Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the web is full of outdated advice and myths. But here are some dos and don'ts of Wi-Fi security, addressing some of these myths.
Don't use WEP
WEP (wired equivalent privacy) security is long dead. Its underlying encryption can be broken quickly and easily by the most inexperienced of hackers. Thus you shouldn't use WEP at all. If you are using it, immediately upgrade to WPA2 with 802.1X authentication (802.11i). If you have legacy clients or access points that don't support WPA2, try firmware upgrades or simply replace the equipment.
Don't use WPA/WPA2-PSK
The pre-shared key (PSK) mode of WPA and WPA2 security isn't secure for business or enterprise environments. When using this mode, the same pre-shared key must be entered into each client. Thus the PSK would need to be changed each time an employee leaves and when a client is lost or stolen, which is impractical for most environments.
Do implement 802.11i
The EAP mode of WPA and WPA2 security uses 802.1X authentication instead of PSKs, providing the ability to offer each user or client their own login credentials: username and password and/or a digital certificate. The actual encryption keys are regularly changed and exchanged silently in the background. Thus to change or revoke user access all you have to do is modify the login credentials on a central server, rather than having to change the PSK on each client. The unique per-session keys also prevent users from eavesdropping on each other's traffic.
Do secure 802.1X client settings
The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks. However, you can help prevent these attacks by securing the EAP settings of the client. For instance, in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specify the server address, and disable it from prompting users to trust new servers or CA certificates. You can also push these 802.1X settings to domain-joined clients via Group Policy or use a third-party solution, such as Avenda's Quick1X.
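To check the three client settings above across many machines, you can audit exported wireless profiles. The following is an added example, not part of the original article: it assumes the `ServerValidation`, `TrustedRootCA`, `ServerNames` and `DisableUserPromptForServerValidation` elements that Windows PEAP profile exports use, and the two sample fragments are constructed and trimmed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed fragments in the shape of a Windows PEAP profile export
# (namespaces omitted; the hash and host name are placeholders, not real values).
WEAK = """<EapType><ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
</ServerValidation></EapType>"""

HARDENED = """<EapType><ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>radius.corp.example</ServerNames>
  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
</ServerValidation></EapType>"""


def local(tag):
    """Strip any '{namespace}' prefix so namespaced exports match too."""
    return tag.rsplit("}", 1)[-1]


def audit_eap_profile(xml_text):
    """Return a list of findings for the three client settings the article lists."""
    root = ET.fromstring(xml_text)
    blocks = [e for e in root.iter() if local(e.tag) == "ServerValidation"]
    if not blocks:
        return ["no ServerValidation settings found in profile"]
    findings = []
    for sv in blocks:
        fields = {}
        for child in sv:
            fields.setdefault(local(child.tag), []).append((child.text or "").strip())
        # 1. A CA certificate must be selected for server certificate validation.
        if not any(fields.get("TrustedRootCA", [])):
            findings.append("no trusted root CA selected")
        # 2. The expected authentication server name must be specified.
        if not any(fields.get("ServerNames", [])):
            findings.append("no server name pinned")
        # 3. Users must not be prompted to trust new servers or CAs.
        prompt_off = fields.get("DisableUserPromptForServerValidation", ["false"])[0]
        if prompt_off.lower() != "true":
            findings.append("users can be prompted to trust new servers or CAs")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_eap_profile(doc) or "OK")
```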
Do use a wireless intrusion prevention system
There's more to Wi-Fi security than combating those directly trying to gain access to the network. For instance, hackers could set up rogue access points or perform denial of service attacks. To help detect and combat these, you should implement a wireless intrusion prevention system. The design and approaches of WIPSs vary among vendors, but generally they monitor the airwaves looking for, alerting you to and possibly stopping rogue APs or malicious activity.
Do deploy NAP or NAC
In addition to 802.11i and a WIPS, you should consider deploying a Network Access Protection or network access control solution. These can provide additional control over network access, based on client identity and compliance with defined policies. They can also include functionality to isolate problematic clients and remediation to get clients back within compliance. Some NAC solutions may also include network intrusion prevention and detection functionality, but you'd want to make sure it also specifically provides wireless protection.
Don't trust hidden SSIDs
One myth of wireless security is that disabling the SSID broadcasting of APs will hide your network, or at least the SSID, making it harder for hackers. However, this only removes the SSID from the AP beacons. It's still contained in the 802.11 association request, and in certain instances, the probe request and response packets as well. Thus an eavesdropper can discover a "hidden" SSID fairly quickly, especially on a busy network, with a legitimate wireless analyser.
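The reason hiding fails is visible in the frame format itself: the SSID is an ordinary tagged element in several management frames, not just the beacon. The following is an added example, not part of the original article, that parses constructed frames (placeholder addresses, the SSID "CorpNet" is made up) and shows the name missing from the beacon but present in the association request.

```python
# Bytes of fixed fields that precede the tagged elements, per management subtype.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
NAMES = {0: "association request", 4: "probe request",
         5: "probe response", 8: "beacon"}


def ssid_in_frame(frame):
    """Return (subtype name, SSID or None) for a raw 802.11 management frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a management subtype handled here")
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:  # SSID element
            hidden = length == 0 or not any(value)  # empty or all-NUL SSID
            return NAMES[subtype], None if hidden else value.decode("utf-8", "replace")
        pos += 2 + length
    return NAMES[subtype], None


def build(subtype, ssid):
    """Constructed sample frame: placeholder addresses, zeroed fixed fields."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\x02" * 18 + b"\x00\x00"
    body = bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid
    return header + body + bytes([1, 1, 0x82])  # one supported-rates element


# What an AP with SSID broadcast disabled sends, and what a joining client sends.
HIDDEN_BEACON = build(8, b"")
ASSOC_REQUEST = build(0, b"CorpNet")

if __name__ == "__main__":
    for frame in (HIDDEN_BEACON, ASSOC_REQUEST):
        print(ssid_in_frame(frame))
```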
Don't trust MAC address filtering
Another myth of wireless security is that enabling MAC address filtering adds another layer of security, controlling which clients can connect to the network. This has some truth, but remember that it's very easy for eavesdroppers to monitor the network for authorised MAC addresses and then change their computer's MAC address. Thus you shouldn't implement MAC filtering thinking it will do much for security, but maybe as a way to loosely control which computers and devices end-users bring onto the network.
Do limit SSIDs users can connect to
Many network administrators overlook one simple but potentially dangerous security risk: users knowingly or unknowingly connecting to a neighbouring or unauthorised wireless network, opening up their computer to possible intrusion. However, filtering the SSIDs is one way to help prevent this. In Windows Vista and later, for example, you can use the netsh wlan commands to add filters to those SSIDs users can see and connect to.
Do physically secure network components
Remember, computer security isn't just about the latest technology and encryption. Physically securing your network components can be just as important. Make sure APs are placed out of reach, such as above a false ceiling, or even consider mounting APs in a secure location and then running an antenna to an optimum spot. If not secured, someone could easily come by and reset an AP to factory defaults to open access.
Don't forget about protecting mobile clients
Your Wi-Fi security concerns shouldn't stop at your network. Users with smartphones, laptops and tablets may be protected on site, but what about when they connect to Wi-Fi hotspots or to their wireless router at home? You should try to ensure their other Wi-Fi connections are secure as well, to prevent intrusions and eavesdropping. Unfortunately, it isn't easy to ensure outside Wi-Fi connections are secure. It takes a combination of providing and recommending solutions and educating users on the Wi-Fi security risks and prevention measures.