Wireless technology can make intrusion attempts easier because the attacker does not need physical access to the network or building. In penetration tests we have found several examples where it was possible to access the company’s internal network and eavesdrop on network traffic from the safety of the office car park. This is not something that you want to happen. There are also inherent dangers when connecting to open networks which could leave you vulnerable to compromise.
To ensure that it doesn’t happen to you, here are five important WiFi security tips you should consider when configuring your wireless network:
1. Using a Pre-Shared Key (PSK)
Opting for the personal mode of WiFi Protected Access (WPA or WPA2) can make security much easier to set up initially than using enterprise mode with 802.1X authentication, which requires a RADIUS server or a hosted RADIUS service. Enterprise mode is, however, designed for business networks and provides greater security in these environments. In the long run it may also take less time to manage than the effort genuinely required to use personal mode securely.
When you use WPA or WPA2 (WPA2 is strongly recommended over WPA) security in personal mode, you set a single password that all users use to connect to the wireless network. This password is stored on every attached device, so if one is lost or stolen, or if an employee leaves the company, you will need to change the password on all access points and on all wireless devices to be sure that the network remains secure.
If you use the enterprise mode of WPA or WPA2, you can set up a unique user name and password for each user. Additionally, you can set up authentication by security certificate or smart card for enhanced security. Though the login credentials are also stored on the wireless devices with this method, an individual user’s credentials can be changed or revoked on the RADIUS server if a device becomes compromised or if the user leaves the organisation. You would not have to change any passwords on the APs or the login credentials of other users. And less effort to maintain security usually means more reliable security.
Another significant weakness of personal mode is that users connected to the wireless network can eavesdrop on other users’ traffic, because anyone with the password can decrypt all of it. This is not the case with the enterprise mode, where the encryption is designed so that users cannot decrypt other users’ traffic.
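The two key-management models described in this section can be seen side by side in a small model. The following Python is an added example written for this article, not the author's code: the PSK derivation is the real WPA/WPA2-Personal one (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 rounds), while the `EnterpriseNetwork` class is a toy stand-in for a RADIUS user store in which `os.urandom` takes the place of the per-session key material a real EAP method exports. It shows why every personal-mode station ends up holding the same key, and how many devices have to be touched to lock out one user in each mode.

```python
import hashlib
import os
import secrets


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: the 256-bit PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds).
    Every station that knows the passphrase computes exactly the same value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class PersonalNetwork:
    """Toy model of a WPA2-Personal network: one passphrase, one PMK for everybody."""

    def __init__(self, ssid: str, passphrase: str):
        self.ssid = ssid
        self.passphrase = passphrase
        self.stations = {}  # device name -> PMK held on that device

    def join(self, device: str) -> None:
        self.stations[device] = psk_pmk(self.passphrase, self.ssid)

    def revoke(self, device: str) -> list:
        """Lock out one device. The only lever is rotating the passphrase, which
        changes the PMK on the AP and on every remaining device. Returns the
        devices that must be reconfigured."""
        self.stations.pop(device, None)
        self.passphrase = secrets.token_urlsafe(16)
        for d in self.stations:
            self.stations[d] = psk_pmk(self.passphrase, self.ssid)
        return sorted(self.stations)


class EnterpriseNetwork:
    """Toy model of WPA2-Enterprise (802.1X/EAP): the RADIUS server keeps a per-user
    account and each authenticated session receives its own PMK (derived from the
    EAP MSK), so no two stations share key material."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self.accounts = {}  # username -> enabled (stand-in for the RADIUS user store)
        self.sessions = {}  # username -> PMK of the current session

    def add_user(self, user: str) -> None:
        self.accounts[user] = True

    def join(self, user: str) -> None:
        if not self.accounts.get(user, False):
            raise PermissionError(f"RADIUS rejected {user}")
        # Assumption: os.urandom stands in for the MSK a real EAP method (e.g. EAP-TLS) exports.
        self.sessions[user] = os.urandom(32)

    def revoke(self, user: str) -> list:
        """Disable one account on the RADIUS server; no other device is touched."""
        self.accounts[user] = False
        self.sessions.pop(user, None)
        return []


def compare_revocation() -> dict:
    """Join three devices/users to each network, revoke one, and report how many
    other devices need reconfiguring in each mode."""
    personal = PersonalNetwork("CorpNet", "correct horse battery staple")  # constructed values
    enterprise = EnterpriseNetwork("CorpNet")
    for name in ("alice", "bob", "carol"):
        personal.join(name)
        enterprise.add_user(name)
        enterprise.join(name)
    return {
        "personal_shares_one_pmk": len(set(personal.stations.values())) == 1,
        "enterprise_pmks_distinct": len(set(enterprise.sessions.values())) == 3,
        "personal_devices_to_touch": len(personal.revoke("carol")),
        "enterprise_devices_to_touch": len(enterprise.revoke("carol")),
    }


if __name__ == "__main__":
    print(compare_revocation())
```

`psk_pmk` reproduces the IEEE 802.11i reference test vector (passphrase `password`, SSID `IEEE`), which is a useful sanity check when auditing any tool that handles WPA2-Personal key material.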
2. Separate Wireless Access for Guests
It is highly likely that you will have guests such as customers, contractors or auditors visiting your offices from time to time, and it is common these days for visitors to request Internet access. This being the case, you should consider setting up separate wireless access for guests.
If you do not set up guest access, you run the risk that someone will give visitors access to the main or private network, which is not good security practice. Additionally, be aware that if separate guest access is set up but not done properly, guests may still be able to reach the private network.
We would suggest setting up a separate SSID for guest access and associating it with a dedicated VLAN that cannot access the company network but can access the Internet. You should also consider using quality-of-service (QoS) features to impose bandwidth restrictions on the guest VLAN so it doesn’t hog all the Internet bandwidth.
You could also consider enabling the personal mode of wireless security on that separate SSID. Although it is generally less secure than the enterprise mode, it is sufficient for guest access to deter freeloaders that might attempt to get ‘free’ WiFi access. Even if an attacker were to ‘hack’ their way onto the guest network, because it is on a separate VLAN they should not be able to access the corporate network.
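The “set up but not done properly” case from this section is usually a missing deny rule between the guest VLAN and the internal ranges. The Python below is an added example for this article, not the author's configuration; the addressing plan (corporate VLANs in 10.10.0.0/16 and 10.20.0.0/16, guest VLAN in 10.200.0.0/24) is constructed. It models first-match firewall rules, places a weak guest policy beside a hardened one, and provides a check that reports which internal networks a guest station can still reach.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not from the article).
CORPORATE_NETS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
GUEST_NET = ipaddress.ip_network("10.200.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """First-match firewall semantics with an implicit final deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


# Weak: the guest VLAN exists, but its only rule lets it reach everything, internal ranges included.
WEAK_POLICY = [Rule(GUEST_NET, ANY, "allow")]

# Hardened: explicit denies to every corporate range are evaluated before the Internet allow.
HARDENED_POLICY = [Rule(GUEST_NET, net, "deny") for net in CORPORATE_NETS] + [Rule(GUEST_NET, ANY, "allow")]


def guest_leaks(rules) -> list:
    """Corporate networks a guest station can still reach under `rules` (empty list means isolated)."""
    guest_host = str(GUEST_NET[10])
    return [str(net) for net in CORPORATE_NETS if evaluate(rules, guest_host, str(net[1])) == "allow"]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "- guest can reach:", guest_leaks(policy) or "nothing internal",
              "| Internet (203.0.113.5):", evaluate(policy, "10.200.0.10", "203.0.113.5"))
```

Rule order matters: the denies must precede the catch-all allow, and because the model defaults to deny, the reverse direction (corporate to guest) is blocked without an extra rule. Running `guest_leaks` against the live ruleset export is the same check a pentester performs from the guest SSID.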
3. Use Current Security Practices
When researching security tips on the internet, you will undoubtedly come across many articles which recommend old or questionable security practices for wireless networks. Though some can be helpful, they often rely too much on what might be considered ‘additional layers’ rather than concentrating on the main wireless security mechanism, i.e. encryption.
A common suggestion is not broadcasting your SSID. The idea is to hide the network name so that unauthorised users can’t connect, as they need to know the SSID in order to try. It’s worth keeping in mind that some newer operating systems now list networks with unknown SSIDs, and although the SSID won’t be shown in the native wireless network list, wireless analysers can pick up the SSID from the traffic. As well as not being a foolproof security measure, not broadcasting the SSID can also have a negative impact on the network from the extra traffic that is generated.
Another technique that is often brought up when discussing wireless security is MAC address filtering. This can help administrators control exactly which devices can connect to the network but it is relatively easy for a hacker to spoof a device’s MAC address and managing the filtering can be quite inconvenient.
Turning off DHCP and/or limiting the IP address range available to wireless users is yet another method that is used in an attempt to thwart wireless hackers. However, it is another technique that can be easily circumvented while increasing the workload for the network administrator.
Before rolling out additional security measures, ensure the network is well secured with WPA2, preferably with the enterprise mode. Only then, carefully research the pros and cons of other measures to ensure they are worth the effort.
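To make the “analysers can pick up the SSID from the traffic” point concrete, the following Python is an added example for this article (not the author's code) that parses the tagged-parameter region of 802.11 management frames. The frame bodies are constructed inline rather than captured: a beacon with a zero-length SSID element, a beacon with the name blanked to NULs, and the probe response the same AP returns to a station that asks for the network by name. The parser follows the standard ID / length / value element layout.

```python
SSID_ELEMENT_ID = 0


def parse_elements(body: bytes) -> dict:
    """Split the tagged-parameter region of an 802.11 management frame into
    {element id: [value, ...]} using the ID(1) | length(1) | value layout."""
    elements, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements.setdefault(eid, []).append(value)
        i += 2 + length
    return elements


def advertised_ssid(body: bytes):
    """Return the SSID a frame carries: None if there is no SSID element, "" if the
    element is empty or all NULs (the two ways APs 'hide' the name), else the name."""
    values = parse_elements(body).get(SSID_ELEMENT_ID)
    if not values:
        return None
    raw = values[0]
    if not raw or raw.count(0) == len(raw):
        return ""
    return raw.decode("utf-8", errors="replace")


# Constructed sample element regions (assumption: not captured from a real network).
RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])              # Supported Rates element
HIDDEN_BEACON = bytes([0, 0]) + RATES                        # zero-length SSID element
NULL_PADDED_BEACON = bytes([0, 7]) + b"\x00" * 7 + RATES     # length kept, name blanked
PROBE_RESPONSE = bytes([0, 7]) + b"CorpNet" + RATES          # reply to a directed probe; name in clear


def hidden_ssid_assessment() -> dict:
    """What each frame type reveals about the network name."""
    return {
        "beacon": advertised_ssid(HIDDEN_BEACON),
        "beacon_null_padded": advertised_ssid(NULL_PADDED_BEACON),
        "probe_response": advertised_ssid(PROBE_RESPONSE),
    }


if __name__ == "__main__":
    for frame, ssid in hidden_ssid_assessment().items():
        print(f"{frame:20s} -> {ssid!r}")
```

The beacons give nothing away, but every legitimate client that joins triggers a probe response carrying the name in clear text, which is exactly what a wireless analyser keys on. That is also the source of the extra traffic the text mentions: clients of a hidden network must send directed probes wherever they go.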
4. Protect Laptops and Mobile Devices on Public Networks
Being attached to someone else’s network can be a risky business. There are a couple of key things to consider. If you connect your laptop and it has network shares, your files could be exposed to the other network users. If there is a WiFi eavesdropper in the vicinity, scanning the airwaves, they may be able to capture the passwords or hijack accounts for unencrypted websites and services that you are using.
If you are using Windows, there is a network classification feature which allows you to choose the ‘public network’ type, or answer no when asked about enabling file sharing and discovery so that any network shares on the laptop are disabled while connected to that network. Your company laptops should be set up to use this feature.
You should take additional measures to protect WiFi traffic while connected to open hotspots. Ensure that all the company logins used from your company’s laptops are encrypted, email included. Although most webmail systems provide TLS/SSL encrypted access by default, many POP3, IMAP and SMTP servers still do not when used from an email client such as Outlook.
For greater assurance that user traffic is secured while on open networks, you should consider setting up VPN access on laptops and mobile devices. This means that all network traffic goes through an encrypted tunnel and is not exposed to anyone with the ability to scan the network traffic. If your company does not have a VPN facility, you could consider subscribing to a third-party VPN service. Some VPN providers offer services that can automatically enable the VPN connection when you are on an unencrypted wireless network.
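The email advice above is easy to turn into a configuration check. The Python below is an added example for this article, not the author's tooling: it audits a list of mail account settings (constructed sample data, with example.com hosts) and flags the two cases that expose a login on an open hotspot, plaintext protocols and STARTTLS that is merely opportunistic rather than required. The account fields and encryption labels are assumptions chosen for the example, not any client's real settings format.

```python
from dataclasses import dataclass


@dataclass
class MailAccount:
    name: str
    protocol: str    # "POP3", "IMAP" or "SMTP"
    host: str
    port: int
    encryption: str  # "none", "starttls-opportunistic", "starttls-required" or "tls"


# Ports that carry TLS from the first byte (implicit TLS) for each protocol.
IMPLICIT_TLS_PORT = {"POP3": 995, "IMAP": 993, "SMTP": 465}


def audit_accounts(accounts) -> list:
    """Return (account name, severity, finding) for every setting that would expose
    the login or the mail itself to an eavesdropper on an open network."""
    findings = []
    for a in accounts:
        where = f"{a.protocol} to {a.host}:{a.port}"
        if a.encryption == "none":
            findings.append((a.name, "high",
                             f"{where} sends the password in clear text; use port "
                             f"{IMPLICIT_TLS_PORT[a.protocol]} with TLS or require STARTTLS"))
        elif a.encryption == "starttls-opportunistic":
            findings.append((a.name, "medium",
                             f"{where} only attempts STARTTLS and falls back to clear text if the "
                             f"upgrade is blocked on the hotspot; set STARTTLS to required"))
        elif a.encryption == "tls" and a.port != IMPLICIT_TLS_PORT[a.protocol]:
            findings.append((a.name, "low",
                             f"{where} uses implicit TLS on a non-standard port; confirm the "
                             f"server really offers TLS there"))
    return findings


# Constructed sample accounts (assumption: not from any real deployment).
SAMPLE_ACCOUNTS = [
    MailAccount("legacy-pop", "POP3", "mail.example.com", 110, "none"),
    MailAccount("imap-laptop", "IMAP", "mail.example.com", 143, "starttls-opportunistic"),
    MailAccount("smtp-submission", "SMTP", "smtp.example.com", 587, "starttls-required"),
    MailAccount("imap-tls", "IMAP", "mail.example.com", 993, "tls"),
]


def audit_sample() -> list:
    return audit_accounts(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for name, severity, finding in audit_sample():
        print(f"[{severity}] {name}: {finding}")
```

Only the two accounts that negotiate security correctly pass; the opportunistic-STARTTLS case is the one most often overlooked, because the client appears to use encryption on the office network and silently downgrades elsewhere.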
5. Poor Network Performance
At first sight, poor performance may not seem to be a security issue, but poor network performance can be dangerous in some circumstances. If your WiFi is slow or constantly drops connections, for example, users may try to find another, more reliable WiFi signal to connect to, such as another company’s guest access, an open home router or an open public hotspot. If they take this option, then the issues discussed above will apply.
It is important to educate your users on the risks when connecting to other networks. If you think users may still be tempted to connect elsewhere you have the option of limiting the networks they can connect to on Windows devices.