What are the important WLAN security issues to be aware of?

Frank, the foundation of your WLAN security should be to set it up using the strongest key exchange and encryption available and that would be WPA2 with AES. Just about any wireless hardware out there now will support these standards and Windows XP with SP3 or later will support them with the built-in wireless client. The earlier standards (WEP and WPA) are just too easy to hack and should no longer be used.

The more complex decisions come when you decide which authentication mechanism you want to use. If you will be deploying your WLAN in a corporate environment then I think you should stay away from any security scheme that uses a pre-shared key. This would be the most common configuration regardless of whether you are using WEP, WPA or WPA2 security because it is the easiest to configure and is supported by all wireless network gear. The reason it is undesirable is that employees sometimes leave or are careless about handing out this key and then you would need to change the key (and have all authorized users change the configuration on their PCs) to keep the network secure. Even worse, you would probably never know if an unauthorized person had obtained the key and was connected to your network.

The more advanced wireless networking devices such as the gear sold by Cisco can tie in to whatever security scheme you use on your corporate network such as Microsoft AD, Radius, etc. so that each user has a unique username and password that is required to connect to the wireless network. If you use Microsoft AD then the wireless authentication process is transparent to your Windows users. When the employee leaves then his AD account is shut down as part of your HR processes and he can no longer access the wireless network. Even better, most companies have a password policy that forces users to change their passwords on a regular basis and that makes your wireless network even more secure.

The wireless equipment that supports these advanced security mechanisms is considerably more expensive than the consumer level wireless routers you can pick up at the local computer store so it is sometimes hard to justify the extra expense. You will also need a competent engineer to set it up. Avoiding the possibility of introducing additional security risks to your corporate network will probably outweigh the extra expense for most companies.

You might also consider configuring your WLAN to not advertise itself by broadcasting an SSID. This will keep casual snoopers from seeing your WLAN but is not a very strong security measure because there are still ways to discover your WLAN using software downloaded from the internet. Not advertising the SSID can also make it harder to configure and troubleshoot the wireless connections to your legitimate devices.

Ted