Wednesday, June 16, 2010
How to secure your wifi
How To Secure Your Wifi
I told you earlier that the final episode of my wifi series is yet to come and that is the most important part of this series as this will tell you how to secure the wifi connections of everybody.
So lets go to that part:-
Wi-fi implementations vary from one application area to another. Like Home to Enterprise to Public Hotspots.
The Above Table summarises the minimum requirements that need to meet in each case in order to ensure adequate security.
I shall explain the terms very briefly to make this table meaningful to the users. Interested users may google these terms to get further detail very easily.
MAC Binding: This technology is used to allow only MAC addresses of few known devices to associate with the Access Point. This is suitable for very small sized network and is not scalable. Also this is prone to MAC spoofing attack.
Hide SSID: SSID is the identification string of a wi-fi network. The default behaviour of any access point is to broadcast SSID in beacon. This helps the users to easily identify the networks available to them. Wireless best practice guidelines suggests to hide SSID so that it is not visible through casual attempts to locate a wi-fi network. However there are plenty of scanners available those can detect hidden SSIDs.
Captive Portal: This is an authentication portal which is kept captive either inside the access point or any user authentication system. If this is implemented, whenever a user tries to use the wi-fi network for internet browsing for the first time, he is challenged with this portal by automatically redirecting his URL request in browser to the authentication portal page. On successful authentication, the originally requested URL is returned to the user's browser and access to the network is granted. However on failure access to the network is denied.
WPA2-PSK: Discussed earlier.
WPA2-802.1x: Discussed earlier. 802.1x implementation would require a RADIUS server and optional directory databases like LDAP/Active Directory/NDS etc.
SSL: SSL in this context is a PKI mechanism clubbed with 802.1x. This will require the presence of one or more digital certificate servers. This is applicable to different variants of EAP authentication - EAP/TLS, PEAP,LEAP etc.
SMS Auth: TRAI has mandated that in any public hotspot the owner must architect the user authentication process to prove the identification of the user against a photo identity card. Now an indirect process of complying this is SMS Auth. In this process an access PIN is system generated and consequently system delivered to the User’s mobile phone number upon successful user authentication. Now this indirectly takes care of the user’s identity verification against any valid photo-identity proof because the same has been done before this mobile phone number was allotted against the user’s name by the service provider.
Logging: Logging is a Facility to generate data and record the same to identify who with what MAC address and IP address had associated with which access point when for what duration. Most of the access points would generate such data. It is not a good idea to store the log data in the device itself. This will allow a hacker to remove all the traces of work very easily. It is required that the logs be stored on a Syslog server.
LWAP: Light Weight Access Points are APs those do not store the configurations locally on the devices. Rather the configurations are done and maintained in a central device called Controller. These are particularly required in a large wi-fi network. Centralised configuration ensures tight security policy enforcement all across.
AAP: Autonomous access points store configurations locally. These should be used in homes and very small office networks only.
I think it will be very helpful for you and please don't forget to say thanks to my friend Sudipto.