Financial service providers are bound by a large number of rules protecting customer data. The Gramm-Leach-Bliley Act (GLBA) is broad and abstract, but it requires every type of network, wireless networks included, to have its risks identified and evaluated and its security measures implemented and monitored. Other regulations, such as the well-known Payment Card Industry Data Security Standard (PCI DSS), spell out specific requirements within the WLAN scope, such as detecting abnormal activity and encrypting data transmitted over wireless networks. Although the details of each rule differ, financial service institutions can build a baseline that satisfies the whole set of rules by adopting the following best practices for wireless network security:
1. Understand your enemies
To secure a wireless network reliably, you must understand the threats you face. For example, PCI DSS requires every organization that processes cardholder data to evaluate the threat posed by unauthorized wireless access points (APs), including organizations that have not deployed a WLAN at all. Review the known wireless security threats, identify which of them apply to your business, and evaluate the risk each poses to sensitive data (such as personal financial information and cardholder data).
2. Understand yourself
The effectiveness of many safeguards against wireless threats depends on how accurately you understand your network topology (wired and wireless) and how well you can distinguish authorized devices from unauthorized ones. To develop WLAN security audit and implementation standards, you must maintain an inventory of authorized access points and clients, their users and addresses, and the security measures each is expected to use.
3. Reduce exposure
When WLAN use is authorized and its traffic passes through a sensitive network segment, rules such as PCI DSS require that traffic to be fully secured. You can reduce the risk by segmenting traffic to limit exposure. Specifically, use a firewall to inspect packets and keep them out of any network segment they do not have permission to reach, and enable time-synchronized logging to record both the allowed and the blocked wireless traffic. As a rule, network segments that require wireless access should be treated as demilitarized zones (DMZs): deny everything by default and allow only the necessary services and purpose-specific traffic.
4. Block the Vulnerability
Traditional network security best practices harden all infrastructure exposed to the wireless network (such as access points, controllers, and DNS/DHCP servers): change factory default values, set strong administrator passwords, disable unused services, apply patches, and perform penetration tests on the systems. In this step you also need to address vulnerabilities specific to wireless transmission. For example, choose a non-default network name (SSID) to prevent accidental connections, and use dynamic frequency selection to avoid RF interference. At the same time, take measures to prevent physical tampering with access points in public places (for example, unplugging cables or resetting the device to its default settings).
5. Ensure Transmission Security
All current access points support WPA2 (AES-CCMP) over-the-air encryption, and you should use it wherever possible. If legacy clients support only WPA (TKIP/MIC), use that cipher with caution, preferably on a wireless LAN (SSID) isolated from other users. Avoid WEP entirely, because updated security rules no longer permit this old and broken encryption protocol. In addition, higher-layer encryption (such as SSLv3/TLS or IPSec) can selectively protect sensitive application flows and transactions; at the same time, do not forget to harden the servers and gateways involved.
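As an added example (not part of the original article), the following Python script ties steps 1, 2 and 5 together: it audits a wireless survey against the authorized-AP inventory and flags unknown radios, evil twins that borrow a corporate SSID, configuration drift, forbidden or misplaced ciphers, and factory-default SSIDs. All BSSIDs, SSIDs and survey lines are constructed, hypothetical values.

```python
from __future__ import annotations
import re

# Constructed inventory (hypothetical values): BSSID -> (expected SSID, expected cipher)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("FSI-CORP", "WPA2-CCMP"),
    "00:11:22:33:44:02": ("FSI-CORP", "WPA2-CCMP"),
    "00:11:22:33:44:03": ("FSI-LEGACY", "WPA-TKIP"),  # isolated SSID for legacy clients
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
FORBIDDEN_CIPHERS = {"WEP", "OPEN"}  # never acceptable under current rules
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}  # factory names to flag

# Constructed survey output, one AP per line: "<bssid> <ssid> <cipher>"
SURVEY = """\
00:11:22:33:44:01 FSI-CORP WPA2-CCMP
00:11:22:33:44:02 FSI-CORP WPA-TKIP
00:11:22:33:44:03 FSI-LEGACY WPA-TKIP
AA:BB:CC:DD:EE:01 FSI-CORP WPA2-CCMP
AA:BB:CC:DD:EE:02 linksys WEP
"""
LINE_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+(\S+)$")


def audit(survey: str) -> list[tuple[str, str]]:
    """Return one (bssid, finding) pair for every rule an observed AP violates."""
    findings: list[tuple[str, str]] = []
    for line in survey.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess at them
        bssid, ssid, cipher = m.group(1).upper(), m.group(2), m.group(3)
        expected = AUTHORIZED_APS.get(bssid)
        if expected is None:
            # Unknown radio: an evil twin if it borrows our SSID, otherwise a plain rogue AP
            kind = "evil twin" if ssid in CORPORATE_SSIDS else "rogue AP"
            findings.append((bssid, f"{kind} advertising '{ssid}'"))
        elif (ssid, cipher) != expected:
            findings.append((bssid, f"config drift: expected {expected}, saw {(ssid, cipher)}"))
        if cipher in FORBIDDEN_CIPHERS:
            findings.append((bssid, f"forbidden cipher {cipher}"))
        elif cipher == "WPA-TKIP" and (expected is None or expected[1] != "WPA-TKIP"):
            findings.append((bssid, "WPA-TKIP used outside the isolated legacy SSID"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, f"factory-default SSID '{ssid}'"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(SURVEY):
        print(bssid, finding)
```

Feeding real survey output into `audit()` only requires adapting `LINE_RE` to your scanner's format; the inventory should come from the list maintained under step 2.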