Wednesday, January 5, 2011
[Low-Voltage Systems College] Ten wireless network security fundamentals for industry compliance
Summary: Financial service providers are bound by numerous rules on customer information security. Some of them, notably the well-known Payment Card Industry Data Security Standard, explicitly bring WLANs within their scope and require, for example, detection of anomalous wireless activity and encryption of data transmitted over wireless.
Financial service providers are bound by numerous rules on customer information security. Some of them, notably the well-known Payment Card Industry Data Security Standard (PCI DSS), explicitly bring WLANs within their scope and require, for example, detection of anomalous wireless activity and encryption of data transmitted over wireless. Although each rule has its own specifics, a financial services firm that adopts the following wireless security best practices can build a foundation for complying with the rules of the whole industry:
1. Know your enemy
To secure a wireless network you must know its threats. For example, PCI DSS requires every organization that processes cardholder data to assess the threat of unauthorized wireless access points (APs), including organizations that have no WLAN of their own. You need to audit wireless security threats, identify the ones your business may face, and assess the risk to sensitive data (such as personal financial information and cardholder data).
2. Know yourself
Many of the measures used to reduce wireless security threats are effective only if you have an accurate understanding of your network topology (wired and wireless) and can identify authenticated devices. To develop WLAN security audit and implementation standards, you must maintain a list of authorized access points and clients, their users, their addresses, and the security measures each is expected to implement.
3. Reduce exposure
Even where WLAN use is authorized and traffic flows through a sensitive segment, few rules, PCI DSS included, will fully guarantee users' security on their own. You can reduce exposure by segmenting traffic. Specifically, use a packet-inspecting firewall to stop packets from entering network segments they are not authorized to reach, and enable time-synchronized logging to record both the permitted and the blocked wireless traffic. As a rule, treat every segment reachable from wireless as a "demilitarized zone" (DMZ): deny everything by default and allow only the necessary services and purpose-specific flows through.
4. Close vulnerabilities
Traditional network security best practices can harden all wireless infrastructure exposed to the network (access points, controllers, DNS/DHCP servers). For example: change factory defaults, set strong administrator passwords, turn off unused services, apply patches, and penetration-test the systems. In this step you also need to address the vulnerabilities unique to wireless transmission: choose a non-default network name (SSID) to prevent accidental association, and use dynamic frequency selection (DFS) to avoid radio interference. You can also take measures to protect publicly reachable access points from physical tampering (for example, unplugging cables or resetting the device to factory defaults).
5. Secure the transport
Current access points support WPA2 (AES-CCMP) over-the-air encryption; use it wherever possible. If legacy clients require WPA (TKIP/MIC), use that cipher with care and only on a wireless LAN (SSID) isolated from other users. Avoid WEP, because updated security requirements no longer permit this long-since-broken encryption protocol. In addition, higher-layer encryption (for example, SSLv3/TLS or IPsec) can selectively protect sensitive application flows and transactions, but don't forget to harden the servers and gateways as well.
6. Restrict access
A wireless network opens a window through which outsiders can intrude, and you cannot avoid this unless you take control of it. Select and implement strong WLAN authentication; the best choice is the mutual authentication of the WPA2 standard (802.1X). If your organization lacks the skills, the infrastructure, or 802.1X client support, you can use WPA2-Personal (PSK) instead, but use a random passphrase of at least 13 characters and change it regularly. Never rely on MAC address controls as your only access control measure. If your WLAN provides guest-level Internet access, limit the content that can be reached and log that portion of the network traffic, thereby reducing the company's business risk.
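Points 4, 5 and 6 above translate directly into checks on an access point's configuration. The following is an added example, not code from the original article: it audits a hostapd-style configuration for a default SSID, WEP, legacy WPA/TKIP, a short WPA2-Personal passphrase and a WPA-EAP setting without 802.1X enabled. The two sample configurations and the list of "default" SSIDs are constructed for illustration.

```python
MIN_PSK_LENGTH = 13  # the article's minimum for a WPA2-Personal passphrase
# Illustrative vendor-default network names (an assumption, not from the article).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}

# Constructed sample: legacy mixed-mode AP with a default SSID and a short PSK.
WEAK_CONF = """
ssid=linksys
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=secret12
wpa_pairwise=TKIP CCMP
"""
# Constructed sample: WPA2-Enterprise, 802.1X against a RADIUS server at 10.0.0.5.
HARDENED_CONF = """
ssid=corp-pos-net
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
"""

def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and # comments."""
    lines = [ln.strip() for ln in text.splitlines()]
    return dict(ln.split("=", 1) for ln in lines if ln and not ln.startswith("#") and "=" in ln)

def audit_ap_config(text):
    """Return a list of findings; an empty list means nothing weak was spotted."""
    conf = parse_hostapd(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2/RSN
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID in use")
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP configured; not permitted by current requirements")
    elif wpa == 0:
        findings.append("open network: no WPA2 encryption")
    if wpa & 1:
        findings.append("legacy WPA accepted; set wpa=2 for WPA2 only")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP allowed; use AES-CCMP only or isolate legacy clients")
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if wpa and "WPA-PSK" in key_mgmt and len(conf.get("wpa_passphrase", "")) < MIN_PSK_LENGTH:
        findings.append(f"PSK shorter than {MIN_PSK_LENGTH} characters")
    if "WPA-EAP" in key_mgmt and conf.get("ieee8021x") != "1":
        findings.append("WPA-EAP listed but ieee8021x=1 not set")
    return findings
```

Running `audit_ap_config` over exported configurations of every authorized AP from the inventory in point 2 gives a quick, repeatable check that transport and access settings match policy.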
7. Monitor the airwaves
While many rules strongly recommend a 24/7 wireless intrusion detection or prevention system (WIDS/WIPS), they also allow sites that handle regulated data to perform periodic scans instead. The former is more efficient and its effect is more evident, especially on a large WLAN. Whichever way you choose, understand that what you are monitoring for is not just rogue access points: also unauthorized clients, misconfigured devices, ambiguous security policy, eavesdropping and attack traffic, and authorized clients that are connected, or connecting, to external WLANs.
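Points 2 and 7 together amount to comparing what the monitor sees against the authorized inventory. The following is an added example, not code from the original article: it takes constructed scan results (beacons and client associations) and sorts them into the alert categories listed above, including authorized APs that have gone missing. All MAC addresses, SSIDs and security labels are constructed sample values.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    security: str  # e.g. "WPA2-CCMP", "WPA-TKIP", "OPEN"
# Constructed inventory (point 2): each authorized BSSID with the SSID and
# security it must advertise, plus the set of authorized client MAC addresses.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("corp-pos-net", "WPA2-CCMP"),
    "00:11:22:aa:bb:02": ("corp-guest", "WPA2-CCMP"),
    "00:11:22:aa:bb:03": ("corp-pos-net", "WPA2-CCMP"),
}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed scan: beacons plus (client, bssid) association pairs.
SCAN_BEACONS = [
    Beacon("00:11:22:aa:bb:01", "corp-pos-net", "WPA2-CCMP"),
    Beacon("00:11:22:aa:bb:02", "corp-guest", "WPA-TKIP"),    # weaker than inventory says
    Beacon("66:77:88:cc:dd:ee", "corp-pos-net", "OPEN"),      # our SSID, not our hardware
    Beacon("de:ad:be:ef:00:01", "CoffeeShop", "OPEN"),        # neighbour or rogue: verify
]
SCAN_ASSOCIATIONS = [
    ("aa:bb:cc:00:00:01", "00:11:22:aa:bb:01"),
    ("aa:bb:cc:00:00:02", "de:ad:be:ef:00:01"),   # authorized client on an external WLAN
    ("ff:ee:dd:00:00:09", "00:11:22:aa:bb:01"),   # unknown client on our AP
]

def classify_scan(beacons, associations, authorized_aps, authorized_clients):
    """Group what the monitor saw into the alert categories named in point 7."""
    alerts = {k: [] for k in ("misconfigured_ap", "ssid_impersonation", "unknown_ap",
                               "missing_ap", "unauthorized_client", "client_on_external_wlan")}
    our_ssids = {ssid for ssid, _ in authorized_aps.values()}
    seen = set()
    for b in beacons:
        seen.add(b.bssid)
        expected = authorized_aps.get(b.bssid)
        if expected is None:
            key = "ssid_impersonation" if b.ssid in our_ssids else "unknown_ap"
            alerts[key].append(b.bssid)
        elif (b.ssid, b.security) != expected:
            alerts["misconfigured_ap"].append(b.bssid)
    alerts["missing_ap"] = sorted(set(authorized_aps) - seen)  # down, moved or replaced?
    for client, bssid in associations:
        if client not in authorized_clients and bssid in authorized_aps:
            alerts["unauthorized_client"].append(client)
        elif client in authorized_clients and bssid not in authorized_aps:
            alerts["client_on_external_wlan"].append(client)
    return alerts
```

An "unknown_ap" entry is not automatically a rogue; the article's response procedure in point 8 (locate it, check whether it is on your wired network, remove it if so) is what turns that alert into a decision.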
8. Be prepared
Monitoring is only a tool; you also need to put a WLAN incident response procedure in place. For example, how do you temporarily block an anomalous AP? How do you locate it and physically remove it? You need to review all scan results, WIDS/WIPS alerts and traffic logs so that potential threats are assessed in time. Automated tools (such as a WIDS/WIPS) that track and isolate network connections can counter intrusions in real time. Make sure your monitoring tools collect enough data to make incident response and forensic investigation more accurate.
9. Protect the endpoints
A stolen point-of-sale terminal or a compromised laptop can easily obtain authorization and use an encrypted connection, thereby exploiting a wireless network that otherwise has strong protection. Apply remote-access security best practices here: isolate wireless endpoints so that a lost or stolen mobile device cannot give unauthorized access to the wireless network. If your organization has implemented network access control (NAC), you can check the integrity of devices as they connect to wireless, and use host intrusion detection or prevention to block abnormal endpoint behavior (for example, being connected to the wired and the wireless network at the same time).
10. Assess and improve
Never assume that security measures will work as expected; your security auditors certainly don't. You need to penetration-test the wireless network and its equipment: deliberately trigger WIDS/WIPS alerts, capture wireless traffic and analyze it. Try connecting unauthorized devices and users from different locations, record what happens next, and then patch the vulnerabilities you discover to raise your security baseline. You need regular or occasional security assessments to find and fix newly discovered vulnerabilities; for example, applying security patches to access points, controllers or clients to block new attacks.
To sum up, if a financial enterprise is willing to spend the time to assess wireless security threats, manage access permissions, secure the transport with strong encryption of wireless data, and take the other important measures above, its security may exceed even what its auditors expect.