Wireless security is a whole different animal than wired network security. Since WiFi is a wireless technology, intrusion attempts are much easier because they are possible without physical access to the network or building. Therefore, this is one area of IT security where you don’t want to make any mistakes.
Here are five common WiFi security mistakes you should avoid when deploying wireless networks:
Using Pre-Shared Key (PSK) WiFi Security
The personal mode of WiFi Protected Access (WPA or WPA2) security is much easier to set up initially than the enterprise mode with 802.1X authentication, which requires a RADIUS server or hosted RADIUS service. However, the enterprise mode is designed much better for business networks. It provides greater security in business environments and will actually take less time to manage in the long run, compared with the effort required to use personal mode securely.
When you use the personal mode of WPA or WPA2 security, you set a passphrase that’s used by all users in order to connect to the WiFi. This passphrase is stored in all those devices, so if one becomes lost or stolen or if an employee leaves the organization, you would need to change the passphrase on the APs and on all the wireless devices in order to keep the network secure.
When you use the enterprise mode of WPA or WPA2 security, you can create unique login credentials for each user. This can be a security certificate or smart card for the greatest security or a username and password for easier deployment. Though the login credentials are stored on the wireless devices with this mode as well, an individual user’s credentials can be changed or revoked via the RADIUS server if a device becomes lost or stolen or if they leave the organization. You wouldn’t have to change any passwords on the APs or the login credentials for other users.
Another big vulnerability of personal mode is that users connected to the WiFi can eavesdrop on other users’ wireless traffic, since every client derives its keys from the same shared passphrase. However, this isn’t the case with the enterprise mode. Each user’s keys come out of that user’s own 802.1X authentication exchange, so the encryption is designed in a way where users can’t decrypt other users’ traffic.
Takeaway: Remember, if you don’t choose to use the preferred enterprise mode, be sure to change the passphrase when an employee leaves, or if a wireless device becomes lost or stolen. Also, the personal mode is risky for insider eavesdropping, so beware! See a previous article of mine for more on deploying the enterprise mode.
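To make the shared-key point concrete, here is an added example (not code from the article) that derives the WPA2-Personal Pairwise Master Key the way every AP and client does, using the passphrase-to-PSK mapping from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output). Two users with the same passphrase end up holding the identical master key, whereas in enterprise mode each session gets its own PMK from the EAP exchange; the enterprise-mode function below is a constructed stand-in for that per-session key, not a RADIUS implementation.

```python
import hashlib
import secrets


def wpa2_personal_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping used by WPA/WPA2-Personal.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every station on the network computes exactly this value, which is why
    knowing the passphrase is equivalent to holding the network's master key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-Personal passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def enterprise_session_pmk() -> bytes:
    """Constructed stand-in for WPA2-Enterprise key material.

    With 802.1X/EAP (e.g. EAP-TLS) the RADIUS server and the client derive a
    fresh 256-bit PMK for each authenticated session and the RADIUS server
    hands it to the AP; no two users share one. Random bytes model that here.
    """
    return secrets.token_bytes(32)


def personal_mode_keys_match(passphrase: str, ssid: str) -> bool:
    """Two employees on a personal-mode SSID hold the same master key."""
    alice = wpa2_personal_pmk(passphrase, ssid)
    bob = wpa2_personal_pmk(passphrase, ssid)
    return alice == bob


def enterprise_mode_keys_match() -> bool:
    """Two employees on an enterprise-mode SSID hold different master keys."""
    return enterprise_session_pmk() == enterprise_session_pmk()


if __name__ == "__main__":
    # Known test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa2_personal_pmk("password", "IEEE").hex())
    print("personal mode, same PMK for all users:", personal_mode_keys_match("password", "IEEE"))
    print("enterprise mode, same PMK for all users:", enterprise_mode_keys_match())
```

In personal mode each client's per-session key is then derived from this one PMK plus values exchanged in the clear (MAC addresses and nonces), which is what lets one passphrase holder read another's traffic; in enterprise mode that starting point differs per user, so revoking one account via RADIUS affects nobody else.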
Not having separate wireless access for guests
Most businesses and organizations will have clients, contractors, or some other form of guests visit their offices over time. Even if this doesn’t happen often, consider setting up wireless access for guests. Those visiting the office most likely would find the WiFi convenient or maybe even required.
If you don’t have any guest access set up, someone might give them access to the main or private network, which isn’t a good security practice. Further, if there’s guest access set up, but it’s not done properly, they still may be able to access the private network.
I suggest creating a separate SSID for guest access and associating it with a separate VLAN that can’t access the main or private network but can access the Internet. Also, consider utilizing quality-of-service (QoS) features to impose bandwidth limits on the guest VLAN so they don’t hog all the Internet bandwidth.
Additionally, consider enabling the personal mode of WiFi security on that separate SSID. Though generally less secure than the enterprise mode, I think it’s acceptable for guest access to keep off nearby freeloaders that might misuse the WiFi access. Even if someone were to hack their way onto the guest access, the idea is that the private network would be on a different VLAN that’s inaccessible to them anyway.
Takeaway: Be prepared for guests on your network by creating secure guest access because if you don’t, users will likely allow them onto the private network. Also, don’t forget to limit their bandwidth.
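The layout described above, as an added example that is not part of the article: a private enterprise-mode SSID and a guest personal-mode SSID on the same AP, each bridged into its own VLAN, a default-drop forwarding policy on the router that lets both VLANs reach the Internet but not each other, and a bandwidth cap on the guest side. The script renders the hostapd, nftables and tc pieces and checks the flow policy for guest-to-private leaks. Interface names (wlan0, br-private, br-guest, wan0), the VLAN ids, the RADIUS address and the CHANGE-ME secrets are all assumptions for illustration.

```python
# Two BSSes on one radio. hostapd treats "# ..." only as whole-line comments,
# so the notes sit on their own lines. Each BSS lands in its own bridge, which
# carries the matching 802.1Q subinterface of the trunk (eth0.10 / eth0.20).
HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
# Private SSID: WPA2-Enterprise, bridged into the private VLAN (br-private holds eth0.10)
ssid=CorpNet
bridge=br-private
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-RADIUS-SECRET
# Guest SSID: second BSS, WPA2-Personal, bridged into the guest VLAN (br-guest holds eth0.20)
bss=wlan0_1
ssid=CorpGuest
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-GUEST-PASSPHRASE
# Guests also cannot reach one another over the air
ap_isolate=1
"""

# Interface pairs allowed to START new flows through the router. Anything not
# listed is dropped by the chain policy, so guest <-> private is never forwarded.
ALLOWED_FLOWS = [
    ("br-private", "wan0"),
    ("br-guest", "wan0"),
]

# Egress shaping toward the guest bridge caps what guests can pull down (assumed 20 Mbit/s).
TC_GUEST_CAP = "tc qdisc add dev br-guest root tbf rate 20mbit burst 64kb latency 400ms"


def render_nft(allowed_flows):
    """Render an nftables forward chain: default drop, replies allowed, listed flows accepted."""
    lines = [
        "table inet wifi_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for iif, oif in allowed_flows:
        lines.append(f'    iifname "{iif}" oifname "{oif}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


def check_guest_policy(allowed_flows, guest_if="br-guest", private_ifs=("br-private",)):
    """Return the flows that would let guest and private VLANs reach each other.

    Because the chain policy is drop, a new flow is forwarded only if one of the
    accept rules matches it, so isolation holds exactly when no rule pairs the
    guest bridge with a private bridge in either direction.
    """
    violations = []
    for iif, oif in allowed_flows:
        if (iif == guest_if and oif in private_ifs) or (oif == guest_if and iif in private_ifs):
            violations.append((iif, oif))
    return violations


if __name__ == "__main__":
    print(HOSTAPD_CONF)
    print(render_nft(ALLOWED_FLOWS))
    print(TC_GUEST_CAP)
    print("guest/private leaks:", check_guest_policy(ALLOWED_FLOWS))
```

The `ap_isolate=1` line stops guests from reaching each other over the air, while the nftables policy stops guest traffic from being routed into the private VLAN at all; both are needed, since the wireless setting says nothing about what the router does with frames once they are bridged.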
Relying on alternative or insecure security practices
When googling and scouring the Internet, I still come across many tutorials and articles recommending old or questionable security practices for wireless networks. Though some can help and I understand great security comes in layers, I suggest concentrating on the main security mechanism first (encryption) and then weighing all the pros and cons of other methods.
One of the biggest alternative WiFi security practices is not broadcasting your SSID. The idea here is to hide the network name so unauthorized users can’t connect, as they must know the SSID in order to try, or to hide the fact that there’s a wireless network at all.
Keep in mind that some of the newer operating systems now list networks with hidden SSIDs. Though the SSID won’t be shown in the native wireless network list, wireless analyzers can pick up the SSID from wireless traffic, such as association attempts and probes, which still include the network name even if SSID broadcasting is turned off. In addition to not being a foolproof security measure, not broadcasting the SSID can also hurt security, because devices configured for a hidden network must actively probe for it by name, which generates extra traffic and reveals the SSID wherever those devices go.
MAC address filtering is another technique often brought up when discussing wireless security. Though it can help administrators regulate exactly which devices can connect to the network, it’s easy for a hacker to spoof their device’s MAC address, and managing the filtering can be quite inconvenient. Turning off DHCP and/or limiting the IP address range offered to wireless users is yet another technique out there to help combat wireless hackers, but this is also one that can be easily circumvented while making the network administrator’s job more difficult.
Takeaway: Remember, before rolling out alternative security measures, ensure the network is well secured with WPA2, preferably with the enterprise mode. Then carefully research other additive measures to ensure they are worth the effort. Check out my previous article on Wi-Fi security myths as well.
Not protecting laptops & mobile devices on public WiFi
There are two main vulnerabilities of using public WiFi hotspots. Firstly, if a user connects a laptop that has network shares, the files could be exposed to the other hotspot users. Secondly, if there’s a WiFi eavesdropper nearby monitoring the airwaves, they could capture the passwords or hijack accounts for unencrypted websites and services that the user connects to.
Windows has a network classification feature where the user can choose the public network type, or answer no when asked about enabling file sharing and discovery, and then any network shares on the laptop are disabled while connected to the network. Typical users, however, might not understand all this, so do your best to educate them.
Protecting a user’s WiFi traffic while connected to open hotspots takes more effort. I’d first ensure all the company or corporate logins the user might utilize are encrypted, such as email access. Though most webmail systems provide SSL-encrypted access by default, many POP3, IMAP, and SMTP servers still do not when using an email client like Outlook.
For additional assurance that user traffic is secured while on open WiFi networks, consider setting up VPN access on laptops and mobile devices so all the user traffic goes through the encrypted tunnel and isn’t exposed to any nearby eavesdroppers. If you don’t have a company VPN server or don’t want to use it for that purpose, consider subscribing to a third-party VPN service. Some VPN providers offer client programs that can automatically enable the VPN connection while on unencrypted WiFi networks.
Takeaway: Protecting users on open WiFi networks takes effort from both you and your users. Ideally you should utilize VPN connections, but also consider removing any network shares so there’s no chance they’ll be shared with others. Plus, ensure their email and other services they log into are always encrypted. Read more in a previous article of mine about securing public WiFi connections.
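One way to find the plaintext mail endpoints the paragraph above warns about, as an added example rather than code from the article: a small audit that connects to each SMTP, IMAP and POP3 service an email client is configured for, reads the capabilities the server advertises, and classifies the endpoint as implicit TLS (SMTPS/IMAPS/POP3S ports), STARTTLS-capable, or plaintext-only. The network probes use only the Python standard library; the parsing and classification helpers are pure functions and are exercised below on a constructed EHLO reply. Host names in the usage section are placeholders.

```python
import imaplib
import poplib
import smtplib

# Ports where the whole session is wrapped in TLS from the first byte.
IMPLICIT_TLS_PORTS = {465: "smtps", 993: "imaps", 995: "pop3s"}


def parse_ehlo(reply: bytes) -> list:
    """Extract capability keywords from a raw multi-line EHLO reply.

    The first 250 line carries the server's domain and greeting; each later
    '250-KEYWORD ...' or '250 KEYWORD' line names one extension.
    """
    caps = []
    for line in reply.decode("ascii", "replace").splitlines():
        if line.startswith("250") and len(line) > 4:
            caps.append(line[4:].strip().split()[0].upper())
    return caps[1:]


def classify(port: int, capabilities) -> str:
    """Return 'implicit-tls', 'starttls' or 'plaintext' for one mail endpoint."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    caps = {c.upper() for c in capabilities}
    # SMTP and IMAP advertise STARTTLS; POP3 calls the same upgrade STLS.
    if "STARTTLS" in caps or "STLS" in caps:
        return "starttls"
    return "plaintext"


def probe_smtp(host: str, port: int = 587) -> list:
    """Send EHLO and return the extensions the server advertised."""
    with smtplib.SMTP(host, port, timeout=8) as conn:
        conn.ehlo()
        return sorted(name.upper() for name in conn.esmtp_features)


def probe_imap(host: str, port: int = 143) -> list:
    """Return the IMAP CAPABILITY list from the greeting."""
    conn = imaplib.IMAP4(host, port)
    try:
        return list(conn.capabilities)
    finally:
        conn.logout()


def probe_pop3(host: str, port: int = 110) -> list:
    """Return the POP3 CAPA list (empty if the server does not support CAPA)."""
    conn = poplib.POP3(host, port, timeout=8)
    try:
        try:
            return list(conn.capa())
        except poplib.error_proto:
            return []
    finally:
        conn.quit()


def audit(host: str, port: int) -> str:
    """Probe one endpoint by port and classify its transport security."""
    if port in IMPLICIT_TLS_PORTS:
        return classify(port, [])
    if port in (25, 587):
        return classify(port, probe_smtp(host, port))
    if port == 143:
        return classify(port, probe_imap(host, port))
    if port == 110:
        return classify(port, probe_pop3(host, port))
    raise ValueError(f"not a mail port I know how to audit: {port}")


if __name__ == "__main__":
    # Placeholder endpoints; replace with the servers your clients are configured for.
    for host, port in [("mail.example.test", 587), ("mail.example.test", 143), ("mail.example.test", 110)]:
        try:
            print(host, port, audit(host, port))
        except OSError as exc:
            print(host, port, "unreachable:", exc)
```

A "starttls" result means the server can upgrade to TLS, not that it insists on it, so the client profile on the laptop still has to be set to require encryption; a "plaintext" result is an endpoint whose password would cross an open hotspot in the clear.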
Having sub-par WiFi performance
Although it doesn’t seem like a security risk, having poor WiFi performance can be dangerous in certain cases. If your wireless is slow or is constantly kicking off users, for instance, they may find another WiFi signal to connect to, like a neighboring business’s guest access, an open home router, or a public hotspot. If that happens, then the same security risks I just explained for hotspot connections apply, exposing any network shares on the device and the user’s traffic.
Takeaway: Ensure your network is up to par and try to educate the users on the risks of connecting to other networks. If you think users still might be tempted to connect elsewhere, keep in mind that you can limit the networks they connect to on Windows devices.