There are many different intrusion detection and prevention systems out there that use a variety of techniques. Open source or free options include Kismet and Snort. Commercial products are also available from vendors such as AirMagnet, AirDefense, and AirTight.
#4 Create wireless usage policies
Along with other general computer usage guidelines, you should have a
specific set of policies for Wi-Fi access, which should at least include the following
items:
- List devices authorized to access the wireless network: It's best
to deny all devices and explicitly allow each desired device by using MAC
address filtering on the network router. Though MAC addresses can be
spoofed, this provides reasonable control of which devices employees are
using on the network. A hard copy of all approved devices and their details
should be kept to compare against when monitoring the network and for
inputting into intrusion detection systems.
- List of personnel authorized for Wi-Fi access to the network:
This can be regulated when using 802.1X authentication (WPA/WPA2-Enterprise)
by creating accounts in the RADIUS server only for those who need Wi-Fi
access. If 802.1X authentication is also being used on the wired side, you
should be able to specify whether users receive wired and/or wireless access
by modifying Active Directory or by using authorization policies on the
RADIUS server itself.
- Rules on setting up wireless routers or APs: For example, only the IT
department may set up additional APs, so employees don't simply plug in
an AP from home to extend the signal. An internal rule for the IT department might cover acceptable equipment models and configuration.
- Rules on using Wi-Fi hotspots or connecting to home networks with
company devices: Since the data on a device or laptop can be compromised
and its Internet activity monitored on unsecured wireless networks, you
may want to limit Wi-Fi connections to only the company network. This could
be enforced by imposing network filters with the Network Shell (netsh)
utility in Windows. Alternatively, you could require a VPN connection back
to the company network to at least protect the Internet activity and to
remotely access files.
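The first policy item above says to keep a record of approved devices and compare it against what monitoring and intrusion detection see on the network. The following is an added example, not code from the article or from any of the products it names, of that comparison: it parses association events from a constructed AP log, normalizes MAC address formats, and flags any client that is not on the approved-device list. The log line format, the device inventory, and the MAC addresses are all constructed for illustration; a real AP or controller logs differently, so the regular expression is the part to adapt. As the article notes, MAC addresses can be spoofed, so a match against this list is a control on inventory, not proof of identity.

```python
"""Compare observed wireless associations against the approved-device list.

Added example (not from the article). The log format and the MAC addresses
below are constructed for illustration; real APs and controllers log
differently, so adapt ASSOC_RE to your own source.
"""
import re
from dataclasses import dataclass

# Constructed approved-device inventory (the "hard copy" kept by IT),
# keyed by normalized MAC address (lowercase, colon-separated).
APPROVED_DEVICES = {
    "00:11:22:33:44:55": {"owner": "alice", "asset": "LAPTOP-0117"},
    "66:77:88:99:aa:bb": {"owner": "bob", "asset": "TABLET-0042"},
}

# Constructed sample log lines in a made-up AP syslog style. Note the
# second line uses hyphen-separated uppercase hex, as some vendors do.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ap-floor2 assoc client=00:11:22:33:44:55 ssid=CorpNet
2024-05-01T09:00:07 ap-floor2 assoc client=66-77-88-99-AA-BB ssid=CorpNet
2024-05-01T09:02:13 ap-lobby assoc client=de:ad:be:ef:00:01 ssid=CorpNet
2024-05-01T09:02:14 ap-lobby deauth client=de:ad:be:ef:00:01 ssid=CorpNet
not a valid line
"""

# Matches only association events; deauth and malformed lines are ignored.
ASSOC_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+assoc\s+"
    r"client=(?P<mac>[0-9A-Fa-f:-]{17})\s+ssid=(?P<ssid>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Lowercase, colon-separated form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class Association:
    timestamp: str
    ap: str
    mac: str
    ssid: str


def parse_associations(log_text: str) -> list[Association]:
    """Extract association events from the log; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ASSOC_RE.match(line)
        if m:
            events.append(
                Association(m["ts"], m["ap"], normalize_mac(m["mac"]), m["ssid"])
            )
    return events


def find_unapproved(events, approved=APPROVED_DEVICES) -> list[Association]:
    """Return the association events whose client MAC is not on the approved list."""
    return [e for e in events if e.mac not in approved]


def main():
    events = parse_associations(SAMPLE_LOG)
    for e in find_unapproved(events):
        print(f"ALERT unapproved client {e.mac} on {e.ap} "
              f"ssid={e.ssid} at {e.timestamp}")


if __name__ == "__main__":
    main()
```

Running the script on the constructed log prints one alert, for the client on ap-lobby that is absent from the inventory. The normalization step matters in practice: if the inventory is typed in one format and the AP logs in another, every approved device would be reported as unapproved.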
#5 Use SSL or IPsec on top of Wi-Fi encryption
Though you might be using the latest and greatest Wi-Fi encryption (at Layer
2 of the OSI model), consider implementing another encryption mechanism, such as
IPsec (at Layer 3 of the OSI model). In addition to providing double encryption
on the wireless side, it can secure the wired communication too. This would
prevent eavesdropping by employees or outsiders tapping into an Ethernet port.
Eric Geier is the author of many networking and computing
books for brands like For Dummies and Cisco Press.