(Note that the IEEE is working on a proposal [802.11w] to strengthen management frame security.) Some security professionals recommend disabling the SSID broadcast in beacon frames and disabling the probe response frame for the broadcast SSID. The first action increases WLAN traffic because it forces all stations on the network to scan for a valid AP by periodically transmitting probe requests.The second action forces a network administrator to manually configure the SSID on every station.
Intruders can use shareware, such as Net Stumbler, combined with a high-gain antenna to scan for the existence of WLANs.
Unfortunately, it is nearly impossible to hide the existence of a WLAN or the SSID because management and control frames are not encrypted.
The most common type of wireless network intrusion is that of a rogue AP.
Another intrusion attack is an ad hoc connection whereby a station can associate with another station independent of an AP.
We recommend the following best practices: This lesson describes best practices for maintaining strong user authentication and data privacy on a WLAN.
Authentication Establishing a user's identity is the first step to controlling access to network resources.
WPA2 provides strong encryption (with the Advanced Encryption Standard [AES]), dynamic key exchange, and strong authentication (with 802.1X).
We recommend the following best practices: Note that PSKs are vulnerable to offline dictionary attacks and can be compromised by employees who share the PSK, either accidentally or deliberately, with non-employees.
For example, "use Wi-Fi Protected Access 2 (WPA2) security" is a technology best practice, whereas "train employees not to connect to ad hoc WLANs" is a procedural best practice.