The following checklists provide an overview of all of the important security settings. Most of the points in this checklist are uncritical for simple configurations. In these cases, the security settings in the basic configuration or that were set with the Security Wizard are sufficient.
- Have you secured your wireless network with encryption and access control lists?
- With the help of 802.11i, WPA or WEP, you can encrypt the data in your wireless network with different encryption methods such as AES, TKIP or WEP. LANCOM recommends the strongest possible encryption with 802.11i and AES. If the WLAN client adapters do not support these, then you should use TKIP or at least WEP. Make sure that the encryption function in your device is activated, and that at least one passphrase or WEP key has been entered and selected for application.
Important: For security reasons, LANCOM strongly advises you not to use WEP! You should only ever use WEP under exceptional circumstances. When using WEP encryption, use additional security mechanisms additionally.To check encryption settings in LANconfig, go to and select the settings for the logical WLAN interfaces. With the access control list (ACL) you can permit or prevent individual clients accessing your wireless LAN. The decision is based on the MAC address that is permanently programmed into wireless network adapters. To configure the access-control list in LANconfig, go to Station rules under . The LANCOM Enhanced Passphrase Security (LEPS) uses an additional column in the ACL to assign an individual passphrase consisting of any 8 to 64 ASCII characters to each MAC address. The connection to the access point and the subsequent encryption with IEEE 802.11i or WPA2 is only possible with the right combination of passphrase and MAC address. See also Configuration. Access control is takes place in phases. First, a search is made for a LEPS-MAC entry. If no such entry exists, a search is made for a LEPS-U entry. Finally, a search is made for a passphrase set for the WLAN under .Note: When operating LEPS-U and/or LEPS-MAC, this passphrase should be kept secret and preferably not used at all. Users or MAC addresses removed from the system should not be able to gain access by means of the WLAN passphrase instead.
- Have you protected the configuration with a password?
- The simplest way of protecting the configuration is to agree upon a password. If no password has been agreed for the device, the configuration is open to be changed by anybody. In LANconfig, the field for entering the password is located under . It is absolutely imperative to assign a password to the configuration if you want to enable remote configuration!
- Have you permitted remote configuration?
- If you do not require remote configuration, please ensure to switch it off. If you need to make use of remote configuration, ensure that you do not fail to password-protect the configuration. In LANconfig, the field for disabling remote configuration is located under Configuration access ways set all protocols to denied. You also have the option of blocking the HTTP port for web-server services. To do this, go to the section Access to web server services and under select the option disabled. . In the section
- Have you allowed configuration from the wireless LAN?
- If you do not need to configure the device from the wireless LAN, switch this function off. In LANconfig, the field for disabling configuration from a wireless LAN is also located under Configuration access ways set all protocols to denied. You also have the option of blocking the HTTP port for web-server services. To do this, go to the section Access to web server services and under select the option disabled. . In the section
- Have your password-protected the SNMP configuration?
- Protect the SNMP configuration with a password too. The field for password-protecting the SNMP configuration is also to be found in LANconfig under .
- Have you activated the firewall?
-
The stateful inspection firewall of devices ensures that you local network cannot be attacked from the outside while your WLAN controller is operating as a Public Spot. Activate the firewall in LANconfig under Important: Note that firewall security mechanisms (incl. IP masquerading, port filters, access lists) are active only for data connections that are transmitted via the IP router. Direct data connections via the bridge are not protected by the firewall!
.
- Are you using a "deny all" firewall strategy?
- Maximum security and control is initially achieved by denying all data traffic from passing the firewall. The only connections to be accepted by the firewall are those that are to be explicitly permitted. This ensures that "Trojan horses" and certain types of e-mail virus are denied communication to the outside. The firewall rules in LANconfig are located under and or .
The stateful inspection firewall of devices ensures that you local network cannot be attacked from the outside while your WLAN controller is operating as a Public Spot. Activate the firewall in LANconfig under .
Important: Note that firewall security mechanisms (incl. IP masquerading, port filters, access lists) are active only for data connections that are transmitted via the IP router. Direct data connections via the bridge are not protected by the firewall!
- Have you activated IP masquerading?
- With "IP masquerading", local computers remain invisible to the outside while they access the Internet. All that is revealed to the Internet is the IP number of the router module of the device. The IP address can be fixed or dynamically assigned by the provider. The computers in the LAN use the router as a gateway and are not visible individually. The router separates the Internet from the intranet like a wall. The application of IP masquerading is set in the routing table for every route individually. The routing tables for IPv4 and IPv6 in LANconfig are located under .
- Have you used filters to close critical ports?
- The firewall filters in the device offer filter functions for individual computers or entire networks. It is possible to set up source and destination filters for individual ports or port ranges. Furthermore, filters can be set for individual protocols or any combination of protocols (ICMP). It is especially convenient to set up the filters with the aid of LANconfig. You can create and modify filter rules under and or .
- Have you excluded certain stations from accessing the device?
- A special filter list can be used to limit access to the device's internal functions via TCP/IP. The phrase "internal functions" refers to configuration sessions via LANconfig, WEBconfig, Telnet or TFTP. As standard this table contains no entries, meaning that computers with any IP address can use TCP/IP and TFTP to commence accessing the device. The first time an IP address is entered with its associated netmask, the filter is activated and only the IP addresses contained in this entry are entitled to make use of internal functions. Further entries can be used to extend the circle of authorized parties. The filter entries can describe individual computers or even entire networks. The access lists in LANconfig are located under and .
- Do you store your saved configuration to a safe location?
- Protect your saved configurations in a location that is safe from unauthorized access. Otherwise, byway of example, an unauthorized person may load your stored configuration file into another device and they can access the Internet at your expense.
- Concerning the exchange of your particularly sensitive data via wireless LAN; have you set up the functions offered by IEEE 802.1X?
- If you move especially sensitive data via wireless LAN you can provide even stronger security by using the IEEE 802.1X technology. In LANconfig, the IEEE 802.1X settings are configured under .
- Have you activated the protection of your WAN access in case the device is stolen?
- After being stolen, the device can theoretically be operated at another location by unauthorized persons. Password-protected device configurations do not stop third parties from operating RAS access, LAN connectivity or VPN connections that are set up in the device: A thief could gain access to a protected network. The device’s operation can be protected by various means; for example, it will cease to function if there is an interruption to the power supply, or if the device is switched on in another location. GPS location verification enables a geographical position to be defined within the device. After being switched on the device automatically checks if it is located at the "correct" position. Only after a positive check is the router module activated. The scripting function can store the entire configuration in RAM only so that restarting the device will cause the configuration to be deleted. The configuration is not written to the non-volatile flash memory. A loss of power because the device has been relocated will cause the entire configuration to be deleted.
- Is the storage of configuration files adapted to your security requirements?
- For "standalone operation", the configuration for a WLAN interface being managed by a WLAN controller is stored in flash memory for a certain time only, or even in the RAM only. This device configuration is deleted if contact to the WLAN controller is lost or if the power supply is interrupted for longer than the set time period.
- Have you ensured that the reset button is safe from accidental configuration resets?
- Some devices simply cannot be installed under lock and key. There is consequently a risk that the configuration will be deleted by mistake if a co-worker presses the reset button too long. The behavior of the reset button can be set so that a press is either ignored or it causes a re-start, depending on the time for which it is held pressed.