7/30/2019 Solving Common Security-geotrust http://slidepdf.com/reader/full/solving-common-security-geotrust 1/14 an Security eBook Solving Common IT Security Problems ®


Contents

What to Do When a Laptop is Stolen
PC Security Tips for Corporate Executives
The 20 Most Effective Controls to Protect Your Enterprise
Seven Simple Wireless Security Tips
Five Advanced Wi-Fi Network Security Tips

This content was adapted from Internet.com’s eSecurity Planet and Enterprise IT Planet Web site. Contributors: David Strom, Michael Horowitz, Sonny Discini.

Solving Common IT Security Problems, an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.

What to Do When a Laptop is Stolen
By David Strom

I had my laptop stolen once, about five years ago, from the trunk of a locked car parked at a shopping mall. You never forget that experience of being violated, of being stupid. (And it seems to be getting more common, according to a story in the LA Times about thieves who follow customers home from Apple Stores.)

So what can users do to be more proactive, given the number of laptops that go missing every month? One way is to use one of a growing number of recovery software tools that automatically “phone home” (in the Internet sense of the word) and help you and the authorities, should they be interested, in trying to track it down. Think of what LoJack does for locating cars, with the added information that having an Internet connection can bring (indeed, the company is one that offers a laptop tool).

While it sounds like a great idea, there are several issues with using these tools.

First, most of them are designed for individuals, not corporations. Absolute Software’s Computrace has an enterprise version called Complete in their LoJack for Laptops line, which has tools that offer more asset tracking and remote hard disk destruction that aren’t found in an individual product. zTrace Technologies’ zTrace Gold, MyLaptopGPS for Windows, and Brigadoon’s PC/Mac PhoneHome products all offer quantity pricing for business customers, but not much else in terms of added features over their individual versions.

Turn the Tables

A second alternative is to look at central monitoring and image automation tools, such as Symantec’s Altiris and Kaseya that can be used in a stolen laptop situation. Greg Hemig, a Sacramento Kaseya VAR, did exactly that and was able to recover two independently stolen laptops by using the remote control features.

“I was able to find out not just an IP address, which is what a typical anti-theft product like LoJack would provide, but an actual physical address, the names of the user’s girlfriend and family, how to access their bank accounts, and even turn on the microphone on the laptop and listen to what they were saying while they were typing,” says Hemig. Scary stuff, but within two weeks of contacting law enforcement, he was able to get back both machines to their original owners.

OS-Based Options

Third, the versions that are offered differ as to features between Mac and Windows, with the Mac (if it is supported at all) usually being a poor cousin. If you have a mixed network this could be a determining factor as to which product you end up deploying. Taking Computrace as an example again, the Mac version doesn’t include the special embedded BIOS agent that comes with their Windows product.


Phoenix Technologies offers something similar for its OEM BIOS customers called FailSafe, but not for the general public. And GadgetTrak has software for both Mac and Windows, but prices them differently.

Well-Rounded

Next, these tools are just part of an overall laptop security solution that should also include disk encryption and password-protecting the boot drive. If these tools live on the hard disk and if you haven’t enabled a firmware or disk password, any intelligent thief can just reformat your hard drive and remove this protection, or just remove the hard drive itself. So it makes sense to start by putting password protection on all of your machines as a first line of defense. Disk encryption is especially important if you need to protect confidential corporate or business data, not to mention personal data, such as bank account passwords as well.

That brings me to my last point: Do you really need a vendor-operated central monitoring station, or can you set up your own central place where alerts can be sent? GadgetTrak, Orbicule’s Undercover for Macs and iPhones, Prey (for Mac, Windows, and Linux), and PC/Mac PhoneHome are all tools that don’t make use of any central monitoring station. Instead, the software sends info to your e-mail (and for GadgetTrak, to Flickr) accounts directly. With some of these products, upon booting they look for the presence or absence of a special URL that indicates the laptop has been stolen. If so, they send information, such as the current IP address, a snapshot from a Webcam, screenshots, and other details to your e-mail address.

One user of Undercover had his laptop stolen about two years ago, also from his car. (Have you realized never to leave a laptop in a vehicle now?) “Within a few days, we had screenshots and camera images of the thief and working with local authorities, we were able to recover the laptop within a week,” said Lenny, a friend of mine who has run several major corporations and is a big fan of their software.

While options vary depending on need, OS, and budget, the ideal approach to protecting laptops is to cover your bases: use password protection and disk encryption, and employ a collection of tools, including a monitoring product with a corresponding tracking piece on each laptop — and remind users to never leave a laptop in a car.


PC Security Tips for Corporate Executives
By Michael Horowitz

The recent attacks against Google and other companies highlighted “spear phishing” attacks. The term refers to scam e-mail messages designed to trick the recipient into infecting his or her own computer with malicious software (malware). The end result of the phony yarn, spun in the body of an e-mail message, is that the duped user visits an infected Web page, opens a maliciously crafted document, or runs a malicious program.

Unlike regular phishing e-mails that are blasted out to millions, spear phishing, as the name implies, is specifically targeted. Anyone that works with secrets that the bad guys want may be sent an e-mail message targeted specifically at them. The message will appear to come from someone they know and the topic will be something that the sender would normally discuss. Everything about the message is fraudulent, including the From address.

The fraud is successful, in part, because people trust the From address of an e-mail message. No one should; forging the From address is child’s play. But, since the From address is correct 99 percent of the time and many don’t know that it is easily forged, this gets the spear phishing message in the door, so to speak.

As I recently wrote, the most important aspect of Defensive Computing is skepticism. Corporate executives may be skeptical when dealing with people, but lack awareness of common online scams.

Just a few days ago, Roger Thompson of AVG described the hacking of the Oklahoma Tax Commission Web site. To be infected, the end user simply had to agree to an Adobe license agreement. The agreement looked legit, but it was from bad guys rather than Adobe, and agreeing to it installed malware.

Here I assume we are configuring a computer for someone with access to corporate secrets, someone whose lack of technical know-how makes them an easy target for online scammers. What steps can we take to protect this person from themselves?

Restricted Users

Running as a limited (a.k.a., restricted or standard) user is job one. For the sake of backward compatibility Windows users, by default, run as Administrators, which lets them change anything, anytime, anywhere. Despite this default behavior, Microsoft recommends, and all techies agree, that people are safer running as limited users.


Windows Vista and Windows 7 users may feel that UAC protects them, even when logged on as an administrator. It does not.

I’ve been testing life as a restricted user for a while on both Windows XP and Windows 7. It works better on Windows 7; XP has a number of quirks in the implementation. But regardless of any quirks, this is perhaps the biggest weapon in the Defensive Computing software arsenal. Barring severe bugs in Windows, it should prevent the installation of any software (assuming the bigshot is not given an Administrator password).

If, for whatever reason, running as a limited user is not an option, Windows XP users can still get most of the protection it offers with the free DropMyRights program. This Microsoft program is used to front-end another program and drop its rights. For example, an Administrator class user can click on an icon for the Adobe Reader, which actually runs DropMyRights. It, in turn, runs the Adobe Reader, but only after dropping the rights down to those of a limited user. Thus, if an infected PDF file tries to install software, it fails.

Running as a limited user however does not prevent malicious software from running, just from running out of certain folders (and from being permanently installed). More steps are needed.

Internet Explorer

It took security expert Steve Gibson a while to come around to my Defensive Computing posture, but he finally did. No more Internet Explorer.

Just say no. Friends don’t let friends use Internet Explorer.

In part this is unfair to Microsoft, as IE is not necessarily any buggier than competing browsers. But it is buggy enough, and it has a huge target painted on its back. Plus, Microsoft makes a bad situation worse by being slow to fix bugs. If for no other reason than this, any other Web browser is safer than IE.

Other browsers are updated with bug fixes when they are needed. IE has to live in a huge bureaucracy that dictates it only gets updated once a month. It makes headlines when IE is patched when needed, as opposed to on schedule. Not good for security.

In addition to the slow IE patching imposed by the once-a-month schedule, Microsoft has a history of just being slow. For example, the IE bug that was exploited recently to attack Google and others was initially called a zero-day vulnerability; techie terminology for a newly discovered bug. It turns out not to have been zero day at all, more like 120 days. Microsoft was alerted to the problem four months before it was exploited on Google.

And, we’re still not done with IE issues. Computerworld reports that design flaws in the browser can let it expose the entire C: disk.

There is no such thing as removing Internet Explorer, but we can hide it. First, lock it down as best as possible. On the Security tab (of Internet Options) set the Internet and Local intranet zones to high security. Turn on protected mode and DEP (note that DEP requires companion support in both the processor and BIOS).

Then get rid of all visible signs of Internet Explorer. Remove it from the desktop, task bar, and the Start button. It’s still there, only now the only way to run it is to navigate to C:\Program Files\Internet Explorer\iexplore.exe

Firefox and Adobe Reader

In place of Internet Explorer, I suggest Firefox; no news here. But, it does need some work out of the box.

A great security tweak to Firefox is to force the address bar to turn green on all secure HTTPS Web pages. It shouldn’t be hard to train anyone that green is safe and anything else is not. This tweak is done by editing a file called userchrome.css.


Another possibility is using the portable version of Firefox rather than a normally installed copy. Not only does this allow a limited/restricted/standard user to update the browser with new patches, it also makes the software harder to find by any malware looking to infect it.

Another program that I’d ban from the computer of anyone involved with corporate secrets is Adobe Acrobat Reader. Like Internet Explorer, the Adobe Reader has a big target painted on it. It has also been rather buggy over the last couple years. At one point, Adobe thought it was a good idea to only issue bug fixes every three months. And the procedure for updating the software is harder than it needs to be.

In addition to the Reader itself, Adobe installs two programs that run every time Windows starts, which is an accident waiting to happen. In fact, simply hovering the mouse over the name of a PDF file causes an Adobe program (AcroRd32Info.exe) to run, no clicking required. This is true even if the Adobe Reader is not the default program for opening PDFs (tested on Windows XP with Adobe Reader 8.2.0).

It’s all just too intrusive for my taste.

There are many other PDF readers, any one of which will be a lesser target. I use the one from Foxit Software. It doesn’t do everything that Adobe Reader does, but it should be enough for almost everyone. If, for some reason, Adobe Reader can’t be uninstalled, then at least don’t make it the default program for opening PDFs, and be sure to turn off Javascript.

Other Software Issues

For years viruses have spread on USB flash drives (a.k.a. pen drive, thumb drive, etc.) and they continue to do so. Windows 7 is more locked down in this respect than XP, but it is not bullet-proof.

The good news is that with a simple update to the registry, you can offer 100 percent protection from all Autorun/AutoPlay vulnerabilities.

While Internet Explorer and Adobe Reader are the most frequently targeted applications, bad guys also exploit other popular software. Thus, the less software installed the better. With this in mind, I would uninstall QuickTime, Java, Shockwave, Real Player, and any other popular software that is not absolutely needed.

Flash is a difficult choice. Because it’s popular, you can expect bad guys to exploit known vulnerabilities as they are discovered. But, it’s also needed frequently. As a compromise, consider the Flashblock Firefox extension. It works by blocking Flash objects on Web pages and replacing them with placeholders. If a particular Flash object is needed, all you need do is click on it to run it. As I write this, the Flashblock extension has been downloaded nearly 8 million times.

Perhaps the king of popular software is Microsoft Office. Consider replacing it with Open Office, the theory being, again, software that is a lesser target. Open Office is not as functional as Microsoft Office, but for non-techies, such as corporate bigshots, it should be functional enough.

Did you know that the recent bug in Internet Explorer, the one that was so critical that Microsoft released an immediate fix without waiting for the second Tuesday of the month, also affected Microsoft Office? This didn’t get much press. In Microsoft’s own words:

“We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.”

Support for ActiveX controls in Office documents is a security accident waiting to happen. I read the instructions for disabling ActiveX controls in Microsoft Office 2003. They were so confusing, I couldn’t follow them. The safest thing to do is replace Microsoft Office with competing software.


Hardware Encryption

On the hardware side, I have two suggestions. First, set a password for the hard drive in the computer. This should be a simple thing to do and hard drive passwords are more secure than both BIOS level startup passwords and operating system passwords.

The best encryption is, arguably, full disk encryption and if an executive has sensitive files on his or her computer, this might make sense. But sensitive files should not be kept on a laptop or desktop computer. They are best stored on an external hard drive, one that can travel with the bigshot to places that a computer can’t go.

Two encrypted hard drives, the Lenovo ThinkPad USB Secure Hard Drive and the Aegis Padlock, stand out for not needing any software running on any computer; thus they can work with computers running Windows, OS X, or Linux.

Each has built-in buttons that are used to enter a password. Until a valid password is given, the computer can’t see anything on the drive. After the password is validated, the drives work like normal unencrypted hard drives. The computer is totally unaware of the encryption. For the user, there is no learning curve, just a password.

Another big advantage to an external encrypted hard drive is that it can be easily and quickly locked just by unplugging it from the computer.

Exploiting Friends

Is all this too much trouble? Am I over reacting?

The operation that Google uncovered at the end of 2009 was very sophisticated. The Financial Times reported that “personal friends of employees at Google, Adobe, and other companies were targeted by hackers.”

Friends? The article, by Joseph Menn, says

“...the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.”

Yikes.
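
An added example, not part of the original eBook: the article's earlier point that the From address is trivially forged can be checked mechanically by comparing it with the envelope sender, the Reply-To header and the receiving gateway's SPF/DKIM/DMARC verdicts. The gateway name mx.corp.example, the sample messages and the finding codes are assumptions made for this example; a message sent from a genuinely compromised account, like the friends' accounts described above, would not be flagged by it.

```python
# Added example (not from the eBook): triage one message's headers for signs
# that the visible From address is not backed by the sending infrastructure.
# Gateway name, sample messages and finding codes are constructed.
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_verdicts(msg, trusted_authserv_id):
    """Read spf/dkim/dmarc results, but only from Authentication-Results
    headers stamped by our own gateway; a sender can add fake ones upstream."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip().lower()
        if authserv_id != trusted_authserv_id.lower():
            continue
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def from_findings(raw_message, trusted_authserv_id="mx.corp.example"):
    """Return a list of short finding codes; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    if not from_dom:
        return ["from-unparseable"]
    findings = []
    # Exact-match comparison is deliberately strict; a production check would
    # compare organizational domains so bounce.example.com matches example.com.
    for header, code in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        other = domain_of(msg.get(header))
        if other and other != from_dom:
            findings.append(code)
    verdicts = auth_verdicts(msg, trusted_authserv_id)
    for mech in ("spf", "dkim", "dmarc"):
        result = verdicts.get(mech, "missing")
        if result != "pass":
            findings.append("%s=%s" % (mech, result))
    return findings


# Constructed sample: a message whose From domain is backed by the sender.
GENUINE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Alice Example <alice@example.com>
To: exec@corp.example
Subject: Board deck

See attached.
"""

# Constructed sample: same visible From, different infrastructure behind it,
# plus an untrusted Authentication-Results header that must be ignored.
FORGED = """\
Return-Path: <bounce@mailer.unrelated.example>
Authentication-Results: mail.unrelated.example; dmarc=pass
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer.unrelated.example; dkim=none; dmarc=fail header.from=example.com
From: Alice Example <alice@example.com>
Reply-To: alice.example@freemail.example
To: exec@corp.example
Subject: Board deck

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, from_findings(raw))
```
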


The 20 Most Effective Controls to Protect Your Enterprise
By Sonny Discini

Securing the enterprise against cyber attacks has become one of the highest priorities of corporate leadership. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.

Following in the Footsteps of the Feds

For inspiration and guidance in how to combat these threats, look no further than the U.S. government. The federal government revamped The Federal Information Security Management Act (FISMA) to address the needs of securing Federal computer systems. FISMA, the U.S. ICE Act of 2009, specifically addresses the same issues many corporate security practitioners face. If you read through the legislation, you come across an interesting snippet of verbiage, “monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations” and “continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented.”

What this really means is that offense and defense must keep each other informed, and as such, the overall foundation of security is built on this flow of communication. Enterprise security teams have struggled with this, but now they may have an effective model to apply.

The Path to Effective Controls

Before we list specific technical controls, it’s important to understand that because organizations do not have unlimited funding, the only rational way they can hope to be successful is to establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

When devising controls, the following guiding principles should be considered. Defenses should focus on addressing the most common and damaging attack activities occurring today and those anticipated in the near future. Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks. Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible. To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.


Now, when tailoring your controls to be enterprise-specific, consider the following sub controls.

Low Hanging Fruit: The intent of identifying “low hanging fruit” areas is to highlight where security can be improved rapidly. That is, to rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment.

Improved Visibility and Attribution: Improving the process, architecture, and technical capabilities of organizations so organizations can monitor their networks and computer systems, gaining better visibility into the IT operations. In other words, these controls help increase an organization’s situational awareness of its environment.

Hardened Configurations: This type of control focuses on protecting against poor security practices by system administrators and end users who could give an attacker an advantage in attacking target systems. Hardened system configuration aims to reduce the number and magnitude of potential security vulnerabilities as well as improve the operations of networked computer systems.

There are 15 controls that can be handled via automation and five that require manual application. The SANS Institute provides specific details about each of these controls.

The 15 that can take advantage of automation are:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Perimeter Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention

And the five that must be done manually are:

16. Secure Network Engineering
17. Penetration Testing
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training

The consensus effort to define critical security controls is an evolving effort. In fact, changing technology and changing attack patterns will necessitate future changes even after the current set of controls has been finalized. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start in the quest to make fundamental computer security defenses a well understood, repeatable, measurable, scalable and reliable process throughout the federal government.

Although there is no such thing as absolute protection, proper implementation of the security controls identified will ensure an organization is protecting against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, it is critical to review these controls and make changes as needed. Treat this list as a living document with frequent evaluations to ensure that the most effective practices are indeed in place.


Seven Simple Wireless Security Tips
By eSecurity Planet Staff

These days wireless networking products are so ubiquitous and inexpensive that just about anyone can set up a WLAN in a matter of minutes with less than $100 worth of equipment. This widespread use of wireless networks means that there may be dozens of potential network intruders lurking within range of your office WLAN.

Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:

1. Secure Your Wireless Administration Interface

Almost all routers and access points have an administrator password that’s needed to log into the device and modify any configuration settings. Most devices use a weak default password like “password” or the manufacturer’s name, and some don’t have a default password at all. As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings, which will wipe away any configuration changes you’ve made.

2. Don’t Broadcast the SSID

Most WLAN access points and routers automatically (and continually) broadcast the network’s name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient since you can locate a WLAN without having to know what it’s called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by (though it will still be detectable by WLAN “sniffers”).

3. Enable WPA Encryption Instead of WEP

802.11’s WEP (Wired Equivalency Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren’t limited to 0-9 and A-F as they are with WEP. WPA support has been built into Windows since XP.


4. Remember That WEP is Better Than Nothing

If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices, such as media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because, in spite of its flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don’t use an encryption key that’s easy to guess like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often — preferably every week.

5. Use MAC Filtering for Access Control

Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be “spoofed” (imitated) by a knowledgeable person, so while it’s not a guarantee of security, it does add another hurdle for potential intruders to jump.
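
An added example, not part of the original eBook: keeping a MAC filter list accurate means reconciling it with the clients the access point actually sees, which is also the wireless side of the device-inventory control listed earlier in this eBook. The addresses, the input lists and the report field names below are constructed for illustration.

```python
# Added example (not from the eBook): compare the MAC filter list on an
# access point with the clients it reports. All addresses are constructed.
import re

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text):
    """Reduce 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to the
    same 12 lower-case hex characters; raise ValueError for anything else."""
    digits = _SEPARATORS.sub("", text).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError("not a MAC address: %r" % (text,))
    return digits


def is_software_assigned(mac):
    """True when the locally-administered bit (0x02 of the first octet) is
    set, meaning the address was chosen by software rather than burned in."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(allowlist, seen):
    """Return a report of discrepancies between the filter list and the
    addresses the access point has observed.

    A cloned allowlisted address passes this audit unnoticed, which is why
    MAC filtering is a hurdle and not a guarantee.
    """
    allowed = {normalize_mac(entry) for entry in allowlist}
    observed, unauthorized, software, malformed = set(), set(), set(), []
    for entry in seen:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            malformed.append(entry)      # keep the raw text for follow-up
            continue
        observed.add(mac)
        if mac not in allowed:
            unauthorized.add(mac)
        if is_software_assigned(mac):
            software.add(mac)
    return {
        "unauthorized": sorted(unauthorized),       # seen, not on the list
        "software_assigned": sorted(software),      # randomized or hand-set
        "stale": sorted(allowed - observed),        # listed, never seen
        "malformed": malformed,
    }


# Constructed inputs: the filter list as typed into the router, in the mixed
# notations different vendors print, and the client table read back from it.
ALLOWLIST = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f", "00:1A:2B:3C:4D:60"]
SEEN = ["00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:99", "02:00:5E:10:00:01",
        "not-a-mac"]

if __name__ == "__main__":
    for field, values in audit(ALLOWLIST, SEEN).items():
        print(field, values)
```

Stale entries matter as much as unauthorized ones: every unused address left on the list is one more value an intruder can imitate without colliding with a live client.
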

6. Reduce Your WLAN Transmitter Power

You won’t find this feature on all wireless routers and access points, but some allow you to lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it’s usually impossible to fine-tune a signal so precisely that it won’t leak outside your home or business, with some trial-and-error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN.

7. Disable Remote Administration

Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it’s best to keep remote administration turned off. (It’s usually turned off by default, but it’s always a good idea to check.)


If you’ve ever Googled “Wi-Fi security,” (or you’ve been reading this eBook) you probably have the basics down: don’t use WEP, use WPA or WPA2; disable SSID broadcasting; change default settings. If you’re looking for more advanced security tips for your WLAN, consider the following five tips for bringing enterprise-level protection to even the smallest of networks.

1. Move to Enterprise Encryption

If you created a WPA or WPA2 encryption key of any type and must enter it when connecting to the wireless network, you are only using the Personal or Pre-shared key (PSK) mode of Wi-Fi Protected Access (WPA). Business networks — no matter how small or big — should be protected with the Enterprise mode, which adds 802.1X/EAP authentication to the wireless connection process. Instead of entering the encryption key on all the computers, users would log in with a username and password. The encryption keys are derived securely in the background and are unique for each user and session.

This method provides central management and overall better Wi-Fi security.

Instead of loading the encryption keys onto computers where employees and other users can recover them, each user logs into the network with their own account when using the Enterprise mode. You can easily change or revoke access when needed. This is especially useful when employees leave the company or a laptop is stolen. If you’re using the Personal mode, you’d have to manually change the encryption keys on all the computers and access points (APs).

The special ingredient of the Enterprise mode is a RADIUS/AAA server. This communicates with the APs on the network and consults the user database. Consider using the Internet Authentication Service (IAS) of Windows Server 2003 or the Network Policy Server (NPS) of Windows Server 2008. If you want to go vendor-neutral, try the popular open source server, FreeRADIUS. If you find setting up an authentication server requires more money and/or expertise than you have, consider using an outsourced service.

2. Verify Physical Security

Wireless security isn’t all technical. You can have the best Wi-Fi encryption, but have someone plugging into an Ethernet port that’s in plain sight. Or someone could come by and hold in the reset button of an access point, restoring it to factory defaults and leaving your network wide open.

Make sure all your APs are well out of the reach of the public and out of sight from employees too. Instead of sitting an AP on a desk, mount it on the wall or ceiling — better yet, put them above a false ceiling.

Five Advanced Wi-Fi Network Security Tips

By Eric Geier


You might consider mounting the APs out of sight and installing external antennas where you’ll get the most signal. This will let you confine the AP even more while taking advantage of the increased range and performance of an aftermarket or higher gain antenna.

APs aren’t the only piece of equipment to be worried about. All networking components should be secured. This even includes Ethernet cabling. Though it might be a little farfetched to some, a determined hacker could cut an Ethernet cable to tap into the line.

Along with mounting, you should keep track of the APs. Create a spreadsheet logging the AP models used along with the MAC and IP addresses, and note where the APs are located. This way you know exactly where the APs should be when performing inventory checks or when tracking down a problem AP.

3. Set Up an Intrusion Detection/Prevention System (IDS/IPS)

These systems usually consist of a software program that uses your wireless adapter to sniff the Wi-Fi signals for problems. They detect rogue APs, whether a new AP is introduced to the network or an existing one is reset to defaults or doesn’t match a set of standards you’ve defined. These systems also analyze the network packets to see if someone might be using a hacking or jamming technique.

There are many different intrusion detection and prevention systems out there that use a variety of techniques. Open source or free options include Kismet and Snort. Commercial products are also available from vendors, such as AirMagnet, AirDefense, and AirTight.
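The AP inventory spreadsheet from tip 2 can serve as the baseline for the rogue-AP and reset-to-defaults checks described in tip 3. The following Python is an added example, not part of the original eBook or of any product named above; the column names, MAC addresses, SSIDs and survey rows are constructed for illustration.

```python
import csv
import io

# Constructed inventory in the spreadsheet layout tip 2 describes (model, MAC,
# IP, location), plus the SSID and security standard each AP must meet.
INVENTORY_CSV = """model,mac,ip,location,ssid,security
ExampleAP-100,00-11-22-AA-BB-01,192.0.2.11,Lobby ceiling,CorpNet,WPA2-Enterprise
ExampleAP-100,00:11:22:aa:bb:02,192.0.2.12,2nd floor east,CorpNet,WPA2-Enterprise
ExampleAP-200,0011.22aa.bb03,192.0.2.13,Warehouse,CorpNet,WPA2-Enterprise
"""

# Constructed survey rows (BSSID, SSID, security) as a wireless sensor might report them.
SCAN = [
    ("00:11:22:AA:BB:01", "CorpNet", "WPA2-Enterprise"),  # matches the inventory
    ("00:11:22:AA:BB:02", "default", "Open"),             # known AP, reset to defaults
    ("66:77:88:99:00:11", "CorpNet", "WPA2-Personal"),    # unlisted BSSID using our SSID
    ("66:77:88:99:00:22", "CoffeeShop", "Open"),          # neighbouring network
]

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex characters."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 12-character MAC address: {mac!r}")
    return digits

def load_inventory(text):
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def audit_aps(inventory, scan):
    corp_ssids = {r["ssid"] for r in inventory.values()}
    seen, findings = set(), []
    for bssid, ssid, security in scan:
        mac = norm_mac(bssid)
        seen.add(mac)
        known = inventory.get(mac)
        if known is None:
            if ssid in corp_ssids:
                findings.append(("rogue-ap", mac, f"unlisted BSSID advertising {ssid}"))
            continue  # unrelated neighbouring network
        if (ssid, security) != (known["ssid"], known["security"]):
            findings.append(("config-drift", mac, f"{known['location']}: {ssid}/{security}"))
    for mac in sorted(inventory.keys() - seen):
        findings.append(("missing-ap", mac, inventory[mac]["location"]))
    return findings

if __name__ == "__main__":
    for finding in audit_aps(load_inventory(INVENTORY_CSV), SCAN):
        print(*finding, sep="\t")
```

An unlisted AP that uses a different SSID is not caught by this comparison; finding it takes a check on the wired side as well.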

4. Create Wireless Usage Policies

Along with other general computer usage guidelines, you should have a specific set of policies for Wi-Fi access that should at least include the following items:

 • List devices authorized to access the wireless network: It’s best to deny all devices and explicitly allow each desired device by using MAC address filtering on the network router. Though MAC addresses can be spoofed, this provides reasonable control of which devices employees are using on the network. A hard copy of all approved devices and their details should be kept to compare against when monitoring the network and for inputting into intrusion detection systems.

 • List of personnel authorized with Wi-Fi access to the network: This could be regulated when using 802.1X authentication (WPA/WPA2-Enterprise) by only creating accounts in the RADIUS server for those who need Wi-Fi access. If 802.1X authentication is also being used on the wired side, you should be able to specify whether users receive wired and/or wireless access by modifying the Active Directory or using authorization policies on the RADIUS server itself.

 • Rules on setting up wireless routers or APs: For example, that only the IT department can set up more APs, so employees don’t just plug in an AP from home to extend the signal. An internal rule for the IT department might cover defining acceptable equipment models and configuration.

 • Rules on using Wi-Fi hotspots or connecting to home networks with company devices: Since the data on a device or laptop can be compromised and the Internet activity be monitored on unsecured wireless networks, you may want to limit Wi-Fi connections to only the company network. This could be controlled by imposing network filters with the Network Shell (netsh) utility in Windows. Alternatively, you could require a VPN connection back to the company network to at least protect the Internet activity and to remotely access files.
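Both MAC-filtering passages (tip 5 of the simple wireless tips and the approved-device list in the policy above) note that MAC addresses can be spoofed, so the approved list is worth comparing against what actually associates. The following Python is an added example, not from the original eBook: it checks a constructed association log against a constructed approved list. The device names, addresses, AP names and the 30-second window are all assumptions.

```python
import re

# Constructed approved-device list (the policy's hard copy), MAC -> owner.
APPROVED = {"00-1A-2B-3C-4D-5E": "alice-laptop", "001a.2b3c.4d5f": "bob-laptop"}

# Constructed association log: (time in seconds, AP name, client MAC as logged).
ASSOCIATIONS = [
    (100, "ap-lobby", "00:1a:2b:3c:4d:5e"),
    (105, "ap-floor2", "00:1A:2B:3C:4D:5F"),
    (110, "ap-warehouse", "00:1a:2b:3c:4d:5e"),  # approved MAC on a second AP 10 s later
    (120, "ap-lobby", "de:ad:be:ef:00:01"),      # not approved, software-assigned
    (130, "ap-lobby", "00:1a:2b:3c:4d:60"),      # not approved
]

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex characters."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 12-character MAC address: {mac!r}")
    return digits

def locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set: the address was
    assigned in software, not burned in by the adapter's manufacturer."""
    return bool(int(norm_mac(mac)[:2], 16) & 0x02)

def audit_clients(approved, associations, window=30):
    allow = {norm_mac(m) for m in approved}
    last_seen, findings = {}, []
    for ts, ap, raw in associations:
        mac = norm_mac(raw)
        if mac not in allow:
            kind = "unapproved-software-mac" if locally_administered(mac) else "unapproved"
            findings.append((kind, mac, ap))
            continue
        prev = last_seen.get(mac)
        # Same approved MAC on two APs within `window` seconds: a cloned
        # address or fast roaming; either way it deserves a look.
        if prev and prev[1] != ap and ts - prev[0] <= window:
            findings.append(("possible-clone", mac, f"{prev[1]} and {ap}"))
        last_seen[mac] = (ts, ap)
    return findings
```

A locally administered address is not proof of spoofing, since virtual adapters and privacy features also set that bit; it only shows the address is not a factory-assigned one.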

5. Use SSL or IPsec on Top of Wi-Fi Encryption

Though you might be using the latest and greatest Wi-Fi encryption (on Layer 2 of the OSI model), consider implementing another encryption mechanism, such as IPSec (on Layer 3 of the OSI model). In addition to providing double encryption on the wireless side, it can secure the wired communication too. This would prevent eavesdropping from employees or outsiders tapping into an Ethernet port.