How to Secure Your Wireless Network
Balancing security, manageability and accessibility for employees and guests

It isn’t hard to set up security for the wireless router in your basement: change the SSID, pick a strong password and perhaps install VPN software for remote access.

But securing wireless networks in a business environment is much more demanding. Systems administrators must:

- Ensure that wireless access points are secure from unauthorized access.
- Protect communications coming from remote and mobile employees.
- Provide controlled access for guests and contractors.
- Deploy and manage multiple wireless access points in central offices.
- Deploy and manage wireless access in remote offices (ideally, without travel or local IT staff).
- Integrate wireless traffic into the company’s core network security infrastructure.

In this short paper, we will suggest best practices that can help administrators go beyond the basics of wireless security to provide advanced security, manageability and accessibility. We will also show how Sophos UTM Wireless Protection and related products help address these issues.

Watch Out!
“I admit, one of my favorite things to do in backtrack is to crack a good ole WIFI. … I guess it’s just thrilling, it gives me sort of a high to be in places I shouldn’t. To be able to completely exploit an entire network as a local user is definitely something that’s fun and exciting.”
Blog post: Cracking WEP with BackTrack

The Basics

Certain security practices are essential for wireless networks of all types. These include:

Strong encryption, preferably WPA2. An eavesdropper can pick up wireless signals from the street or a parking lot and break older security algorithms like WEP in minutes using tools readily available on the Web.

Complex passwords.
Cybercriminals can use cloud computing resources to test millions of passwords in minutes, so wireless passwords should be 10 characters or longer and include numbers and special characters.

Unique SSIDs. SSIDs are part of the password used for WPA2 encryption. Hackers use “rainbow tables” to test common SSIDs, so administrators should pick unique network names (but not ones that identify their organization).

VPNs for remote access. Virtual private networks are essential to protect communications from mobile employees (who can put a VPN client on their devices) and remote offices (which can use economical, point-to-point VPN connections).

Employee education and published policies. Employees need to be educated on secure networking practices. In companies with bring-your-own-device (BYOD) policies, this includes acceptable uses of personal devices for company business. Organizations that publish policies and systematize training not only improve security, but also enhance their compliance posture by showing auditors that they are taking action to protect confidential information.[1]

A Sophos Whitepaper, January 2013

Provide Controlled Access for Guests

Uncontrolled access to wireless networks is a common security issue. Often, customers, suppliers and other office visitors are given IDs and passwords that provide perpetual access to internal networks. Stories abound of contractors whose passwords remained valid for weeks or months after they moved on to other employers.

Some organizations address this problem by providing a separate guest network with limited access to core IT systems.
This approach addresses the issue of transient guests, but it is expensive and not always useful for contractors and long-term guests.

Another approach is to find tools that restrict guest and contractor access to appropriate periods of time and place limits on their activities.

Manage Multiple Access Points in Central Offices

Deploying and managing wireless access points can be time-consuming. Large offices and campuses may require many access points to cover all office areas, conference rooms and meeting spaces used by employees. Multiple wireless networks for different groups and for guests can add to the work.

Not only does complex administration raise staffing costs, but it also increases the likelihood of accidental misconfigurations that cause security vulnerabilities.

Enterprises need to find tools that simplify tasks such as deploying new access points, checking on the status and settings of these devices, and changing parameters. A best-case scenario is to find tools that do not require specialized knowledge or a long learning curve, so the work can be done by network administrators rather than wireless networking specialists.

[1] For more best practices, see “Hot Tips for Securing Your Wi-Fi Network.” To see short videos on cracking WEP and weak passwords, go to “WEP Encryption Isn’t Secure” and “WPA Encryption Can Be Cracked.” For advice on wireless security policies, see “Creating a wireless security policy.”

Manage Access Points in Remote Offices

Providing technical support to remote and branch offices is also a challenge.
Constant travel is rarely an option, and it is difficult to work through remote personnel, particularly if no local IT staff is available.

Administrators need to find tools that allow them to deploy, monitor and update remote access points from a central console.

Integrate Wireless Traffic into the Network Security Infrastructure

Cybercriminals are increasingly targeting wireless traffic as an avenue to penetrate enterprise networks. They are exploiting:

- More opportunities to find weak points because of the growing number of remote and mobile workers.
- Home computers and mobile devices that lack the endpoint protection tools found on workstations that reside in company offices.
- BYOD policies that limit the control that companies have over the selection and configuration of mobile devices (a trend amplified by the increasing number of organizations with bring-your-own-computer policies).

To prevent wireless traffic from becoming a major threat vector, enterprises should ensure that wireless traffic flows through the full network security infrastructure so it can be scanned for malware. Probes and attacks can also be detected.

Ideally, the connection should be two-way, so traffic that goes out through the wireless network must first pass through the core security infrastructure. That allows URL and content filtering tools to prevent employees from visiting websites that contain malware or are related to phishing and social engineering attacks. It may also help detect data being exfiltrated as part of an advanced persistent threat.

Security with Manageability: Sophos UTM Wireless Protection and Sophos Access Points

Sophos UTM Wireless Protection and Sophos Access Points offer full wireless security while providing flexible access for employees and guests.

Management is greatly simplified.
Companies with Sophos UTM appliances get plug-and-play deployment: When new wireless access points are turned on, they appear automatically on the central console. They can be configured and placed into operation in minutes. A built-in wireless controller allows administrators to monitor and change security policies centrally for access points throughout the office or campus.

Figure 1: Plug-and-play deployment of new access points and central management of remote access points.

These tasks can be handled by the same administrator who manages the unified threat management (UTM) appliances, so no dedicated specialist or detailed training is required.

Wireless mesh networking capabilities can improve the economics and resiliency of wireless networks by using wireless LAN bridges and repeaters to link together multiple WLANs without the use of Ethernet cabling.

Sophos also greatly simplifies the management of WLANs in remote offices. A Sophos Remote Ethernet Device and a Sophos Access Point together can provide a branch office wireless network and a full set of UTM security services very economically. Travel and local IT support are not needed, because all security and wireless networking features can be managed remotely from the central office.
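
The encryption, passphrase and SSID rules from "The Basics" written as a configuration check, as an added example that is not part of the Sophos paper. It also shows why the network name matters: WPA2-Personal derives its master key with PBKDF2 using the SSID as the salt, so a table precomputed for a common SSID does not apply to a unique one. The function names, the default-SSID list, the organization terms and the sample configurations are constructed for illustration.

```python
import hashlib
import string

# Constructed list of common factory-default SSIDs (illustrative, not exhaustive).
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "home", "wireless"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit_wlan(ssid, encryption, passphrase, org_terms=()):
    """Return a list of findings against the paper's baseline; empty means pass."""
    findings = []
    if encryption.upper() != "WPA2":
        findings.append(f"encryption {encryption} is weaker than WPA2")
    if len(passphrase) < 10:
        findings.append("passphrase shorter than 10 characters")
    if not any(c.isdigit() for c in passphrase):
        findings.append("passphrase has no digit")
    if not any(c in string.punctuation for c in passphrase):
        findings.append("passphrase has no special character")
    if ssid.lower() in COMMON_SSIDS:
        findings.append("SSID is a common default; precomputed tables may cover it")
    if any(term.lower() in ssid.lower() for term in org_terms):
        findings.append("SSID identifies the organization")
    return findings


# Constructed sample configurations: (ssid, encryption, passphrase).
SAMPLES = [
    ("linksys", "WEP", "letmein"),
    ("acme-guest", "WPA2", "t4ble-Lamp!river9"),
    ("bluefern-7q", "WPA2", "t4ble-Lamp!river9"),
]

if __name__ == "__main__":
    for ssid, enc, pw in SAMPLES:
        print(ssid, audit_wlan(ssid, enc, pw, org_terms=("acme",)) or "OK")
    # Same passphrase, different SSID: the derived keys are unrelated.
    print(wpa2_pmk("t4ble-Lamp!river9", "linksys").hex())
    print(wpa2_pmk("t4ble-Lamp!river9", "bluefern-7q").hex())
```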