
Wi-Fi 802.11 wireless networks require a service ID (ESSID/SSID) to gain access to the wireless network. It works something like a workgroup under Windows. When you try to access a wireless network, you need to have a specific service ID to participate in that network. While this sounds like a password, in reality it is more of a way to keep track of which access point a card should be using in cases where overlapping wireless access points exist. In fact, there are "snoop" programs that will listen for the SSID that is being used so someone can gain access with that ID to your wireless network. When you keep your ESSID/SSID identifiers secure (as best you can despite snoop programs) you can better control who has access to your network and keep unwanted visitors out.


Every wireless network card has a factory-assigned Media Access Control (MAC) number. This MAC number, or address, is used by the card to announce itself to the network and to provide a way to get information to and from the card at the lowest levels of communications. Because every card has a unique MAC address assigned to it, this address can be used to permit or deny users access to the wireless network or printing zone. To take advantage of MAC address security and add yet another layer of access control, you'll need to configure each wireless access point to permit specific MAC addresses to access the network. By default, anyone not on that list will be denied entry to the network.

While this sounds like a fantastic way to manage access to the network, it can quickly become unmanageable. Companies with a handful of laptops, PDAs, or other wireless devices may be able to manage the list for a while, but eventually it will become difficult to keep track of which devices are legitimately allowed to access the network. With laptops that are stolen or cards that are lost, the potential for unauthorized access using just the MAC address becomes greater.

Tip: It pays to come up with an efficient and effective system for tracking your MAC addresses and their related devices. A simple spreadsheet or database is a good start, and will be easier to manage if you put it in place early.
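
One way to keep the tracking list described above useful is to reconcile it regularly against what each access point actually permits. The following is an added example, not part of the original article; the CSV columns, status values, sample MAC addresses and function names are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample data: a tracking sheet like the one the tip suggests,
# and the permit list exported from one access point (formats vary by vendor).
INVENTORY_CSV = """mac,device,owner,status
00:0C:29:AA:BB:01,laptop-014,j.smith,active
00-0c-29-aa-bb-02,pda-003,m.jones,lost
000c.29aa.bb03,laptop-021,a.wong,retired
00:0C:29:AA:BB:04,laptop-030,r.patel,active
"""
AP_ALLOWLIST = ["000c29aabb01", "00:0C:29:AA:BB:02", "00-0C-29-AA-BB-03",
                "00:0c:29:aa:bb:99"]


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory_csv, allowlist):
    """Compare the tracking sheet with what the access point permits."""
    records = {normalize_mac(r["mac"]): r
               for r in csv.DictReader(io.StringIO(inventory_csv))}
    permitted = {normalize_mac(m) for m in allowlist}
    return {
        # Still permitted on the AP, but the device is lost or retired.
        "revoke": sorted(m for m in permitted
                         if m in records and records[m]["status"] != "active"),
        # Permitted on the AP with no record of which device it is.
        "untracked": sorted(permitted - set(records)),
        # Active device that the AP would deny by default.
        "missing": sorted(m for m, r in records.items()
                          if r["status"] == "active" and m not in permitted),
    }


if __name__ == "__main__":
    for finding, macs in reconcile(INVENTORY_CSV, AP_ALLOWLIST).items():
        print(f"{finding}: {', '.join(macs) or 'none'}")
```

Entries under `revoke` are the lost or retired devices that could still join the network; entries under `untracked` are permitted addresses nobody can account for.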


A final method for protecting your network from unauthorized access is to create a virtual private network that utilizes IPsec encryption to create a "tunnel" between a client and a network resource. This can be implemented to protect the data from prying eyes, but does not prevent access to the wireless network or wireless printing zone. If you have extremely sensitive data, you may want to choose this method of access to ensure that your data is secure as it is transmitted from a client laptop to a network server or printer.

Keep in mind, however, that controlling access via ESSID/SSID identifiers and MAC addresses is just one facet of your total security system. In addition to controlling access, you want to be sure the information floating around your wireless networks is also encrypted.


To combat the potential of someone either guessing or "snooping" the airwaves to find the SSID, as well as to protect data transmitted to and from wireless devices using 802.11, manufacturers have developed WEP encryption. By using either a 40-bit or 128-bit key (choose a longer key to provide better protection), devices connected to the wireless network encrypt data bi-directionally to provide a secure connection. Bluetooth also provides 128-bit security, which allows unknown devices to be blocked from the network. In both cases, the keys need to be known to the wireless devices that need to gain network access. This pre-configuration with a known key is necessary to protect the network. Of course, with every type of protection, it must be enabled before it can be effective. Just having the potential to encrypt the network traffic is not enough until you've actually implemented it.

Warning: A complete wireless security plan involves a combination of the solutions covered here. Learn more about your security options in the white paper linked at right.