Wi-Fi Security: Beyond Password Protection
You likely know you must password-protect your private Wi-Fi in order to encrypt the wireless traffic and to keep others from connecting to the network. It’s no secret that Wi-Fi Protected Access (WPA2) security is the main line of defense, with the personal (PSK) mode for homes and small offices and the enterprise mode with 802.1X authentication for business networks.
Don’t ignore firmware updates for wireless routers and access points. Before deploying them, one of the first things you should do is check the firmware version and make sure it’s up to date. You should also check periodically after deployment and make use of any firmware update notification feature the vendor offers. Firmware updates can contain fixes and patches for security holes and other issues, and sometimes add features as well.
Choose the network name (SSID) wisely
For security reasons, you should change the default network name, technically called the service set identifier (SSID), that your wireless routers or access points come preconfigured with from the vendor. Using the default can make it easier for someone to crack the pre-shared key (PSK). This is because the SSID is used in the hashing process that generates the key, and the rainbow tables (precomputed databases) used for brute-force cracking are typically built for the common default SSIDs. A unique SSID makes the cracking process a bit more difficult for a hacker.
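To make the SSID's role concrete, here is an added example (not code from the original article) that derives the WPA2-Personal pairwise master key the way 802.11i defines it, PBKDF2-HMAC-SHA1 with the SSID as the salt, and shows that the same passphrase yields a different key under a different SSID, which is why tables precomputed for default SSIDs stop applying once the name is changed. The list of default SSIDs is a constructed sample, not a real vendor list.

```python
import hashlib

# A few vendor default SSIDs, constructed for this example; real lists run to thousands.
COMMON_DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA/WPA2-Personal PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID bytes, 4096 iterations, 256-bit (32-byte) output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def is_default_ssid(ssid: str) -> bool:
    """True if the SSID is one of the well-known vendor defaults (case-insensitive)."""
    return ssid.strip().lower() in COMMON_DEFAULT_SSIDS


def pmk_changes_with_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase, two SSIDs: the PMKs differ whenever the salts differ, so a
    table precomputed for ssid_a tells an attacker nothing about ssid_b."""
    return derive_pmk(ssid_a, passphrase) != derive_pmk(ssid_b, passphrase)


if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # sample value, constructed
    for ssid in ("linksys", "Flat12-Net-9c1e"):
        flag = "DEFAULT, change it" if is_default_ssid(ssid) else "unique"
        print(f"{ssid:16} {flag:20} PMK={derive_pmk(ssid, passphrase).hex()[:16]}...")
```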
Another security issue with using the default SSID is that wireless devices can’t distinguish between two different networks using the same SSID. So if your network is unprotected (as a guest network might be), your wireless devices will also auto-connect to any other network elsewhere with that same SSID. If your network is password-protected and a wireless device comes across another network with the same SSID but a different password, connecting to that second network will overwrite the first saved password, since wireless devices store only one password per SSID.
Yet another security concern involving SSIDs is how identifiable the SSID is. You may not want to make the SSID the same as the business name, address, or other quickly identifiable information. This matters more where there are other networks around, since a hacker may find it harder to pick your network out of the many nearby.
Change admin passwords and restrict access
Changing the default admin password should be a no-brainer. However, I’m surprised how often I come across networks with routers and APs still set to the default, giving easy access to anyone curious enough to try. It goes without saying, but make sure you use strong passwords that are long and complex, with mixed case and special characters if allowed.
While configuring your network, keep an eye out for ways to restrict admin access via the web GUI. Some vendors include specific settings to control access; with others, you can likely use firewall rules to do the same. Consider disabling admin access from any guest virtual LAN or WLAN, or from Wi-Fi altogether.
Double-check VLANs are properly configured
If you use virtual LANs (VLANs) to segregate traffic, verify them after installing wireless access points or network ports. A simple mistake when configuring the VLANs, tagging, firewall rules, or other network settings may otherwise go unnoticed. So connect to each network name (SSID) and ensure you’re assigned to the proper subnet. Consider doing some pings as well to ensure there isn’t any undesired inter-VLAN routing, for instance.
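The check described above, as an added example rather than anything from the original article: a small Linux-side audit that, after you join an SSID, reads the address the DHCP server handed out, confirms it falls in the subnet that SSID is supposed to map to, and pings gateways on the other VLANs that must stay unreachable. The VLAN plan, SSID names and addresses are constructed assumptions for the example.

```python
import ipaddress
import re
import subprocess
from typing import Callable, List, Optional

# Expected VLAN plan, constructed for this example: for each SSID, the subnet its
# clients must land in and gateways on other VLANs that must NOT answer pings from it.
VLAN_PLAN = {
    "Corp-WiFi":  {"subnet": "10.10.20.0/24", "must_be_isolated_from": ["10.10.30.1"]},
    "Guest-WiFi": {"subnet": "10.10.30.0/24", "must_be_isolated_from": ["10.10.20.1", "10.10.10.1"]},
}


def assigned_ipv4(ip_addr_output: str) -> Optional[str]:
    """Pull the global IPv4 address out of `ip -4 addr show dev <wlan-if>` output."""
    m = re.search(r"inet (\d+\.\d+\.\d+\.\d+)/\d+ .*scope global", ip_addr_output)
    return m.group(1) if m else None


def host_answers_ping(host: str) -> bool:
    """Single-packet ping with a 1 s timeout (Linux iputils syntax); used only in a live run."""
    return subprocess.run(["ping", "-c", "1", "-W", "1", host], capture_output=True).returncode == 0


def audit_ssid(ssid: str, ip_addr_output: str,
               ping: Callable[[str], bool] = host_answers_ping) -> List[str]:
    """Return findings for the SSID currently joined; an empty list means it passed."""
    plan = VLAN_PLAN[ssid]
    ip = assigned_ipv4(ip_addr_output)
    if ip is None:
        return [f"{ssid}: no IPv4 address assigned (DHCP reachable on this VLAN?)"]
    findings = []
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(plan["subnet"]):
        findings.append(f"{ssid}: got {ip}, expected {plan['subnet']} "
                        "(check the VLAN tag on the AP port and the SSID-to-VLAN mapping)")
    for host in plan["must_be_isolated_from"]:
        if ping(host):  # a reply means inter-VLAN traffic is not being blocked
            findings.append(f"{ssid}: {host} answers ping, inter-VLAN routing is not blocked")
    return findings


if __name__ == "__main__":
    # Live run after joining one SSID, e.g.: python3 vlan_audit.py Guest-WiFi wlan0
    import sys
    ssid, ifname = sys.argv[1], sys.argv[2]
    out = subprocess.run(["ip", "-4", "addr", "show", "dev", ifname],
                         capture_output=True, text=True).stdout
    for line in audit_ssid(ssid, out) or [f"{ssid}: OK"]:
        print(line)
```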
Monitor for rogue access points
Rogue wireless access points are those that aren’t authorized or properly set up by the IT department. It could be someone intentionally plugging in their own wireless router or access point, with good or bad intentions. These days it could even be someone enabling Wi-Fi tethering on their smartphone or tablet.
Even if someone sets up their own Wi-Fi with good intentions, such as extending wireless coverage, they could leave it open for others to connect. Additionally, it could cause interference with the other access points in the building if it isn’t set to a proper channel.
Someone with bad intentions could also plug their own wireless router or access point into a spare network port, leaving access wide open or configuring it with a password they know. Either way, they could then easily get network access, even while sitting in the parking lot.
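One way to turn the monitoring advice above into a check, as an added example that is not from the original article: compare what a Wi-Fi scan sees against an inventory of authorized APs and flag the three rogue patterns the section describes (an unknown radio advertising one of your SSIDs, one of your own radios advertising the wrong SSID, and a strong open network such as a phone hotspot or a plugged-in consumer router). The inventory, scan records and the -65 dBm threshold are constructed assumptions; in practice the scan records would come from a wireless controller or a periodic scan on a laptop.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ScanEntry:
    bssid: str        # radio MAC address as seen in the beacon
    ssid: str
    security: str     # "WPA2", "WPA3", "OPEN", ...
    signal_dbm: int   # received signal strength at the scanning station


# Authorized inventory, constructed for this example: BSSID -> SSID it is allowed to advertise.
AUTHORIZED = {
    "aa:bb:cc:00:01:10": "Corp-WiFi",
    "aa:bb:cc:00:01:11": "Guest-WiFi",
    "aa:bb:cc:00:02:10": "Corp-WiFi",
}
OUR_SSIDS = set(AUTHORIZED.values())
STRONG_SIGNAL_DBM = -65   # roughly "inside or right next to the building"; tune per site


def classify(entry: ScanEntry) -> Optional[str]:
    """Return a finding for a suspicious scan entry, or None if it looks fine."""
    bssid = entry.bssid.lower()
    if bssid in AUTHORIZED:
        if AUTHORIZED[bssid] != entry.ssid:
            return f"{bssid} is ours but advertises {entry.ssid!r} instead of {AUTHORIZED[bssid]!r} (misconfigured AP)"
        return None   # known radio, expected SSID: nothing to report, even if it is the open guest network
    if entry.ssid in OUR_SSIDS:
        return f"{bssid} advertises our SSID {entry.ssid!r} but is not in inventory (possible rogue or evil twin)"
    if entry.security == "OPEN" and entry.signal_dbm >= STRONG_SIGNAL_DBM:
        return f"{bssid} is an open network {entry.ssid!r} at {entry.signal_dbm} dBm (tethering hotspot or unauthorized AP?)"
    return None   # distant or protected network we do not own: a neighbour


def rogue_report(entries: List[ScanEntry]) -> List[str]:
    """All findings for one scan, in scan order."""
    return [f for f in map(classify, entries) if f is not None]


# Constructed scan results: one legitimate AP, one evil twin, one phone hotspot, two neighbours.
SAMPLE_SCAN = [
    ScanEntry("aa:bb:cc:00:01:10", "Corp-WiFi", "WPA2", -48),
    ScanEntry("de:ad:be:ef:00:01", "Corp-WiFi", "WPA2", -55),
    ScanEntry("12:34:56:78:9a:bc", "Bobs iPhone", "OPEN", -40),
    ScanEntry("02:11:22:33:44:55", "NeighborNet", "WPA2", -80),
    ScanEntry("02:11:22:33:44:66", "CoffeeShop", "OPEN", -85),
]

if __name__ == "__main__":
    for finding in rogue_report(SAMPLE_SCAN):
        print(finding)
```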
Limit the networks users connect to
You can make your Wi-Fi extremely secure and virtually impenetrable, yet your laptops and wireless devices can still be easily penetrated. For instance, someone could set up a rogue access point inside or even outside your building, tricking the computer/device or the user into connecting to it. Once connected, the rogue operator could potentially access its files and data, or work on cracking the real network’s password.
Although you can’t limit which networks every device can connect to, it is possible on some platforms, for instance in Windows via Netsh.
Disable Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) was designed to make encrypting Wi-Fi networks quick and easy, by pressing a button or entering a PIN. However, security holes have been found in this technology, allowing hackers to crack the WPS PIN and gain wireless access. Although many vendors have made changes to their routers and access points to help prevent cracking it, it’s a good idea to disable it when you’re able to.
Verify physical security of the network and building
You can use the best Wi-Fi encryption and security in the world, yet your entire network can be blown open in seconds with a quick factory reset of a wireless access point or by someone plugging into a spare network port. So regularly evaluate the physical security of the network components and the building. Ensure the public, and even employees, can’t easily access network devices, cabling, and ports.
I discussed many wireless security concerns and issues, and how to protect against them, beyond the given of encrypting the Wi-Fi with a password. Wireless security is about layers. Typically, the more security techniques you use or security holes you close, the less likely it is that a hacker can gain access. Along the same lines, there are many ways hackers can get in besides cracking the password, and preventing as many of those vulnerabilities as possible makes your network more secure.
Remember: keep your network components updated with the latest firmware, choose the SSID wisely, and replace those default passwords on your access points and other network components with strong passwords. If you use VLANs on the network, double-check they’re properly configured on the wireless side of the network. Monitor for rogue access points, limit the networks that user devices can connect to, and consider disabling WPS. Also don’t forget about the physical security of your network and building.
There are many other ways you’ll find online that help secure your network further. Some commonly mentioned ones I didn’t discuss here are hiding the SSID by disabling its broadcast, enabling MAC address filtering, and disabling or limiting DHCP. I don’t feel these are worth doing in most cases, as the cons typically outweigh the pros.