Secure Wireless for Business

I was working with a client yesterday.  The IT guy that they employ had set up three access points around the office.  He’d created three SSIDs and three separate WEP keys.

So, not everyone out there knows everything about wireless.

He wanted a way to roll out WEP keys in a script - like a login script.  Never mind that the laptops won’t get the login script if they’re not associated with the network….

So, I bite: “Why do you need to roll out WEP keys with a script?” I then get the long and detailed description of a wireless network that’s an administrator’s nightmare.

So here we go kids: if you are running out of range, the solution is NOT a more “powerful” access point.  First off, if you’re buying your access points from Best Buy or Circuit City, please let me know so I can come by your office and steal all your information.  Second, the solution to wireless coverage is more access points - not repeaters, antennas, or more “powerful” access points.

If you have a building, you need to ensure that you have one access point for roughly every 1000 square feet.  Now, some may see that and think I’m crazy - wireless can reach 100 feet and that can cover 30,000 square feet!  Mind you, it probably can, in a warehouse with one laptop.  Two things here: wireless never ever goes as far as you think it does, and the point with wireless is that you want saturation.  This is because even the most robust access points can only support 10-12 devices at any one time.

Some may see that and still think I’m crazy.  The fact is this, 54 megabit-per-second 802.11g (with which we’re all familiar) runs at a 54 megabit signaling rate - NOT actual bandwidth.  802.11g provides roughly 22 megabits of actual network throughput.  Go ahead - try it yourself.  With 10 associated users, everyone gets about 2 meg, which is fine for Internet access, but network applications will die.

More access points not only provide a stronger, more saturated signal, but they have the added benefit of providing more bandwidth for users.  One 802.11g access point has 22 megs of available bandwidth, while two access points have 44 megs - twice as much bandwidth because you have twice as many access points!

The analogy is very simple: an access point is a switchport on a network switch.  Having one access point is like hanging an eight-port switch off of a wall jack - everyone on that small switch competes for the one switchport back at the equipment rack.  Not a good idea.  So say to your access points, “be fruitful - and multiply!”

Next, make sure that all of your access points have the same SSID!!!  Yes, this is a correct configuration and you can do it!  Wireless clients are designed to detect one SSID and multiple MAC addresses of a group of access points that all have the same SSID - so DO THIS!  Save yourself, and me, the headache.

Finally, here are pointers for securing your network - which you absolutely need to do or I will steal all your data:

1. Do NOT use MAC filters.  They provide a false sense of security and they’re a pain to administer.  Banish this technique from your mind.  I can - and have - connected to MAC filtered networks in under 20 seconds.  Cain & Abel, and etherchange - look them up.  You CAN change your MAC address on your wireless card with great ease - at that point, you have circumvented what some people use as their only line of defense.

2. WEP is crackable.  Easily crackable.  Don’t use it - you’re inviting attack if you do.  Simply don’t use it.  Get rid of devices that do not support higher-grade authentication, or if you must use older WEP-only devices, create a second SSID and tie it to a separate VLAN that is isolated on your network.  If you don’t know how to do this, CALL ME for a consultation: www.orbistechnology.com.

3. WPA is crackable.  It’s better than the above options, but if you’re a business - especially a hospital or a bank - you simply can’t rely on WPA or WPA2 - it’s not secure.

4. Get Elektron RADIUS from Periodik Labs.  Yes, it’s pricey but remember that you get what you pay for.  That $60 Linksys access point with WPA2 - you want to run your credit card over THAT connection?  Let me know when and where you’ll be - I’ll be sniffing your bank account and email in no time.  $750 is dirt cheap security.  It provides point-and-click configuration, dead simple administration, it works with Active Directory, yadda yadda.  Get it - it is the best wireless security solution bar none.
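As an added illustration (not from the original post, which recommends Elektron RADIUS rather than any particular access point software), here is what points 2 and 4 look like in a hostapd configuration: the main SSID, shared by every access point, authenticates each client against a RADIUS server over 802.1X, while WEP-only stragglers get their own SSID bridged into an isolated VLAN.  Interface and bridge names, the RADIUS address and the secrets are placeholders.

```ini
# Added example: hostapd.conf for one access point.
# Interface names, bridges, the RADIUS address and all secrets are
# assumed placeholders; substitute your own.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- Main BSS: every access point in the building uses this same SSID,
# so clients roam between them without reconfiguration ---
ssid=OfficeWiFi
bridge=br-corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# 802.1X: each association is authenticated by the RADIUS server
# (per-user credentials, e.g. Active Directory accounts), so there is
# no shared key to leak or to push out to laptops with a script.
ieee8021x=1
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# --- Second BSS for WEP-only legacy devices ---
# br-legacy carries only the quarantined VLAN; nothing on it reaches
# br-corp unless a firewall rule on the router explicitly allows it.
# Treat this SSID as hostile and retire the devices on it as soon as
# you can (newer hostapd builds omit WEP support entirely).
bss=wlan0_1
ssid=OfficeLegacy
bridge=br-legacy
auth_algs=1
wep_default_key=0
# Placeholder 13-character ASCII key; WEP is only here for isolation
# of devices that cannot do anything better.
wep_key0="REPLACEME1234"
```

The two bridges map to two VLANs on the wired side, so a compromised WEP key only ever yields access to the quarantined segment.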
