S 4.294 Secure configuration of access points
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Under no circumstances may access points be operated with the factory default configuration, or with the SSID (Service Set Identifier), access passwords, or cryptographic keys stated in the product manuals.
The following settings should be performed and/or changed to customised, secure values:
- Administrative access to the access points over the wireless interface should be deactivated wherever possible.
- All administration passwords should be as complex as possible and should be changed regularly.
- Insecure administration accesses (e.g. over Telnet, HTTP) should be disabled whenever possible. Administrative access must always be established using an encrypted connection (e.g. via SSL or SSH).
- The default settings of SSIDs, cryptographic keys, and passwords must be changed immediately after initial operation.
- The SSID should not provide any information on the owner of a WLAN or its purpose. Likewise, the SSID should not be set to "Any", since otherwise any WLAN component would be able to communicate in the WLAN.
- The broadcast of the SSID should be disabled so that the existence of the WLAN cannot be communicated unnecessarily. Furthermore, association using SSID broadcasts should be disabled so that the client is required to specify the desired SSID explicitly when associating.
- Suitable encryption mechanisms must be enabled. At the same time, it must be ensured that all components in the WLAN support the mechanisms. It must be impossible to establish connections with WLAN components that do not have any encryption mechanisms or only inadequate encryption mechanisms.
- Cryptographic keys should be selected as randomly as possible and should be changed regularly. A complex pre-shared key (PSK) should be used when using WPA-PSK or WPA2-PSK. If cryptographic keys like the PSK are generated using a password, the password selected for this purpose should be very complex and have at least 20 characters.
- To restrict the communication partners permitted to access an access point, access control lists (ACLs) should be used at the MAC address level. This is particularly helpful for small to very small WLAN installations. In general, though, this instrument alone cannot provide a sufficient level of security, especially in a WLAN: the WLAN is easy to listen in on, and MAC addresses are easy to change. ACLs in the WLAN can therefore only be viewed as weak, additional safeguards whose use only makes sense in special situations. Since the additional security gained is limited, it must be examined for large networks whether the additional security is worth the administrative work required.
- The DHCP (Dynamic Host Configuration Protocol) server in the access point should be switched off (if there is one and if this is technically possible), i.e. static IP addresses should be assigned and the range of available IP addresses should be kept as small as possible. Otherwise the DHCP server will automatically assign a valid IP address to an intruder.
- When using several access points, the frequency channels used by neighbouring access points should be selected in such a way that they do not overlap, as far as possible.
- Changes to the system configuration must be tested and documented.
- It must be checked regularly whether all security-relevant updates and patches have been installed. This must also be checked for the corresponding device drivers for the WLAN hardware on the WLAN clients. A new software version or a patch should only be installed in the WLAN after appropriate testing. It has happened in actual operations that software updates have made WLAN communication extremely limited or even completely impossible.
  Notification and information procedures should be specified in the change management describing who needs to be informed of such changes and how they are to be informed. Likewise, the documentation of the WLAN infrastructure must be updated accordingly.
- If WLAN components are not used for an extended period of time, they should be switched off. Access points should be disabled automatically outside of working hours (for example at night and on weekends).
Support for and monitoring of these tasks can be carried out using a WLAN management software package or by integration into a central network management system.
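The checks in the list above can be automated as part of such monitoring. The following script is an added example and not part of the safeguard text: the configuration keys (ssid, ssid_broadcast, admin_over_wireless, admin_protocols, admin_password, encryption, psk, dhcp_server) are assumed names for a generic access point, the default-value lists are constructed samples, and WPA2 is assumed to be the "suitable" encryption mechanism.

```python
"""Audit an access point configuration against the settings listed in S 4.294."""

# Constructed samples of vendor defaults to reject; a real list is taken from
# the manuals of the access points actually in use.
DEFAULT_SSIDS = {"default", "any", "wlan", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234"}
SUITABLE_ENCRYPTION = {"wpa2-psk", "wpa2-enterprise"}  # assumption: WPA2 counts as suitable
INSECURE_ADMIN_PROTOCOLS = {"telnet", "http"}
MIN_PSK_LENGTH = 20  # password length for a password-derived PSK, as required above


def audit_access_point(cfg: dict) -> list:
    """Return the findings for one access point; an empty list means it passes."""
    findings = []
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default or 'Any'")
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID broadcast is enabled")
    if cfg.get("admin_over_wireless", True):
        findings.append("administrative access over the wireless interface is enabled")
    for proto in sorted(INSECURE_ADMIN_PROTOCOLS & set(cfg.get("admin_protocols", []))):
        findings.append("insecure administration access enabled: " + proto)
    if cfg.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administration password is a factory default")
    encryption = cfg.get("encryption", "none")
    if encryption not in SUITABLE_ENCRYPTION:
        findings.append("encryption mechanism is missing or inadequate: " + encryption)
    elif encryption == "wpa2-psk" and len(cfg.get("psk", "")) < MIN_PSK_LENGTH:
        findings.append("PSK passphrase is shorter than %d characters" % MIN_PSK_LENGTH)
    if cfg.get("dhcp_server", False):
        findings.append("built-in DHCP server is enabled")
    return findings


# Constructed sample configurations: one left at vendor defaults, one hardened.
FACTORY_AP = {"ssid": "default", "ssid_broadcast": True, "admin_over_wireless": True,
              "admin_protocols": ["http", "telnet"], "admin_password": "admin",
              "encryption": "wep", "dhcp_server": True}
HARDENED_AP = {"ssid": "xq7-2b9k", "ssid_broadcast": False, "admin_over_wireless": False,
               "admin_protocols": ["https", "ssh"], "admin_password": "Wq7!pL2#zR9v",
               "encryption": "wpa2-psk", "psk": "correct horse battery staple 42 fjord!",
               "dhcp_server": False}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_AP), ("hardened", HARDENED_AP)):
        print(name + ":", audit_access_point(cfg) or "OK")
```

The findings list maps one-to-one onto the settings in the list above, so a non-empty result is the change-management ticket for that access point.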
Review questions:
- Has the SSID of the access point been selected in such a way that it does not provide any clues as to the owner and the purpose?
- Has the SSID broadcast been disabled?