WiFi security settings

Hello...

I'm setting up a wireless network behind the firewall at
our corporate office. There's a DHCP server on the network,
so I need to be very careful with my security.

I was wondering if someone could improve on my setup.

Linksys WAP54G Access Point with...
-Non standard AP Name
-Static IP - within our private ip space (10.x.x.x)
-Non-standard SSID
-Channel 6 (default)
-SSID not broadcast
-WPA Pre-Shared Key (9 chars - upp/lower letters, and
numbers)
-TKIP
-Group Key Renewal 300 seconds (default)
-Filtering MAC addresses - only permitting known MACs

And of course a non-standard password for the web based
config utilities. Adapter cards may be a mix of
Linksys/Netgear/and whatever laptops came with. Win98/2k/XP
clients.

I'm willing to spend more money if necessary (RADIUS
server?).

Any suggestions? Any improvements?

Thx,
D.

On Fri, 02 Apr 2004 21:36:34 GMT, dsmcd <*email_address_deleted*> wrote:

>Hello...
>
>I'm setting up a wireless network behind the firewall at
>our corporate office. There's a DHCP server on the network,
>so I need to be very careful with my security.
>
>I was wondering if someone could improve on my setup.
>
>Linksys WAP54G Access Point with...
>-Non standard AP Name
>-Static IP - within our private ip space (10.x.x.x)
>-Non-standard SSID
>-Channel 6 (default)
>-SSID not broadcast
>-WPA Pre-Shared Key (9 chars - upp/lower letters, and
>numbers)
>-TKIP
>-Group Key Renewal 300 seconds (default)
>-Filtering MAC addresses - only permitting known MACs
>
>And of course a non-standard password for the web based
>config utilities. Adapter cards may be a mix of
>Linksys/Netgear/and whatever laptops came with. Win98/2k/XP
>clients.
>
>I'm willing to spend more money if necessary (RADIUS
>server?).
>
>Any suggestions? Any improvements?
>
>Thx,
>D.

D.,

Did you disable remote management on the router (do you need to use it?)? Is
the router management password non-trivial (complex / non-guessable)? If you
need to keep remote management, I would make the password very complex, and
regularly changed.

Have you enabled the router logs? Do you have procedures to examine them
regularly?

Do you have software firewalls on the computers?

Other than that, your setup looks pretty tight to me.

Please learn to munge your email address properly, to keep yourself a bit safer
when posting to open forums. Protect yourself and the rest of the internet -
never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Chuck <(E-Mail Removed)> wrote:
>On Fri, 02 Apr 2004 21:36:34 GMT, dsmcd
><*email_address_deleted*> wrote:
>
>>Hello...
>>
>>I'm setting up a wireless network behind the firewall at
>>our corporate office. There's a DHCP server on the
>>network,
>>so I need to be very careful with my security.
>>
>>I was wondering if someone could improve on my setup.
>>
>>Linksys WAP54G Access Point with...
>>-Non standard AP Name
>>-Static IP - within our private ip space (10.x.x.x)
>>-Non-standard SSID
>>-Channel 6 (default)
>>-SSID not broadcast
>>-WPA Pre-Shared Key (9 chars - upp/lower letters, and
>>numbers)
>>-TKIP
>>-Group Key Renewal 300 seconds (default)
>>-Filtering MAC addresses - only permitting known MACs
>>
>>And of course a non-standard password for the web based
>>config utilities. Adapter cards may be a mix of
>>Linksys/Netgear/and whatever laptops came with.
>>Win98/2k/XP
>>clients.
>>
>>I'm willing to spend more money if necessary (RADIUS
>>server?).
>>
>>Any suggestions? Any improvements?
>>
>>Thx,
>>D.
>
>D.,
>
>Did you disable remote management on the router (do you
>need to use it?)?

>Did you disable remote management on the router (do you
>need to use it?)?

No, and not sure.

Is
>the router management password non-trivial (complex /
>non-guessable)? If you
>need to keep remote management, I would make the password
>very complex, and
>regularly changed

Yes, and yes..
>
>Have you enabled the router logs? Do you have procedures
>to examine them
>regularly?

Yes, and yes.
>
>Do you have software firewalls on the computers?

No. We have the netscreen firewall at the wired network's
perimeter.
>
>Other than that, your setup looks pretty tight to me.

Good to hear.


>Please learn to munge your email address properly, to keep
>yourself a bit safer
>when posting to open forums.

Usually do. This time the defaults got gunged up.

Thx,
D.

if you can find out how many machines you have connected to the network,
taking advantage of the DHCP server, count them and then enter that figure
into the DHCP pool size, this stops unwanted connections. if you find after
doing that, that there is a problem, with a couple of machines or one,
connecting, just up that figure by one, till all are ok.


HTH

Louis

"dsmcd" <(E-Mail Removed)> wrote in message
news:C1lbc.60$(E-Mail Removed)...
> Hello...
>
> I'm setting up a wireless network behind the firewall at
> our corporate office. There's a DHCP server on the network,
> so I need to be very careful with my security.
>
> I was wondering if someone could improve on my setup.
>
> Linksys WAP54G Access Point with...
> -Non standard AP Name
> -Static IP - within our private ip space (10.x.x.x)
> -Non-standard SSID
> -Channel 6 (default)
> -SSID not broadcast
> -WPA Pre-Shared Key (9 chars - upp/lower letters, and
> numbers)
> -TKIP
> -Group Key Renewal 300 seconds (default)
> -Filtering MAC addresses - only permitting known MACs
>
> And of course a non-standard password for the web based
> config utilities. Adapter cards may be a mix of
> Linksys/Netgear/and whatever laptops came with. Win98/2k/XP
> clients.
>
> I'm willing to spend more money if necessary (RADIUS
> server?).
>
> Any suggestions? Any improvements?
>
> Thx,
> D.
>