Basic WLAN security

Wireless access points and bridges must be secured. Management is often done using standard protocols that are not secure. This section explains the basic steps that must be taken to secure wireless infrastructure equipment. The figure provides some basic security recommendations for network management traffic.

Network equipment offers many additional protocols that simplify network management and user access. Depending on the network configuration, only some of these protocols may be needed. This section also covers protocols that may not be needed at all. If a protocol is needed, it is important to understand its weaknesses and how it can be secured.

Physical Access
Most wireless access points are easily accessible. They are usually located near users and outside of locked rooms. This puts wireless access points at special risk of theft and of compromise by malicious users. Network monitoring can be used to determine when an access point goes offline. Proper procedures will then need to be followed to determine what happened to the equipment. Almost all wireless vendors publish the methods for resetting an access point using the reset button or the console port, so physical access alone is enough to return a unit to its default configuration.

Firmware
The latest firmware will usually be the most secure. New firmware should be tested and then deployed. Security patches or upgrades should be applied when warranted.

Console Access
Administrator accounts and privileges should be set up properly. The console port should be password protected. Choose a secure password.

Telnet/SSH
Telnet is an insecure, unencrypted protocol. If at all possible, Secure Shell (SSH) should be used for all command line interface (CLI) functions. Telnet and SSH should both be password protected. For maximum security, disable Telnet and use only SSH.

An SSH client is required on the management PC or workstation in order to connect to an AP running SSH. Several freeware programs are available, such as PuTTY, Teraterm SSH, and SecureNetTerm.

TFTP/FTP
Trivial File Transfer Protocol (TFTP) and File Transfer Protocol (FTP) are both used to send and receive files across a network. TFTP does not support authentication at all, and it is limited to files under 16 MB. FTP allows usernames and passwords, but it is still an unencrypted protocol, so credentials and file contents can be read by anyone on the path.

SSID
As mentioned before, the SSID should not be considered a security feature. SSIDs may be used in conjunction with VLANs for allowing limited access to guests.
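The checks above (console password, SSH instead of Telnet, no plaintext management protocols) can be verified automatically against an AP's running configuration. The following script is an added example, not part of the course material: it parses two constructed IOS-style config fragments (a weak one and a hardened one; the hostname, domain name and secrets are placeholders) and reports which of this section's recommendations each one violates.

```python
# Constructed sample: AP management left at insecure settings (placeholder values).
WEAK_CONFIG = """\
hostname ap1
enable password cisco
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input all
ip http server
"""

# Constructed sample: the same AP after hardening. Assumes an RSA key pair was
# already generated in exec mode (crypto key generate rsa) so SSH can start.
HARDENED_CONFIG = """\
hostname ap1
ip domain-name example.net
service password-encryption
enable secret EnablePlaceholder
username admin privilege 15 secret AdminPlaceholder
ip ssh version 2
no ip http server
ip http secure-server
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

def parse_sections(config):
    """Split IOS-style text into (command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return sorted findings for the management-plane items in this section."""
    sections = parse_sections(config)
    top = {cmd for cmd, _ in sections}
    findings = []
    if not any(c.startswith("enable secret ") for c in top):
        findings.append("no 'enable secret' (enable password is missing or reversible)")
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 not enforced")
    if "ip http server" in top:
        findings.append("plaintext HTTP management enabled")
    if "service password-encryption" not in top:
        findings.append("line passwords stored in clear text")
    for cmd, body in sections:
        # A line is password protected only with 'login local' or 'login' plus a password.
        protected = "login local" in body or (
            "login" in body and any(b.startswith("password ") for b in body))
        if cmd.startswith("line con") and not protected:
            findings.append(f"{cmd}: console not password protected")
        if cmd.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append(f"{cmd}: Telnet still accepted (want 'transport input ssh')")
    return sorted(findings)
```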

Lab Activity

Lab Exercise: Configure Basic AP Security through GUI

In this lab, the student will learn to secure the AP via GUI.

Lab Activity

Lab Exercise: Configure Basic AP Security through IOS CLI

In this lab, the student will learn to secure the AP via Cisco Internetworking Operating System (IOS).

How to upgrade client drivers and firmware

Cisco Aironet Client Release Notes

Cisco Aironet Wireless Software (CCO Software Center)

PuTTY