Layered consideration of Wireless LAN security

Source: Internet
Author: User

Wireless LAN security is one of the problems that every enterprise network administrator attaches importance to, yet choosing a wireless LAN security solution is hard: LAN security policies differ, and so do their encryption settings. This article discusses a layer-by-layer approach to wireless LAN security.

Faced with a variety of wireless LAN security solutions, users need to stay alert: even the latest standard, 802.11i, has defects, and no solution can solve all security problems. For example, many Wi-Fi solutions currently provide 128-bit encryption, which cannot prevent malicious attacks. Many users also make simple mistakes, such as forgetting to enable WEP, which leaves wireless connections undefended. Others do not place the AP outside the enterprise firewall, so attackers can use the wireless connection to bypass the firewall and intrude into the LAN. Rather than relying on a single security technology, users are better off selecting a wireless LAN security solution that suits their actual situation and establishing a multi-layer security protection mechanism, which helps avoid the security risks that wireless technology brings.

Enterprise users generally regard wireless connections as part of a system. Such a system must meet the needs of the network infrastructure and provide a high level of protection to ensure the security of enterprise information, user identities, and other network resources. Enterprise users need to evaluate the threats to the wireless LAN and the security level it requires. Open network servers that contain sensitive data, in particular, often require more protection than other servers on the network. At the same time, enterprise users need to establish multiple layers of protection on the wireless connection between the AP and the client to enhance security.

40-bit WEP and 128-bit shared-key encryption meet basic wireless LAN security requirements and can withstand only the lowest level of risk. The IT administrator can also create and maintain a MAC address table of wireless client devices in the AP, and manually update the table when wireless devices are replaced or added. Because WEP uses a shared key, hackers may obtain private information and network resources if the key is compromised. As the network continues to grow, IT administrators need to strengthen the management of the wireless LAN.

To strengthen the wireless LAN security mechanism, enterprises can use "user-based" authentication instead of "device MAC address-based" authentication. In this way, even if a user's laptop is stolen, the thief cannot access the network without the user's user name and password. This method is easy to use and reduces the management burden, because there is no MAC address table to manage manually. However, you need to evaluate and deploy APs that support a user-based authentication database. The authentication database can be maintained locally in the AP.

Enterprises can also enable the dynamic key management function performed by the AP. Some wireless vendors provide this management feature as an additional security layer.

This multi-level policy gives each user a unique key that can be changed frequently. Even if a hacker breaks the encryption mechanism and obtains network access, the key obtained is valid only for a short time, which limits the possible damage. This method also eases the management burden on IT as the network scales, because dynamic key management can be configured in the AP. Compared with 128-bit shared-key encryption, dynamic key management is more powerful, because frequent key changes make it harder for hackers to intrude into the system.

Specifically, users can greatly reduce the security risks of a wireless LAN by taking the following measures.

1. Control the wireless clients: standardize on a WLAN NIC and prevent any changes to it.

2. Treat the WLAN like the Internet: install a firewall between the WLAN and the wired network, and prevent unauthorized WLAN users from sending Layer 2 packets to the wired network.

3. Protect the access points and place them in areas where they are not easily discovered, to prevent unauthorized tampering.

4. Prevent radio waves from "leaking" outside the site. Users can use various measures to "shape" the radio signal. This is especially necessary at the edge of the site.

5. Do not rely solely on WPA, because WPA still uses a stream cipher to encrypt wireless data streams rather than a more secure block cipher.

6. Use a VPN. An IPSec VPN or SSL VPN is still regarded as the best protection technology.

7. Use a third-party wireless LAN security controller to improve the VPN.

8. Select the appropriate EAP method.

9. Monitor the network: use analyzers and monitors to analyze WLAN traffic, discover unauthorized access points, block or disconnect clients as needed, and detect intruders.
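An added example, not part of the original article, of the monitoring measure above: it compares a wireless survey against an inventory of approved access points to flag unauthorized APs and approved APs left open or on WEP. The inventory, the survey records and the -60 dBm "on-site" threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of approved access points (BSSID -> expected SSID).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
WEAK_ENCRYPTION = {"OPEN", "WEP"}
ONSITE_RSSI_DBM = -60  # assumed threshold: stronger signals are likely inside the site

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    encryption: str  # "OPEN", "WEP", "WPA" or "WPA2"
    rssi_dbm: int

def audit(beacons):
    """Return a sorted list of (bssid, finding) tuples for one survey."""
    findings = set()
    for b in beacons:
        bssid = b.bssid.lower()
        expected = AUTHORIZED_APS.get(bssid)
        if expected is None:
            # Not in the inventory: a corporate SSID is the strongest signal,
            # otherwise report only APs that appear to be inside the site.
            if b.ssid in CORPORATE_SSIDS:
                findings.add((bssid, "unauthorized AP advertising corporate SSID"))
            elif b.rssi_dbm >= ONSITE_RSSI_DBM:
                findings.add((bssid, "unknown AP with on-site signal strength"))
            continue
        if b.ssid != expected:
            findings.add((bssid, "authorized AP with unexpected SSID"))
        if b.encryption.upper() in WEAK_ENCRYPTION:
            findings.add((bssid, "authorized AP using weak or no encryption"))
    return sorted(findings)

# Constructed survey data, as an analyzer might export it.
SAMPLE_SURVEY = [
    Beacon("00:11:22:33:44:01", "corp-wlan", "WPA2", -48),
    Beacon("00:11:22:33:44:02", "corp-wlan", "OPEN", -55),
    Beacon("66:77:88:99:AA:BB", "corp-wlan", "WPA2", -50),
    Beacon("66:77:88:99:AA:CC", "printer-setup", "OPEN", -52),
    Beacon("66:77:88:99:AA:DD", "neighbor-cafe", "WPA2", -85),
]

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SURVEY):
        print(f"{bssid}  {finding}")
```

The weak neighboring network is ignored, while the open approved AP and the two unlisted on-site APs are reported for follow-up.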

In short, users can avoid the risks of a wireless LAN and enjoy the convenience of wireless access as long as they combine security mechanisms with the actual situation of the enterprise.
