Best Ways to Secure your Wireless Network
Introduction
Wi-Fi is much different from Ethernet. Connecting to or eavesdropping on the wired portion of a network usually requires physical access to the router, a switch or port, or Ethernet cabling. However, the wireless portion of the network can be hacked, eavesdropped on, or interrupted anywhere within the coverage area, which can even be extended beyond the normal range with high-gain or directional antennas. Often this includes areas outside of your physical security, such as neighboring offices, buildings, and parking lots.
Furthermore, many myths surround wireless security and the techniques that can be used to secure Wi-Fi, such as not broadcasting the SSID, MAC address filtering, or IP address restrictions. Here I instead share some of the better ways to secure your wireless LAN, techniques that truly offer good protection.
Enable WPA2 security for encryption
Some suggest using a layered approach to Wi-Fi security. I don’t really disagree, but I certainly suggest first ensuring you have enabled WPA2 security with AES encryption on any wireless network or SSID for private use. Keep in mind that many wireless routers and access points offer a WPA/WPA2 and AES/TKIP option. I suggest choosing to support only WPA2 security with AES encryption, since it’s the most secure option. This way there is no chance that wireless devices will connect using the less secure option of WPA security with TKIP encryption, which is more vulnerable to cracking.
If you have any older devices that only support WPA with TKIP or the even older Wired Equivalent Privacy (WEP) security, of which very few are left these days, I suggest checking whether a software update can add WPA2 with AES. If updating isn’t possible or doesn’t add the support, I suggest replacing the device or its wireless adapter.
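The WPA2-only, AES-only check can be automated against an access point's configuration. The following is an added example, not part of the original article; it assumes a hostapd-style key=value configuration (the article names no particular product), and both sample configurations are constructed.

```python
def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_ap_security(text):
    """Return a list of findings; an empty list means WPA2 with AES (CCMP) only."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2, 3 = both
    if wpa == 0:
        return ["neither WPA nor WPA2 is enabled: network is open or WEP"]
    findings = []
    if wpa & 1:
        findings.append("WPA (version 1) is enabled: set wpa=2 for WPA2 only")
    if not wpa & 2:
        findings.append("WPA2 is not enabled")
    # Assumed hostapd defaults: wpa_pairwise falls back to TKIP when unset,
    # and rsn_pairwise (the WPA2 cipher list) falls back to wpa_pairwise.
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP").split()
    rsn_pairwise = conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    ciphers = set(rsn_pairwise) | (set(wpa_pairwise) if wpa & 1 else set())
    if "TKIP" in ciphers:
        findings.append("TKIP is offered: allow CCMP (AES) only")
    if "CCMP" not in ciphers:
        findings.append("CCMP (AES) is not offered")
    return findings

# Constructed sample: the mixed WPA/WPA2 + AES/TKIP option the article warns about
MIXED = """
ssid=corp-wlan
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

# Constructed sample: WPA2 only, AES (CCMP) only
HARDENED = """
ssid=corp-wlan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

if __name__ == "__main__":
    for name, conf in (("mixed", MIXED), ("hardened", HARDENED)):
        print(name, audit_ap_security(conf) or "OK")
```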
Utilize the enterprise mode of WPA2 security
As you may very well know, choosing between WPA and WPA2 isn’t the only choice you have. Each version can be used with two very different modes: the personal mode, technically called Pre-shared Key (PSK), and the enterprise mode, which utilizes a RADIUS server to enable 802.1X authentication.
Though the personal (PSK) mode is much easier to set up initially, the enterprise mode is typically the most appropriate and secure option for business networks. Even given the effort required to set up a RADIUS server or service for the 802.1X authentication, the enterprise mode of WPA2 security can require less effort over time when compared with the personal mode.
The personal mode only offers a single or global password that all users must know in order to connect, and typically is saved on the devices. Once a device or employee leaves the organization, that saved password can be used by someone else in order to connect to the wireless network. Thus each time an employee or staff member leaves or a Wi-Fi device is stolen, the global password must be changed in order to remain secure. When using the enterprise mode, the login credentials for just the affected device or user would need to be changed.
Keep in mind that there are hosted RADIUS services out there, which are very useful for those who don’t want to set up and run their own server, or for situations where it isn’t practical, like on very small or remote office networks. Furthermore, these services can be great for IT or managed service providers (MSPs) to secure the networks of multiple clients without having to set up and maintain a server at each location.
Change password often if using personal security
If you do utilize the personal or PSK mode of WPA2 security for whatever reason, perhaps just for a handful of devices that don’t support the enterprise mode, you should change the global Wi-Fi password often. Changing the password often can help prevent wireless cracking and is also good to do in case the administrators aren’t aware of a lost or stolen device.
Properly secure any public access
Wireless security isn’t all about encryption. Think about the physical security of your network and facility as well. You can have the best encryption set up and change the password every hour, for instance, but still be hacked via other means. One way is by someone gaining physical access to your wireless router or an access point and then quickly performing a factory restore using the restore button on the device. This would remove all the router or access point settings, including any security passwords or methods that were set up, likely giving anyone nearby completely open access to the wireless and wired network.
Ensure all network equipment is out of reach of the public, and restrict access for employees and staff as well, to reduce the chances of an insider tampering with the network. Make sure access points placed throughout the building or located outside are mounted well out of reach, along with their network cables, to prevent someone from resetting or unplugging them. Place the network’s router, switches, and other network equipment in a locked cabinet or wiring room to prevent access and tampering. Ensure all network cabling is run out of reach of the public and even of users within the organization to reduce the chances of someone cutting a cable and tapping into it. Any open or unused Ethernet ports on switches or wall outlets throughout the building should be disabled to prevent someone from plugging into them.
Keep track of mobile devices
As touched on earlier, lost or stolen Wi-Fi devices are a security threat. Whether using the personal or enterprise mode of Wi-Fi security, the password is usually stored on the devices. Using the enterprise mode allows you to easily change an individual’s login credentials. However, you first must know the device is lost or stolen. Thus you should keep close tabs on any device that connects to the wireless network. Tell employees and staff whom they should inform about vulnerable devices.
Also discuss the network policies, including which devices they can connect to the network. Understand that they can usually connect their personal devices, such as a tablet from home or a personal smartphone, with or without your permission, since the password might be common knowledge within the organization and might also be easily revealed on devices where it is stored.
Monitor for rogue APs
In addition to people restoring access points to factory defaults, other wireless routers or access points could be plugged in without permission, possibly opening up wireless access to the network. This could even be done innocently by employees or staff, for instance to help increase Wi-Fi coverage. To help catch this and other rogue or misconfigured access points, consider enabling some type of monitoring. Some access points include built-in rogue or intrusion detection scanning. If your access points don’t, consider implementing a third-party solution.
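The core of such monitoring is comparing what is on the air against an inventory of authorized access points. The following is an added example, not part of the original article or any vendor's product; the inventory, scan records, field names and signal threshold are all constructed assumptions.

```python
# Constructed inventory of authorized access points: BSSID -> (SSID, security)
AUTHORIZED = {
    "02:00:00:aa:00:01": ("corp-wlan", "WPA2-EAP/CCMP"),
    "02:00:00:aa:00:02": ("corp-wlan", "WPA2-EAP/CCMP"),
}

# Constructed scan records, shaped like what a monitoring sensor might report
SCAN = [
    {"bssid": "02:00:00:aa:00:01", "ssid": "corp-wlan", "security": "WPA2-EAP/CCMP", "rssi": -48},
    {"bssid": "02:00:00:aa:00:02", "ssid": "default", "security": "OPEN", "rssi": -51},
    {"bssid": "02:00:00:bb:00:09", "ssid": "corp-wlan", "security": "WPA2-PSK/CCMP", "rssi": -60},
    {"bssid": "02:00:00:cc:00:07", "ssid": "office-boost", "security": "WPA2-PSK/CCMP", "rssi": -42},
    {"bssid": "02:00:00:dd:00:03", "ssid": "cafe-next-door", "security": "OPEN", "rssi": -83},
]

NEARBY_RSSI_DBM = -65  # assumed threshold: a stronger signal is likely inside the building

def classify(ap, authorized=AUTHORIZED):
    """Classify one observed AP against the authorized inventory."""
    bssid = ap["bssid"].lower()
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    if bssid in authorized:
        # Known hardware: SSID and security must still match the inventory.
        if (ap["ssid"], ap["security"]) != authorized[bssid]:
            return "authorized-ap-changed"  # e.g. a factory reset wiped its settings
        return "ok"
    if ap["ssid"] in corp_ssids:
        return "unknown-ap-using-corp-ssid"
    if ap["rssi"] >= NEARBY_RSSI_DBM:
        return "unknown-ap-nearby"  # possibly an unsanctioned AP plugged into the LAN
    return "neighbor"

def rogue_report(scan):
    """Return {bssid: finding} for every AP that needs investigation."""
    report = {}
    for ap in scan:
        verdict = classify(ap)
        if verdict not in ("ok", "neighbor"):
            report[ap["bssid"]] = verdict
    return report

if __name__ == "__main__":
    for bssid, finding in rogue_report(SCAN).items():
        print(bssid, finding)
```

A radio scan alone cannot prove that an unknown nearby access point is attached to your wired network, so treat that finding as a prompt to check switch ports.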
Summary
Remember, it’s best to enable support for just WPA2 security with AES encryption and most likely using the enterprise mode so devices or users have their own unique login credentials. If you do utilize the personal mode, however, change the password regularly to make cracking more difficult, and especially after staff leave the organization or devices are lost or stolen. Last but not least, don’t forget about physical security of the network and components, including keeping tabs on the mobile devices used on the Wi-Fi.