The hottest WLAN Security Management Guide

  • Detail

Wireless local area network (WLAN) security management guide

for some people, they may think that the security of wireless networks is very complex. Setting up a secure wireless network may require very professional basic knowledge and complex settings. Some people will also say, "I just use my computer and don't do anything else important. Why should I bother about security?" Therefore, they will give up their plans in terms of security, which will lead to their own network "wide open". For the answer to this question, you may not have such an idea after reading the following content

note: WLAN is the abbreviation of wireless LAN, that is, wireless local area. Wireless local area network is a technology that uses wireless technology to realize fast access to Ethernet

first, there are three risks faced by WLAN without security measures:

1. Network resources are exposed.

once some people with ulterior motives connect to your WLAN through the wireless network, they will have certain access rights to the whole network like those users who are directly connected to your LAN switch. In this case, unless you have taken some measures in advance to restrict unknown users' access to resources and shared documents in the network, intruders can do anything authorized users can do. On your network, files, directories, or the entire hard disk drive can be copied or deleted, or worse, those such as keyloggers, Trojans, spyware or other malicious programs can be installed into your system and manipulated by those intruders through the network. The consequences can be imagined

2. Sensitive information is leaked

as long as appropriate tools are used, the web page can be rebuilt in real time, so that the URL of the web site you have browsed can be captured. Some important passwords you just entered in these pages will be stolen and recorded by intruders. If it is those credit card passwords, hehe, think about the consequences and know what's going on

3. Act as a springboard for others

in foreign countries, if the open WLAN is used by intruders to transmit pirated movies or music, you are very likely to receive a letter from RIAA's lawyer. The more extreme fact is that if your Internet connection is used by others to download child pornography or other inappropriate content from an FTP site, or use it as a server, you may face more serious problems. Moreover, open WLAN may also be used to send spam, DoS attacks or spread viruses

Second, protect our WLAN

after understanding the problems faced by an unprotected WLAN, we should take some corresponding 606.5 Countermeasures before the problem occurs, and don't wait until serious consequences occur before we realize how important safe network maintenance is. The following content is to introduce various countermeasures for various intrusion modes at different levels

1. Ordinary users with wireless cards

in front of a wireless LAN without any protection, if they want to attack it, they don't need to take any special means. As long as any machine is equipped with a wireless card, the person who can turn on the wireless card on the computer is a potential intruder. In many cases, people inadvertently turn on their computers equipped with wireless devices, which are just within your WLAN coverage, so that their machines are either automatically connected to your AP or see it in the "available" AP list. Carelessly, their world's first solar aircraft Solar Impulse 2 has completed its maiden flight cruise, and has entered your undefended "field". In fact, in ordinary statistics, a considerable part of unauthorized connections come from such situations, which are not intentional violations of your network by others, but sometimes unintentionally driven by curiosity

the following countermeasures can protect your network from inadvertent access, but these are quite elementary content, and cannot provide real-time protection against more skilled intruders. Although these contents are "rookies", most of them are so simple, but if your wireless device can support them, I still suggest you make relevant settings

countermeasure 1: change the default setting

at least, change the default administrator password, and if the device supports it, it is best to change the administrator's user name together. For most wireless network devices, the administrator's password may be universal. Therefore, if you don't change this password, and other people can easily log in to your wireless network device with the default user name and password to obtain the management permission of the whole network. Finally, you may find that you can't log in to your WLAN. Of course, Control can still be regained by restoring factory settings

change the default SSID of your AP or wireless router. When there are other adjacent APS near your operating environment, it is particularly necessary to change the default SSID. When there are multiple APS of the same manufacturer in the same area, they may have the same SSID, so the client will have a considerable chance to connect to the AP that does not belong to them. In particular, do not use personal sensitive information in SSID

changing the default number of channels can help you avoid conflicts with adjacent wireless LANs, but as a security method, it has little effect, because wireless clients usually automatically scan all available channels for possible connections

countermeasure 2: update the firmware of AP

sometimes, the security of AP can be improved by refreshing the latest version of firmware. The new version of firmware often fixes known security vulnerabilities, and may add some new security measures in terms of functions. With the emergence of updated consumer AP, the new version of firmware can be verified and upgraded with a few simple clicks. Compared with the previous AP, Old products require users to manually find, download and update the final version of firmware from the manufacturer's technical support site with a not very friendly interface

many APS that have been used for several years have passed their warranty period, which means it is difficult to find a new version of firmware. If you find that the last version of firmware does not support WPA (Wi Fi protected access) with improved security performance, in fact, the better version is WPA2, then it is best to seriously consider whether to replace your device

in fact, current 802.11g devices should at least support WPA and have the ability to update to WPA2 technically, but manufacturers will not always be committed to supporting their old products based on evaluation, so if you want to check whether AP can support WPA2, Either check in the Wi Fi alliance is certification database (link is: or search in Google.

countermeasure 3: block SSID broadcasting

many APS allow users to block SSID broadcasting, which can prevent netstumbler scanning, but this will also prohibit Windows XP users from using their built-in wireless zero configuration applications and other client applications. If you select the one shown in Figure 1 below "Hide ESSID" blocks SSID broadcasts on a Parker vision AP. (in fact, SSID and ESSID refer to the same thing.)

note: blocking SSID broadcasts in a wireless network does not prevent attackers using Kismet or other wireless detection tools (such as AirMagnet), which do not rely on SSID to detect an existing network

countermeasure 4: turn off the machine or wireless transmission

turn off the wireless AP, which may be the simplest method for ordinary users to protect their wireless network. During the whole night without work, we can use a simple timer to turn off our AP. However, if you have a wireless router, the Internet connection will also be cut off, which is a good way

if you can't or don't want to turn off the Internet connection periodically, you have to manually disable the wireless transmission of the wireless router (of course, your wireless router should also support this function). As shown in Figure 2 below

countermeasure 5: MAC address filtering

ma5c address filtering is to write the legal MAC address list in the AP in advance. Only when the MAC address of the client matches the address in the legal MAC address table, the AP allows the client to communicate with it and realizes physical address filtering. This can prevent some inexperienced intruders from connecting to our WLAN. However, for sophisticated attackers, it is easy to intercept data frames from open radio waves, analyze the MAC address of legitimate users, and then use the MAC address of this machine to disguise as a legitimate user and illegally access your WLAN. As shown in Figure 3 below:

countermeasure 6: reduce the transmission power

although only a few APS have this function, reducing the transmission power can still help to limit intentional or accidental unauthorized connections. But now the sensitivity of wireless cards is constantly improving, and even such cards can be purchased by any junior user, especially if you try to block some unnecessary connections in a building or dormitory, it may not be of much value. (end)

Copyright © 2011 JIN SHI