Set a suitable Wi-Fi wireless standard. For new installations this is typically one of the current high-performance standards such as IEEE 802.11g and 802.11n, and soon also 802.11ac; check whether older devices in the Wi-Fi still work with the chosen standard. It is important that both frequency bands, 2.4 and 5 GHz, are used.

Select appropriate authentication methods. WPA2 (Wi-Fi Protected Access) is the option here, either as WPA2-PSK (pre-shared key) for smaller installations or as WPA2-Enterprise with user-specific logon via a RADIUS server.
WPA2 is the successor of the insecure WEP standard. When using WPA2-PSK, define a sufficiently long password and change it regularly. It should consist of at least 20 characters, with uppercase and lowercase letters as well as special characters and numbers, so that brute-force or dictionary attacks are more difficult. Changing the password is problematic with pre-shared keys, because by default all users share the same password and therefore all of them must change it at the same time. When using WPA2-Enterprise, use a trusted certificate for the RADIUS server. With a correct client configuration, man-in-the-middle (MITM) attacks can then be prevented; otherwise, if the Windows AD account is used for logon, an attacker can use a MITM attack to spy out the user name and password.
As a much safer alternative, the use of a client certificate is therefore recommended. In addition, access should be restricted to trusted devices by MAC address.

Plan the administration of the Wi-Fi infrastructure using a management system, with processes for regular evaluation of the log information and planning systems. Develop an overarching network concept covering the expansion of the own LAN, a separate guest network, security zones and a VLAN-based subdivision of the network. Implement effective procedures for rogue access point detection in order to eliminate unauthorized access points (rogue APs) selectively. Establish emergency preparedness for a possible WLAN outage; this includes in particular redundant communication links, arrangements for failure situations and countermeasures for security incidents.
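The rogue AP detection procedure mentioned above, as an added illustration that is not part of the original text: a scan snapshot is compared against an inventory of authorized SSIDs and BSSIDs, flagging evil twins (our SSID on an unknown radio), authorized radios with downgraded security, and strong foreign APs that are probably on the premises. All SSIDs, BSSIDs and the signal threshold are constructed sample values.

```python
"""Rogue AP triage over a Wi-Fi scan snapshot (constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
# Authorized infrastructure: SSID -> set of BSSIDs (constructed sample values).
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:03"},
}
# Assumed threshold (dBm): a foreign AP this strong is probably on the premises.
ON_PREMISES_DBM = -60

@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN", "WEP"
    rssi_dbm: int

def classify(obs: Observation) -> Optional[str]:
    """Return a finding label for one observed AP, or None if it is expected."""
    known = AUTHORIZED.get(obs.ssid)
    if known is not None:
        if obs.bssid.lower() not in known:
            return "EVIL_TWIN"  # our SSID on an unknown radio
        if obs.security in ("OPEN", "WEP"):
            return "WEAK_SECURITY"  # authorized radio, insecure settings
        return None
    if obs.rssi_dbm >= ON_PREMISES_DBM:
        return "ROGUE_ON_PREMISES"  # foreign SSID, strong signal
    return None  # weak foreign signal: probably a neighbour's network

def triage(scan: List[Observation]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}  # label -> ["SSID/BSSID", ...]
    for obs in scan:
        label = classify(obs)
        if label:
            findings.setdefault(label, []).append(f"{obs.ssid}/{obs.bssid}")
    return findings
SAMPLE_SCAN = [  # constructed scan results, not real devices
    Observation("corp-wifi", "00:11:22:33:44:01", "WPA2-EAP", -45),
    Observation("corp-wifi", "DE:AD:BE:EF:00:01", "WPA2-EAP", -50),
    Observation("corp-guest", "00:11:22:33:44:03", "WEP", -55),
    Observation("FreeWifi", "AA:BB:CC:DD:EE:FF", "OPEN", -42),
    Observation("neighbour-net", "11:22:33:44:55:66", "WPA2-PSK", -85),
]

if __name__ == "__main__":
    for label, aps in triage(SAMPLE_SCAN).items():
        print(label, aps)
```

Findings of each label are the candidates to locate and remove selectively, as the text recommends, rather than acting on every foreign SSID in range.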