SANS Critical IT Controls #14: Wireless Device Control

While many companies are adept at securing their enterprise networks with routers, intrusion prevention systems and intrusion detection systems, wireless devices remain very vulnerable to attack. Wireless devices are ubiquitous, and there are several ways attackers can exploit your wireless systems to gain access to internal networks. An unauthorized (rogue) wireless access point plugged into your network gives an attacker a path straight past the security perimeter: anyone within radio range can associate with it and reach whatever internal segment it is connected to, without ever touching the controls that guard the wired edge. On top of this, employees who use wireless devices while travelling, or from or through other external sites, expose those devices to hostile networks and malware, which can then be carried back inside.

Companies must deny network access to wireless devices that do not have an authorized configuration and security profile. Scan your network frequently to identify unauthorized wireless access points, and disable any rogue access points you find. Several excellent open source tools (Kismet and the aircrack-ng suite's airodump-ng, for example) enable you to perform "war driving" to enumerate access points and clients that accept ad hoc (peer-to-peer) connections.

Ensure that all wireless devices use at least WPA2 with AES (CCMP) encryption; WEP and WPA/TKIP are broken and must not be used. Use strong authentication protocols such as EAP-TLS (802.1X with certificate-based mutual authentication) to protect user credentials; a single WPA2 pre-shared key gives you no per-user accountability and is hard to rotate once it leaks. Multi-factor authentication for wireless access reduces your risk further. Unless there is a business need, disable wireless peripheral interfaces such as Bluetooth. Configure all wireless clients so they cannot connect to public wireless networks, unless there is a business need.

Effective scanning will also tell you whether your own wireless devices are using weak protocols or insecure encryption. Implement automatic notification whenever a new unauthorized wireless device is detected. A wireless intrusion detection system (WIDS) can identify rogue wireless devices and detect attacks over the air; you should also configure your wired, network-based IDS to monitor all traffic that enters the wired network from wireless segments.
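As an added example (not part of the original article), the following Python script implements the rogue-AP and weak-configuration checks described above: it parses a scan, compares every observed BSSID against an authorized inventory, flags unknown access points (and, separately, unknown access points that impersonate a corporate SSID), checks authorized APs against the WPA2/AES/802.1X policy, and suppresses repeat alerts so that only newly seen unauthorized devices generate a notification. The scan sample is constructed; its column layout is modelled loosely on the AP section of airodump-ng's CSV output but is an assumption, not an exact reproduction of that format. The inventory, the policy sets and the alert text are hypothetical.

```python
"""Rogue and weak-wireless detector (added example, not from the original page).

Compares a scan of observed access points against an authorized AP inventory
and the encryption policy, and emits alert lines. The scan format is a
constructed, simplified CSV modelled loosely on airodump-ng's "-w" output
(an assumption, not its exact format); inventory and alert text are hypothetical.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Policy from the article: WPA2 or better with AES (CCMP), and enterprise
# (802.1X/EAP) authentication rather than a shared PSK. Mixed-mode values such
# as "WPA2WPA" deliberately fail the check, because they still permit WPA/TKIP.
ACCEPTABLE_PRIVACY = {"WPA2", "WPA3"}
ACCEPTABLE_CIPHER = {"CCMP", "GCMP"}
STRONG_AUTH = {"MGT"}  # airodump-ng labels 802.1X/EAP networks "MGT"

# Hypothetical authorized AP inventory: BSSID -> corporate ESSID it should serve.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}
CORPORATE_ESSIDS = set(AUTHORIZED_APS.values())

# Constructed scan sample (assumed column layout). One compliant corporate AP,
# one corporate AP misconfigured with TKIP/PSK, an evil twin of CorpNet,
# a WEP rogue and an open rogue.
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-05-01 09:00:00, 2024-05-01 09:05:00, 6, 54, WPA2, CCMP, MGT, -40, 100, 0, 0.0.0.0, 7, CorpNet,
00:11:22:33:44:02, 2024-05-01 09:00:00, 2024-05-01 09:05:00, 11, 54, WPA2, TKIP, PSK, -55, 90, 0, 0.0.0.0, 7, CorpNet,
AA:BB:CC:DD:EE:01, 2024-05-01 09:01:00, 2024-05-01 09:05:00, 1, 54, WPA2, CCMP, PSK, -60, 80, 0, 0.0.0.0, 7, CorpNet,
AA:BB:CC:DD:EE:02, 2024-05-01 09:02:00, 2024-05-01 09:05:00, 3, 11, WEP, WEP, OPN, -70, 30, 12, 0.0.0.0, 9, linksys-1,
AA:BB:CC:DD:EE:03, 2024-05-01 09:03:00, 2024-05-01 09:05:00, 9, 54, OPN, , , -75, 20, 0, 0.0.0.0, 5, Guest,
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    cipher: str
    auth: str
    essid: str


def parse_scan(text: str) -> list:
    """Parse the AP section of the scan. Stops at the first blank line after the
    header, which in airodump-style files separates APs from the client list."""
    aps = []
    header = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not c.strip() for c in row):
            if header is not None:
                break  # end of the AP section
            continue
        if header is None:
            header = [c.strip() for c in row]
            continue
        rec = dict(zip(header, (c.strip() for c in row)))
        aps.append(AccessPoint(
            bssid=rec["BSSID"].upper(),
            channel=int(rec["channel"]),
            privacy=rec["Privacy"],
            cipher=rec["Cipher"],
            auth=rec["Authentication"],
            essid=rec["ESSID"],
        ))
    return aps


def classify(ap: AccessPoint) -> list:
    """Return the findings for one AP; an empty list means authorized and compliant."""
    findings = []
    expected_essid = AUTHORIZED_APS.get(ap.bssid)
    if expected_essid is None:
        if ap.essid in CORPORATE_ESSIDS:
            findings.append("EVIL_TWIN: unknown BSSID advertising a corporate ESSID")
        else:
            findings.append("ROGUE_AP: BSSID not in the authorized inventory")
        return findings  # policy checks below apply only to our own APs
    if ap.essid != expected_essid:
        findings.append(f"MISCONFIG: expected ESSID {expected_essid!r}, saw {ap.essid!r}")
    if ap.privacy not in ACCEPTABLE_PRIVACY:
        findings.append(f"WEAK_PROTOCOL: {ap.privacy or 'open'} (policy: WPA2 minimum)")
    if ap.cipher not in ACCEPTABLE_CIPHER:
        findings.append(f"WEAK_CIPHER: {ap.cipher or 'none'} (policy: AES/CCMP)")
    if ap.auth not in STRONG_AUTH:
        findings.append(f"WEAK_AUTH: {ap.auth or 'none'} (policy: 802.1X/EAP)")
    return findings


def audit(text: str, known_unauthorized: Optional[set] = None) -> list:
    """Run the audit and return alert lines. BSSIDs in known_unauthorized were
    already reported by an earlier scan, so their rogue/evil-twin alerts are
    suppressed and only newly seen unauthorized devices trigger a notification."""
    known = known_unauthorized or set()
    alerts = []
    for ap in parse_scan(text):
        for finding in classify(ap):
            if finding.startswith(("ROGUE_AP", "EVIL_TWIN")) and ap.bssid in known:
                continue
            alerts.append(f"{ap.bssid} ch{ap.channel} {ap.essid!r}: {finding}")
    return alerts


if __name__ == "__main__":
    for line in audit(SCAN_CSV):
        print(line)
```

In practice the scan text would come from a periodic capture (for example the CSV that `airodump-ng -w <prefix> --output-format csv` writes) and the set of already-reported BSSIDs would be persisted between runs, so that the alert feed carries only new rogue devices plus any policy violations on your own APs. The parser is tolerant of leading spaces but has only been exercised against the constructed sample above, so validate it against a real capture before relying on it.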
