WLAN Security Management Guide

For some people, they may think that the security of wireless networks is very complicated. Setting a secure wireless network may require very professional basic knowledge and complex settings. Some may also say: "I just used my computer to access the Internet and didn't do anything important. Why do I have to worry about security issues? ", Therefore, they will give up their security plans, which will lead to the wide opening of their network portals ". For the answer to this question, you may not have this idea after reading the following content.

Note: WLAN is short for Wireless LAN. Wireless LAN uses wireless technology to achieve fast Ethernet access.

I. Three major risks of WLAN with no security measures:

1. Exposed Network Resources

Once someone with ulterior motives connects to your WLAN over a wireless network, they have access permissions to the entire network, just like those who are directly connected to your LAN switch. In this case, unless you have taken some measures in advance to restrict access by unknown users to resources and shared documents on the network, intruders can do anything that authorizes users to do. On your network, files, directories, or the entire hard drive can be copied or deleted, or in other worse cases, such as key records, Trojan horses, spyware, or other malicious programs that can be installed into your system and manipulated by intruders through the network, the consequences can be imagined.

2. Sensitive Information exposed

As long as appropriate tools are used, WEB pages can be reconstructed in real time, so that the URLs of WEB sites you have browsed can be captured, some important passwords you entered on these pages will be stolen and recorded by intruders. If they are credit card passwords or the like, you will know what is going on.

3. Act as a stepping stone for others

In foreign countries, if an open WLAN is used by intruders to transmit pirated movies or music, you are very likely to receive a letter from RIAA's lawyers. What's more, if your Internet connection is used by someone else to download child pornography or other inappropriate content from an FTP site, or use it as a server, you may face more serious problems. Moreover, open WLAN may also be used to send spam, DoS attacks, or spread viruses.

2. Protect Our WLAN

After understanding the problems faced by an unprotected WLAN, we should take corresponding measures before the problem occurs, do not wait until serious consequences occur to realize how important security network maintenance is. The following describes various measures taken to cope with different levels of intrusion.

1. Common users with wireless network interfaces

To attack a wireless LAN without any protection, you do not need to take any special measures, as long as any machine with a wireless Nic is configured, the person who can enable the wireless network card on the computer is a potential intruder. In many cases, people accidentally turn on computers that are equipped with wireless devices and are within your WLAN coverage, in this way, their machines are not automatically connected to your AP, or they are seen in the "available" AP list. If you are not careful, they will break into the "Domain" You have not set up. In fact, in normal statistics, a considerable number of unauthorized connections come from this situation. It is not intended for others to infringe on your network, it is the behavior that is sometimes inadvertently driven by curiosity.

The following measures can protect your network from accidental access. However, these measures are basic content and cannot provide real-time protection to prevent more skilled intruders. Although these contents are very "cainiao", most of them are so simple, but if your wireless device can support them, I suggest you make relevant settings.

Countermeasure 1: Change the default settings

At the very least, you need to change the default administrator password, and if the device supports it, you 'd better change the administrator username together. For most wireless network devices, the administrator password may be generic. Therefore, if you have not changed the password, others can easily log on to your wireless network device with the default user name and password, get the management permission of the entire network, and finally, you may find that you cannot log on to your WLAN. Of course, you can regain control by restoring the factory settings.

Change the default SSID of your AP or wireless router. It is especially necessary to change the default SSID when there are other neighboring APS near your operating environment, when there are multiple APS of the same manufacturer in the same region, they may have the same SSID, so that the client will have a considerable chance to connect to the AP that does not belong to them. Do not use personal sensitive information in the SSID.

Changing the default number of channels can help you avoid conflicts with the neighboring Wireless LAN, but as a security defense method, because wireless clients automatically scan all available channels for possible connections.

Countermeasure 2: update the Firmware of the AP

Sometimes, refreshing the latest Firmware version can improve the security of the AP. The new Firmware version often fixes known security vulnerabilities and may add some new security measures in terms of functions, with the emergence of the updated consumer AP, you can check and upgrade the new Firmware with a few simple clicks. Compared with the previous AP, old products require users to manually search, download, and update the final version of Firmware from the vendor's technical support site, which is not very friendly.

Many APs that have been used for several years have already passed their warranty period, which means it is difficult to find a new Firmware version, if you find that the last version of Firmware does not support WPA (Wi-Fi Protected Access) that improves security, the better version is WPA2, it is best to carefully consider whether to replace your device.

In fact, the current 802.11g device should support at least WPA and be technically updated to WPA2, but the manufacturer will not always be dedicated to supporting their old products, therefore, if you want to check whether the AP supports WPA2, or if you want to connect to the Wi-Fi Alliance is certification database (link: wi-fi.org/OpenSection/certified_products.asp? TID = 2), or google.

Countermeasure 3: Shield SSID Broadcast

Many APS allow users to block SSID broadcasts, which can prevent netstumbler scanning. However, this will also prevent Windows XP users from using their built-in Wireless Zero Configuration applications and other client applications. If the displayed "Hide ESSID" is selected in section 1, the SSID broadcast is blocked on a ParkerVision AP. (In fact, SSID and ESSID are the same thing ).

Note: shielding SSID broadcast in a wireless network does not prevent attackers using Kismet or other wireless detection tools (such as AirMagnet, these tools do not rely on SSID to detect an existing network.

Countermeasure 4: Disable machine or wireless launch

Disable Wireless AP, which may be the easiest way for general users to protect their wireless networks, you can use a simple timer to close our AP. However, if you have a wireless router, the Internet connection is also disconnected, which is also a good solution.

If you cannot or do not want to Periodically disable the Internet connection, You have to manually disable the wireless launch of the wireless router (of course, you also need your wireless router to support this function ). See figure 2.

Countermeasure 5: MAC address filtering

MAC address filtering is performed by writing a valid MAC address list to the AP in advance. Only when the MAC address of the client matches the address in the Legal MAC address table can the AP communicate with the client, implements physical address filtering. This can prevent beginners from intruding from connecting to our WLAN. However, for experienced attackers, it is easy to intercept data frames from open radio waves, analyze the MAC address of a valid user, and use the MAC address of the Local Machine to pretend to be a valid user, illegal access to your WLAN. See figure 3.

Countermeasure 6: Reduce transmit power

Although only a few APs have this function, lowering the transmit power can still help limit intentional or accidental unpermitted connections. However, the sensitivity of wireless network cards is constantly improving, and even any beginner users can purchase these network cards, especially if you try to block unnecessary connections in a building or dormitory, this may be of little value.

In the next part of this article, we will introduce further wireless security techniques that can be used by intermediate and advanced wireless users and how to prevent them from using professional cracking tools.

Related Articles]

• Seven security challenges and solutions for wireless LAN
  

• Security risk analysis and solutions for wireless LAN
  

• Network Security Technology Application Guide for wireless LAN