There’s a lot more to wireless security than setting a password. In this article, we will review some fundamentals of wireless security and ways you can secure your wireless networks.
With the deployment of wireless networks in most businesses, the risk of network security issues increases. This is for a number of different reasons, but it mainly stems from a lack of wireless network knowledge. Wireless is one entry point that hackers can use to gain access to your network without setting foot inside your office.
The wireless network name (SSID)
Wireless devices identify wireless networks using a service set identifier (SSID) along with a set of security options. On most wireless deployments, the SSID is broadcast to anybody who is listening. When choosing an SSID, you should avoid the following:
- Using a common SSID (for example, the vendor's default name). A default SSID suggests that the owner may have taken less care over securing the network generally, including possibly leaving the default credentials for a well-known brand of equipment in place, so a hacker may target that network on the likelihood that it is the easiest to get into.
- An SSID that is easily identifiable (for example, the company name or address). A hacker is more likely to target a network they can identify, because the name helps them understand what they might gain by hacking it and gives them clues that help with "social engineering" attacks.
It is possible to turn off SSID broadcast, which should make the name of your network invisible, as users would be forced to enter the SSID manually to connect. However, this can have negative performance effects, and somebody with the right tools can still capture the SSID by sniffing other network traffic.
A wireless access point (WAP) is a device that allows a Wi-Fi device to connect to a wired network. Most wireless access points have a reset button that somebody can press to restore factory default settings. This may remove any wireless security you have configured and allow anybody to connect. Therefore, it is vital to physically secure any wireless access point to prevent tampering.
All wireless access points should be installed out of reach, with physical access restricted for staff as well as office visitors. This applies to the network and power cables too, to prevent somebody from disconnecting them.
Another physical security concern is when somebody adds an unauthorised wireless access point to the network. This could be done for legitimate reasons (for example, to boost wireless coverage) or in an attempt to hack into the network. To protect against this, you should consider the following:
- Ensure any unused network ports are disabled.
- Implement 802.1X authentication so any device plugging into a network port has to enter log-in credentials to gain network access.
Passwords and authentication
To prevent unauthorised guests from connecting to your wireless network, various wireless security protocols have been developed. In addition to authenticating access to the wireless network, these protocols will also encrypt your private data so it cannot be viewed as it is being transmitted over the airwaves. The three main wireless security protocols are listed below:
- Wired Equivalent Privacy (WEP) was the original encryption protocol developed for wireless networks. However, WEP has serious security weaknesses and can be easily hacked. WEP is likely still in use only where it is the default configuration on the wireless access point or where the devices are older and do not support anything stronger.
- Wi-Fi Protected Access (WPA) was introduced as an interim security enhancement over WEP while the new 802.11i wireless security standard was being developed. WPA addressed vulnerabilities in WEP while still utilising existing hardware.
- Wi-Fi Protected Access version 2 (WPA2) was based on the 802.11i wireless security standard and finalised in 2004. The most significant enhancement to WPA2 over WPA is the use of the stronger encryption method called AES (Advanced Encryption Standard). WPA2 should always be used where possible.
WPA can be used in Personal or Enterprise mode. Personal mode is appropriate for most home networks. A password is set on the wireless access point that must be entered by users when connecting to the wireless network. Enterprise mode provides enhanced security and should be used in business environments. Each user is authenticated individually and has their own username and password. This enhances security as individual credentials can easily be revoked if required. Enterprise mode is more complicated to configure as a RADIUS server would be required for authentication purposes.
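In Personal mode the access point and every client derive the same 256-bit pre-shared key from the passphrase and the SSID. The following Python block is an added example, not code from the original article or from any vendor: it performs that standard derivation with `hashlib.pbkdf2_hmac`, checks it against the published IEEE 802.11i Annex H.4 test vector, validates the passphrase rules, and generates a random 64-hex-digit PSK for devices that must stay on Personal mode (hostapd and wpa_supplicant accept such a raw key in place of a passphrase). The function names are mine and the `min_len` policy value is an assumption.

```python
import hashlib
import secrets
from typing import Optional

# Published IEEE 802.11i (Annex H.4) test vector, used as a self-check of the derivation.
KNOWN_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def validate_passphrase(passphrase: str) -> Optional[str]:
    """Return an error message if the passphrase breaks the WPA-Personal rules, else None.

    The standard allows 8 to 63 printable ASCII characters (a 64-character value is
    treated as a raw hex PSK instead; see random_psk_hex below).
    """
    if not 8 <= len(passphrase) <= 63:
        return "passphrase must be 8-63 characters"
    if not passphrase.isascii() or not passphrase.isprintable():
        return "passphrase must be printable ASCII"
    return None


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-Personal PSK derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    This is what the access point and every client compute (and what `wpa_passphrase`
    prints). The SSID is the salt, so the same passphrase yields a different key on
    every differently named network.
    """
    error = validate_passphrase(passphrase)
    if error:
        raise ValueError(error)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def self_check() -> bool:
    """True if our derivation reproduces the published test vector."""
    passphrase, ssid, expected_hex = KNOWN_VECTOR
    return wpa2_psk(passphrase, ssid).hex() == expected_hex


def random_psk_hex() -> str:
    """A random 256-bit PSK as 64 hex digits, for access points and clients that accept
    a raw key in place of a passphrase (hostapd's wpa_psk, wpa_supplicant's psk=<hex>).
    No human-chosen passphrase exists, so guessing from a word list does not apply."""
    return secrets.token_bytes(32).hex()


def passphrase_meets_policy(passphrase: str, min_len: int = 20) -> bool:
    """Hypothetical local policy: valid per the standard and at least min_len characters."""
    return validate_passphrase(passphrase) is None and len(passphrase) >= min_len


if __name__ == "__main__":
    print("self-check against IEEE test vector:", "ok" if self_check() else "FAILED")
    print("PSK for 'correct horse battery staple' on SSID 'CorpNet':",
          wpa2_psk("correct horse battery staple", "CorpNet").hex())
    print("random raw PSK for a Personal-mode device:", random_psk_hex())
```

Because the SSID is the salt, the same short passphrase produces a different key on every network, but it remains a short passphrase: the defences that matter are a long passphrase (or a raw random key for devices that cannot join an Enterprise network), a non-default SSID, and Enterprise mode wherever the equipment supports it.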
It is common practice to allow guests and contractors onto the wireless network so they can work while in your offices, download files or access online resources. It is strongly recommended that you do not give them open access to your wireless network; instead, set up a dedicated guest wireless network with no access to your systems that provides only managed and throttled access to the internet. Many users will still give out the wireless access credentials if they have them, because they often do not understand the risk this poses. Changing the wireless access credentials periodically helps mitigate that risk; however, a sound policy whereby users understand the risks and penalties of giving out access to the corporate network can be equally effective.
Rogue-AP detection or wireless intrusion prevention
An unauthorised wireless network could go undetected by IT staff for a long period of time if proper protection is not put in place. Therefore, it is a good idea to enable any type of rogue detection offered by a wireless access point. Detection methods and functionality vary, but most will scan the airwaves and send you an alert if a new wireless access point is detected within the range of authorised wireless access points.
Some wireless access points will also offer a wireless intrusion detection system (WIDS) that can sense a range of wireless attacks and suspicious activity on the network. If your wireless access point does not provide these features, third-party solutions are available.
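The SSID checks from the first section and the rogue-AP detection described here can both be driven from an ordinary scan of the airwaves. The following Python script is an added example, not code from the original article or from any vendor's product. It parses constructed scan lines in the terse `SSID:BSSID:SECURITY:CHAN:SIGNAL` layout of `nmcli -t -f SSID,BSSID,SECURITY,CHAN,SIGNAL dev wifi` (an assumed format; the sample lines are made up), compares them against a hypothetical inventory of authorised access points, and flags vendor-default or organisation-identifying SSIDs, WEP, WPA1 or open security on our own access points, unknown access points in range, and an unknown radio advertising one of our SSIDs. `AUTHORISED_APS`, `ORG_TERMS` and the vendor-default patterns are assumptions to be replaced with your own inventory.

```python
import re
from dataclasses import dataclass

# Constructed sample (not captured from a real network): terse nmcli-style lines
# SSID:BSSID:SECURITY:CHAN:SIGNAL, with the colons inside the BSSID backslash-escaped
# the way `nmcli -t` prints them. An empty SSID field is a hidden network; an empty
# SECURITY field is an open network.
SAMPLE_SCAN = r"""CorpNet:AA\:BB\:CC\:DD\:EE\:01:WPA2 802.1X:36:80
CorpNet:AA\:BB\:CC\:DD\:EE\:02:WPA2 802.1X:44:72
CorpGuest:AA\:BB\:CC\:DD\:EE\:03:WPA2:1:70
AcmeCorp-Finance:AA\:BB\:CC\:DD\:EE\:04:WPA1 WPA2:6:55
NETGEAR47:AA\:BB\:CC\:DD\:EE\:05:WEP:11:40
CorpNet:DE\:AD\:BE\:EF\:00\:01:WPA2:6:65
:12\:34\:56\:78\:9A\:BE::1:30"""

# Hypothetical inventory of the access points we own: BSSID -> SSID it should advertise.
AUTHORISED_APS = {
    "AA:BB:CC:DD:EE:01": "CorpNet",
    "AA:BB:CC:DD:EE:02": "CorpNet",
    "AA:BB:CC:DD:EE:03": "CorpGuest",
    "AA:BB:CC:DD:EE:04": "AcmeCorp-Finance",
    "AA:BB:CC:DD:EE:05": "NETGEAR47",
}
ORG_TERMS = ("acme", "acmecorp")  # hypothetical company name(s)
# Illustrative vendor-default naming patterns; extend with your own equipment's defaults.
VENDOR_DEFAULT = re.compile(r"^(NETGEAR|Linksys|TP-?Link|D-?Link|ASUS|BTHub)[-_ ]?\w*$", re.I)


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    security: str
    channel: int
    signal: int


def split_terse(line: str) -> list:
    """Split an nmcli -t line on unescaped ':' and unescape '\\:' within fields."""
    fields, buf, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):  # escaped character: keep it literally
            buf.append(line[i + 1])
            i += 2
            continue
        if line[i] == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(line[i])
        i += 1
    fields.append("".join(buf))
    return fields


def parse_scan(text: str) -> list:
    """Turn scan output into AccessPoint records (BSSIDs normalised to upper case)."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, chan, signal = split_terse(line)
        aps.append(AccessPoint(ssid, bssid.upper(), security, int(chan), int(signal)))
    return aps


def audit(aps, authorised=AUTHORISED_APS, org_terms=ORG_TERMS) -> dict:
    """Return {bssid: [finding codes]} for every access point that needs attention."""
    our_ssids = set(authorised.values())
    findings = {}
    for ap in aps:
        f = []
        if ap.bssid in authorised:
            # One of our access points: check its configuration and naming.
            if ap.ssid != authorised[ap.bssid]:
                f.append("unexpected-ssid")
            if ap.security == "":
                f.append("open")
            if "WEP" in ap.security:
                f.append("wep")
            if "WPA1" in ap.security:  # TKIP still accepted alongside WPA2
                f.append("wpa1-enabled")
            if VENDOR_DEFAULT.match(ap.ssid):
                f.append("default-ssid")
            if any(term in ap.ssid.lower() for term in org_terms):
                f.append("identifiable-ssid")
        elif ap.ssid in our_ssids:
            # Someone else's radio advertising our network name.
            f.append("evil-twin")
        else:
            f.append("unknown-ap-hidden" if ap.ssid == "" else "unknown-ap")
        if f:
            findings[ap.bssid] = f
    return findings


if __name__ == "__main__":
    for bssid, codes in audit(parse_scan(SAMPLE_SCAN)).items():
        print(f"{bssid}: {', '.join(codes)}")
```

Run periodically from a machine with a wireless interface near each office area and diff the result against the previous run; an `evil-twin` or a new `unknown-ap` entry is the event to alert on, while the naming and security findings are a checklist for your own access points.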
Security is vital for any wireless network. However, the default configuration on wireless devices can be very insecure and easily exploited by hackers. Any wireless network can be made relatively secure with a small amount of knowledge and minimal cost.
When securing any wireless network, you should always consider the following:
- Choosing a custom SSID
- Restricting physical access to wireless access points and the network
- Implementing WPA2 security in Enterprise mode
- Enabling a guest wireless network
- Enabling rogue access point detection and a wireless intrusion detection system
EC2 IT specialises in implementing secure and reliable wireless networks. We work with all the major wireless brands in the IT industry and our technical knowledge ensures we can provide the best solution for your business needs.
Please get in touch if you would like us to design a wireless solution for you.