Adequate infrastructure
The first thing to do when setting up a wireless network is to position the access points sensibly, according to the area to be covered. It is not uncommon for the actual coverage to be much larger than intended; in that case the transmit power of the base station can be reduced so that its range matches the area to be served.
Avoid Defaults
When an access point is first installed, it is configured with default values, including the administrator password. Many novice administrators assume that once the system works there is no need to change the access point's configuration. The default settings, however, provide only minimal security. It is therefore essential to connect to the administration interface (usually a web interface on a specific port of the access point) and set an administration password.
Moreover, to connect to an access point it is necessary to know its network identifier (SSID). It is therefore advisable to change the default network name and to disable its broadcast on the network. Changing the default identifier is all the more important because it can reveal to an attacker the make or model of the access point in use.
MAC address filtering
Each network adapter (the generic name for a network card) has a physical address of its own, called a MAC address. This address is written as 12 hexadecimal digits grouped in pairs and separated by dashes.
Access points usually allow, through their configuration interface, the management of a permission list (an ACL) based on the MAC addresses of the devices allowed to connect to the wireless network.
This precaution, at the cost of some administrative constraints, restricts network access to a known set of machines. It does not, however, address the confidentiality of exchanges, and the filtering is easily bypassed by an experienced user.
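Added example (Python, not code from the original page or from any vendor's access-point firmware): the allow-list handling that an access point's configuration interface performs behind the scenes. The ACL entries are constructed. It goes slightly beyond the text by accepting colon- and dot-separated notation as well as dashes, and by flagging two address classes a practitioner should know about: multicast addresses, which can never belong to a client, and locally administered addresses, which is what operating systems that randomize the Wi-Fi MAC for privacy present, so those stations will not match an ACL built from burned-in hardware addresses.

```python
"""MAC address allow-list (ACL) handling in the style an access point's
configuration interface exposes.  Added example, not taken from any
vendor's firmware; the sample ACL below is constructed."""
import re
from typing import Iterable, Set

# Constructed sample ACL as an administrator might enter it: mixed separators and case.
SAMPLE_ACL = """
# office laptops
00-1A-2B-3C-4D-5E
00:1a:2b:3c:4d:60   # printer
001a.2b3c.4d61      # Cisco-style notation
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits in pairs joined by dashes.
    Accepts dash-, colon- or dot-separated input (the page mentions dashes;
    colons and dots are a common extension)."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_acl(lines: Iterable[str]) -> Set[str]:
    """Parse an ACL file: one MAC per line, '#' starts a comment, blank lines ignored."""
    acl = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            acl.add(normalize_mac(entry))
    return acl


def is_allowed(mac: str, acl: Set[str]) -> bool:
    """Association decision: only normalized members of the allow-list get through."""
    return normalize_mac(mac) in acl


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.  Operating systems
    that randomize the Wi-Fi MAC for privacy set this bit, so such a station's
    address is not the burned-in one and an ACL keyed on hardware addresses
    will not recognize it."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (0x01 of the first octet) is set; such an address
    can never be a station address and has no place in an ACL."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


if __name__ == "__main__":
    acl = load_acl(SAMPLE_ACL.splitlines())
    for candidate in ("00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "02-00-00-aa-bb-cc"):
        print(candidate, "allowed" if is_allowed(candidate, acl) else "denied",
              "(locally administered / randomized)" if is_locally_administered(candidate) else "")
```

Normalizing before comparison matters because the same adapter is reported with different separators and letter case by different tools; a naive string comparison would silently deny a legitimate device.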
WEP - Wired Equivalent Privacy
To address the confidentiality of exchanges on wireless networks, the 802.11 standard includes a simple data encryption mechanism: WEP (Wired Equivalent Privacy).
WEP is a protocol responsible for encrypting 802.11 frames with the RC4 symmetric algorithm, using keys of 64 or 128 bits. The principle of WEP is to first define a secret key of 40 or 128 bits, which must be configured on the access point and on every client. This key is used to generate a pseudo-random string of the same length as the frame; each transmitted frame is encrypted by XORing it with this pseudo-random string, which acts as a mask.
The session key shared by all stations is static: to deploy a large number of wireless stations, every one of them must be configured with the same session key. Knowledge of that key is therefore enough to decrypt all communications.
In addition, 24 bits of the key are used only for initialization, which means that only 40 bits of a 64-bit key are actually used for encryption, and 104 bits of a 128-bit key.
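Added example (Python, not code from the original page or from any 802.11 implementation): a toy model of the WEP framing described above, with a minimal RC4 so that it runs offline. The 40-bit key, the 24-bit IVs and the frames are constructed, and the CRC-32 integrity value that real WEP appends is left out. It goes a little beyond the text by showing concretely why the static key plus small IV defeats confidentiality: decryption needs nothing but the shared key, and two frames sent under the same IV share a keystream, so XORing their ciphertexts reveals the XOR of their plaintexts.

```python
"""Toy model of how WEP encrypts a frame: a 24-bit IV sent in the clear is
prepended to the static 40-bit secret, the result seeds RC4, and the RC4
keystream is XORed with the frame.  Added example: the RC4 routine and the
sample frames are written here for illustration and come from no vendor
firmware.  The CRC-32 integrity value (ICV) that real WEP appends is omitted."""
from typing import Optional

IV_BYTES = 3    # 24-bit initialization vector, transmitted unencrypted
KEY_BYTES = 5   # 40-bit static secret: the "64-bit WEP" key minus the IV
IV_SPACE = 1 << (8 * IV_BYTES)   # 16,777,216 possible keystreams per static key


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, frame: bytes) -> bytes:
    """Return iv || (frame XOR RC4(iv || key)).  The IV changes per frame; the key never does."""
    if len(key) != KEY_BYTES or len(iv) != IV_BYTES:
        raise ValueError("expected a 40-bit key and a 24-bit IV")
    keystream = rc4_keystream(iv + key, len(frame))
    return iv + bytes(p ^ k for p, k in zip(frame, keystream))


def wep_decrypt(key: bytes, packet: bytes) -> bytes:
    """Any station holding the static key can decrypt every frame: the IV is public."""
    iv, body = packet[:IV_BYTES], packet[IV_BYTES:]
    keystream = rc4_keystream(iv + key, len(body))
    return bytes(c ^ k for c, k in zip(body, keystream))


def keystream_reuse_leak(pkt_a: bytes, pkt_b: bytes) -> Optional[bytes]:
    """Why a 24-bit IV is too small: only IV_SPACE keystreams exist for a given
    key, so IVs repeat on a busy network.  Two frames sent under the same IV
    share a keystream, and XORing their ciphertexts cancels it, exposing
    plaintext_a XOR plaintext_b without the key.  Returns None if the IVs differ."""
    if pkt_a[:IV_BYTES] != pkt_b[:IV_BYTES]:
        return None
    a, b = pkt_a[IV_BYTES:], pkt_b[IV_BYTES:]
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample key and frames, not captured traffic.
    key = bytes.fromhex("0102030405")
    frame_a, frame_b = b"GET /index.html", b"POST /login.php"
    pkt_a = wep_encrypt(key, b"\x00\x00\x01", frame_a)
    pkt_b = wep_encrypt(key, b"\x00\x00\x01", frame_b)   # same IV reused
    print("round trip ok:", wep_decrypt(key, pkt_a) == frame_a)
    leak = keystream_reuse_leak(pkt_a, pkt_b)
    print("ciphertext XOR equals plaintext XOR:",
          leak == bytes(x ^ y for x, y in zip(frame_a, frame_b)))
    print("distinct keystreams available per key:", IV_SPACE)
```

The model makes the two structural points of the section visible: the only secret is the shared static key, so every station (and anyone who learns the key) decrypts everything, and the per-frame variation comes from a 24-bit value sent in the clear, which is far too small to avoid repetition.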
With a 40-bit key, a brute-force attack (trying every possible key) can quickly allow an attacker to recover the session key. Furthermore, a flaw discovered by Fluhrer, Mantin and Shamir in the generation of the pseudo-random string makes it possible to recover the session key by capturing 100 MB to 1 GB of intentionally generated traffic.
WEP is therefore not sufficient to provide real confidentiality. It is nevertheless advisable to implement at least 128-bit WEP protection to obtain a minimum level of confidentiality and thereby prevent at least 90% of intrusion risks.
For a higher level of security, WPA or WPA2 should be used.
Improving authentication
For more effective management of authentication, authorization and user accounts (AAA: Authentication, Authorization, and Accounting), a RADIUS (Remote Authentication Dial-In User Service) server can be used. The RADIUS protocol, defined by RFC 2865 and RFC 2866, is a client/server protocol for centrally managing user accounts and access privileges.
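Added example (Python, not code from the original page or from any RADIUS server or client): the basic RFC 2865 exchange between a network access server and a RADIUS server, so the client/server relationship the section mentions can be seen at the packet level. Both sides are modelled in one file: the client builds an Access-Request carrying User-Name and a User-Password hidden with the MD5-based scheme of RFC 2865 section 5.2, the server recovers the password, decides, and signs its Access-Accept or Access-Reject with a Response Authenticator, and the client verifies it. The shared secret, the user table and the password are constructed.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange following RFC 2865
packet and attribute formats.  Added example, not code from any RADIUS
server or client; the shared secret, user table and password are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types
HEADER_LEN = 20                                          # code, id, length, authenticator


def _attr(attr_type: int, value: bytes) -> bytes:
    """TLV attribute: type (1 byte), length including header (1 byte), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then for each block
    c_i = p_i XOR MD5(secret || c_(i-1)), with c_0 = the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Client (NAS) side: 16 random bytes form the Request Authenticator."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + auth + attrs


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the identifier must match the outstanding request, the length
    field must be consistent, and the Response Authenticator must recompute."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if int.from_bytes(response[2:4], "big") != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Toy server policy: Access-Accept only when the recovered password matches
    the constructed user table (a real server checks a hashed credential store)."""
    if request[0] != ACCESS_REQUEST:
        return build_response(ACCESS_REJECT, request, secret)
    attrs = dict(parse_attributes(request[HEADER_LEN:]))
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = (user is not None and hidden is not None and user in users and
          hmac.compare_digest(users[user], unhide_password(hidden, secret, request[4:20])))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

Two design points are worth noting for anyone deploying this. The shared secret is the only thing binding the access point to the server, so it should be long and unique per client, and the User-Password hiding is an MD5-based mask keyed by that secret rather than authenticated encryption, which is why RADIUS traffic belongs on a protected management network or inside a tunnel rather than on a path an attacker can observe.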
Setting up a VPN
For all communications requiring a high level of security, it is preferable to use strong data encryption by establishing a virtual private network (VPN).