Win7: How to protect your wireless network

Source: Internet
Author: User

1. Move to enterprise-level encryption

If you create a WPA or WPA2 encryption key and must enter that key when connecting to the wireless network, you are using WPA pre-shared key (PSK) mode, also called personal mode. Business networks, large or small, should be protected with enterprise mode, because it adds 802.1X/EAP authentication to the wireless connection process. Instead of entering an encryption key on every computer, users log in with a username and password. The encryption keys are handled securely behind the scenes and are unique to each user and session.

This approach provides centralized management capabilities and better wireless network security.

In short, when enterprise mode is used, employees and other users log in to the network with their own accounts, and administrators can easily change or revoke their access when needed. This is useful when an employee leaves or a laptop is stolen. With personal mode, you would instead have to change the encryption key on every computer and access point (AP).

A key component of enterprise mode is the RADIUS/AAA server. It communicates with the access points on the network and queries the user database. I recommend the IAS in Windows Server 2003 or the Network Policy Server (NPS) in Windows Server 2008. You can also consider an open source server, such as the most popular one, FreeRADIUS. If setting up an authentication server would cost too much or exceed your budget, consider an outsourced service.

2. Verify physical security

Wireless security is not just a technical issue. You can have the most robust Wi-Fi encryption, but how do you stop someone from plugging a cable into an exposed Ethernet port? And what if someone presses the reset button on an access point and restores it to factory settings, leaving your wireless network wide open?

So be sure to keep your access points out of the public's reach, and do not allow employees to tamper with them. Don't leave an access point on a desk; at the very least mount it on a wall or ceiling, and preferably place it above the ceiling.

You can also consider installing the AP out of sight and fitting an external antenna, which will also give the strongest signal. This restricts access to the AP even further and brings two benefits: greater coverage and the use of a higher antenna.

Of course, you can't focus only on the access points. All network components should be secured, including the Ethernet cabling. This may sound a little far-fetched, but wouldn't a sufficiently determined person cut a cable to attach their own equipment?

Every access point should be accounted for during installation. It is best to make a table that records every access point's model, along with its MAC address, IP address, and location. That way you know exactly where each access point is when taking inventory or tracking down a problematic AP.

3. Install intrusion detection and/or intrusion prevention systems (IDS and IPS)

These two systems are usually delivered as a single piece of software that uses a wireless card to sniff wireless signals and look for problems. Such a system can detect rogue access points. Both IDS and IPS can detect a new access point appearing on the network, as well as an existing one whose settings have been reset to default values or no longer match a user-defined standard.

The system can also analyze network packets to see whether anyone is using hacking techniques or causing interference.
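The comparison described above, checking what is heard on the air against the access point inventory table, can be sketched as follows. This is an added example, not code from Kismet or Snort; the `ApprovedAP` record, the `audit` function and all addresses, SSIDs and security labels are constructed for illustration.

```python
# Added example: audit observed access points against the approved inventory.
# All MAC/IP addresses, SSIDs and locations are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class ApprovedAP:
    bssid: str      # MAC address from the inventory table
    ip: str
    ssid: str
    security: str   # expected setting (label format is an assumption)
    location: str

INVENTORY = [
    ApprovedAP("00:11:22:33:44:01", "10.0.0.11", "CorpNet", "WPA2-Enterprise", "2F east ceiling"),
    ApprovedAP("00:11:22:33:44:02", "10.0.0.12", "CorpNet", "WPA2-Enterprise", "2F west ceiling"),
    ApprovedAP("00:11:22:33:44:03", "10.0.0.13", "CorpNet", "WPA2-Enterprise", "3F hallway"),
]

OBSERVED = [  # one scan as a wireless sensor might report it (constructed)
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "security": "WPA2-Enterprise"},
    {"bssid": "00:11:22:33:44:02", "ssid": "default", "security": "Open"},
    {"bssid": "66:77:88:99:AA:BB", "ssid": "CorpNet", "security": "WPA2-PSK"},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CoffeeShop", "security": "WPA2-PSK"},
]

def audit(observed, inventory):
    """Return (severity, bssid, reason) findings for one scan."""
    approved = {ap.bssid.lower(): ap for ap in inventory}
    corp_ssids = {ap.ssid for ap in inventory}
    findings, heard = [], set()
    for obs in observed:
        bssid = obs["bssid"].lower()
        ap = approved.get(bssid)
        if ap is None:
            if obs["ssid"] in corp_ssids:
                findings.append(("high", bssid, "unapproved AP advertising corporate SSID"))
            else:
                findings.append(("low", bssid, "unknown AP in range, confirm it is not on the wired LAN"))
            continue
        heard.add(bssid)
        drift = [k for k in ("ssid", "security") if obs[k] != getattr(ap, k)]
        if drift:
            findings.append(("high", bssid, f"settings changed ({', '.join(drift)}) at {ap.location}"))
    for bssid, ap in approved.items():
        if bssid not in heard:
            findings.append(("medium", bssid, f"approved AP not heard, inspect {ap.location} ({ap.ip})"))
    return findings

if __name__ == "__main__": print(*audit(OBSERVED, INVENTORY), sep="\n")
```

On the sample scan this reports the AP that fell back to open default settings, the unapproved AP imitating the corporate SSID, the unrelated neighbour, and the inventoried AP that has gone silent.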

There are many kinds of intrusion detection and prevention systems, and the technologies they use differ. I recommend two open source or free systems, the well-known Kismet and Snort. There are plenty of tutorials on both online, so they are worth a try. If you are willing to spend money, you can also consider products from AirMagnet, AirDefense, AirTight and other foreign companies.

4. Establish a wireless usage policy

As with the usage guidelines for other network devices, you should have a usage policy for wireless access that covers at least the following:

① List the devices that are authorized to access the wireless network: It is a good idea to block all devices by default and use MAC address filtering on the router to state explicitly which devices are allowed on the network. Although MAC addresses can be spoofed, doing so gives clear control over which devices employees use on the network. Keep a hard copy and the details of all approved equipment so that comparisons can be made when monitoring the network, and to provide data for the intrusion detection system.

② List the people who can access the network over a wireless connection: With 802.1X authentication, this can be enforced on the RADIUS server by creating accounts only for those who need wireless access. If you also use 802.1X authentication on the wired network, you must specify whether each user gets wired or wireless access, which can be done by modifying Active Directory or by using an authentication policy on the RADIUS server.

③ Rules for setting up wireless routers or access points: For example, allow only the IT department to set up additional access points, so that employees cannot plug in their own APs to boost and extend the signal. For the internal IT department, it is best to include a definition of acceptable device models and configurations.

④ Rules for connecting company devices to Wi-Fi hotspots or home networks: Because data on a device or laptop can be compromised, and Internet activity on an unsecured wireless network can be monitored, you may want to restrict Wi-Fi connections to the corporate network only. You can enforce this with network filters set through the Netsh utility in Windows. Alternatively, you can require a VPN connection to the corporate network, which at least protects Internet activity and allows remote access to files.

5. Use SSL or IPSec encryption

While you may be using the latest, most robust Wi-Fi encryption (at layer 2 of the OSI model), consider adding another encryption mechanism such as IPSec (at layer 3 of the OSI model). This not only gives the wireless network double encryption but also secures wired communications. It prevents employees or outsiders from eavesdropping by plugging into an Ethernet port.

Although most of the five techniques discussed here are already mature on wired networks, many organizations have not implemented them on their wireless networks. They are worth trying to make your wireless network access more secure.
