Many companies are already deploying wireless technologies, and others are only moments behind. But before your company implements an 802.11b wireless network, you should consider how you'd secure it. In this Daily Feature, I'll show you some obvious and some not-so-obvious ways to keep your wireless network safe.
Permanent DHCP reservations
If you use DHCP with your wireless network, you may have reservations about someone hijacking an IP address and gaining access to your data. Permanent reservation in DHCP solves this problem by requiring the MAC address of the wireless card to make the connection between wireless card and access point. This DHCP reservation requires the MAC address and unique IP address of the wireless card. When you use only permanent reservations for DHCP IP assignment, the wireless card doesn’t have to be configured any differently for your network than it would to be used on another network. The exception to this, of course, would be that you would have to configure the correct channel(s) to use, but this would depend on which card you're using.
How you configure your permanent DHCP reservations will depend on which operating system you're using on your DHCP server. For instance, in a Linux environment, the /etc/dhcpd.conf would be edited to map MAC addresses to IP addresses. On a Windows 2000 DHCP server, you would handle the configuration through the DHCP MMC.
For more information on implementing DHCP, see these TechProGuild articles:
- "Installing a DHCP server under Linux"
- "Understanding new DHCP features in Windows 2000"
- "Configuring DHCP for NetWare 5.1"
For someone to hijack the IP address of your wireless network, he or she would have to override the MAC address of the card or have equipment to listen in on your network to see which MAC addresses or IP addresses are being used. If you need an even tighter lockdown on your wireless network, you can also use permanent reservations in conjunction with RADIUS accounting.
Read the RADIUS RFC
Fore more information on RADIUS accounting, check out RFC2139.
Use a firewall between your wireless and wired networks
Though most networks have some type of firewall between the wired network and the Internet, many don't deploy firewalls between the wired network and the wireless network. Depending on the size of the wireless network, you may not need a firewall as sophisticated as what lies between your wired network and the Internet. The two features you'll want to put in place are port filtering and proxy server authentication.
With port filtering, you block some IP ports and allow others to pass. You should have two types of port filtering: static and stateful. Of the two, static filtering requires a more extensive setup, because you must define port usage going through the firewall in both directions. Stateful filtering is easier to set up, because you only define port usage from one direction, the side where the packet originated.
The trade-off in setting up stateful port filters is that there will be a little more processor overhead on the firewall. This occurs because the firewall has to build a table of the traffic going through the stateful filter. With this table in place, the firewall will know which traffic can pass through and which cannot.
To make things easier, when setting up port filtering, you should have some type of protocol analyzer to see the ports that are being used in the communication that you want to allow to pass. Since the wireless standard 802.11b is a little different than what is used on the wired portion of your network, you will need to use a different protocol analyzer. Two analyzers that work with wireless networks are the AiroPeek NX from WildPackets.com and Sniffer Wireless from Network Associates. I've used the beta version of AiroPeek NX and have found it to be very simple to set up and use. You can also share the packet capture filters you set up in AiroPeek with its wired cousin EtherPeek. The sharing of packets between the two sniffers saves you from having to set up duplicate filters between products.
The second feature you should use with your firewall is a proxy server, the most common of which is HTTP proxy. With HTTP proxy, you can require users going through the proxy to authenticate before being allowed to pass through. Depending on what you are using for your HTTP proxy, the authentication screen will come up as either an HTML screen or Java applet. Using an HTTP proxy means you won't need to configure as many port filter exceptions for your Web traffic to pass through your firewall.
For more information on setting up and managing a proxy server, see these TechProGuild articles:
- "Planning an effective Proxy Server configuration"
- "Backing up Proxy Server"
- "Using SmartFilter and Microsoft Proxy to control Internet use"
- "Configuring Internet Explorer on proxy networks"
Depending on the type of firewall you use between the wired and wireless portions of your network, you may also want to consider a virtual private network (VPN) server. While it may seem like a bit of overkill to use a VPN on a local network, Wired Equivalent Privacy (WEP) as it ships with the wireless cards isn’t totally private. Using a VPN server with it adds an additional layer of security.
For more information on setting up a VPN, check out these articles:
- "How to configure Win2K client VPN connections"
- "Configure Windows XP Professional to be a VPN server"
- "Optimal VPN server security and management"
Taking advantage of antennas
To get better wireless coverage in your building/campus, and to make it a little more difficult for unwanted users stealing your wireless bandwidth, use directional antennas to focus coverage only where you need it. I've seen three types of access points: those with omnidirectional antennas, those that use the antenna in a wireless PCMCIA card, and those that don’t come with any antenna.
The omnidirectional antenna distributes a signal over as uniform an area as possible, as shown in Figure A.
|The omnidirectional antenna sends out a signal in all directions.|
Directional antennas concentrate the signal to a specified location, as shown in Figure B.
|The directional antenna sends out signals in only one direction.|
When looking at antennas, consider which coverage pattern will work best for your company's needs. For example, if your antenna must be placed next to an external wall, your best bet will be the directional antenna.
External antennas vs. PCMCIA wireless cards with antennas
I've noticed something with access points that use the antenna in the PCMCIA wireless card that might cause you to consider using an external antenna (even if it is omnidirectional). During one installation, I found one access point that when using a different brand of wireless NIC had a much weaker signal. However, when I used the same brand of NIC as the access point, the signal was much stronger. Since you may have wireless NICs being used by visitors/vendors, and thus they may have different brands of NICs, you should consider using an external antenna to ensure consistent support.