Wireless Security Policy

Written by Hazrul Aaron; published May 2007.



The first step in deploying and securing a corporate wireless network is designing a proper wireless security policy. The best source of information on writing a detailed and formal wireless security policy is the Appendix of the Official CWSP Guide. Here we concentrate on what the wireless security policy must cover and on some specific technical aspects it should reflect.

1 Device Acceptability, Registration, Update, and Monitoring

Because of backward compatibility features, a WLAN is only as secure as its least secure client. If you rely on Layer 2 802.11 security features such as WEPPlus or (in the future) 802.11i, you have to ensure that every device on the network supports these features.

If some form of MAC address filtering or RADIUS-based MAC authentication is employed, then a database of all wireless clients' MAC addresses must be maintained and updated in a timely manner.

When new security features are implemented in new firmware releases, the firmware updates across the network have to be synchronized. Hosts that are not updated should be denied network access.

Finally, when authentication is device-based, perhaps the easiest way to gain access to the WLAN is to steal or find a client device. Thus, every lost or stolen device should be reported to the security system administrator and denied network access immediately.
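As an added illustration of the registration, firmware-update and lost-device rules in this section (example code, not from the article or the CWSP Guide), the following Python models the client database that a RADIUS-based MAC authorization backend would consult; the minimum firmware version, owners and addresses are constructed. As section 6 stresses, a MAC-based check remains a baseline measure, not a substitute for 802.1x.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed minimum client firmware required to support the WLAN's mandated
# Layer 2 security features (hypothetical version number).
MIN_FIRMWARE = (2, 1, 0)

@dataclass
class Client:
    mac: str
    owner: str
    firmware: Tuple[int, int, int]
    lost_or_stolen: bool = False

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form: '00-11-..' and '0011.2233.4455' cannot
    slip past a lookup keyed on a different spelling of the same address."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_registry(clients: Iterable[Client]) -> Dict[str, Client]:
    """Registry keyed on normalized MACs, so every lookup uses one spelling."""
    return {normalize_mac(c.mac): c for c in clients}

def authorize(registry: Dict[str, Client], mac: str) -> Tuple[bool, str]:
    """Unregistered, reported lost/stolen, or outdated firmware: deny, with reason."""
    try:
        client = registry.get(normalize_mac(mac))
    except ValueError as exc:
        return False, str(exc)
    if client is None:
        return False, "unregistered device"
    if client.lost_or_stolen:
        return False, f"device reported lost or stolen (owner: {client.owner})"
    if client.firmware < MIN_FIRMWARE:
        return False, "firmware below required level; update before access"
    return True, "ok"

def report_lost(registry: Dict[str, Client], mac: str) -> None:
    """A lost/stolen report revokes access immediately, not at the next audit."""
    registry[normalize_mac(mac)].lost_or_stolen = True

# Constructed sample registry (hypothetical owners, addresses and versions).
REGISTRY = build_registry([
    Client("00:11:22:33:44:55", "alice", (2, 1, 0)),
    Client("00:11:22:33:44:66", "bob", (1, 9, 4)),
    Client("00:11:22:33:44:77", "carol", (2, 2, 0), lost_or_stolen=True),
])
```

The reason string is meant to go into the authentication log so that a denied association is attributable to a policy rule rather than a silent failure.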

2 User Education and Responsibility

Users should be informed about the contents of the corporate security policy and the basics of using the security features employed (so that they don't turn them off by accident). They should also be encouraged to report any lost or stolen devices immediately. The same applies to any unfamiliar devices the users might find by accident (e.g., a USB wireless client plugged into one of the machines on the LAN, or a PDA of unknown origin). Unauthorized installation of any wireless device by users, including Bluetooth clients, must be strictly prohibited. Corporate users should also be told not to lend wireless-enabled hosts to others and to avoid leaving them unattended.

Users should know the approximate physical limit of the network coverage zone and avoid connecting to the corporate WLAN from a distance exceeding this limit. This might help reduce "near-far" and "hidden node" RF problems.

As part of a more general corporate security policy, users should be informed about social engineering attacks and instructed not to disclose information about the network to potential attackers. Such information includes 802.1x authentication credentials, secret keys, closed ESSIDs, the positioning of access points, and physical network boundaries.

When running a public hotspot, make sure that a disclaimer outlining the rules of user behavior defined by the security policy is presented to all connecting parties first. Users should be required to click to agree with the disclaimer before proceeding any further. This simple measure can save you from a lot of legal trouble if the hotspot is abused by irresponsible users launching attacks or downloading illicit materials.

3 Physical Security

Access points, wireless bridges, antennas, and amplifiers should be positioned and mounted in such a way as to prevent theft or damage. Security guards should be aware of the outdoor equipment position and informed about wireless equipment appearance and the possibility of attacks. They should be able to spot a suspicious car with an antenna in a company parking lot or an attacker with a laptop on the bench next to the corporate offices.

4 Physical Layer Security

The EIRP must be within the legal power output range. A reasonable emission power level should be used to keep the network from spreading far beyond its useful boundaries. The antenna's position should be chosen to confine the signal to the necessary coverage areas. If needed, parabolic reflectors can be used to block wireless signal propagation in undesirable directions. Finally, all sources of interference should be checked and, where possible, eliminated.

5 Network Deployment and Positioning

The deployment of several access points on the WLAN increases the network resilience to DoS and man-in-the-middle attacks, besides providing additional fallback bandwidth.

The WLAN should be on a different broadcast domain from the wired LAN. Where multiple access points are linked to different switches, VLANs should be used and all APs placed on the same VLAN if possible. A wireless-to-wired gateway should ensure proper network separation, support the implemented authentication and data encryption features, and itself be resilient to attack.

6 Security Countermeasures

WLAN ESSIDs should not contain any useful information about the corporation and access points. Baseline security measures such as WEP and closed ESSIDs should be used. MAC address filtering should be used when applicable. This includes restricting clients' association to the corporate access points by the AP address (BSSID). Protocol filtering could be used if available or applicable.

Baseline security measures should not be relied on for WLAN protection. Further security safeguards, including 802.1x and VPNs, should be implemented. Their choice and implementation procedure should be thoroughly documented and maintenance responsibility assigned. If proprietary security features such as improvements to WEP are relied on, their effectiveness must be verified by an external security auditor before the production deployment stage. The WEP key rotation interval should be verified and documented.

A proper password security policy for wireless access should be ensured, and the baseline for secure password and secret key selection should be enforced. No unnecessary protocols should traverse the WLAN, and use of shared resources (e.g., NFS) across the WLAN should be restricted.

7 Network Monitoring and Incident Response

Network operations must be monitored and baselined. All significant deviations from the baseline must be addressed and documented. A wireless-specific IDS should be deployed and integrated with the centralized logging system. If the network is large and multiple access points are deployed, remote IDS sensors should be used to ensure complete network monitoring. Responsibility for monitoring both logs and IDS alarms should be assigned and maintained. Secure log storage should be provided in accordance with the general corporate security policy.

Any case of intrusion should be identified, verified, confirmed, and documented. An incident response team consisting of preassigned specialists should be assembled and must take immediate action, which must include a report to the appropriate legal authorities. All evidence discovered (including logs, penetrated hosts, rogue wireless devices, or other devices left by attackers or confiscated from them) should be handled with extreme care so that the chain of custody is not broken. Ensure that your incident response team is familiar with the local rules and regulations for evidence handling.
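An added example (not from the article) of the baselining and rogue-device checks this section and the audit list in section 8 call for: it parses constructed wireless-IDS lines in a hypothetical syslog-like format, reports any AP beaconing the corporate ESSID from a BSSID that is not a registered access point, and flags intervals in which the deauthentication frame count exceeds the baseline learned from earlier intervals. The log format, the authorized BSSID list and the ESSID are all assumptions.

```python
import re
import statistics
from typing import Dict, List, Tuple

AUTHORIZED_BSSIDS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"}  # constructed
CORP_ESSID = "corp-wlan"                                         # constructed
# Constructed wireless-IDS feed (hypothetical syslog-like format): one line per
# event per one-minute interval; 'count' is deauthentication frames observed.
LOG_LINES = """\
2007-05-10T09:00 beacon bssid=00:0c:41:aa:bb:01 essid=corp-wlan
2007-05-10T09:00 deauth bssid=00:0c:41:aa:bb:01 count=2
2007-05-10T09:01 deauth bssid=00:0c:41:aa:bb:01 count=3
2007-05-10T09:02 deauth bssid=00:0c:41:aa:bb:01 count=2
2007-05-10T09:03 deauth bssid=00:0c:41:aa:bb:01 count=4
2007-05-10T09:04 deauth bssid=00:0c:41:aa:bb:01 count=3
2007-05-10T09:05 beacon bssid=00:13:46:de:ad:01 essid=corp-wlan
2007-05-10T09:05 deauth bssid=00:0c:41:aa:bb:01 count=57
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) bssid=(?P<bssid>[0-9a-f:]{17})"
                     r"(?: essid=(?P<essid>\S+))?(?: count=(?P<count>\d+))?$")

def parse(lines: List[str]) -> List[Dict[str, object]]:
    """Strict parse of the feed; a line that does not match is dropped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"]) if d["count"] else 0
            events.append(d)
    return events

def rogue_aps(events) -> List[str]:
    """BSSIDs beaconing the corporate ESSID that are not registered access points."""
    return sorted({e["bssid"] for e in events if e["event"] == "beacon"
                   and e["essid"] == CORP_ESSID and e["bssid"] not in AUTHORIZED_BSSIDS})

def deauth_anomalies(events, baseline_intervals: int = 5, k: float = 3.0) -> List[Tuple[str, int, float]]:
    """Flag intervals whose deauth count exceeds mean + k*sd of the baseline (sd floored at 1)."""
    per_interval: Dict[str, int] = {}
    for e in events:
        if e["event"] == "deauth":
            per_interval[e["ts"]] = per_interval.get(e["ts"], 0) + e["count"]
    ordered = sorted(per_interval.items())
    base = [c for _, c in ordered[:baseline_intervals]]
    if len(base) < 2:
        return []  # too little history to call anything a deviation
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), 1.0)
    return [(ts, c, threshold) for ts, c in ordered[baseline_intervals:] if c > threshold]
```

Both results are meant to be written to the central log so that the deviation and the rogue BSSID are documented, as the policy requires, before anyone acts on them.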

8 Network Security and Stability Audits

Corporate wireless security audits should be performed on a regular basis by external professionals with an established reputation in the field and the appropriate specialization and industry accreditations. Network security and stability audits should include the following:

  • Wireless site surveying

  • Overall network operations and stability assessment

  • Wireless security policy assessment

  • Rogue wireless device detection and identification

  • Proper systematic wireless penetration testing similar to that outlined in the Wireless Network Security and Stability Audit Checklist Template

  • Detailed audit report submission

  • Cooperative work with the wireless network management and administration to resolve the issues discovered
