Best Ways to Secure your Wireless Network

Introduction

Wi-Fi is very different from Ethernet. Connecting to or eavesdropping on the wired portion of a network usually requires physical access to the router, a switch port, or the Ethernet cabling. The wireless portion of the network, however, can be attacked, eavesdropped on, or disrupted from anywhere within the coverage area, and that area can be extended well beyond the normal range with high-gain or directional antennas. Oftentimes this includes areas outside your physical security perimeter, such as neighboring offices, buildings, and parking lots.

Furthermore, many myths surround wireless security and the techniques said to secure Wi-Fi, such as not broadcasting the SSID, MAC address filtering, or IP address restrictions. Here, instead, I share some of the better ways to secure your wireless LAN: techniques that truly offer good protection.

Enable WPA2 security for encryption

Some suggest a layered approach to Wi-Fi security. I don’t disagree, but I certainly suggest first ensuring you have enabled WPA2 security with AES encryption on any wireless network or SSID intended for private use. Keep in mind that many wireless routers and access points offer a mixed WPA/WPA2 and AES/TKIP option. I suggest supporting only WPA2 security with AES encryption, since it’s the most secure option. That way there’s no chance wireless devices will connect using the less secure option of WPA security with TKIP encryption, which is more vulnerable to cracking.

If you have any older devices that support only WPA with TKIP or the even older Wired Equivalent Privacy (WEP) security (there are very few left these days), I suggest checking whether a software update can add WPA2 with AES support. If updating isn’t possible or doesn’t enable the support, I suggest replacing the device or its wireless adapter.

Utilize the enterprise mode of WPA2 security

As you may well know, choosing between WPA and WPA2 isn’t the only choice you have. Each version can be used in two very different modes: personal mode, technically called Pre-shared Key (PSK), and enterprise mode, which uses a RADIUS server to provide 802.1X authentication.

Though the personal (PSK) mode is much easier to set up initially, the enterprise mode is typically the most appropriate and secure option for business networks. Even given the effort required to set up a RADIUS server or service for 802.1X authentication, the enterprise mode of WPA2 security can require less effort over time than the personal mode.

The personal mode offers only a single, global password that all users must know in order to connect, and it is typically saved on the devices. Once a device or employee leaves the organization, that saved password can be used by someone else to connect to the wireless network. Thus each time an employee or staff member leaves or a Wi-Fi device is stolen, the global password must be changed to remain secure. With the enterprise mode, only the login credentials of the affected device or user need to be changed.

Keep in mind that there are hosted RADIUS services, which are very useful for those who don’t want to set up and run their own server, or for situations where that isn’t practical, such as very small or remote office networks. These services can also be great for IT or managed service providers (MSPs) to secure the networks of multiple clients without having to set up and maintain a server at each location.
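To check an access point configuration against the two recommendations above (WPA2 only with AES, and enterprise mode backed by a RADIUS server), here is an added example that is not part of the article or of the hostapd project: it audits a hostapd-style config. The option names are those of hostapd.conf; the two configs, the RADIUS address and its shared secret are constructed placeholders.

```python
# Added example: audit a hostapd.conf for WPA2-only, CCMP (AES)-only and
# enterprise (802.1X/RADIUS) mode. Configs below are constructed placeholders.

def parse_hostapd(text):
    """Return {key: value} for the key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_wifi_config(text):
    """Return a list of findings; an empty list means the config follows the advice."""
    c = parse_hostapd(text)
    findings = []
    wpa = c.get("wpa", "0")  # bitfield: 1 = WPA, 2 = WPA2 (RSN), 3 = mixed mode
    if wpa == "0":
        findings.append("no WPA/WPA2 configured (open or WEP network)")
    elif wpa != "2":
        findings.append(f"wpa={wpa}: WPA1 still accepted; set wpa=2 for WPA2 only")
    # rsn_pairwise governs WPA2 clients and falls back to wpa_pairwise when unset
    ciphers = c.get("rsn_pairwise", c.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as a pairwise cipher; allow only CCMP (AES)")
    key_mgmt = c.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt and "WPA-EAP" not in key_mgmt:
        findings.append("personal (PSK) mode: one shared password for everyone")
    if "WPA-EAP" in key_mgmt and (c.get("ieee8021x") != "1" or "auth_server_addr" not in c):
        findings.append("WPA-EAP set but 802.1X/RADIUS server not configured")
    return findings

# Constructed: a typical mixed-mode PSK default, and the hardened enterprise form
WEAK_CONF = """
ssid=ExampleCorp
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=shared-office-password
"""
HARDENED_CONF = """
ssid=ExampleCorp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=RADIUS_SECRET_PLACEHOLDER
"""
```

Running `audit_wifi_config(WEAK_CONF)` reports the mixed WPA/WPA2 mode, the TKIP cipher and the shared PSK, while the hardened config produces no findings.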

Change password often if using personal security

If you do use the personal (PSK) mode of WPA2 security for whatever reason, perhaps just for a handful of devices that don’t support the enterprise mode, you should change the global Wi-Fi password often. Changing the password often helps hinder wireless cracking and is also wise in case the administrators aren’t aware of a lost or stolen device.

Properly secure any public access

Wireless security isn’t all about encryption. Think about the physical security of your network and facility as well. You can have the best encryption set up and change the password every hour, for instance, and still get hacked by other means. One way is for someone to gain physical access to your wireless router or an access point and quickly perform a factory restore using the reset button on the device. This removes all of the router’s or access point’s settings, including any security passwords or methods that were set up, likely giving anyone nearby completely open access to the wireless and wired network.

Ensure all network equipment is out of reach of the public, and restrict access for employees and staff as well to reduce the chance of an insider tampering with the network. Make sure access points placed throughout the building or located outside are mounted well out of reach, along with their network cables, to prevent someone from resetting or unplugging them. Place the network’s router, switches, and other network equipment in a locked cabinet or wiring room to prevent access and tampering. Ensure all network cabling is run out of reach of the public, and even of users within the organization, to reduce the chance of someone cutting into and tapping the cable. Any open or unused Ethernet ports on switches or wall outlets throughout the building should be disabled to prevent someone from plugging into them.

Keep track of mobile devices

As touched on above, lost or stolen Wi-Fi devices are a security threat. Whether you use the personal or enterprise mode of Wi-Fi security, the password is usually stored on the devices. Using the enterprise mode lets you easily change an individual’s login credentials, but you first must know the device is lost or stolen. Thus you should keep close tabs on any device that connects to the wireless network, and tell employees and staff whom they should inform about lost or stolen devices.

Also discuss the network policies, including which devices they may connect to the network. Understand, too, that they can usually connect their personal devices, such as a tablet or smartphone from home, with or without your permission, since the password might be common knowledge within the organization and can often be easily revealed on devices where it is stored.

Monitor for rogue APs

In addition to people restoring access points to factory defaults, other wireless routers or access points could be plugged in without permission, possibly opening up wireless access to the network. This could even be done innocently by employees or staff hoping to extend Wi-Fi coverage, for instance. To help catch this and other rogue or misconfigured access points, consider enabling some type of monitoring. Some access points include built-in rogue or intrusion detection scanning. If yours don’t, consider implementing a third-party solution.
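The following is an added example, not code from the article or from any vendor's rogue-detection feature: it compares a scan of visible access points with an inventory of the APs you deployed and flags the three situations described above (an authorized AP that no longer has the settings you gave it, an unknown AP advertising your SSID, and a strong open network inside your space). The inventory, the scan records and the -65 dBm "nearby" threshold are all constructed.

```python
# Added example: flag rogue or misconfigured APs in a Wi-Fi scan by comparing it
# with an inventory of authorized APs. Inventory, scan and threshold are constructed.

# Authorized APs: BSSID -> (SSID we deployed, security mode we deployed)
AUTHORIZED = {
    "00:11:22:33:44:01": ("ExampleCorp", "WPA2-EAP"),
    "00:11:22:33:44:02": ("ExampleCorp", "WPA2-EAP"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed scan results, as an AP's rogue scan or a site-survey tool would report
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "ExampleCorp", "security": "WPA2-EAP", "rssi": -45},
    {"bssid": "00:11:22:33:44:02", "ssid": "NETGEAR", "security": "OPEN", "rssi": -50},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "ExampleCorp", "security": "WPA2-EAP", "rssi": -60},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "Linksys", "security": "OPEN", "rssi": -38},
    {"bssid": "aa:bb:cc:dd:ee:03", "ssid": "NeighborNet", "security": "WPA2-PSK", "rssi": -85},
]

def classify(ap, authorized=AUTHORIZED, corporate=CORPORATE_SSIDS, nearby_dbm=-65):
    """Return a finding for one scan record, or None if it looks benign."""
    bssid = ap["bssid"].lower()
    if bssid in authorized:
        exp_ssid, exp_sec = authorized[bssid]
        if (ap["ssid"], ap["security"]) != (exp_ssid, exp_sec):
            # Our own hardware but not our settings: a factory reset or an
            # unauthorized reconfiguration, as the article describes
            return (f"{bssid}: authorized AP now {ap['ssid']}/{ap['security']}, "
                    f"expected {exp_ssid}/{exp_sec}")
        return None
    if ap["ssid"] in corporate:
        # Unknown hardware advertising our SSID: unregistered AP or impersonation
        return f"{bssid}: unknown AP advertising corporate SSID {ap['ssid']!r}"
    if ap["security"] == "OPEN" and ap["rssi"] >= nearby_dbm:
        # Strong open network: heuristically a consumer router plugged in on-site
        return f"{bssid}: open network {ap['ssid']!r} at {ap['rssi']} dBm, likely on-premises"
    return None  # weak, foreign, encrypted networks are the neighbors' business

def find_rogues(scan=SCAN):
    """Run classify over a whole scan and return the non-empty findings."""
    return [f for f in (classify(ap) for ap in scan) if f]
```

On the constructed scan, `find_rogues()` returns three findings: the reset AP, the unknown AP using the corporate SSID, and the strong open network; the distant neighbor is ignored.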

Summary

Remember, it’s best to enable support for only WPA2 security with AES encryption, and most likely in enterprise mode so devices or users have their own unique login credentials. If you do use the personal mode, however, change the password regularly to make cracking more difficult, and especially after staff leave the organization or devices are lost or stolen. Last but not least, don’t forget the physical security of the network and its components, including keeping tabs on the mobile devices used on the Wi-Fi.

1 thought on “Best Ways to Secure your Wireless Network”

Question: I’m using the brand new yet archaic (and 5th in 3 months) DSL router Verizon has recently provided (can’t get FiOS in the boondocks of Boston), and with it of course the new SSID and password using WPA2 and AES encryption. The minute it’s plugged in, the SSID is broadcast to encrypted local Wi-Fi neighbors (I work from home) and I’d like to change it. The issue is that I’ve had unending and worsening problems with Verizon copper landlines and DSL/ISP over the past 5 years, horrific ISP issues. Bad to worse: in Dec. 2016 Verizon sold its email division to AOL (worst of the ISPs), promising nothing would change if we stayed with our verizon.net email address. Except now when I try to log into my MS Office Home & Business Outlook email account, my main email account is no longer registered: “Your email credentials are not recognized by the Server (AOL), please contact your ISP.” WHICH ONE? But I can retrieve the sub-account email (a backup account); it makes no sense. Stuck with DSL, I dread making a change to this 5th Verizon modem (the prior 4 didn’t work with their central offices). Off topic, or perhaps not: during this time frame I’ve lost access to 20 years of Quicken Home & Business files. One day I could download and review online banking information as I do daily; two days later, nothing. The whole Quicken system had crashed. That was on June 12th. I’ve been able to access and jury-rig my 3 external hard drive backup files (2 hard drives and 1 cloud) and have begun the arduous task of rebuilding and re-entering bookkeeping info into files which are older than the files I’d been using, which seem to be gone. What happened to them? The Quicken program and its files on the C: drive have almost crashed; I’ve reinstalled from the disk 10 times and finally got it to open, but I can’t update using Mondo12 patches because “The Parameter String is too long,” nor can I get help with it because “Cannot Connect To the Quicken Server at this time,” or this regular error when I’m online: “Sorry we cannot connect to Quicken at this time because you have no Internet Connection.” There is no resource I’ve left untapped (Quicken/Intuit, also recently sold, was the most useless), and on my own I have performed every possible test and fix on my PC, short of a factory restore or, as a last resort, throwing it out the window. Do you think there’s a direct link between the Verizon sale to AOL, my DSL failures and numerous modem changes, and problems with the copper lines running into my office affecting connection to Verizon Central, all concurrent with the Quicken sale to Intuit? I think I was hacked and really wish I’d changed the modem name immediately.
