Wireless Security Checklist for Small and Medium Businesses

Courtesy of Core Competence, Inc.

Use this general checklist as a guide to implementing security for your wireless LANs:

  • Perform a site survey.
  • Evaluate radio transmission and coverage to reduce unnecessary exposure. Continue to monitor RF and coverage for rogue access points and for possible channel contention with other companies.
  • Perform a WLAN security audit to identify existing vulnerabilities.
  • Prune points in the topology where broadcast traffic is unnecessary.
  • Inventory WLAN MAC addresses: deny access to non-inventoried MAC addresses on your Access Points.
  • Enable IEEE 802.1X port-based authentication and key distribution.

    (Note: this requires a RADIUS server with 802.1X support, a digital certificate for the EAP-TLS server, and one of the EAP types supported by Windows XP clients; for Microsoft networks these are EAP-TLS and Protected EAP/MSCHAPv2.)

  • Use WiFi Protected Access (WPA) to provide short-lived session keys, message confidentiality and integrity.
  • Take measures to prevent unauthorized clients from acquiring dynamically assigned addresses from your Access Points (e.g., use static IPs, allocate IPs tied to MAC ACLs on your AP or WLAN switch, use DHCP reservations, or enable DHCP only after IEEE 802.1X MAC authentication). Monitor for unauthorized client MAC addresses (even a freeware product like AirSnare can be effective).
  • Apply all available measures on your Access Points or WLAN switches to secure them from unauthorized access (e.g., disable SNMP/Telnet access, configure strong passwords and access controls, restrict systems from which management access is permitted).
  • Consider placing firewalls or application proxies between client and server subnets. Consider network admission ("scan on connect") technologies offered by WLAN switch vendors.
  • Add policies to your firewall to restrict the Intranet servers that (mobile) WLAN clients can access.
  • If you offer guest (visitor) use of wireless service, separate this WLAN from your trusted network. Place the guest WLAN outside your trusted network, on your optional/DMZ interface, or separate its traffic using VLAN/802.1q tagging. Use guest accounts and require login (guest authentication). Log and audit guest activity.
  • If appropriate, add policies to your firewall to allow WLAN clients to access other sites in your organization.
  • If appropriate, add policies to your firewall to allow WLAN clients access to the public Internet.
  • Configure your interdepartmental firewall policies so that traffic from both WLAN and wired clients is subjected to the same policy.
  • Make certain all WLAN clients are protected with anti-virus, anti-spyware and personal firewall software.
  • Deploy VPN clients on mobile WLAN devices to encrypt traffic and provide stronger authentication when workers access trusted networks from public-access and home networks. Assign addresses to VPN clients from a secondary IP subnet to segregate and control WLAN client traffic.
  • Expand your intrusion detection measures to encompass WLAN clients.
  • Log and audit at all layers where you apply security.
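The MAC inventory and monitoring items above (deny non-inventoried MAC addresses; monitor for unauthorized client MACs) can be checked against your Access Point association logs. The following is an added example, not code from Core Competence or from any AP vendor: the inventory, the log lines and the syslog-like log format are all constructed for illustration, so the regular expression will need adjusting to your AP's or WLAN switch's real format.

```python
"""Report client MAC addresses that associated to an AP but are not in the inventory."""
import re
from collections import defaultdict

# Constructed inventory of authorised WLAN adapters (hypothetical values).
INVENTORY = {
    "00:11:22:33:44:55": "laptop-sales-01",
    "00:11:22:33:44:66": "laptop-eng-02",
    "00:11:22:33:44:77": "printer-2f",
}

# Constructed association log lines; the format is an assumption for this example.
# Note the printer is logged with dashes and the unknown client with mixed case,
# which is why MACs are normalised before comparison.
SAMPLE_LOG = """\
Jan 12 09:01:02 ap-2f assoc: client 00:11:22:33:44:55 joined ssid=corp
Jan 12 09:03:15 ap-2f assoc: client 00:11:22:33:44:66 joined ssid=corp
Jan 12 09:05:40 ap-1f assoc: client 00-11-22-33-44-77 joined ssid=corp
Jan 12 09:07:12 ap-1f assoc: client 0a:1b:2c:3d:4e:5f joined ssid=corp
Jan 12 09:09:55 ap-2f assoc: client 0A:1B:2C:3D:4E:5F joined ssid=corp
"""

# Accepts both colon- and dash-separated MAC addresses in either case.
MAC_RE = re.compile(r"client ([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated."""
    return mac.lower().replace("-", ":")


def find_unknown_clients(log_text: str, inventory: dict) -> dict:
    """Return {mac: [ap names]} for every MAC that associated but is not inventoried."""
    known = {normalize_mac(m) for m in inventory}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue  # not an association record
        ap_name = line.split()[3]  # fourth field is the AP hostname in the assumed format
        mac = normalize_mac(match.group(1))
        if mac not in known:
            seen[mac].add(ap_name)
    return {mac: sorted(aps) for mac, aps in seen.items()}


if __name__ == "__main__":
    for mac, aps in find_unknown_clients(SAMPLE_LOG, INVENTORY).items():
        print(f"non-inventoried client {mac} seen on {', '.join(aps)}")
```

Treat the output as an audit lead to investigate, not as proof of an intruder; the 802.1X item above is what actually authenticates a client, while the MAC inventory tells you which devices to expect on each AP.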

You can find more information about 802.1X, EAP, and wireless security at Lisa Phifer's WLAN CORner.