Wireless network security with HP MSM765 access controller

Hi All,

We have MSM765 wireless access point controllers. We have two ssids for internal and guest wifis. The internal ssid isn't boardcasted and it is configured with WPA2 (AES/CCMP) and the key source is set to Dynamic. We have MAC address list configured on proxy which can only use the internal lan.

Is there anyway we can do better to secure the network? How have you guys set up your lan and what is the benefits they way you guys set it up?

I know there are ways to MAC address spoofing and someone was saying that even after stopping the boardcasting there are ways people can find out the lan.

Please let me know.

Thanks
LVL 1
skyjumperdudeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Aaron TomoskySD-WAN SimplifiedCommented:
Wpa2 enterprise with a radius server allows you to use usernames and passwords and/or machine certificates to authenticate.

So certs are better than a Mac filter and logins are always better than a psk
0
btanExec ConsultantCommented:
Minimally have
- 802.1X for any wireless authentication, leverage 802.1X as the means to implement EAP at Layer 2 for wireless clients, EAP-TLS is one of the most secure as it uses digital certificates as authentication credentials, which means that every AP and wireless client must have a certificate generated and signed by a common certificate authority (CA).
- each AP will need to be registered with your RADIUS server as a RADIUS client and configured on both sides with the shared secret
- ensure the extend of wireless VLANs through the network is out to the specific port the AP is attached to that network
- if possible, adjust AP and antennae placement to the specific locality and not use high powered unnecessarily, site survey of locality help to see blind spots as well as the extend reach which can be over exposure (that you will want to avoid or reduce)

See this summary - ProCurve Networking Wireless LANs: planning the site assessment
http://www.hp.com/rnd/pdf_html/wirelessLANsite_assessment.htm

May want to take a look at "Controller-based with Split Traffic"

- Most often, this behavior is desired when organizations want to drop authenticated wireless traffic on the wired network, while tunneling guest traffic to the controller and directly out to the Internet. In other scenarios, this configuration might be used to secure specific types of traffic to and from protected resources in the network, since this behavior can allow for encryption all the way to the controller, protecting data on most of the wired network as well as on the RF side.
http://securityuncorked.com/2011/11/the-4-wireless-controller-architectures-you-need-to-know/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.