless Networking Basic Security Checklist
Small Business version
by Frank Thornton
Written with the help and co-operation of the Members and Moderators of the NetStumbler forums and the fine people at WarDriving Central. Additional input was provided by a number of individuals. My thanks to all.

The intended audience for this document is the small business owner who currently has, or intends to install a wireless network in the immediate future.

One of the worst mistakes a new user to wireless networking can make is to just set up the equipment and use it right out of the box. By doing so, they have opened their whole network and Internet access to anyone else with a wireless connection. In an effort to make wireless networking "user friendly," most WLAN manufacturers have rendered most wireless networking equipment COMPLETELY INSECURE out of the box. Making a wireless network more secure is possible. However, it takes some work, and you MUST read the instructions that are often hidden in the back of the manuals.
You should always assume everything going over the air is open to anyone with the right configuration and equipment. Use wireless as the last viable option.

To help secure your business' wireless network you should consider doing all of the following:

1. Change ALL the default settings on your Access Point, wireless cards, and routers. These include the SSID, Administrative passwords and User passwords. The default names and passwords are published by the manufacturers on the Internet and are available to anyone.
* Choose an SSID (Network Name) that will not attract unwanted attention. Do not use your telephone number, family last name, the name of the residence, the address of the residence, etc.
* Choose a unique SSID that will not attract unwanted attention. For example, an SSID of "Rm125" is less apt to attract criminals as opposed to "Accounting Department Wireless".
* Disable Automatic SSID Broadcast. If you have more than one AP set up to allow roaming, you might not want to do this due to technical considerations. However, most users should consider this option.
* Change the default channel. While this is not truly a security issue, it may help with radio interference, as many devices use the same channel.

2. WLAN isolation: Treat all APs as UNTRUSTED and as such, locate the wired network connection of any AP on its own firewall or firewall interface. This firewall should have rules for both the WLAN and internal LAN access.

3. Always use encryption (WEP or WPA) on your wireless network. If possible, use a 128-bit or higher variation. If WPA is available for your equipment, then update all firmware and switch to WPA.
* Whenever possible, use additional encryption such as SSL or VPN.
* Change the encryption key on a periodic basis.
* NEVER use the SSID (Network Name) as the Encryption Key. Use proven security measures such as VPN, SSL, etc.
* If using WEP, run the systems as an Open Key rather than Shared Key. While this may seem counterintuitive due to the names, Open Key systems are actually the more secure of the two types of key systems. In a Shared Key network, the data exchange is easily attackable, revealing the key. Also, do not use common words as a key. Create keys as you would a strong password, mixing alpha and numeric characters.

4. Design the WLAN to limit RF propagation to only those areas needed for coverage. Choosing the correct antenna and RF power levels can also help limit the RF footprint. Limiting the RF footprint to only needed areas will help minimize access to the WLAN by unauthorized persons who are outside the building or grounds.

5. Consider disabling Automatic SSID Broadcast. This may cause performance problems for those with a multiple AP setup for fast roaming. This may also cause problems for businesses running VoIP on 802.11. However, this will help make your WLAN less likely to be discovered to the casual wireless user.

6. Restrict wireless usage to only the minimum TCP and UDP ports needed by the users to meet job requirements. Disable all other ports. For example, you may wish to enable TCP Port 80 (HTTP) and TCP Port 110 (POP), yet disable TCP Port 25 (SMTP) to prevent becoming a wireless mail relay, and TCP Ports 20 and 21 (FTP) to prevent unauthorized file transfers.

7. Use a MAC based ACL. Maintain an updated list of current MAC addresses.

8. If a fixed number of mobile devices are connecting to the AP(s), disable DHCP and use static IP addresses.

9. If a floating number of devices will be on the wireless network segment, limit the size of the DHCP pool to the absolute maximum number of needed addresses, and use proper subnetting to limit the number of clients.
* Limiting the DHCP pool limits the number of leases handed out.
* The subnet mask determines the limit on the number of clients.
* Limiting the subnet will add a little tighter security, although if an attacker understands subnets, it will just slow him down. There is nothing to prevent someone who understands subnetting from manually entering an IP address and subnet mask within the proper range.
* Part of the idea of this Security checklist is to give a little balance on the security side. Many people use DHCP to make it easier on the users. This just helps even that out. i.e. Don't hand out 254 addresses, or even 30, if you only need 3.

10. Authenticate users via a system such as RADIUS or NoCat. Restrict access to the network until the user is authenticated.

11. Perform regular network scans on both the LAN and WLAN for "rogue" APs.

12. Perform regular audits and review LAN and WLAN logs:
* Check the DHCP logs for rogue APs.
* Check the DHCP logs for rogue clients; odd MAC addresses that have associated and de-associated.
* Maintain and regularly audit AP access logs.
* Check AP logs for exception alarm (SNMP) messages.

13. As a standard policy, restrict the use of wireless NICs to authorized personnel only.

14. Integrate the Network User/Security Policies for both wireless and wired networks.


Not all of the above may apply to your situation, depending on the systems and network. For example, the hand-held wireless terminals used by many popular warehouse management systems are incapable of several of these measures, such as using Virtual Private Networking. The hardware used by these systems only has enough processing power to run the built-in firmware.

Glossary:
ACL - Access Control List
AP - Access Point
DHCP- Dynamic Host Configuration Protocol
FTP - File Transfer Protocol
HTTP - HyperText Transfer Protocol
MAC - Media Access Control (the hardware address of a network card)
NIC - Network Interface Card
POP - Post Office Protocol
RF - Radio Frequency
SMTP - Simple Mail Transfer Protocol
SSID - Service Set Identifier
SSL - Secure Sockets Layer
VoIP - Voice over IP
VPN - Virtual Private Network
WEP - Wired Equivalent Privacy
WPA - WiFi Protected Access
WLAN - Wireless Local Area Network


Wireless Networking Basic Security Checklist
Small Business Version, Release 3.0
Last Updated: 12/01/2003

Copyright (c) 2003 Blackthorn Systems and Francis J. Thornton, Jr.

5921 Shelburne Road
Shelburne, Vermont 05482-6504

(802) 985-2415
(802) 985-1139 FAX
www.blackthornsystems.com
email: info@blackthornsystems.com
Wireless Networking Basic Security Checklist
Home User version
by Frank Thornton
Written with the help and co-operation of the Members and Moderators of the NetStumbler forums and the fine people at WarDriving Central. Additional input was provided by a number of individuals. My thanks to all.

The intended audience for this document is the home owner who currently has, or intends to install a wireless network in the immediate future.

One of the worst mistakes a new user to wireless networking can make is to just set up the equipment and use it right out of the box. By doing so, they have very likely opened their whole network and Internet access to anyone else with a wireless connection. In an effort to make wireless networking "user friendly," most WLAN manufacturers have rendered consumer-level wireless equipment COMPLETELY INSECURE out of the box. Making a home wireless network more secure is possible. However, it takes some work, and you MUST read the instructions that are often hidden in the back of the manuals.

You should always assume everything going over the air is open to anyone with the right configuration and equipment. Use wireless as the last viable option.

To help secure your home wireless network you should consider doing all of the following:

1. Change ALL the default settings on your Access Point, wireless cards, and routers. These include the SSID, Administrative passwords and User passwords. The default names and passwords are published by the manufacturers on the Internet and are available to anyone.
* Choose an SSID (Network Name) that will not attract unwanted attention. Do not use your telephone number, family last name, the name of the residence, the address of the residence, etc.
* Choose a unique SSID.
* Disable Automatic SSID Broadcast. If you have more than one AP set up to allow roaming, you might not want to do this due to technical considerations. However, most users should consider this option.
* Change the default channel. While this is not truly a security issue, it may help with radio interference, as many devices use the same channel.

2. Always use encryption (WEP or WPA) on your wireless network. If possible, use a 128-bit or higher variation.
* Whenever possible, use additional encryption such as SSL or VPN.
* Change the encryption key on a periodic basis.
* NEVER use the SSID (Network Name) as the Encryption Key.

3. If the following features are part of your AP or router, make sure you use them:
* Firewall: Restrict wireless usage to only the minimum TCP and UDP ports needed, and disable all other ports. For example, you may wish to enable TCP Port 80 (HTTP) and TCP Port 110 (POP), yet disable TCP Port 25 (SMTP) to prevent becoming a wireless mail relay, and TCP Ports 20 and 21 (FTP) to prevent unauthorized file transfers. Also, block file sharing ports for programs such as Kazaa.
* Access Control List: The ACL limits the Media Access Control (MAC) addresses that may access your AP. Each wireless Network Interface Card has a unique MAC address, so this limits which wireless NICs (and therefore which computers) may access your network.
* If a fixed number of mobile devices are connecting to the AP, disable DHCP and use static IP addresses.
* If a varying number of devices will be on the wireless network segment, limit the size of the DHCP address pool to the absolute maximum number of needed addresses. Many people use DHCP to make it easier on the users. However, there is no need for the network to give out 254 addresses, or even 30, if you only need 3.

4. Most Access Points have built in logging. Periodically, review the access logs and look for any abnormalities.

Glossary:
ACL - Access Control List
AP - Access Point
DHCP- Dynamic Host Configuration Protocol
FTP - File Transfer Protocol
HTTP - HyperText Transfer Protocol
MAC - Media Access Control (the hardware address of a network card)
NIC - Network Interface Card
POP - Post Office Protocol
SMTP - Simple Mail Transfer Protocol
SSID - Service Set Identifier
SSL - Secure Sockets Layer
VPN - Virtual Private Network
WEP - Wired Equivalent Privacy
WPA - WiFi Protected Access
WLAN - Wireless Local Area Network


Wireless Networking Basic Security Checklist
Home User Version, Release 1.0.
Last Updated: 12/01/2003

Copyright (c) 2003 Blackthorn Systems and Francis J. Thornton, Jr.

5921 Shelburne Road
Shelburne, Vermont 05482-6504

(802) 985-2415
(802) 985-1139 FAX
www.blackthornsystems.com
email: info@blackthornsystems.com
__________________
Thorn
"You guys'll be chalk outlines without me."

Last edited by Thorn : 02-28-2005 at 10:51 AM.
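Items 7 (MAC-based ACL), 9 (sizing the DHCP pool and subnet) and 12 (reviewing DHCP and AP logs for rogue clients) of the Small Business checklist above can be carried out together as one periodic audit. The script below is an added example written for this page; it is not code from the checklist, from Blackthorn Systems, or from NetStumbler. The MAC addresses, the 192.168.50.8 subnet, and the log lines are constructed samples, and the log format is a generic "date time source: event ip mac" shape rather than any vendor's, so LINE_RE will need adapting to what your own AP or DHCP server writes.

```python
"""Audit WLAN DHCP/association logs against a MAC ACL and a right-sized DHCP pool."""
import ipaddress
import re

# Constructed sample MAC ACL of authorised wireless NICs (hypothetical addresses).
MAC_ACL = frozenset({
    "00:0c:41:aa:bb:01",
    "00:0c:41:aa:bb:02",
    "00:0c:41:aa:bb:03",
})

# Constructed sample log in a generic "<date> <time> <source>: <event> <ip> <mac>"
# shape. It is not a real vendor format; adapt LINE_RE to your AP or DHCP server.
SAMPLE_LOG = """\
2003-12-01 08:01:12 dhcp: lease 192.168.50.10 00:0c:41:aa:bb:01
2003-12-01 08:02:40 dhcp: lease 192.168.50.11 00:0c:41:aa:bb:02
2003-12-01 08:05:03 dhcp: lease 192.168.50.12 00:0c:41:aa:bb:03
2003-12-01 12:17:55 dhcp: lease 192.168.50.13 00:40:96:12:34:56
2003-12-01 23:41:09 ap: associated 192.168.50.14 00:02:2d:de:ad:01
2003-12-01 23:41:10 ap: deassociated 192.168.50.14 00:02:2d:de:ad:01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>dhcp|ap): (?P<event>\w+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def prefix_for_clients(n_clients, fixed_hosts=1):
    """Longest IPv4 prefix whose usable host count covers the clients plus the
    fixed hosts (the AP/gateway). Network and broadcast addresses are excluded."""
    needed = n_clients + fixed_hosts
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("no IPv4 prefix fits %d hosts" % needed)


def dhcp_pool(network, n_clients):
    """(first, last) of a pool holding exactly n_clients addresses, starting
    after the first usable host, which is kept for the AP/gateway."""
    hosts = list(network.hosts())[1:]
    if len(hosts) < n_clients:
        raise ValueError("%s cannot hold %d clients" % (network, n_clients))
    return hosts[0], hosts[n_clients - 1]


def plan_subnet(base, n_clients):
    """Size a subnet starting at `base` for n_clients plus the AP, and carve the pool."""
    net = ipaddress.ip_network("%s/%d" % (base, prefix_for_clients(n_clients)))
    return net, dhcp_pool(net, n_clients)


def parse_log(text):
    """Yield one dict per line that matches LINE_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            rec["ip"] = ipaddress.ip_address(rec["ip"])
            yield rec


def audit(text, acl, network, pool):
    """Flag MACs not in the ACL and addresses outside the intended subnet or pool.
    Returns a sorted list of distinct (finding, mac, ip) tuples."""
    first, last = pool
    findings = set()
    for rec in parse_log(text):
        mac, ip = rec["mac"], rec["ip"]
        if mac not in acl:
            findings.add(("unknown_mac", mac, str(ip)))
        if ip not in network:
            findings.add(("off_subnet", mac, str(ip)))
        elif not first <= ip <= last:
            # Inside the subnet but outside the pool: either the DHCP server hands
            # out more than it should, or a client set a static address by hand,
            # which subnetting alone does not prevent (checklist item 9).
            kind = "lease_outside_pool" if rec["src"] == "dhcp" else "static_outside_pool"
            findings.add((kind, mac, str(ip)))
    return sorted(findings)


def audit_sample():
    """Run the audit over the constructed sample: 3 laptops plus the AP -> /29."""
    net, pool = plan_subnet("192.168.50.8", 3)   # pool is .10 - .12
    return audit(SAMPLE_LOG, MAC_ACL, net, pool)


if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding)
```

Against the sample, the script reports the .13 lease as an unknown MAC handed an address the DHCP server should not have had in its pool, and the .14 association as an unknown MAC that brought its own static address inside the subnet: the first is a server misconfiguration to correct, the second is exactly the case item 9 warns about, where a small subnet only slows an attacker down and the MAC ACL and log review have to catch him.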
Old 07-23-2003   #2
Thorn
Version 2

The above text is now Version 2, as is the linked PDF file.

Blackwave and HITMONEY sent some PMs over the last few months suggesting a couple of changes. These changes have been incorporated into the original.

Thanks, guys.
Old 12-03-2003   #3
Thorn
Small Business Version Release 3 and Home Version, Release 1

There are now two versions listed above, with their respective linked PDF files.

Blackwave, HITMONEY, and Renderman, as well as some individuals from outside these forums, have made some further suggestions. These changes have been incorporated into the original.

If there was anyone else not named, it's just faulty memory on my part.

Thanks, guys.
Old 12-03-2003   #4
Thorn
audit also reminded me that he's mirroring them at www.michiganwireless.org/tools/docs
Old 12-03-2003   #5
Thorn
Void Main caught a goof in the business version. It's been corrected above and on my FTP site. The mirrors should be fixed shortly.
Old 03-10-2004   #6
Thorn
Just a little interesting observation.

Since I first posted these files, I check my FTP logs every so often. I have yet to do some real analysis on the logs, but just for kicks today I was perusing the top level and secondary domains.

It gives an interesting view of those who come to these forums.

First of all there are the usual .com, .edu and .net domains. Nothing unusual there, except I'm slightly surprised at some of the major corporations that seem a bit late in developing policies. Maybe they're just checking to make sure they didn't miss anything.

What I really found interesting is the second level .gov, .mil and the international addresses. Those are much more eye opening, IMHO.

Anyway, here is a partial list of those that happened to catch my eye:

US Federal Govt (.gov)
.ymp (Office of Civilian Radioactive Waste Management)
.gsa (General Services Admin. The people who write the policies for everyone else in Fed govt.)
.uscourts (US Courts)
.fdic (Federal Deposit Insurance Corp. The people who insure banks.)
.doe (Dept. of Energy)
.fcc (Federal Communications Commission)


US Military (.mil):
.af (US Air Force)
.navy
.army
.pentagon


International:
.ca (Canada)
.de (Germany)
.fr (France)
.uk (United Kingdom, including .gov.uk)
.nl (Netherlands)
.jp (Japan)
.au (Australia, including .gov.au)
.ph (Philippines, including .gov.ph)
.be (Belgium)