8. Isolate the wireless network from the rest of the LAN
To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that's isolated from the LAN. That means placing a firewall between the wireless network and the LAN. Then you can require that in order for any wireless client to access resources on the internal network, he or she will have to authenticate with a remote access server and/or use a VPN. This provides an extra layer of protection.
9. Control the wireless signal
The typical 802.11b WAP transmits up to about 300 feet. However, this range can be extended by a more sensitive antenna. By attaching a high gain external antenna to your WAP, you can get a longer reach but this may expose you to war drivers and others outside your building. A directional antenna will transmit the signal in a particular direction, instead of in a circle like the omnidirectional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help protect from outsiders. In addition, some WAPs allow you to adjust signal strength and direction via their settings.
10. Transmit on a different frequency
One way to "hide" from hackers who use the more common 802.11b/g wireless technology is to go with 802.11a instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate), NICs made for the more common wireless technologies won't pick up its signals. Sure, this is a type of "security through obscurity" — but it's perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information.
A drawback of 802.11a, and one of the reasons it's less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this "disadvantage" is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even with equipment designed for the technology.
Talkback
Another option that people should consider is to provide an additional open unencrypted free access to the internet. Restrict the access to LAN resources by providing an additional authentication step. If necessary, restrict the bandwith allocated to the free access so as not to degrade the other users access.
Someone who is trying to access "your network" is probably simply trying to get an internet connection. So simply make it easy for them to get one. Most likely they will then be happy and not spend days trying to break through your security... at which point they would have full access to all your sensitive information.
Providing an additional unsecured Wi-Fi access to the internet might stop casual intruders. Maybe a corporation with a huge amount of bandwidth could spare a little to support such an approach but what of the small business or home user? Do you really have bandwidth to spare? Do you trust strangers to share your connection? In an age of cyberterrorism, internet fraud, spam and paedophilia do you really want to allow others to use your bandwidth for their unapproved and possibly nefarious activities? I don't... I certainly don't want the police turning up on my doorstep having determined my WAN IP address is linked to crimes. I don't want to explain 'it wasn't me' as someone dismantles my PC. I enjoy the benefits of wireless access but I want the exclusivity of Ethernet. It's my bandwidth, mine all mine.
Hi,
I regard myself as tolerably PC literate and act as the PC 'help desk' for my village. In your opening line you state state 'wireless networking is easy to set up'. I agree. However, I suggest you should have then said setting up wireless security is a nightmare and takes us back to the worst days of poor instructions and indecipherable geeky words. There is no common methodology for setting up security. If you get it wrong it can be incredibly difficult to go back and start again because you cannot get the laptop to talk to the router to make the changes. OK, I hear you say connect via an ethernet/USB cable, Where does it tell you to do this - usually by thought transfer or similar.
My advice to most people is enable wirelss securituy at your peril. It might work for a while then you go out log on to somewhere else and guess what, you get home and you cannot log on no matter what you do unless you remove all security and start again.
I would plead for a real campaign to make the wireless router companies write user 'wizards' which hide all the geeky stuff and make it simple to set up. Llike you I do believe it is necessary to enable security. However, for the moment in our quiet rural village its open house for wirelss users.
Simon
scwyatt@tiscali.co.uk
I agree with 'Anonymous iTV Consultant' completely. I have a wireless network at home with 3 devices on it, which was an absolute doddle to set-up.
Then came the security configuration and despite being very PC literate I couldn't even begin to configure the security because whatever I tried effectively 'broke' the wireless connection.
I PM website production and if a site is unusable by Joe Public you can bet that it's a resounding failure, so I'd very much like someone to tell me why PC software companies get away with building unusable rubbish that seems designed specifically to leave security holes through the average user not being able to configure it.