12-22-2012, 09:42 AM
Postid: 182215
Registered User
Join Date: Jul 2001
Posts: 363
Wireless option needed
I need to add a wireless component to my LAN, but because of PCI compliance issues, I need to find something secure. (That may not exist, but I need to try!)
Anyone have any good options for me to check out? I'm basically looking for a router I can plug into my current network & extend it to a couple of wireless devices (iPod, printer) or one I can just add by itself, but keep secure.
Thanks!

12-22-2012, 12:16 PM
Postid: 182216
Site Owner
Join Date: Nov 2003
Location: Orlando, FL
Posts: 1,141
Re: Wireless option needed
Just about any router with WPA2 is about as secure as you can get right now if you are using WiFi in general.
http://www.wi-fi.org/discover-and-learn/security
Always make sure you change the default SSID and admin passwords for the router as soon as you get one.
Also, many routers now have a MAC Address Whitelist feature, in which you can list all the devices in your location that you want to connect, and it will refuse connections to all others regardless of whether they have the right WPA2 credentials. Of course, the MAC Address can be spoofed, but at least it is another layer of protection.
I also found these if you haven't already seen them:
http://revolutionwifi.blogspot.com/2...hieve-pci.html
https://www.pcisecuritystandards.org...Guidelines.pdf
John
__________________
Klaatu: I won't resort to threats, Mr. Harley. I merely tell you the future of your planet is at stake.
The Day the Earth Stood Still (1951)

12-26-2012, 03:29 PM
Postid: 182222
Site Owner
Join Date: Jul 2001
Location: where the boat is: Chesapeake Bay
Posts: 722
Re: Wireless option needed
A wireless component of a LAN that includes customer credit card data is a bad idea. You need much more than just a wireless router. You're going to need a serious firewall, and to put the wireless bits between the inside network and your Internet connection.
You have a huge liability if you don't do this right.
__________________
dave
S/V Auspicious
lying Annapolis MD
On the eighth day there were regular expressions.
--me

12-26-2012, 04:10 PM
Postid: 182223
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,986
Re: Wireless option needed
It is certainly possible to do wifi securely.
WPA2 with RADIUS authentication is probably the best choice between security and convenience (the advantage of the RADIUS authentication is that each user has their own key rather than just using a single key for everyone).
Personally, I like to run OpenVPN over my wifi. It is faster than WPA2, is much easier to upgrade if a vulnerability is ever found, and it is what I would use if I was on someone else's wifi and therefore I can use the same configuration whether my netbook and phone are at home or anywhere else.
__________________
Kevin

12-26-2012, 05:07 PM
Postid: 182224
Registered User
Join Date: Jul 2001
Posts: 363
Re: Wireless option needed
I already meet my PCI compliance, both the annual review & monthly scans, so my LAN is configured properly for compliance. I will use WPA2 security, and I see that the AP I bought does have RADIUS support as well as MAC address filtering. There are only going to be 2 devices accessing the wireless signal (an iPod and a wireless printer) so it should be easy to monitor & control.
Thanks for the advice & links, all very helpful!

12-26-2012, 05:19 PM
Postid: 182225
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,986
Re: Wireless option needed
Don't trust the MAC address filtering. It is trivial for an attacker to set whatever MAC address they want.
It sounds like you just want plain WPA2. You don't need the RADIUS authentication. The main purpose of that is so that each user has their own key so that when someone leaves you just delete their access rather than having to give everyone who remains a new key or staying with the key that someone who doesn't work there anymore knows.
__________________
Kevin

12-26-2012, 06:39 PM
Postid: 182226
Registered User
Join Date: Jul 2001
Posts: 363
Re: Wireless option needed
OK, sounds good, thanks again!
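
An added example, not part of the original thread or any poster's code: a small Python check of the plain WPA2 (WPA2-Personal) settings the replies recommend (non-default SSID, changed admin password, no reliance on MAC filtering). It also shows the standard WPA2 passphrase-to-key derivation, in which the SSID is the salt, so a factory SSID weakens the salting; the SSID list, finding names and length threshold are assumptions made for the example.

```python
import hashlib
import string

# Constructed sample of factory-style SSIDs; a real audit would use a larger list.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}
# WPA2 passphrases are 8 to 63 printable ASCII characters (space allowed).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
MIN_RECOMMENDED_LEN = 20  # assumption: local policy threshold, not a WPA2 rule


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit_wpa2_personal(ssid: str, passphrase: str,
                        admin_password_changed: bool,
                        relies_on_mac_filter: bool) -> list:
    """Return a list of finding names (hypothetical labels) for one AP config."""
    findings = []
    if ssid.strip().lower() in DEFAULT_SSIDS:
        # Same SSID as thousands of other APs means the same salt as all of them.
        findings.append("default-ssid")
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase-length-invalid")
    elif len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append("passphrase-short")
    if not set(passphrase) <= PRINTABLE:
        findings.append("passphrase-not-printable-ascii")
    if not admin_password_changed:
        findings.append("default-admin-password")
    if relies_on_mac_filter:
        # MAC filtering identifies a device but does not authenticate it.
        findings.append("mac-filter-is-not-authentication")
    return findings


if __name__ == "__main__":
    phrase = "correct horse battery staple 42"  # constructed sample passphrase
    for name in ("linksys", "shop-floor-ap"):   # constructed sample SSIDs
        print(name, derive_pmk(name, phrase).hex()[:16], "...")
    print(audit_wpa2_personal("Linksys", "short1234", False, True))
    print(audit_wpa2_personal("shop-floor-ap", phrase, True, False))
```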

All times are GMT -4.