Securing your WLAN

28.02.2005
By Sean Bacher

At the Networkers conference held two weeks ago in South Africa, one of the core focuses was security -- more to the point, security in the WLAN space. According to many Cisco Systems Inc. engineers, companies are in the process of setting up WLANs but are not too clued up on the security implementations.

According to Martin Walshaw, security systems engineer at Cisco, there are a few basic guidelines that companies can follow to ensure that their WLANs are secure. "At the end of the day a WLAN is quite similar to a standard LAN -- without the cables, of course," he says. All that a hacker needs to gain access to a network is a valid IP address and subnet mask.

"This is usually easy to get, as quite a few companies use a DHCP server that automatically assigns IP addresses to users," he says. It is, however, a lot easier on a WLAN, as the hacker merely has to be in range of an access point to gain network access.

"This is why network administrators have to continually monitor access points, taking note of things such as their broadcast range, physical location and monitoring the type of traffic being routed by the access point," he says.

"Administrators should also be on the lookout for rogue access points, and/or devices that could extend an access point's broadcast range outside the building's structure."

Walshaw recommends that IT administrators use software to monitor and fine-tune the access points, as well as to watch out for nonauthentic devices operating on the network.
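The monitoring Walshaw describes (rogue access points, configuration, and broadcast range reaching outside the building) can be sketched as a check of survey results against an inventory of authorized access points. This is an added example, not code from the article or from Cisco; the inventory, SSIDs, BSSIDs, sensor labels and signal thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points, keyed by BSSID.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "CorpWLAN", "channel": 1},
    "00:11:22:33:44:02": {"ssid": "CorpWLAN", "channel": 6},
}
CORP_SSIDS = {ap["ssid"] for ap in AUTHORIZED.values()}
LEAK_DBM = -75    # assumed: stronger than this at a perimeter sensor = leak
ONSITE_DBM = -60  # assumed: stronger than this at an inside sensor = on site

@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    sensor: str  # "inside" or "perimeter" (hypothetical sensor placement)

def classify(obs):
    """Return the list of findings for one observed access point."""
    known = AUTHORIZED.get(obs.bssid.lower())
    if known is None:
        if obs.ssid in CORP_SSIDS:
            return ["rogue-ap"]            # unknown radio using our SSID
        if obs.sensor == "inside" and obs.rssi_dbm > ONSITE_DBM:
            return ["unknown-ap-on-site"]  # strong unknown signal indoors
        return []                          # weak neighbour, ignore
    findings = []
    if (obs.ssid, obs.channel) != (known["ssid"], known["channel"]):
        findings.append("config-drift")    # differs from the inventory
    if obs.sensor == "perimeter" and obs.rssi_dbm > LEAK_DBM:
        findings.append("coverage-leak")   # range extends past the building
    return findings

def audit(observations):
    """Map BSSID -> findings for every observation that raised any."""
    report = {}
    for obs in observations:
        findings = classify(obs)
        if findings:
            report[obs.bssid] = findings
    return report

SCAN = [  # constructed survey results
    Observation("00:11:22:33:44:01", "CorpWLAN", 1, -48, "inside"),
    Observation("00:11:22:33:44:02", "CorpWLAN", 6, -62, "perimeter"),
    Observation("de:ad:be:ef:00:01", "CorpWLAN", 11, -55, "inside"),
    Observation("de:ad:be:ef:00:02", "linksys", 6, -50, "inside"),
    Observation("de:ad:be:ef:00:03", "CoffeeShop", 1, -85, "perimeter"),
]
```

BSSIDs can be cloned, so a clean report is a baseline check against the inventory rather than proof that every radio is genuine.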

Another problem companies operating a WLAN could face is that of network sniffing.

"Because hackers do not need a physical network point to gain access, they can merely sit on the side and 'sniff' the traffic on the network," he says. "There are, however, various solutions to fight this problem though; firstly companies can implement stringent authentication processes such as the Lightweight Extensible Authentication Protocol (LEAP), and, secondly, they can implement data encryption policies, such as the Temporal Key Integrity Protocol (TKIP)," he suggests.

LEAP is used in conjunction with the IEEE 802.1X standard, and a PC or any network device will not be able to pass traffic through a WLAN unless it is successfully authenticated. The device must actually prove that it is an authorized network user before it is allowed to use the network.

TKIP encrypts data with a 128-bit key. In addition to this 128-bit encryption, TKIP employs a further 64-bit key for authentication. Thus only the designated audience, which possesses the correct decryption key, will be able to understand the data.

"There are numerous other encryption and authentication protocols available to companies, but there is no 'best-of-breed' approach," says Walshaw. All companies have different requirements, and the best advice for them is to implement the tightest encryption and authentication protocol possible. Apart from this, companies need to monitor their access points, turn off unneeded ports and, overall, practice safe networking.

"After all, a company's security is only as strong as its weakest link," concludes Walshaw.