Read here and below:
http://reviews.cnet.com/4520-6603_7-5023845-1.html
1. Control your broadcast area. Many wireless APs (access points) let you adjust the signal strength; some even let you adjust signal direction. Begin by placing your APs as far away from exterior walls and windows as possible, then play around with signal strength so you can just barely get connections near exterior walls. This isn't enough, though. Sensitive snooping equipment can pick up wireless signals from an AP at distances of several hundred feet or more. So even with optimal AP placement, the signal may leak. Keep reading.
2. Lock each AP. A lot of people don't bother changing the defaults on their APs, and maintaining the default administrator password (like admin for Linksys products) makes your system a good target. Use a strong password to protect each AP. For tips on creating substantial passwords, go to
www.pcmag.com/passwords and click on Password Dos and Don'ts
3. Ban rogue access points. If an AP is connected to your home or office network, make sure you or the network administrator put it there. Bob in Accounting isn't likely to secure his rogue AP before he connects it. Free software like NetStumbler (
www.netstumbler.com) lets you sweep for unauthorized APs.
4. Use 128-bit WEP. Passively cracking the WEP (Wired Equivalent Privacy) security protocol is merely a nuisance to a skilled hacker using Linux freeware. Still, the protocol does at least add a layer of difficulty.
5. Use SSIDS wisely. Change the default Service Set Identifiers (SSIDs) for your APs, and don't use anything obvious like your address or company name. For corporate setups, buy APs that let you disable broadcast SSID. Intruders can use programs such as Kismet (
www.kismetwireless.net) to sniff out SSIDs anyway (by observing 802.11x management frames when users associate with APs), but again, every bit of inconvenience helps.
6. Limit access rights. Chances are, not everyone in your building needs a wireless card. Once you determine who should take to the airwaves, set your APs to allow access by wireless cards with authorized MAC addresses only. Enterprising individuals can spoof MAC addresses, however, which brings us to the next tip.
7. Limit the number of user addresses. If you don't have too many users, consider limiting the maximum number of DHCP addresses the network can assign, allowing just enough to cover the users you have. Then if everyone in the group tries to connect but some can't, you know there are unauthorized log-ons.
8. Authenticate users. Install a firewall that supports VPN connectivity, and require users to log on as if they were dialing in remotely. The Linksys BEFSX41 router ($99 list) is a great choice for this. Tweak the settings to allow only the types of permissions that wireless users need.
As a side benefit, VPNs help prevent users from being fooled by malicious association attacks. In this type of assault, the perpetrator sets up a machine that pretends to be an authorized AP, in the hope that someone will be tricked into logging on. If you connect to an AP and don't get the VPN log-on prompt you expect, you know something's amiss.
9. Use RADIUS. Installing a RADIUS server provides another authentication method. The servers tend to be expensive, but there are open-source options, such as FreeRADIUS (
www.freeradius.org), for UNIX-savvy administrators.
10. Call in the big boys. If you have billion-dollar secrets to protect, such as the formula to Coca-Cola, you should have wireless-dedicated hardware security in place. For instance, AirDefense (
www.airdefense.net) is a server appliance that connects to sensors placed near APs. The system monitors activity and protects all traffic on your wireless LAN—but it doesn't come cheap. Prices start at $10,000 and can reach $100,000 depending on the number of sensors needed.
