Wireless access points and bridges must be secured. Management is often done using standard protocols that are not secure. This section will explain what basic steps must be taken to secure wireless infrastructure equipment. The figure provides some basic security recommendations for network management traffic.

Network equipment offers many additional protocols, which simplify network management and user access. Depending on the network configuration, only some of these protocols may be needed. This section will deal with protocols that might be unneeded. If a protocol is needed, it is important to understand the weaknesses of the protocol and how it can be secured.
Physical Access

Most wireless access points are easily accessible. They are usually located near users and outside of locked rooms. This puts wireless access points at special risk for theft and for compromise by malicious users. Network monitoring can be used to determine when an access point goes offline. Proper procedures will need to be followed to determine what happened to the equipment. Almost all wireless vendors publish the methods of resetting an access point using reset buttons or the console port.
Firmware

The latest firmware will usually be the most secure. New firmware should be tested and then used. Security patches or upgrades should be applied when warranted.
Console Access

Administrator accounts and privileges should be set up properly. The console port should be password protected. Choose a secure password.
Telnet/SSH

Telnet is an insecure, unencrypted protocol. If at all possible, secure shell (SSH) should be used for all Command Line Interface (CLI) functions. Telnet and SSH should be password protected. For maximum security, disable Telnet and use only SSH.

An SSH client is required on the management PC or workstation in order to connect to an AP running SSH. Several freeware programs are available, such as PuTTY, Teraterm SSH, and SecureNetTerm.
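The Console Access and Telnet/SSH guidance above can be checked mechanically against a saved configuration. The following script is an added example, not from the original text or any vendor; it assumes an IOS-style configuration syntax (the two sample configurations are constructed) and flags a missing enable secret, an unprotected console port, and a vty line that still accepts Telnet.

```python
# Constructed sample configurations (not from the page) in IOS-style syntax:
# the first shows the weaknesses this section warns about, the second the hardened form.
WEAK_CONFIG = """\
no service password-encryption
line con 0
 exec-timeout 0 0
line vty 0 4
 password letmein
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret PLACEHOLDER-strong-secret
line con 0
 password PLACEHOLDER-console-password
 login
line vty 0 4
 login local
 transport input ssh
"""

def _blocks(config):
    # Split a config into (header line, [indented child lines]) pairs.
    blocks, header, children = [], "", []
    for raw in config.splitlines():
        if raw.startswith(" "):            # indented line belongs to current block
            children.append(raw.strip())
        else:
            if header:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header:
        blocks.append((header, children))
    return blocks

def audit_management(config):
    # Return a list of findings for the management-plane weaknesses described above.
    findings = []
    blocks = _blocks(config)
    if not any(h.startswith("enable secret") for h, _ in blocks):
        findings.append("no enable secret: privileged mode is unprotected")
    for header, body in blocks:
        if header.startswith("line con"):
            if not any(c.startswith(("password", "login local")) for c in body):
                findings.append("console port is not password protected")
        elif header.startswith("line vty"):
            if any(c.startswith("transport input") and "telnet" in c for c in body):
                findings.append(f"telnet accepted on '{header}': allow SSH only")
    return findings
```

Run `audit_management` over each access point's exported configuration; an empty list means the checks in this section pass.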
TFTP/FTP

Trivial File Transfer Protocol (TFTP) and File Transfer Protocol (FTP) are both used to send and receive files across a network. TFTP does not allow passwords to be used, and it is limited to files under 16 MB. FTP allows usernames and passwords, but it is still an unencrypted protocol.
SSID

As mentioned before, the SSID should not be considered a security feature. SSIDs may be used in conjunction with VLANs for allowing limited access to guests.