Skill Level 3: Expert Cracker
Up until this point, we have blocked an intruder from wirelessly doing the equivalent of plugging their laptop into an Ethernet port on your LAN. But despite your best efforts, someone with expert cracking skills may penetrate all of your wireless defenses. What do you do now?
There are wired and wireless LAN intrusion detection and prevention products available, but they are targeted at enterprise applications and come priced accordingly. There are also open source solutions that are unfortunately not user-friendly for networking novices. The most widely-used of these is Snort, which I hope to explore in a future article.
But general network security practices have long dealt with traditional wired LAN intrusions, and can be used to combat an expert wireless intruder.
Countermeasure 9: Implement general LAN security
Implement the following countermeasures to improve general LAN security:
1) Require authentication to access any network resource
Any server, network share, router, etc. should preferably require user-level authentication for access. Although you won’t be able to implement real user-level authentication without some sort of authentication server, you can at least password-protect all shared folders and disable Guest logins if you’re running Windows XP. And never share the contents of entire hard drives!
2) Segment your network
In the extreme case, a computer not attached to a network is safe from network-based intrusion. But there are other ways to keep network users away from where they shouldn’t be. A few properly-connected inexpensive NAT-based routers can be used to establish firewalled LAN segments while still allowing Internet access. See this How To for the details.
Switches or routers with VLAN capabilities can also be used to separate LAN users. VLAN features can be found on most any "smart" or managed switch, but are harder to come by in consumer-priced routers and unmanaged switches.
3) Bulk up your software-based protection
At minimum, you need to run current versions of good anti-virus applications that automatically update their virus definition files. Personal firewalls such as ZoneAlarm can alert you to suspicious use of your network. And, unfortunately, the latest generation of malware and spyware threats makes adding an anti-spyware application also necessary. Webroot Software’s Spy Sweeper seems to be getting good marks lately, along with Sunbelt Software’s CounterSpy.
Note that you must install protection on every machine on your LAN in order to have effective protection!
4) Encrypt your files
Encrypting your files with strong encryption should provide effective protection in the event unauthorized users do gain access to them. Windows XP users can use Windows Encrypted File System (EFS). Mac OS X users can use FileVault. The downside to encryption is that it takes time and computing power to encrypt and decrypt files, which could slow things down more than you’d like.
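A quick audit for item 1 above, added here as an example and not part of the original article: it parses the output of `net share` and `net user guest` (constructed samples, English-language Windows assumed) and flags user-created shares that expose an entire drive, plus an active Guest account. The function names are hypothetical, and default administrative shares ending in `$` are deliberately skipped.

```python
import re

# Constructed sample of `net share` output; not taken from the article.
NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
Music        D:\
Docs         C:\Shared\Family Docs           Family documents
Backup       E:\                             Old laptop disk
The command completed successfully.
"""
# Constructed excerpt of `net user guest` output.
NET_USER_GUEST = "User name                    Guest\nAccount active               Yes\n"

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # "D:" or "D:\" and nothing more

def parse_shares(text):
    """Return (name, path) pairs from `net share` output; path is None if absent."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):        # separator line: the table starts after it
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        fields = re.split(r"\s{2,}", line.strip())  # columns are padded with 2+ spaces
        path = fields[1] if len(fields) > 1 and re.match(r"^[A-Za-z]:", fields[1]) else None
        shares.append((fields[0], path))
    return shares

def whole_drive_shares(text):
    """User-created shares whose path is a drive root (admin shares ending in $ skipped)."""
    return [(n, p) for n, p in parse_shares(text)
            if p and DRIVE_ROOT.match(p) and not n.endswith("$")]

def guest_enabled(text):
    """True if `net user guest` reports the Guest account as active."""
    m = re.search(r"^Account active\s+(Yes|No)\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Account active' line found")
    return m.group(1) == "Yes"

if __name__ == "__main__":
    print("Whole-drive shares:", whole_drive_shares(NET_SHARE))
    print("Guest account active:", guest_enabled(NET_USER_GUEST))
```

To audit a real machine, save the output of the two commands to text files and pass their contents to these functions; share names are assumed to fit in the first column.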