Hardening Wireless LAN Connections Part 1

Who in their right mind would allow a WLAN in their environment? Learn what extra measures you can take to give your users the access they request with the security the network requires. (From the book, Hardening Network Infrastructure, by Wesley Noonan, McGraw-Hill/Osborne, ISBN: 0072255021, 2004.)

Wireless LAN (WLAN) connections represent the classic struggle between security and usability. On one hand, WLANs were created and are used to simplify the ability of users to connect to and access network resources. With a wireless NIC, a user can connect to a network anywhere on a campus, in an office, or at any neighborhood coffee shop. On the other hand, WLANs are by their very nature insecure. The data is sent over the airwaves, where anyone can potentially receive it. In addition, an illegitimate user can often connect to a WLAN with the same ease that a legitimate user can if the WLAN is left in the default mode. Indeed, no one in their right mind who has any kind of security focus would allow a WLAN in their environment. However, it is not a lost cause. As you will see, there are many things you can do to secure your WLANs.

At the same time, you may already have a WLAN or are planning one. Does this mean you aren’t concerned with security? Of course not. To the contrary, this illustrates how important it is to provide usability and functionality to your users. It also illustrates the simple reality that in the struggle between what users want and need and security, security frequently comes in second. This does not mean that we have to accept that we cannot secure our WLANs, though. Instead, it means that we need to take extra measures to ensure that we provide the access our users request while providing the security our network requires.

Banning WLANs Without IT/Management Approval

As mentioned in Chapter 1, wireless presents a unique problem to your networks. It is entirely too easy for someone to obtain a rogue WAP, connect it to your network (using DHCP to assign the WAP an IP address), and then allow anyone with a wireless client to be able to connect to your network, even though your wireless security policy should explicitly prohibit such actions. 

This is from Hardening Network Infrastructure, by Wesley Noonan (McGraw-Hill/Osborne, ISBN 0072255021). Check it out at your favorite bookstore today. Buy this book now.


Preventing Rogue APs

No good, bulletproof technical method exists to prevent a WAP from being connected to your network. By that I mean that if someone wants to bring a rogue AP onto your network, they are always going to have a chance of being successful. This doesn’t mean that you should pack up the tent and head home, however. There are a few things you can do to prevent or greatly reduce the odds of a rogue WAP being successfully connected to your network:

  • Implement a wireless security policy. The first thing to do is to have a good wireless security policy. The problem of unauthorized WAPs is largely a people problem that requires a people solution in the form of enforceable security policies. Also, your wireless security policy is one that absolutely must have teeth. If someone brings a rogue WAP online, they need to be subject to termination of employment. Your wireless security policy also needs to define what the response to a rogue AP is. For example, will the AP be confiscated, and, if so, who is responsible for that?
  • Provide for physical security. A WAP has a limited range. You should implement physical security measures that prevent someone from being able to get within range of a WAP running in your organization. Unfortunately, oftentimes this is not a practical measure, and it’s useless in regard to people with unauthorized WAPs (they already aren’t paying attention to the security policy, so they probably don’t care about where they locate their WAP).

WLAN Modes of Operation and Components

Another aspect of your wireless security policy should define the mode of operation permitted for your WLANs. WLANs have two modes of operation. The first mode of operation is infrastructure mode, and it’s the conventional WLAN configuration. Infrastructure mode entails the wireless clients being connected to the existing wired infrastructure by way of a WAP or wireless router. The second mode of operation is ad hoc mode, sometimes referred to as peer-to-peer mode. In ad hoc mode, multiple wireless clients are connected to each other in a peer-to-peer fashion, allowing small workgroups of computers to connect to each other without any other infrastructure. You should not allow ad hoc connections in your environment.

You also need to explicitly define the physical WLAN components you will allow in your network. This will assist you in detecting and identifying unauthorized wireless devices. The three primary WLAN components to define in your environment are the following:

  • Wireless access point (WAP): A WAP (sometimes referred to as a base station) is the device that wireless clients connect to. A WAP can typically connect hundreds of wireless clients and effectively operates like a bridge, allowing the client access to the physical LAN segment the WAP is connected to. WAPs are typically used in enterprise environments to provide wireless access.
  • Wireless router: Wireless routers combine the functionality of a WAP with a router, allowing wireless clients to connect to the router and then be routed to other networks. Wireless routers often include firewall functionality and are typically used in small office/home office (SOHO) environments to provide wireless access.
  • Wireless client: Wireless clients include any device that uses a wireless network card to communicate with a WAP or wireless router.

  • Provide a supported WLAN infrastructure. If people want a WLAN and they don’t have one, they might be tempted to implement one on their own. On the other hand, if you make sure you implement a WLAN that supports your users’ needs, they will be much less likely to decide to go about it on their own. The truth is, most rogue WLANs are implemented by nonmalicious users who simply think that a WLAN will make their lives easier.

  • Implement 802.1x port-based security on your switches. As we will discuss in Chapter 9, you should implement 802.1x port-based security to prevent any unauthorized connections to your network by requiring all connections to be authenticated. This includes preventing an unauthorized WAP from being able to connect.

  • Limit the number of MAC addresses per port to only one. This will prevent switches from passing packets from rogue WAPs because the WAP and the client both have different MAC addresses. This is also a good measure if you want to prevent the users from plugging in a “rogue” switch or hub as well. You can implement this on many IOS-based switches by running the following command at the CLI:

    switch02(config-if)# switchport port-security maximum 1

Rogue WAPs   

I personally know of companies that have rogue WAPs that allow anyone on the freeway to access their internal production network, including potentially granting access to source code. A rogue WAP is a death blow to security because no matter how much you have hardened the perimeter, it has been instantly undermined by the WAP once it connects to your internal network.


Once you have undertaken procedures to prevent unauthorized WAPs, the next step is to implement procedures to detect unauthorized wireless connections.  


Implementing WLAN Discovery Procedures

Just because we can’t really prevent unauthorized WAPs from being implemented on the network doesn’t mean we can’t detect and remove them. It just means that we need to get a little creative in how we approach the problem.

You have two primary methods of detecting unauthorized WAPs on your network. The first method attempts to detect them wirelessly. The second method attempts to detect them from the wired network.

Detecting Unauthorized WAPs Wirelessly

The most effective method of detecting unauthorized WAPs is by simply using a wireless client and locating the WAPs broadcasting in your environment. A few caveats must be considered when employing this method, however:

  • You have to be within range of the WAP in order to detect it.

  • It is very difficult to detect a WAP that does not broadcast its SSID.

  • It can be difficult to survey remote sites.

The good news is that because most unauthorized WAPs are not implemented by malicious users (and oftentimes are implemented by nontechnical users), the odds are high that the SSID broadcast has not been disabled. This leaves us with the problems of needing to be within range of the WAP to detect it and trying to survey remote sites. It is often impractical for someone in IT to spend the day walking around trying to determine if they can detect access points. One of the best solutions I have seen for this is to take advantage of someone who on a daily basis must walk around the environment—the mail delivery person. You can outfit this person with a laptop or handheld carrying extra batteries and while they make their normal rounds delivering the mail, the laptop can sit in the bottom of the mail cart quietly detecting any WAPs. A number of wireless analyzers can be used to detect the presence of unauthorized WAPs, including the following:

NetStumbler provides one of the easiest methods for detecting a rogue AP over the wireless network. Once you install NetStumbler, the program automatically begins scanning for WAPs with no configuration required on your part (other than providing the wireless NIC, of course). For example, the screen shown next depicts what I was able to capture while driving down a major freeway in the Houston area. I captured 175 WAPs, of which 113 were running no encryption whatsoever, and none of which were running WiFi Protected Access (WPA). Instead, they were all using WEP.


Detecting Unauthorized WAPs from the Wired Network

Detecting unauthorized WAPs from the wired network is generally not as easy a process as it is to detect them wirelessly. After all, it doesn’t get much simpler than walking around with a laptop and a wireless card. At the same time, you can’t really do much about the biggest problem with trying to detect a WAP wirelessly, namely, detecting a WAP that is not broadcasting its SSID.

Using a wired detection process can alleviate some of the disadvantages to trying to detect an unauthorized WAP wirelessly. For example, a wired detection process is not susceptible to missing WAPs that do not broadcast their SSIDs. In addition, a wired detection process can be used to survey remote sites and can even be scheduled and scripted to increase ease of use.

Unfortunately, there are some drawbacks to this method. It can be difficult to locate all the unauthorized access points. This is largely due to the lack of mature or specialized products for this task. Currently, most techniques rely on using MAC addresses (because all vendors are assigned a MAC address range) or OS fingerprinting to identify the WAP, both of which are an imprecise science. Here are two tools that can assist you in identifying an unauthorized AP by monitoring MAC addresses:

Here are some tools that can assist you in OS fingerprinting:

Both of these methods share the common problem of generating false positives. For example, Nmap recognizes a Linksys WAP54G as a Linux device because it actually runs Linux for the OS. This can make it difficult to determine whether the device is indeed a WAP or just a Linux host running on your network. MAC address tools rely on identifying a device due to it having a MAC address that has been assigned to a wireless vendor. That can make it difficult to distinguish between a Cisco AP and a Cisco switch if the database of MAC addresses has not been accurately updated.
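A sketch of the MAC-address approach described above, written as an added example rather than code from the book or any tool it refers to: it reads a switch MAC address table, flags access ports where an unapproved MAC falls in a wireless vendor's range, and also flags ports that show more than one MAC. The OUI prefixes, inventory, uplink list and table rows are constructed placeholders.

```python
"""Flag switch ports that may have a rogue WAP behind them (added example)."""
import re
from collections import defaultdict

# Constructed OUI list: placeholder prefixes, not real vendor assignments.
WIRELESS_OUIS = {
    "02aa01": "ExampleWireless (AP-only vendor)",
    "02bb02": "ExampleNet (sells APs and switches)",
}
# MACs of approved infrastructure (constructed inventory).
AUTHORIZED = {"02bb02000001"}
# Trunk/uplink ports legitimately carry many MACs, so they are skipped.
UPLINKS = {"Gi0/1"}

# Constructed sample in the layout of IOS "show mac address-table" output.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    02cc.0300.1111    DYNAMIC     Fa0/1
  10    02aa.0100.2222    DYNAMIC     Fa0/2
  10    02cc.0300.3333    DYNAMIC     Fa0/2
  10    02bb.0200.0001    DYNAMIC     Fa0/5
  20    02bb.0200.4444    DYNAMIC     Fa0/7
  10    02cc.0300.5555    DYNAMIC     Gi0/1
  10    02cc.0300.6666    DYNAMIC     Gi0/1
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$"
)


def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator lines are ignored."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            entries.append((int(match.group(1)), normalize(match.group(2)), match.group(4)))
    return entries


def find_suspect_ports(entries, uplinks=UPLINKS):
    """Map each suspicious access port to the reasons it was flagged."""
    by_port = defaultdict(set)
    for _vlan, mac, port in entries:
        if port not in uplinks:
            by_port[port].add(mac)

    findings = {}
    for port, macs in by_port.items():
        reasons = []
        for mac in sorted(macs):
            vendor = WIRELESS_OUIS.get(mac[:6])
            if vendor and mac not in AUTHORIZED:
                reasons.append(f"{mac} has wireless-vendor OUI: {vendor}")
        # A WAP bridges its clients, so the switch sees the WAP plus each client.
        if len(macs) > 1:
            reasons.append(f"{len(macs)} MACs on one access port")
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in find_suspect_ports(parse_mac_table(SAMPLE_MAC_TABLE)).items():
        print(port)
        for reason in reasons:
            print("   ", reason)
```

Fa0/7 is the false-positive case from the text: its prefix belongs to a vendor that sells both APs and switches, so the hit is a lead to check, not a verdict.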

Detecting WAPs from the Wired Network   

While I was writing this, I got into a discussion with a colleague about the inconsistencies and difficulties of detecting a rogue wireless AP on the network. He mentioned that he was testing an alpha version of Network Associates ePolicy Orchestrator (EPO; http://www.nai.com/us/products/mcafee/mgmt_solutions/epo.htm) that has the ability to detect rogue wireless APs. When I asked him how well it worked, he mentioned that he had tested EPO with a number of different wireless APs and that it detected all of them within 5–8 minutes of being brought online. The technology is definitely improving, and the accuracy of the detection algorithms is getting much better.

 

Removing Rogue WAPs

Once you have detected a rogue WAP, you have a couple of methods you can use to shut it down. One option is to attempt to physically locate and disconnect the WAP from the network. However, this can be both time consuming and prone to failure. The obvious difficulty in this method is that it can be very difficult to locate the WAP, usually through a trial-and-error process. (Is the WAP here? No. Is it here? No.)

Another option is to locate the switch port that the MAC address is connected to and shut that switch port down. Similarly, you can determine the IP address of the WAP and attempt to block the IP address. Personally, I recommend shutting down the switch port. In many cases, this will cause the person to seek you out, saving you the time and effort of trying to find them.

User: Uh, yes, I can’t access anything on the network anymore. I don’t know what happened.

You: No problem. We know exactly what is going on. What office are you in?  


Hardening Wireless Access Points

Although all wireless access points have unique interfaces, they share common functions and processes that can be hardened. This section focuses on what you can do to harden the WAP itself. We will look at the following hardening steps:

  • Hardening remote administration

  • Configuring the Service Set Identifier (SSID)

  • Configuring logging

  • Configuring services

  • Configuring wireless mode

It would be impossible to detail the procedures for hardening every type of wireless access point manufactured; therefore, I will illustrate the specific hardening steps for the following WAPs:

  • Cisco Aironet 1200 running IOS version 12.2(13)JA2

  • Linksys WAP54G running firmware version 2.06

  • Dell TrueMobile 2300 running firmware version 3.0.0.8 in access point mode

Heads Up!

Many of the configuration changes you make to the Dell TrueMobile 2300 require a restart before they take effect. This can make it difficult to make changes during production hours or while clients are connected to the WAP.

The instructions in this chapter assume that you have configured the device with an IP address that is relevant for your network and that you have already connected to the respective web-based management GUI and successfully logged on. In addition, the screen references refer to the menus you would need to click to access the given screen. For example, “go to the Security | Admin Access screen” means that you must click the Security menu and then the Admin Access menu to be presented with the screen in question.

 

Hardening Remote Administration

Like all our network devices, we should secure our WAPs against unauthorized remote administration. Unfortunately, unlike many network devices, virtually all WAPs fail miserably at providing secure remote administration. This is due to most of them providing only an unencrypted management protocol such as Telnet or HTTP for connecting to the device. Even with that gross oversight in security, certain steps can be taken to harden remote administration. The most important task is to change the default administrative username and to implement passwords that conform to your password security policy.  


Changing the Default Administrator Name and Password

The Cisco Aironet 1200 implements a full IOS feature set. Consequently, it can be hardened for remote access by requiring all CLI connections to use SSH, as you do for your Cisco routers (refer to Chapter 6). In addition, out of the box the Cisco Aironet 1200 uses the default authentication mechanism of a global password (enable secret). You can change the password at the Security | Admin Access screen, as shown next. I recommend that you use an authentication server, where possible, and individual local users if an authentication server is not an option. By default, the WAP ships with a default username of Cisco and a default global password of Cisco. You should change both of these as well. Click Apply in each section when you are finished.

 

If you want to use an authentication server, you must first configure the WAP to use a RADIUS or TACACS+ server at the Security | Server Manager screen in the Corporate Servers section, as shown next. Make sure you scroll down to the Default Server Priorities section and select the newly added authentication server for the Admin Authentication setting. When you are finished, click Apply.

 

The Linksys WAP54G does not implement username and password security. Instead, it uses a password only. You can configure the password at the Setup | Password screen, as shown here. When you are finished, click Save Settings.


The Dell TrueMobile 2300 utilizes both a username and password. By default, the username is admin. You should change both the username and password according to your security policy. This can be done at the Advanced Settings | Administration Settings screen, as shown next. When you are finished, click Submit.


The system administration section shown here is used when the WAP is operating in router mode. The settings allow you to permit an external host (that is, across the Internet) to be able to make remote administration connections to the WAP. You should never enable this functionality because Dell does not support HTTPS for remote administration connections.  


Securely Configuring the Service Set Identifier (SSID)

The service set identifier (SSID) is a unique identifier used in the packet header of wireless packets as a password for authenticating the client. The SSID is also known as the network name. By default, most WAPs will broadcast the SSID so that wireless clients can identify the WAP to which they should connect. This creates an obvious security vulnerability, however, because anyone with a wireless client can immediately determine a WAP is in the area by using a tool such as NetStumbler.

To address this issue, it is recommended that you disable the SSID broadcast.


Heads Up!

In my experience, I have found that some wireless clients will not connect to a WAP that is not broadcasting the SSID. This is particularly true of Microsoft PocketPC 2003 devices using the SanDisk SDIO WiFi NIC (or any other NIC based on the Socket chipset and driver). I have, as of yet, been unable to determine why this is, though my suspicion is that it’s due primarily to the immaturity of the SDIO cards and drivers.


Another problem with the SSID is that many people configure it with a value that makes it easy to locate where the WAP is physically located. This is both good and bad. It is good in the sense that it allows you to quickly identify where a WAP is. It is bad, however, in that it can let hackers know that they have connected to a WAP at their target company. As a result, when you configure the SSID, you should never include any information that might identify your company, location, or brand of WAP.

The last aspect of SSID hardening you should configure is the beacon interval, which is the amount of time that transpires before the WAP advertises the SSID via broadcast. By setting the beacon interval to its maximum setting, you increase the difficulty of performing passive scanning. It is important to understand that disabling SSID broadcast or increasing the SSID beacon interval is not an end-all security solution. In fact, Microsoft claims that this is not a security measure at all. This is due to the fact that even if the SSID is not broadcast, it can still be determined if someone is using a sniffer in the area where a WAP is in operation. Changing these settings is still an effective method of obscuring your WAP from casual threats, however. All these SSID settings can be configured as follows.

The Cisco Aironet 1200 uses a default SSID of “tsunami” in what is called guest mode, which means the SSID is broadcast in the beacon. The default SSID should be removed and replaced with a new one for your environment. This can be done at the Security | SSID Manager screen shown next. If you want to make sure the SSID is not broadcast, ensure that no SSID is configured in the Guest Mode field in the “Global Radio0-802.11B SSID Properties” section of the SSID Manager screen. When you are finished, click Apply.


For the Linksys WAP54G, you can configure the SSID at the Setup | Basic Setup screen, shown next. When you are finished, click Save Settings.

 

The beacon interval can be configured at the Advanced | Advanced Wireless screen, shown next. When you are finished, click Save Settings.


For the Dell TrueMobile 2300, you can configure the SSID and the beacon interval at the Advanced Setting | Advanced Wireless screen, as shown next. To turn off the SSID broadcast, check the box labeled Hide My Wireless Network. When you are finished, click Submit.


Configuring Logging

Like with your firewalls, it can be extremely beneficial to configure your WAP for logging. The objective is for the logging to show you what is going on with the WAP, particularly in regard to unauthorized access attempts. Cisco and Linksys support conventional syslog. Dell does not support any logging facility.

For the Cisco Aironet 1200, you can configure logging to a syslog server at the Event Log | Notification Options screen, shown next.


For the Linksys WAP54G, you can configure logging at the Setup | Log screen, shown next. Simply enable logging and enter the syslog server to which events should be sent. When you are finished, click Save Settings.


Hardening Services

Not many services need to be hardened for most WAPs, with the notable exception of Cisco. The most common services you might run across are as follows:

  • Simple Network Management Protocol (SNMP)

  • Network Time Protocol (NTP)

  • Dynamic Host Configuration Protocol (DHCP)

Configuring SNMP

Cisco and Linksys support using SNMP for management of the WAP; however, neither supports using SNMPv3. Also, both SNMPv1 and SNMPv2 have no security features. Therefore, if you do not need SNMP, you should disable it.

By default, the Cisco Aironet 1200 ships with SNMP disabled. However, you can enable this service at the Services | SNMP screen.

You can configure SNMP support for the Linksys WAP54G at the Advanced | SNMP screen, shown next. Simply enable SNMP, specify a read-only and a read-write community string, and enter the appropriate information in the identification fields. When you are finished, click Save Settings.

Heads Up! — Because the Linksys WAP54G displays the SNMP community strings in clear text, you should ensure that no one is looking over your shoulder while you are at this screen. 


Configuring NTP

The Cisco Aironet 1200 supports the use of NTP primarily to facilitate accurate timestamps for the syslog facility. You can configure NTP at the Services | NTP screen, shown next.


Disabling the DHCP Server

Because the Dell TrueMobile 2300 is sold as a SOHO wireless access router, it is shipped with a DHCP server configured and active by default. You should disable DHCP at the Advanced Settings | DHCP Server Settings screen by unchecking Enable DHCP Server Functions and then clicking Submit.

Configuring Miscellaneous Services on the Cisco Aironet 1200

In addition to the previously mentioned services, the Cisco Aironet 1200 ships with a whole slew of additional services you need to be aware of. They can all be accessed at the Services screen, as shown next (in this case, the screen shows the default status of all the services after I disabled Telnet and permitted only SSH access, as previously recommended).


As you can see, many of the services are disabled by default. In general, you should disable any service you do not need. The Cisco Discovery Protocol (CDP) and Domain Name Service (DNS) are two specific services you should consider configuring.

Cisco Discovery Protocol

As previously discussed, CDP is used by Cisco to locate other Cisco devices. Unless you are using a network management system that takes advantage of CDP, you should disable it. If you do require CDP, you should consider whether you need the CDP broadcasts to be sent over the WLAN. If you do not, you should disable CDP on the Radio0-802.11B radio, as shown next. Click Apply when you are finished.


Domain Name Service

DNS is used to allow the WAP to resolve names to IP addresses. It does not allow the WAP to operate as a DNS server. DNS is largely a service of convenience, allowing you to enter device names at various fields so that the WAP can automatically resolve and convert those names to IP addresses. Like all services, however, if you do not require this functionality, you should disable it. Remember, any running service is potentially vulnerable to current exploits as well as unknown future exploits.


Restricting Wireless Mode

Many WAPs support operating in 802.11a, 802.11b, 802.11g, or any combination thereof. If you do not need to support multiple wireless access modes, you should disable any unnecessary ones. For example, if you only need to support 802.11b in your environment, you should disable 802.11a and 802.11g. This will ensure that only individuals using the wireless mode you have defined have any chance of connecting to your environment.

The Cisco Aironet 1200 supports using multiple wireless modes through the implementation of multiple physical radio modules.

You can configure the wireless mode on the Linksys WAP54G at the Setup | Basic Setup screen, shown next. Simply select the access mode you want to use, or select Mixed to support both. Click Save Settings when you are finished.


You can configure the wireless mode on the Dell TrueMobile 2300 at the Advanced Settings | Advanced Wireless screen, shown next. Simply select the wireless mode from the drop-down selection and click Submit.


Using MAC Address Filtering

One of the most valuable hardening steps you can undertake with your WAP is to implement MAC address filtering. MAC address filtering enables you to specify the MAC addresses that will be allowed to connect to the WAP. At that point, even if someone manages to obtain all the information necessary to connect to the WAP, if their MAC address is not permitted, they still cannot connect. The drawback to this method, however, is that it may require significant overhead for managing all the MAC addresses that may need to be permitted. In addition, MAC addresses can be spoofed, so it is not a panacea but rather another component of the hardening process.

The Cisco Aironet 1200 uses the well-documented Cisco access-list function to restrict/permit clients from establishing an association with the WAP. The first step is to build the access list. You can do this at the Services | Filters screen by selecting the MAC Address Filters tab, shown next.


Enter the appropriate filter index (ACL number) for the MAC address filter. Next, enter the MAC address you want to specify and a wildcard mask. Keep in mind that for Cisco, a value of “0” in the mask means that the corresponding bit in the MAC address must precisely match the filter entry. A value of “H” in the mask means that the corresponding bit in the MAC address is ignored for the purposes of filtering. This can be used, for example, to grant all of a certain vendor’s MAC addresses. Once you have entered this information, the next step is to decide whether the MAC address will be forwarded or blocked. My recommendation is to make the default action Block All and then configure a Forward action for the MAC addresses you explicitly want to forward. When you are finished, click Apply.

The next step is to apply that ACL to the WAP. You can do this at the Security | Advanced Security screen by clicking the Association Access List tab, shown next. Select the filter from the drop-down list and then click Apply.

Heads Up! — Once you have implemented this procedure on your Cisco Aironet 1200, you may find that wireless clients that are not permitted by the ACL still appear to associate with the WAP. Appearances are deceiving, however, because these wireless clients are unable to send and receive any data through the WAP.
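The filter logic from the Cisco steps above (wildcard mask, default Block All, explicit Forward entries), as an added example that is not Cisco's code or the book's. It assumes masks are written in hex with a set bit marking a position that is ignored, and all MAC addresses are constructed; `addresses_admitted` shows how many addresses a single vendor-wide entry lets through.

```python
"""MAC association filter with wildcard masks (added example, constructed data)."""

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space


def mac_to_int(mac):
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def addresses_admitted(mask):
    """How many distinct MACs one entry with this wildcard mask matches."""
    return 2 ** bin(mac_to_int(mask)).count("1")


class MacFilter:
    """Ordered filter entries; the first match wins, else the default action."""

    def __init__(self, default_action="block"):
        self.default_action = default_action
        self.entries = []

    def add(self, address, mask, action):
        # Assumed convention: 0 bits in the mask must match, 1 bits are ignored.
        care = ~mac_to_int(mask) & MAC_BITS
        self.entries.append((mac_to_int(address) & care, care, action))

    def decide(self, client_mac):
        client = mac_to_int(client_mac)
        for wanted, care, action in self.entries:
            if client & care == wanted:
                return action
        return self.default_action


def build_example_filter():
    """Default Block All plus two Forward entries (constructed addresses)."""
    acl = MacFilter(default_action="block")
    # Exact match: one known client.
    acl.add("0200.5e10.0001", "0000.0000.0000", "forward")
    # Vendor-wide match: the last 24 bits are ignored.
    acl.add("02aa.0100.0000", "0000.00ff.ffff", "forward")
    return acl


if __name__ == "__main__":
    acl = build_example_filter()
    for mac in ("0200.5e10.0001", "0200.5e10.0002", "02aa.01ab.cdef", "02aa.02ab.cdef"):
        print(mac, acl.decide(mac))
    print("vendor-wide entry admits", addresses_admitted("0000.00ff.ffff"), "addresses")
```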

You can enable MAC address filtering on the Linksys WAP54G at the Advanced | Filters screen, shown next. Simply select Enable from the drop-down box and specify how you want to perform the filtering. You can either filter to prevent the listed MAC addresses from being able to connect or to permit the listed MAC addresses to be able to connect. I recommend the latter in most circumstances, because it is generally easier to figure out who you want to allow to connect, as opposed to figuring out who you want to prevent. You can filter up to 40 MAC addresses by using the drop-down box to select MAC 21-40. When you have finished entering the MAC addresses to filter, click Save Settings.


The Dell TrueMobile 2300 uses a simplified MAC filtering process. You simply enter the MAC addresses you want to permit to connect. This is done at the Advanced Settings | Access Control Settings screen, shown next. Check the box Enable MAC Access Control and then add the MAC addresses you want to permit. When you are finished, click Submit.
