Introduction
There’s much more you can do to secure your wireless LAN than turning on encryption. No I’m not taking about the old hidden SSID and MAC address filtering techniques that can easily be bypassed by Wi-Fi hackers. But here I’ll share some more worthy techniques you can use to help prevent wireless eavesdropping, attacks, and even unintentional security vulnerabilities.
Physically Secure the Network
One crucial yet often overlooked security risk is the physical misuse of your Wi-Fi and networking components, whether intentionally or accidentally either by users or outsiders. For instance if network jacks are left open, an employee could bring in their own AP to help boost the Wi-Fi signal without understanding why and how to enable encryption to secure it from outsiders. Additionally, someone could intentionally reset an AP to factory defaults in order to disable the Wi-Fi security, giving them and others within range open access to the network.
To help prevent physical misuse, ensure APs and other network components are mounted out of sight and/or inaccessible to guests and even users. Try to run all Ethernet cabling inside walls or place in a conduit. Place or move Ethernet jacks to more secure places and disable those that are unused.
Use Enterprise Security with 802.1X Authentication
It’s widely known that WEP security can be easily cracked and isn’t secure. Wi-Fi Protected Access (WPA and WPA2) provides adequate security, but there are two very different modes you can use. The Personal (pre-shared key) mode is the easiest to setup and use, but isn’t the best for business networks. You must create a global static passphrase that’s saved on the end-user devices. Thus to prevent someone from connecting that leaves the company or when an end-users device is stolen, you’d have to change the global passphrase on all APs and end-user devices.
The Enterprise (802.1X) mode is more complex to setup and requires a RADIUS authentication server or service, but it provides better security. Users can be assigned unique login credentials that can easily be changed/revoked, useful for when employees leave the company or lose a Wi-Fi device. Additionally, users can’t eavesdrop on each other’s network traffic like when using the Personal mode.
For more information, see a previous article: Deploying WPA2-Enterprise Wi-Fi Security in Small Businesses.
Secure the 802.1X Client Settings
Although the Enterprise mode of WPA or WPA2 is more secure than the Personal mode, there still are vulnerabilities. For instance, the user logins are susceptible to man-in-the-middle attacks and brute-force cracking. However, securing the 802.1X client settings on the end-user devices can help prevent attacks. Ensure the server validation feature is enabled on Windows PCs and other devices that support it.
For more information, see a previous article: Security Vulnerabilities of Enterprise (802.1X) Wi-Fi Security.
Educate Users on Risks and Vulnerabilities
There are many things you can do as a network administrator to help secure your network, but users can also help. Consider educating them in the basics of network security and implement a network usage policy. Discuss things like requiring authorization from IT before plugging and unplugging devices into the network, not connecting to neighboring Wi-Fi networks, and reporting lost laptops and mobile devices. Also discuss social engineering and how employees should be careful what information they share to others.
Impose Wi-Fi Restrictions on User PCs
As briefly mentioned in the previous section, you should inform users not to connect to neighboring Wi-Fi networks as it can open up their computer to possible intrusion. To go a step further you could block other network names (SSIDs) on PCs running Windows Vista and later. You can use the netsh wlan commands to add filters to those SSIDs users can see and connect to.
Starting with Windows 7 and Windows Server 2008 R2, Microsoft includes a Wi-Fi feature called Wireless Hosted Networks. It allows users to create a virtual AP, which can potentially open up your network to authorized access. However, you can use Group Policy rules to prevent users from creating Wireless Hosted Networks.
You can read more about both of these issues and how to enable the restrictions in a previous article: 4 Hidden Wi-Fi Security Threats.
Perform a Wi-Fi Site Survey
You should periodically perform a Wi-Fi site survey to evaluate your wireless network’s health and security. You could perform a basic survey walking around with a laptop or mobile device looking at simple signal readings and AP details on the native wireless interface or use a stumbler program like inSSIDer in Windows or Wifi Analyzer for Android devices. Keep an eye out for rogue APs and those with incorrect security settings.
Install a Wireless Intrusion Prevention System (WIPS)
To help detect rogue APs, denial-of-service (DoS) attacks, and other network security issues, consider implementing a Wireless Intrusion Prevention System (WIPS). The design and detection techniques of WIPSs vary, but generally they monitor the airwaves looking for, alerting you to, and possibly stopping rogue APs or other malicious activity. There are many commercial vendors offering WIPS solutions, such as AirMagnet and AirTight Neworks. There are also open source options, such as Snort.
Summary
We discussed a couple ways you and your users with your education can increase the security of your Wi-Fi network. Remember; don’t forget about the physical security: try to place APs and network components out of sight and reach. For networks with more than a handful of users, use Enterprise (802.1X) security. For at least company-owned PCs, ensure the 802.1X client settings are secure and consider filtering the SSIDs users can connect to and disabling Wireless Hosted Networks.
To help catch rogue APs, attacks, and other security vulnerabilities, consider performing periodic site surveys and also deploying a Wireless Intrusion Prevention System (WIPS).
