Securing wireless access against malware invasion

So, you've learned the lessons of SQL Slammer, Blaster and Welchia, right? You've deployed serious Internet firewall and e-mail filtering, thereby locking your front door. But, how are you defending against malware zooming in through your wireless LAN access points? Your front door might be locked tight, but are your wireless LANs wide open to invasion by worms carried by employees or even casual passers-by?

To defend your wireless infrastructure from malware infection, start treating the radio frequencies around your buildings as one large inter-network DMZ, with possible intruders on the outside. All traffic going across the wireless hop should be carefully filtered before it is allowed into the internal network.

Apply filters at the router, firewall or VPN gateway just inside each access point to block all traffic except those services that have a defined business need. The wireless users in your buildings likely only need access to the internal network for a handful of services, such as HTTP and e-mail. Filter everything else out. If your users require NetBIOS or SMB access for Windows file and print sharing, or Microsoft Exchange services, consider deploying filters that limit such access to valid internal servers, blocking all other destinations. That way, malware that spreads via network shares will find a much less hospitable environment on your internal network.

To be even more thorough in securing your wireless infrastructure against such attacks, consider deploying a VPN gateway that requires strong authentication and encryption before allowing a connection to the internal network is allowed. A wireless solution that requires token-based authentication for a VPN is a particularly good idea. Token-based authentication might even allow you to leverage your existing authentication infrastructure that you originally deployed for Internet VPN access.

Finally, your organization's policy and procedures should require the installation of an antivirus tool on every wireless-equipped laptop or PDA. With such defenses, malicious code or a meddlesome attacker will not be able to easily compromise a wireless device, hijack a connection or otherwise jump into the internal network.

About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Wireless Access Control How to configure NAP for Windows Server 2008 Product review: AirDefense Enterprise 7.3 PCI DSS 1.2 clarifies wireless, antivirus use Lessons learned from TJX: Best practices for enterprise wireless encryption Should the enterprise be concerned with the Apple iPhone's automatic connection to Wi-Fi networks? Is it possible to identify a fake wireless access point? How 'evil twins' and multipots seek to bypass enterprise Wi-Fi defenses Wi-Fi simplicity edging out Wi-Fi security Should an enterprise network be regularly checked for rogue access points? Aruba bolsters mobile suite with security acquisition Wireless Access Control Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary evil twin  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.