Wireless networking has spread like wildfire: it reaches deep into the consumer market and brings large profits to enterprises. As a result, more and more wireless networks are exposed to threats that enterprises do not take seriously enough. Misuse and abuse of wireless networks cause direct economic losses to enterprises, and indirectly erode their competitiveness and market value.
Because of internal and external audit pressure, and to prevent misuse of unauthorized networks, every company, even one that bans wireless networks, must take the risks posed by wireless networks into account. The traditional methods of protecting wired network systems and applications are still necessary, but because there is no physical control over the air as a carrier, they are not sufficient on their own. Employees often, knowingly or unknowingly, come within range of neighboring wireless LANs, advertising hotspots, or malicious honeypots. A rogue or improperly configured access point opens a long-lived, unprotected and invisible backdoor into the corporate network, which is a frightening prospect.
Existing security policies, implementations and methodologies must be updated to address the changing risks. An effective network defense program must be able to control all business-related wireless network activity. This article discusses the challenges of WLAN security in five steps. From protecting wireless clients and data, to security auditing and control of wireless connectivity, we propose an integrated set of methods for securing the enterprise wireless LAN.
Step one: Protect the wireless network client
Almost all laptops and handheld devices ship with wireless networking built in. Whether your company prohibits or allows wireless networks, these wireless clients must be hardened against wireless threats, including viruses, TCP/IP attacks, and unauthorized wireless connections.
Traditional defenses typically focus on the host: file encryption, antivirus software and personal firewalls. These are also necessary for wireless clients, and they effectively block TCP/IP intrusions such as the file-sharing worms that occasionally spread across wireless hotspots.
Nonetheless, these measures do not prevent dangerous wireless connections. New client-side defenses are needed to stop employees from connecting to neighboring wireless networks, eavesdroppers and malicious honeypots. Some connections outside the security policy are deliberate, made to circumvent corporate restrictions with personal e-mail or peer-to-peer downloads. Most are unintentional, caused by careless zero-configuration software. Whatever the cause, an unauthorized wireless connection exposes the company's confidential data and bridges networks together, directly threatening the corporate network.
To regain control of employees' wireless connections, allow only authorized SSIDs (Service Set Identifiers) on all machines, and prohibit every other connection unless the business requires it. It is best to use a centrally managed policy; for example, Windows wireless connections can be configured through Active Directory Group Policy Objects. To prevent employees from adding their own private network connections, control the use of third-party connection managers that do not follow the wireless client configuration.
To disconnect unsecured connections automatically, deploy a host-based wireless intrusion prevention system on each client. A host wireless intrusion prevention system can monitor how company notebooks are used on home and hotspot wireless LANs and take the measures needed to enforce the defined wireless security policy. Controlling which client software is installed, and which wireless connections it may make, is the only way to ensure that employees are protected from malicious attacks and low-level wireless mistakes, whether inside the corporate network or outside it.
Step two: Secure the data during transmission
Wireless networks have less physical protection than wired networks. For data in transit over wireless, new defenses are needed against eavesdropping and network spoofing.
If a virtual private network (VPN) is already used to protect enterprise data on public networks, the same VPN can also protect wireless LAN traffic. This secures data transmitted away from the office and extends the security perimeter.
Others use VPNs to protect wireless networks in the field, especially those that earlier relied on the WEP (Wired Equivalent Privacy) protocol. Fortunately, all certified wireless products now offer two widely accepted, stronger data protection protocols.
WPA: WPA (Wi-Fi Protected Access) uses TKIP (Temporal Key Integrity Protocol) to protect wireless data against eavesdropping, forgery and replay. This protocol fixes some of the weaknesses of the earlier WEP protocol, but is slower than WPA2. WPA is still used in many wireless LAN products.
WPA2: WPA version 2 (WPA2) has been supported by all wireless products since 2004. It uses 802.11i and AES (Advanced Encryption Standard) to protect data in transit more securely. The vast majority of businesses now use WPA2, the more secure data privacy protocol.
Of course, VPNs are also used within wireless LANs today, but the cost of a VPN is relatively high. The vast majority of businesses therefore use WPA2 inside their offices and VPNs for data transfers outside the office.
Step three: Control the use of the enterprise network
To guard against network vulnerabilities, every part of the wireless network, from the AP (access point) to the switch it uplinks to, to the use of the wireless enterprise network itself, must be protected from unauthorized abuse.
Traditional security defenses carry over to wireless network protection: for example, applying patches to harden APs and network switches, closing unused network ports, and using secure management interfaces. In wireless networks, firewalls and virtual LANs (VLANs) are applied based on SSID or user identity.
This is a good start, simple but not sufficient. A rogue AP plugged into the wired network bypasses the firewall and gives a long-lived network connection to internal servers. Without further restrictions, guests and intruders will use your wireless LAN to steal Internet service, send phishing e-mail and spam, and even attack your wireless network itself.
Using a non-default SSID when setting up the AP reduces accidental wireless connections, but you cannot stop there; deploy wireless connection controls that block access from unauthorized clients:
Because MAC addresses can be spoofed, wireless security cannot rely solely on MAC address filtering.
If you provide guest access, use the access portal to track usage and enforce time and bandwidth limits.
In a small wireless LAN, use WPA-PSK or WPA2-PSK to limit connections to authorized clients. This is sufficient for the vast majority of home wireless LAN users.
In an enterprise-class wireless LAN, relying on passwords alone is clearly not enough; use 802.1X for authorization and auditing of users connecting to the corporate network. Combined with server authentication, 802.1X also prevents users from accidentally joining a fake honeypot AP.
Finally, the wireless data protection and access control options must actually be applied. Centralized wireless LAN administration helps reduce AP misconfiguration and speeds up recovery after an attack.
Step four: Audit wireless network activity
No matter how carefully your network, client and over-the-air security is deployed, the chance of something unexpected is high. To meet internal and external security audit standards, you need to monitor all activity on wireless network devices.
Traditional security audit sources, such as firewall logs and wired network intrusion detection systems (IDS), are often stretched thin when faced with wireless traffic. These systems can only monitor traffic inside the wired network. If a wireless client connects illegitimately to a neighboring network or a honeypot, they see nothing. They also struggle with attacks against the wireless LAN itself, such as 802.11/802.1X DoS flood attacks and wireless password cracking. A further drawback is that they cannot record compliance with the defined wireless security policy or assess leaks caused by wireless misuse.
Every company, even one that does not use a sanctioned wireless LAN, should discover and record wireless devices along with their addresses, behavior, policy violations and attacks. These goals can be achieved with a 24x7 wireless IPS (WIPS, Wireless Intrusion Prevention System). A WIPS uses distributed network sensors to scan the wireless channels, analyze traffic to find abnormal network connections, and identify misconfigurations and malicious behavior. It alerts on potential threats and visualizes wireless network behavior in real time, and the data it manages makes it easier to produce management reports.
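As an added example (not part of the original article), the following Python script applies the kinds of rules a WIPS sensor runs, over constructed sample observations, and ties together step one (clients may only join authorized SSIDs), step three (rogue APs and access control) and step four (auditing). It classifies each beaconing AP as authorized, rogue (a honeypot or evil twin advertising the corporate SSID from a BSSID the company does not own) or neighbor; flags an authorized AP whose advertised security does not match policy; flags a company-managed client that has associated to a non-authorized network; and flags a deauthentication flood. The AP inventory, client list, MAC addresses, observation format and the flood threshold are all assumptions made up for this example.

```python
"""Minimal WIPS-style analysis over constructed 802.11 sensor observations.

Everything below (inventory, clients, observations, threshold) is constructed
sample data for illustration, not taken from any real network or product.
"""
from collections import defaultdict

# Sanctioned APs as an administrator would record them: BSSID -> (SSID, required security).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("CorpNet", "WPA2"),
    "00:11:22:aa:bb:02": ("CorpNet", "WPA2"),
    "00:11:22:aa:bb:03": ("CorpGuest", "WPA2"),
}
AUTHORIZED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
# Company-managed client adapters (step one: these may only join authorized networks).
CORPORATE_CLIENTS = {"d4:3b:04:00:00:10", "d4:3b:04:00:00:11"}
# Deauthentication frames per source per one-second window before we call it a flood (assumed value).
DEAUTH_FLOOD_THRESHOLD = 20


def classify_ap(bssid, ssid):
    """Authorized AP, rogue (our SSID from a BSSID we do not own), or neighbor (someone else's network).

    BSSIDs can be spoofed, so inventory matching is one signal among several, not proof.
    """
    if bssid in AUTHORIZED_APS:
        return "authorized"
    if ssid in AUTHORIZED_SSIDS:
        return "rogue"
    return "neighbor"


def analyze(observations):
    """Return (alert_type, subject, detail) tuples for a list of sensor observations.

    Each observation is a dict with a "t" timestamp (seconds) and a "type" of
    "beacon", "assoc" or "deauth", plus the fields shown in SAMPLE_OBSERVATIONS.
    """
    alerts = []
    deauth_counts = defaultdict(int)  # (source MAC, whole second) -> frame count
    for obs in observations:
        kind = obs["type"]
        if kind == "beacon":
            verdict = classify_ap(obs["bssid"], obs["ssid"])
            if verdict == "rogue":
                alerts.append(("rogue_ap", obs["bssid"],
                               f"unauthorized BSSID advertising {obs['ssid']!r}"))
            elif verdict == "authorized":
                required = AUTHORIZED_APS[obs["bssid"]][1]
                if obs["security"] != required:  # e.g. an AP reset to open/WEP
                    alerts.append(("misconfigured_ap", obs["bssid"],
                                   f"security {obs['security']} but policy requires {required}"))
        elif kind == "assoc":
            client = obs["client"]
            # Client MACs can also be spoofed; this is a policy check, not authentication (that is 802.1X's job).
            if client in CORPORATE_CLIENTS and classify_ap(obs["bssid"], obs["ssid"]) != "authorized":
                alerts.append(("client_policy_violation", client,
                               f"joined {obs['ssid']!r} via {obs['bssid']}"))
        elif kind == "deauth":
            deauth_counts[(obs["source"], int(obs["t"]))] += 1
    for (source, second), n in sorted(deauth_counts.items()):
        if n > DEAUTH_FLOOD_THRESHOLD:
            alerts.append(("deauth_flood", source, f"{n} deauth frames in second {second}"))
    return alerts


# Constructed observations, as a distributed monitor might report them.
SAMPLE_OBSERVATIONS = [
    {"t": 0.0, "type": "beacon", "bssid": "00:11:22:aa:bb:01", "ssid": "CorpNet", "security": "WPA2"},
    {"t": 0.1, "type": "beacon", "bssid": "00:11:22:aa:bb:03", "ssid": "CorpGuest", "security": "open"},
    {"t": 0.2, "type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet", "security": "open"},
    {"t": 0.3, "type": "beacon", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "linksys", "security": "WEP"},
    {"t": 0.4, "type": "assoc", "client": "d4:3b:04:00:00:10", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "linksys"},
    {"t": 0.5, "type": "assoc", "client": "d4:3b:04:00:00:11", "bssid": "00:11:22:aa:bb:01", "ssid": "CorpNet"},
    {"t": 0.6, "type": "assoc", "client": "0c:0c:0c:00:00:99", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "linksys"},
] + [  # 30 deauth frames within one second from the evil-twin BSSID: a flood
    {"t": 1.0 + i * 0.02, "type": "deauth", "source": "de:ad:be:ef:00:01", "bssid": "00:11:22:aa:bb:01"}
    for i in range(30)
] + [  # 5 deauth frames from a legitimate AP: normal roaming/idle housekeeping
    {"t": 2.0 + i * 0.1, "type": "deauth", "source": "00:11:22:aa:bb:01", "bssid": "00:11:22:aa:bb:01"}
    for i in range(5)
]

if __name__ == "__main__":
    for alert_type, subject, detail in analyze(SAMPLE_OBSERVATIONS):
        print(f"{alert_type:24} {subject:18} {detail}")
```

Run against the sample data, the script reports exactly four alerts: the open CorpGuest AP (misconfiguration), the unknown BSSID advertising CorpNet (rogue or evil twin), the corporate laptop that joined the neighbor's "linksys" network (client policy violation), and the 30-frame deauthentication burst (DoS). The neighbor's WEP network and the non-corporate client joining it produce no alert, because they are outside the company's policy scope; a real WIPS would still keep them in its inventory for the audit record.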
Step five: Enforce wireless network security policy
Passive monitoring is of course not enough. If we wait for a human response to WIPS alerts, the damage may already be done and the attacker long gone. Proactive prevention is necessary to keep the enterprise network secure.
The deployed WIPS should be able to execute its defined rules quickly: disconnect unauthorized rogue APs, block misbehaving clients, stop policy-violating traffic and contain DoS attacks. To achieve these goals, choose and configure the WIPS carefully. For example:
Configure sensor placement to avoid blind spots and ensure full coverage.
The configured WIPS should automatically and accurately classify newly discovered devices, ensure their behavior complies with policy, and avoid intruding into neighboring wireless LANs.
Check the speed and accuracy of the WIPS response to rogue APs, misbehaving clients and other wireless threats.
Watch for system-generated false alerts and inaccurate location estimates; they waste a great deal of time and resources.
Choose WIPS tools that can respond to multiple security threats in real time while using restrictive data privacy authorizations.
Finally, verify that the WIPS strictly enforces the security policy. A WIPS helps you control the airspace of your wireless network; how well it does so depends on how you use it.
Summary
Although circumstances vary among companies, the five steps outlined above are common to all businesses responding to wireless security. But remember that security grounded in the actual business is the most effective; following the book blindly is not the best choice, and that is not the intent of this article.
Whether your company bans wireless networks or already uses them on a large scale, you need to pay attention to wireless security. Define how wireless networks may be used: when, where, under what circumstances, by whom, and whether in the office or outside it. Inventory every device that may use the wireless network and the risk of abuse each one faces.
Next, consider the likelihood of each security risk and assess the possible loss to the enterprise. Remember that not all risks can be eliminated, and it is impossible to know how much to invest in risk management until a complete set of risk-response options is established. Wireless vulnerability assessment and business risk assessment help you spend your resources where they matter most.
Once the enterprise has established a security strategy for the largest wireless risks it faces, use the five steps above to implement the security policy and manage business risk. Wireless security is not simple, but it can be achieved through effective policy enforcement and good technical tools. In a networked society where wireless security is at serious risk, the methods suggested in this article will help you secure the enterprise network as a whole.