Our small office WLAN uses WEP encryption and MAC address filtering. Are we protected from wireless hackers, or should we be doing something more?
First, upgrade your WLAN from WEP to either WPA-PSK or WPA2-PSK. WEP has been broken for years, and new tools and techniques keep shortening the time required to crack WEP keys. This month, Darmstadt University researchers demonstrated a new tool, aircrack-ptw, which can guess your WEP keys in as little as one minute. While WPA/WPA2 PreShared Keys (PSKs) are not impossible to crack, choosing a good (random, complex) passphrase that's at least 20 characters long will defeat PSK crackers.
Second, don't rely too heavily on your MAC address filters. MAC addresses are easily spoofed, using readily available freeware like Technitium MAC Address Changer, SMAC, or EtherChange. Someone who wants to bypass your MAC address filters can just use a wireless sniffer like WaveShark to observe a valid MAC address, then change their own MAC address to match. MAC address filters are best viewed as a "keep out" -- a way of discouraging casual war drivers or accidental associations by nearby neighbors.
Third, make sure that your wireless AP and hosts aren't vulnerable to probes and attacks over the WLAN. People often focus on link encryption and access control, but forget about protecting those wireless endpoints. For example, make sure your AP can't be reconfigured by wireless clients. If you cannot disable that interface, at least choose a hard-to-guess admin login and password. Safeguard your wireless clients like you would any host connected directly to the Internet -- specifically, disable file sharing, run a personal firewall to block all incoming requests, connect only to known networks in infrastructure more, and update your wireless adapter to the latest firmware/driver.
To learn more about WLAN threats and countermeasures, check out our Wireless Lunchtime Learning series of webcasts and tips.
Dig Deeper on WLAN Security
Related Q&A from Lisa Phifer
A remote access VPN connects remote users from any location to a corporate network. A site-to-site VPN, meanwhile, connects individual networks to ... Continue Reading
Licensed and unlicensed frequency bands serve different purposes for wireless communications. Find out the differences between the two bands and the ... Continue Reading
As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But ... Continue Reading