An enterprise that runs a wireless network is also responsible for securing it. What should be done, and which measures protect the enterprise's wireless network? This article gives a detailed, worked introduction, in the hope that readers who are still unsure will come away with a clear understanding.
Financial service providers are subject to a large number of customer data security rules. The Gramm-Leach-Bliley Act (GLBA), for instance, is broad and abstract: it requires that all types of networks, wireless networks included, be subject to risk identification and assessment, security measures and monitoring. Other rules, such as the well-known Payment Card Industry Data Security Standard (PCI DSS), explicitly include requirements that must be implemented for WLANs, such as detecting abnormal activity and strongly encrypting data transmitted over the air. Although the specifics of each rule differ, financial services institutions can establish a rule-based foundation for industry compliance by adopting the following wireless network security best practices:
1. Know Your Enemy
To reliably secure your wireless network, you must understand the threats you face. For example, PCI DSS requires every organization that processes cardholder data to assess the threat posed by unauthorized wireless access points (APs), including organizations that do not operate a WLAN at all. Start by reviewing wireless network security threats, identifying those that apply to your business, and assessing the risk to sensitive data (such as personal financial information and cardholder data).
2. Know who you are
Many of the safeguards that reduce wireless security threats are only as effective as your understanding of the network topology, wired and wireless alike, and your ability to identify authorized devices. To set the baseline for WLAN security audits and enforcement, maintain an inventory of recognized access points and clients, their users and addresses, and the security measures each is expected to implement.
3. Reduce exposure
When WLAN use is authorized and its traffic crosses a sensitive network segment, rules such as PCI DSS apply in full to that traffic. You can reduce the risk by segmenting the traffic to reduce exposure. In particular, use a firewall to inspect packets and stop them from entering segments they are not permitted to access, and keep time-synchronized logs that record both the allowed and the blocked wireless traffic. As a rule, treat the segments that require wireless access as a quarantine zone (DMZ): deny everything by default, and allow only the necessary services and special-purpose traffic to pass.
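The default-deny segment policy described above, as an added example that is not part of the original article: a small first-match rule evaluator for the wireless DMZ, where anything not explicitly allowed is denied and every decision is written to a UTC-timestamped log line so that records from several enforcement points can be correlated once their clocks are synchronized. The segment names, rules and flow records are constructed for illustration.

```python
"""Default-deny policy check for a wireless DMZ segment.

Added example, not part of the original article. Segment names, rules and
flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name
    dst: str          # destination segment name
    proto: str        # "tcp" or "udp"
    dport: int
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    src_ip: str


# Constructed allow-list for the wireless DMZ: only what the business needs.
RULES: List[Rule] = [
    Rule("wifi_dmz", "dmz_services", "udp", 53, "allow"),    # DNS resolver in the DMZ
    Rule("wifi_dmz", "dmz_services", "tcp", 443, "allow"),   # TLS front end for the POS app
    Rule("wifi_dmz", "cardholder", "tcp", 443, "deny"),      # explicit deny, kept for the audit trail
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (flow.src, flow.dst, flow.proto, flow.dport):
            return rule.action, rule
    return "deny", None


def log_line(flow: Flow, decision: str, rule: Optional[Rule], now: Optional[datetime] = None) -> str:
    """One log record per decision, UTC timestamp so events from several
    enforcement points line up after NTP synchronization."""
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    reason = "rule" if rule else "default-deny"
    return f"{ts} {decision.upper()} {flow.proto}/{flow.dport} {flow.src_ip} {flow.src}->{flow.dst} ({reason})"


def audit(flows: List[Flow], rules: List[Rule] = RULES, now: Optional[datetime] = None):
    """Evaluate every flow; return (decisions, log lines) in input order."""
    decisions, lines = [], []
    for f in flows:
        d, r = evaluate(f, rules)
        decisions.append(d)
        lines.append(log_line(f, d, r, now))
    return decisions, lines


# Constructed sample traffic seen at the DMZ boundary.
SAMPLE_FLOWS = [
    Flow("wifi_dmz", "dmz_services", "tcp", 443, "10.50.1.23"),
    Flow("wifi_dmz", "cardholder", "tcp", 443, "10.50.1.23"),
    Flow("wifi_dmz", "cardholder", "tcp", 1433, "10.50.1.77"),  # no rule at all -> default deny
    Flow("wifi_dmz", "dmz_services", "udp", 53, "10.50.1.9"),
]

if __name__ == "__main__":
    fixed = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp for reproducible output
    for line in audit(SAMPLE_FLOWS, now=fixed)[1]:
        print(line)
```

The explicit deny rule for the cardholder segment is redundant with the default, but keeping it means the auditor can see that the cardholder boundary was considered deliberately rather than merely falling through.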
4. Plug the loopholes
Traditional wireless network security best practices harden all infrastructure exposed to the wireless network, such as access points, controllers and DNS/DHCP servers: change factory defaults, set strong administrator passwords, turn off unused services, apply patches, and penetration test the systems. This step also needs to address wireless-specific vulnerabilities, such as choosing a non-default network name (SSID) to prevent accidental connections, and avoiding RF interference through dynamic frequency selection. At the same time, take steps to prevent public access points from being physically tampered with (for example, cables removed or the device reset to factory defaults).
5. Ensure transmission security
Current access points support WPA2 (AES-CCMP) over-the-air encryption, and you should use it wherever possible. If legacy clients require WPA (TKIP/MIC), use that cipher with caution, preferably on a separate wireless network (SSID) isolated from other users. Avoid WEP: updated security rules no longer permit this outdated, broken encryption protocol. In addition, higher-layer encryption (for example SSLv3/TLS or IPsec) can selectively protect sensitive application flows and transactions; do not forget to also secure the servers and gateways involved.
6. Restrict access
A wireless network opens a window through which outsiders can get in, so you must control who passes through it. Select and implement strong WLAN authentication, preferably the WPA2 Enterprise standard (802.1X) with mutual authentication. If your organization lacks the skills, infrastructure or client support for 802.1X, you can use the WPA2 Personal standard (PSK) instead, but use a random passphrase of at least 13 characters and change it regularly. Never rely on MAC address filtering as your only access control. If your WLAN provides guest access to the Internet, limit what guests can reach, and log activity on that part of the network, to reduce the risk to your company's business.
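The WPA2 Personal fallback above, as an added example that is not part of the original article: a helper that generates a PSK from the operating system's CSPRNG, checks a candidate passphrase against the 13-character minimum the article states plus a few additional sanity tests, and reports when rotation is overdue. The 90-day rotation interval, the character-class rule and the list of weak factory-style passphrases are constructed assumptions, not requirements from the article.

```python
"""WPA2-Personal passphrase policy helper.

Added example, not from the original article. The 13-character minimum comes
from the article; the 90-day rotation limit, the character-class rule and the
weak-passphrase list are constructed assumptions.
"""
import secrets
import string
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 13                      # from the article
MAX_AGE = timedelta(days=90)         # assumed rotation interval
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed examples of the kind of passphrase that ships as a factory default.
KNOWN_WEAK = {"password", "admin1234", "wireless123"}


def check_psk(psk: str) -> List[str]:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if psk.lower() in KNOWN_WEAK:
        problems.append("matches a known factory/default passphrase")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if sum(any(c in cls for c in psk) for cls in classes) < 3:
        problems.append("uses fewer than three character classes")
    if len(set(psk)) < len(psk) // 2:
        problems.append("too repetitive")   # "aaaaaaaaaaaaa" would pass the length test alone
    return problems


def generate_psk(length: int = 20) -> str:
    """Random passphrase from secrets (CSPRNG), regenerated until it passes check_psk.

    WPA2 passphrases are 8 to 63 printable ASCII characters; 20 comfortably
    exceeds the article's 13-character floor while staying easy to provision.
    """
    if not MIN_LENGTH <= length <= 63:
        raise ValueError(f"length must be between {MIN_LENGTH} and 63")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_psk(psk):
            return psk


def rotation_due(last_changed: str, today: str, max_age: timedelta = MAX_AGE) -> bool:
    """True when the PSK (ISO dates, e.g. "2024-01-01") is older than the interval."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > max_age


if __name__ == "__main__":
    candidate = generate_psk()
    print("generated:", candidate, check_psk(candidate))
    print("weak:", check_psk("password"))
    print("rotation due:", rotation_due("2024-01-01", "2024-05-01"))
```

The generate-and-recheck loop keeps the generator and the validator from drifting apart: whatever the checker rejects can never be handed out, and a PSK that was set by hand goes through exactly the same test.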
7. Wireless Monitoring
Many rules strongly recommend 24x7 distributed wireless intrusion detection or prevention systems (WIDS/WIPS) for protecting wireless networks, and also periodic scans of sites that handle regulated data. The former is more efficient and its effect more visible, and it is especially suited to large-scale WLANs. Whichever way you choose, be aware that what you are monitoring is not only rogue access points but also unauthorized clients, misconfigured devices, ambiguous security policies, security probes, attack traffic, and anomalous clients connecting to or from external WLANs.
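The monitoring described above builds directly on the inventory of section 2 and the cipher policy of section 5. As an added example that is not part of the original article, the following audits a set of scan records against the authorized AP list: an unknown radio advertising a corporate SSID, an authorized AP that has fallen back to WEP or open, TKIP appearing outside the isolated legacy SSID, and cipher drift from the inventory each become a finding. The inventory, the scan records, the security labels and the severity levels are constructed; a real deployment would take them from the WIDS/WIPS or controller export.

```python
"""Audit a wireless scan against the AP inventory.

Added example, not part of the original article. The inventory, the scan
records, the security labels and the severities are constructed for
illustration; a real deployment would read them from the WIDS/WIPS export.
"""
from dataclasses import dataclass
from typing import Dict, List

# Inventory of authorized APs (section 2): BSSID -> expected SSID and cipher.
INVENTORY: Dict[str, dict] = {
    "00:11:22:aa:bb:01": {"ssid": "CORP-POS", "cipher": "CCMP"},
    "00:11:22:aa:bb:02": {"ssid": "CORP-POS", "cipher": "CCMP"},
    "00:11:22:aa:bb:10": {"ssid": "LEGACY-ISO", "cipher": "TKIP"},  # isolated legacy SSID
}
LEGACY_SSIDS = {"LEGACY-ISO"}                       # only place TKIP is tolerated (section 5)
CORP_SSIDS = {v["ssid"] for v in INVENTORY.values()}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    security: str   # constructed labels: "OPEN", "WEP", "WPA-TKIP", "WPA2-CCMP"
    channel: int


def cipher_of(security: str) -> str:
    """'WPA2-CCMP' -> 'CCMP'; 'WEP' and 'OPEN' map to themselves."""
    return security.split("-")[-1]


def finding(r: ScanRecord, severity: str, reason: str) -> dict:
    return {"bssid": r.bssid, "ssid": r.ssid, "channel": r.channel,
            "severity": severity, "reason": reason}


def audit_scan(records: List[ScanRecord], inventory: Dict[str, dict] = INVENTORY) -> List[dict]:
    """Return one finding per problem, most severe first (stable within a level)."""
    findings = []
    for r in records:
        known = inventory.get(r.bssid.lower())
        if known is None:
            if r.ssid in CORP_SSIDS:
                # An unknown radio using our SSID is the case to run down first.
                findings.append(finding(r, "critical", "unknown BSSID advertising corporate SSID"))
            else:
                findings.append(finding(r, "info", "unknown AP; confirm it is not on our wired network"))
            continue
        if r.ssid != known["ssid"]:
            findings.append(finding(r, "high", f"authorized AP broadcasting unexpected SSID (expected {known['ssid']})"))
        cipher = cipher_of(r.security)
        if r.security in ("OPEN", "WEP"):
            findings.append(finding(r, "critical", f"{r.security} on authorized AP"))
        elif cipher == "TKIP" and r.ssid not in LEGACY_SSIDS:
            findings.append(finding(r, "high", "TKIP outside the isolated legacy SSID"))
        elif cipher != known["cipher"]:
            findings.append(finding(r, "medium", f"cipher {cipher} differs from inventory ({known['cipher']})"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed scan: one healthy AP, one reset to WEP, the tolerated legacy AP,
# an unknown radio using our SSID, and an unrelated neighbour.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:aa:bb:01", "CORP-POS", "WPA2-CCMP", 36),
    ScanRecord("00:11:22:aa:bb:02", "CORP-POS", "WEP", 1),
    ScanRecord("00:11:22:aa:bb:10", "LEGACY-ISO", "WPA-TKIP", 6),
    ScanRecord("de:ad:be:ef:00:01", "CORP-POS", "WPA2-CCMP", 11),
    ScanRecord("de:ad:be:ef:00:02", "CoffeeShop", "OPEN", 6),
]

if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f['severity']:8} {f['bssid']} ch{f['channel']:<3} {f['ssid']:12} {f['reason']}")
```

The neighbour on channel 6 is reported only at "info" level because the scan alone cannot tell whether it is plugged into your wired network; that is the question the incident response step in section 8 has to answer by locating it.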
8. Prepare for incidents
Monitoring is only a means; you also need a WLAN incident response program. For example, how do you temporarily block a rogue AP? How do you locate it and physically remove it? You need to review all scan results, WIDS/WIPS alerts and traffic logs promptly to assess potential threats. In fact, automated tools such as WIDS/WIPS that trace and isolate network connections can stop intrusions in real time. Make sure the monitoring tools collect enough data for incident response and forensic investigation to be precise.
9. Protect terminals
A stolen point-of-sale terminal or a compromised laptop can easily carry valid credentials and an encrypted connection, and use them to enter an otherwise tightly protected wireless network. Apply remote access security best practices here: isolate wireless terminals from one another, and prevent lost or stolen mobile devices from gaining unauthorized access to the wireless network. If your organization implements Network Access Control (NAC), you can check the integrity of wirelessly connected devices, and use host intrusion detection or prevention to block anomalous terminal behavior (for example, connecting to wired and wireless networks at the same time).
10. Assessment and improvement
Never assume that security measures work as expected; your security auditors will not. Test the network and its wirelessly connected devices: intentionally trigger WIDS/WIPS alerts, and capture and analyze the wireless traffic. Try to connect unauthorized devices and users from different locations, record what happens, and then improve security by fixing the weaknesses you find. Perform regular or ad hoc security assessments to find and fix newly discovered vulnerabilities, for example by applying security patches to access points, controllers or clients to block new attacks.
In summary, if financial firms take the time to assess wireless security threats, manage access, secure transmissions, encrypt wireless data, and take the other important measures above, their security can exceed even their auditors' expectations.