Up until this point, we have blocked an intruder from wirelessly doing the equivalent of plugging their laptop into an Ethernet port on your LAN. But despite your best efforts, someone with expert cracking skills may penetrate all of your wireless defenses. What do you do now?

There are wired and wireless LAN intrusion detection and prevention product available, but they are targeted at enterprise applications and come priced accordingly. There are also open source solutions that are unfortunately not user-friendly for networking novices. The most widely-used of these is Snort, which I hope to explore in a future article.

But general network security practices have long dealt with traditional wired LAN intrusions, and can be used to combat an expert wireless intruder.

Countermeasure 9: Implement general LAN security

Implement the following countermeasures to improve general LAN security:

1) Require authentication to access any network resource

Any server, network share, router, etc. should preferably require user-level authentication for access. Although you won't be able to implement real user-level authentication without some sort of authentication server, you can at least password-protect all shared folders and disable Guest logins if you're running Windows XP. And never share the contents of entire hard drives!

2) Segment your network

In the extreme case, a computer not attached to a network is safe from network-based intrusion. But there are other ways to keep network users away from where they shouldn't be. A few properly-connected Inexpensive NAT-based routers can be used to establish firewalled LAN segments while still allowing Internet access. See this How To for the details.
Switches or routers with VLAN capabilities can also be used to separate LAN users. VLAN features can be found on most any "smart" or managed switch, but are harder to come by in consumer-priced routers and unmanaged switches.

3) Bulk up your software-based protection

At minimum, you need to run current versions of good anti-virus applications that automatically update their virus definition files. Personal firewalls such as ZoneAlarm, Sunbelt Software's CounterSpy.
Note that you must install protection on every machine on your LAN in order to have effective protection!