Extra Security for Wireless Networks
On small networks, the measures we outline in this chapter should be sufficient to protect you from the most common forms of outside attacks aimed at your wireless network. Of course, that assumes that you've protected the rest of your network using the precautions we outline elsewhere in this book: implementing a sensible security policy, using strong passwords, limiting the use of administrator accounts, and carefully setting access to shared resources.
In businesses where the value of information stored on the network is high, you may need to implement additional precautions to safeguard a wireless network. Most of these steps involve investments in software and hardware that significantly increase the cost and complexity of your network. If your business routinely handles data that is extremely sensitive and is subject to legal restrictions on its storage (such as patient records in a medical office, or client correspondence in a law office), you should thoroughly investigate the security of wireless network equipment before purchasing and implementing it. The investment required to safeguard the data may be prohibitive.
A detailed discussion of these options is outside the scope of this book; we list the following options to give you an idea of what you should consider when setting up a wireless network in a sensitive environment:
Avoid connecting the wireless LAN to the wired LAN. The wireless access point should connect to a router on a separate network or a firewalled interface.
Use virtual private networks for all wireless connections. In this configuration, the access point connects to the rest of the network through the server acting as the VPN gateway. Outside intruders may be able to reach the access point, but they won't be able to transmit or receive data without authenticating against the VPN server. (The following section describes how to set up a VPN server on a computer running Windows XP or Windows 2000 Professional.)
Use a scanning tool to test your wireless LAN for vulnerability. The same tools that hackers use to break into wireless networks are freely available for download on the Internet. If you administer a wireless network, download a copy of AirSnort from http://airsnort.shmoo.com. You'll find Network Stumbler at http://www.netstumbler.com. Both programs are well documented and easy to use—if you can figure them out, so can a world full of unsavory characters.
Check audit logs regularly. Set up the Security log to monitor connections to your network and review it regularly. Be on the lookout for account logon events (connections made over the network) that don't match the normal behavior of users on your network. You'll find details on how to set up this sort of monitoring in Auditing Security Events.
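As an added illustration of the log review described above (not code from the book), the following Python sketch flags network logons that do not match a baseline of normal user behavior. The CSV column layout, the baseline, the working hours, and the failure threshold are all assumptions; event IDs 540 (successful network logon) and 529 (failed logon) are the Windows XP/2000 Security log IDs.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample: Security log rows exported to CSV (column names are assumed).
# Event 540 = successful network logon, 529 = failed logon (Windows XP/2000 IDs).
SAMPLE_LOG = """\
time,event_id,logon_type,user,workstation
2004-03-01 09:12:44,540,3,alice,ALICE-PC
2004-03-01 10:03:10,540,3,bob,BOB-LAPTOP
2004-03-02 02:47:31,540,3,alice,ALICE-PC
2004-03-02 14:20:05,540,3,bob,UNKNOWN-NB
2004-03-03 23:01:12,529,3,administrator,UNKNOWN-NB
2004-03-03 23:01:15,529,3,administrator,UNKNOWN-NB
2004-03-03 23:01:19,529,3,administrator,UNKNOWN-NB
"""

# Assumed baseline of normal behavior: each user's usual machines and office hours.
BASELINE = {"alice": {"ALICE-PC"}, "bob": {"BOB-LAPTOP"}}
WORK_HOURS = range(7, 20)      # 07:00-19:59 local time
FAILURE_THRESHOLD = 3          # failed logons per source before flagging


def review(log_text):
    """Return a list of (time, user, workstation, reason) findings."""
    findings, failures = [], Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["logon_type"] != "3":          # only logons made over the network
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        user, host = row["user"].lower(), row["workstation"].upper()
        if row["event_id"] == "540":
            if host not in BASELINE.get(user, set()):
                findings.append((row["time"], user, host, "unfamiliar workstation"))
            elif when.hour not in WORK_HOURS:
                findings.append((row["time"], user, host, "outside normal hours"))
        elif row["event_id"] == "529":
            failures[(user, host)] += 1
            if failures[(user, host)] == FAILURE_THRESHOLD:
                findings.append((row["time"], user, host, "repeated failed logons"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(" | ".join(finding))
```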