Wireless network security should not be treated as one generic problem: the security policy must change with the network structure and environment. For example, encryption for a home wireless network is relatively simple, while for an enterprise network it is complicated. Here we introduce wireless network security in the data exchange service industry.
Financial service providers are bound by a large number of rules protecting customer data. The Gramm-Leach-Bliley Act (GLBA) is broad and abstract, but it requires that risks be identified and evaluated for all types of networks, including wireless networks, and that security measures be implemented and monitored. Other regulations, such as the well-known Payment Card Industry Data Security Standard (PCI DSS), explicitly include requirements that must be met within the WLAN, such as detecting abnormal activity and encrypting data transmitted over wireless networks. Although the specifics of each rule differ, financial service institutions can build a rule base that the whole industry can follow by adopting the following best practices for wireless network security:
1. Understand your enemies
To secure a wireless network reliably, you must understand the threats you face. For example, PCI DSS requires every organization that processes cardholder data to evaluate the threat posed by unauthorized wireless access points (APs), including organizations that have no WLAN of their own. Review the wireless security threats to identify those that apply to your business and evaluate the risk to sensitive data such as personal financial information and cardholder data.
2. Understand yourself
The effectiveness of many safeguards against wireless threats depends on an accurate understanding of the network topology (both wired and wireless) and on the ability to identify authorized devices. To develop WLAN security audit and implementation standards, you must maintain a list of recognized access points and clients, their users and addresses, and the security measures expected of them.
3. Reduce exposure
When WLAN use is authorized and its traffic passes through a sensitive network segment, rules such as PCI DSS require that users be fully protected. You can reduce exposure by segmenting traffic. Specifically, use a firewall to inspect packets so that traffic cannot enter a network segment it has no permission to access, and enable time-synchronized logging to record both allowed and blocked wireless traffic. As a rule, network segments that require wireless access must be treated as demilitarized zones (DMZ): deny everything by default and allow only necessary services and specific-purpose traffic.
4. Block vulnerabilities using traditional network security best practices
Harden all infrastructure exposed to the wireless network, such as access points, controllers, and DNS/DHCP servers. For example, change factory defaults, set strong administrator passwords, disable unused services, apply patches, and penetration-test the systems. In this step you also need to address vulnerabilities specific to wireless transmission. For example, choose a non-default SSID to prevent accidental association, and use dynamic frequency selection to avoid RF interference. At the same time, take measures against physical tampering with access points in public areas (such as unplugging cables or resetting them to factory defaults).
5. Ensure Transmission Security
Current access points all support WPA2 (AES-CCMP) over-the-air encryption, and you should use it wherever possible. If legacy clients require WPA (TKIP/MIC), use that cipher with caution, preferably on a WLAN SSID isolated from other users. Avoid WEP, because updated security rules no longer permit this outdated and broken protocol. In addition, higher-layer encryption (such as SSLv3/TLS or IPsec) can selectively protect sensitive application flows and transactions; at the same time, do not forget to harden the servers and gateways involved.
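The inventory from step 2, the rogue-AP check from step 1, and the cipher and SSID rules from steps 4 and 5 can be turned into a small audit. The following is an added example, not code from the original article: the access-point inventory and scan result are constructed sample data, and the field names and the default-SSID list are assumptions.

```python
"""Audit a WLAN inventory against the wireless policy described above.

Added example; inventory and scan below are constructed, field names assumed.
"""
from dataclasses import dataclass

# Cipher classes from step 5: required, tolerated only when isolated, banned.
ALLOWED = {"WPA2-AES-CCMP"}
LEGACY = {"WPA-TKIP"}            # allowed only on an isolated SSID
BANNED = {"WEP", "OPEN"}
DEFAULT_SSIDS = {"linksys", "default", "dlink", "netgear"}   # assumed list


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    cipher: str
    isolated_segment: bool = False


def check_ap(ap: AccessPoint) -> list[str]:
    """Return policy findings for one authorized access point (steps 4 and 5)."""
    findings = []
    if ap.cipher in BANNED:
        findings.append(f"{ap.bssid}: banned cipher {ap.cipher}")
    elif ap.cipher in LEGACY and not ap.isolated_segment:
        findings.append(f"{ap.bssid}: legacy {ap.cipher} outside isolated SSID")
    elif ap.cipher not in ALLOWED | LEGACY:
        findings.append(f"{ap.bssid}: unknown cipher {ap.cipher}")
    if ap.ssid.lower() in DEFAULT_SSIDS:
        findings.append(f"{ap.bssid}: default SSID {ap.ssid!r}")
    return findings


def find_rogues(authorized, observed):
    """Step 1: any observed BSSID missing from the inventory is a rogue candidate."""
    known = {ap.bssid for ap in authorized}
    return [ap for ap in observed if ap.bssid not in known]


# Constructed inventory (step 2) and a constructed scan that also sees an
# unknown open AP advertising the corporate SSID.
AUTHORIZED = [
    AccessPoint("00:11:22:33:44:01", "fin-corp", "WPA2-AES-CCMP"),
    AccessPoint("00:11:22:33:44:02", "fin-legacy", "WPA-TKIP", isolated_segment=True),
    AccessPoint("00:11:22:33:44:03", "netgear", "WEP"),
]
OBSERVED = AUTHORIZED + [AccessPoint("de:ad:be:ef:00:01", "fin-corp", "OPEN")]

if __name__ == "__main__":
    for ap in AUTHORIZED:
        for finding in check_ap(ap):
            print("POLICY:", finding)
    for ap in find_rogues(AUTHORIZED, OBSERVED):
        print("ROGUE:", ap.bssid, ap.ssid, ap.cipher)
```

In practice the observed list would come from a wireless IDS or a periodic scan, and the rogue findings would feed the time-synchronized logging required in step 3.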