A non-secure wireless network provides an easy way for an attacker to gain access to all of the data that resides on it. This can range from sensitive business data to your precious family photos. Access to your network may also allow the attacker to exploit other vulnerabilities that may exist on devices attached to it. Computers, servers or software can be exploited allowing the hacker to launch an attack against you and/or others.
In this post, I will cover some of the ways you can make your wireless network as secure as possible. Don’t worry, this will not be a deep technical dive, a how-to article, or a product comparison, nor will I be making any recommendations on what brand of wireless access point should be purchased. Rather, it will briefly touch on the different types of wireless security that most modern access points support, and offer suggestions on how you can better secure your environment.
First and foremost, it is important to address a couple of myths about securing your wireless network.
- It is possible to not broadcast the network name or SSID. This does not make the wireless network invisible, or protect it in any way. It might keep the average person from seeing and/or attempting to connect to your network for free WiFi, but it poses no real security benefit against a more knowledgeable person who is seeking out wireless networks with malicious intent.
- MAC address filtering is another item that may prevent an average user from connecting to your network but again, it is a small hurdle for a more knowledgeable person to overcome. An attacker can simply impersonate one of the MAC addresses that they see communicating on your network.
The best way to protect your wireless network is with strong authentication and encryption protocols. For the remainder of this post we will take a look at some of the options for securing your network.
I don’t want to dive too deep into the alphabet soup of acronyms surrounding wireless security, but if you’re the person responsible for your home and/or business wireless network it is important to have an understanding of the options that you are presented with. Below is a list of the security options that you might find on your wireless access point.
- WEP – Wired Equivalent Privacy
- WPA – WiFi Protected Access
- WPA2 – WiFi Protected Access II
- WPA/2-Enterprise or 802.1X – Port Based Authentication
Let’s take a closer look at each of them to see what types of environments they fit into and their relative level of security.
WEP, or Wired Equivalent Privacy, was the original wireless security and part of the IEEE standard known as 802.11 that defined how wireless networks should operate. WEP utilizes a pre-shared key for encryption and sometimes authentication. I won’t spend any more time describing WEP since its encryption keys are short and can be easily cracked. WEP does not have a place in the modern wireless network. WEP has been superseded by WPA/WPA2. If WEP is in use on your network, you should consider reconfiguring to use a stronger encryption method, upgrading the firmware (the software hardcoded into the device) or replacing hardware as appropriate.
WiFi Protected Access (WPA) and WPA2 were the WiFi Alliance’s answer to protecting wireless networks following the discovery of WEP’s shortcomings. Both incorporate the use of a pre-shared key for authentication. WPA2 provides better overall security for your data and is preferred. The one thing to keep in mind with WPA/WPA2 is that they are only as strong as the pre-shared key that is in use. It is possible to capture and crack WPA/WPA2 pre-shared keys, so you want to make sure that you are using a strong key and not something like your grandmother’s or a pet’s name. A previous blog post by one of my colleagues provides insight into “What Makes a Good Password.” The principles that he speaks of in his post are also applicable to your wireless network’s pre-shared key.
The discussion of WPA/WPA2 is not complete without mentioning WPS (WiFi Protected Setup). WPS was initially created to help consumers easily secure their wireless networks with WPA/WPA2. The problem was that this also made it easier for an attacker to gain access to the WPA/WPA2 network. Wireless access points prior to 2013 are likely to be vulnerable to brute force WPS attacks. The best option is to completely disable WPS on your network. This may be as simple as turning it off or may require you to upgrade software or equipment.
WPA2 with a strong pre-shared key is the best option for securing your wireless network that we have discussed so far. It is likely the best option for your home and very small business networks.
802.1X eliminates the single pre-shared key that you may or may not ever change. Instead, it allows you to use per-user authentication for the wireless network and also results in per-user encryption keys. In its simplest form, it leverages a central database of usernames and passwords to authenticate users. This is a perfect fit for, but not limited to, environments that have centralized databases such as Microsoft Active Directory, which is typically seen in corporate environments. A person can only access the wireless network if they have an active user account. So when an employee has left a company, all that needs to be done to secure the wireless network is to disable that employee’s account. There are no pre-shared keys to change on your access points, computers and mobile devices.
In addition to using strong authentication and encryption, it is always wise to have access controls in place to limit access to protected resources. This is typically done with a firewall; however, some wireless vendors do provide similar functionality at the wireless access point level.
So what can you do to secure your wireless network?
- Eliminate WEP, WPA and WPS
- Use 802.1X or WPA2-Enterprise
- Use strong pre-shared keys when using WPA2 without 802.1X
- Implement access controls to limit what resources users can access
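As an added example (not part of the original post), the checklist above can be turned into a small configuration audit. It assumes the access point's settings are available in hostapd.conf syntax, which the post does not mention; the sample configuration is constructed, and the 16-character, three-character-class threshold for a "strong" key is an assumed heuristic.

```python
import re

# Constructed sample in hostapd.conf syntax (not from the original post).
WEAK_CONF = """\
ssid=HomeNet
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=fluffy2012
wps_state=2
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (code, advice) findings for the checklist items."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    findings = []
    if any(k.startswith("wep_key") for k in conf) or wpa == 0:
        findings.append(("NO_WPA2", "WEP or open network: enable WPA2 (wpa=2)"))
    if wpa & 1:
        findings.append(("WPA1", "WPA version 1 enabled: use wpa=2"))
    if conf.get("wps_state", "0") != "0":
        findings.append(("WPS", "WPS enabled: set wps_state=0"))
    psk = conf.get("wpa_passphrase")
    if psk is not None:
        # Assumed heuristic: at least 16 chars drawn from 3+ character classes.
        classes = sum(bool(re.search(p, psk))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
        if len(psk) < 16 or classes < 3:
            findings.append(("WEAK_PSK", "pre-shared key is short or simple"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("HIDDEN_SSID", "hidden SSID adds no protection"))
    if conf.get("macaddr_acl", "0") != "0":
        findings.append(("MAC_FILTER", "MAC filtering is not authentication"))
    return findings

if __name__ == "__main__":
    for code, advice in audit(WEAK_CONF):
        print(f"{code}: {advice}")
```

The hidden-SSID and MAC-filter findings are informational: they flag settings that the myths section describes as offering no real protection, so they should not be counted as security controls.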
If you have any concerns about the security of your business’ wired or wireless network, please contact The TNS Group. We make security a priority for your business.