This is the second in a short series of articles on the basics of deploying Wi-Fi security using the current level of standards and technology available. This is quickly becoming required as mainstream enterprise deployments ramp up - and as naïve employees bring "friendly" rogue devices into the office, unwittingly putting their companies at risk.
Last time, we gave a short list of components required to secure a wireless LAN:
- an authentication database/server,
- a strong authentication method,
- a data encryption mechanism, and
- a regular Wi-Fi auditing mechanism.
Knowing this, then, what are the initial basic actions to take?
Michael Disabato, vice president and service director at The Burton Group, assisted me in developing this checklist:
- Install an authentication server, if you don't have one (usually a RADIUS server).
- Install Wi-Fi Protected Access 2 (WPA2) supplicant software on all of your wireless client devices.
WPA2 supplicant software is now available in the Microsoft Windows XP operating system (Service Pack 2) and in Funk Software Odyssey and Meetinghouse Aegis client software.
- Configure WPA2 in clients, access points and the authentication server. This involves selecting an Extensible Authentication Protocol (EAP) method (your "strong authentication method" mentioned earlier), which will be discussed in the next newsletter. For now, simply note that your supplicant software and your authentication server software must both support the same EAP method in order for your EAP-based authentication to work.
Use centralised admin where possible
For installing, configuring, and updating software in heterogeneous client environments, Funk and Meetinghouse offer centralised administration facilities. You can configure security profiles for all different locations where a mix of client device types might be used, and push the supplicant and settings out to the clients, rather than configuring security profiles device by device.
Note: When you install and configure WPA2 software, you will automatically activate 802.1X, the authentication transport framework specified by 802.11i, the most current set of IEEE 802.11 security standards. You'll also automatically be installing your strong data encryption mechanism, which is a version of the Advanced Encryption Standard (AES) specified by the 802.11i standards.
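As an added check, not from the article: a small Python audit of client profiles against the checklist above, verifying WPA2 (proto=RSN), 802.1X/EAP authentication, AES (CCMP), an EAP method the authentication server also offers, and validation of the RADIUS server's certificate. The wpa_supplicant-style file format, the sample SSIDs, the certificate path and the server's EAP method list are all assumptions; the article names Windows XP SP2, Odyssey and Aegis clients, not this format.

```python
import re

# Constructed sample in wpa_supplicant style (an assumption; the article names
# Windows XP SP2, Odyssey and Aegis clients, not this format): one legacy
# pre-shared-key profile beside a WPA2/802.1X profile that meets the checklist.
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="shared-office-passphrase"
}
network={
    ssid="corp-wpa2"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
}
"""

def parse_networks(conf):
    """Return one {option: value} dict per network={...} block, quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.strip().splitlines():
            key, _, val = line.strip().partition("=")
            if key:
                entry[key] = val.strip().strip('"')
        nets.append(entry)
    return nets

def audit_network(net, server_eap_methods):
    """Findings for one profile; an empty list means it meets the checklist."""
    findings = []
    if net.get("proto") != "RSN":
        findings.append("not WPA2 (proto must be RSN)")
    if net.get("key_mgmt") != "WPA-EAP":
        findings.append("no 802.1X/EAP authentication (key_mgmt must be WPA-EAP)")
    elif not net.get("ca_cert"):
        findings.append("RADIUS server certificate not validated (ca_cert missing)")
    if net.get("pairwise") != "CCMP":
        findings.append("not AES encryption (pairwise must be CCMP)")
    # The supplicant and the authentication server must agree on the EAP method.
    if net.get("eap") and net["eap"] not in server_eap_methods:
        findings.append(f"EAP method {net['eap']} not offered by the authentication server")
    return findings
```

Run `audit_network` over every profile returned by `parse_networks` with the set of EAP methods your RADIUS server is configured for; a non-empty list is a profile that will either fall back to weaker security or fail to authenticate.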