10 tips for better wireless network security

18,324
wi-fi security tips

Wireless networks have become increasingly common in organizations. With an increase in attacks occurring on wireless networks, wireless security ensures that unauthorized access to wireless networks is restricted.

There are several reasons which may be the cause for the increase in attacks on wireless networks.  Unlike wired networks, which require an attacker to physically access the network, with wireless networks, the attacker only needs to be in close proximity. Consequently, the very nature of a wireless network, to provide easy access to end-users is the reason for the increase in attacks.

Presented below are the common wireless security threats, and how you can protect against them.

7 Common wireless network threats

While malicious actions are an occurrence, wireless networks also face threats from non-deceitful actions. Many examples exist where innocent, yet careless, errors have been found to be the cause of a significant security breach. Presented below are seven of the most common threats to wireless networks.

wireless network security 1
Configuration Problems – Incomplete configurations or misconfigurations.
wireless network security 2
Denial of Service – The attacker sends large amounts of traffic (or viruses) via the network with the intent of overwhelming or hijacking resources.
wireless network security 3
Eavesdropping or Passive Capturing – Eavesdropping within range of an access point with the aim of capturing sensitive information.
wireless network security 4
Rogue (or Unauthorized/Ad-Hoc) Access Points – Impersonating a legitimate access point (AP), and fooling wireless devices into connecting with it.
wireless network security 5
Evil Twin Attacks – Similar to above, however, here the attacker mimics an access point and provides a stronger signal to auto-connect authorized users.
wireless network security 6
Hacking of lost or stolen wireless devices – Cybercriminals will evaluate the physical device for weaknesses and vulnerabilities, which may allow them to bypass the password to gain access.
wireless network security 7
Freeloading – While not usually done maliciously, unauthorized users will piggyback on your wireless network to gain free access. Whether malicious or not, there are still security ramifications.

Protecting your wireless network

Many small and medium business will seek to secure their wireless networks by restricting access to only authorized devices.

To secure your wireless network, there are three common techniques available.  These techniques can be used either independently of each other, or collectively:

  • SSID broadcast prevention
  • MAC address filtering
  • Enabling Wi-Fi encryption (WEP & WPA)

Here, we’ll explain each of these in techniques in more detail.

See also: Wi-Fi security: Securing your wireless network

SSID broadcast prevention

Every wireless network has an identity, known as the service set identifier (SSID).  This ID is broadcast to make any wireless devices in the area aware of their presence.

The wireless client device will typically display a list of within range Wi-Fi networks listed by name.  A user can select the network from the list and associated credentials to establish a wireless connection. If the credentials are incorrect, or if the client wireless device does not know the wireless network name, then no connection can be established.

The security technique is to prevent your wireless network from broadcasting its SSID.  This technique is not recognized as a robust security method.  Rather, it is more a hindrance for both potential attackers and users alike.

Turning off the ability to broadcast the SSID means that bonafide users who wish to connect to your wireless network will need to identify the name in advance.

In a small office environment, where there are only a handful of wireless devices, this method will shield your SSID from neighbouring offices and users.

For a small business, such as a hotel/guest house, a mechanism will need to be identified to inform new users of SSID/network name.  Furthermore, a procedure for changing the name periodically will need to be in place.

wireless security ssid

MAC address filtering

MAC address filtering involves restricting access to the wireless network based on the MAC address.  This approach provides a very powerful security method, allowing you to limit access to your wireless network by specific devices.

Each device which connects to a wired or wireless network has a MAC (media access control) identifier.  You can find out more about MAC identifiers here.

Every network adapter has a unique MAC identifier, or address, assigned by the adapter manufacturer.

To configure MAC address filtering on your Wi-Fi network, each wireless access point needs to be configured to only allow communication from specific MAC addresses. In most cases, this configuration can be done via the interface on your wireless router.

Restricting by MAC address requires the following:

  1. The MAC address of each wireless device (computer/laptop/smartphone) which is authorized to connect to the wireless network.
  2. The entry of these MAC addresses in the allowed/authorized list of addresses on the wireless router.

It is well worth noting that MAC address can be mimicked by cybercriminals using specialist equipment. Despite this, MAC address filtering

MAC address filtering is a robust security method as it allows you to restrict access by device.  However, this security method can be arduous for organizations with a large number of wireless devices.

Similarly, this security method is unsuited for organizations where the wireless client device frequently changes, such as a hotel, café, and so forth, due to the need to find each MAC address for each device.

However, if your wireless device inventory is predominately static, then MAC address filtering is recommended.

wireless security mac filtering

Enabling Wi-Fi Encryption

Using Wireless encryption techniques to secure your wireless network secures the data transmitted and received between the wireless access point (WAP) and wireless device.  Wireless encryption security techniques make it difficult for eavesdroppers to breach the wireless signal.

WEP and WPA

Wi-Fi encryption is available in two methods:

  • WEP (Wired Equivalent Privacy)
  • WPA (Wireless protected access)

Developed during the early days of Wi-Fi, WEP (Wired Equivalent Privacy) was created in response to the fact that it was more difficult to encrypt the wireless transmission than it was the wired. While WEP was suitable for its time, with the evolution of computers and computing, WEP security can now be easily and overcome.

Fortunately, since the advent of WEP, further wireless security protocols have been developed.  A summary of wireless encryption protocols can be found below:

  • Wired Equivalent Privacy (WEP): The oldest encryption protocol, however, has proven to be vulnerable. Over the years, an increasing number of security flaws have been discovered.
  • Wi-Fi Protected Access (WPA): Original version of the WPA protocol. Improved security, but considered now to be vulnerable to intrusion. Superseded by WPA2. Used Temporal Key Integrity Protocol (TKIP) as an encryption method.
  • Wi-Fi Protected Access 2 (WPA2): Any device manufactured after 2006 with a “Wi-Fi” logo must support WPA2 encryption. Uses Advanced Encryption Standard (AES).

WPA offers the following security algorithms:

  • PSK (Pre-Shared Key) – Also known as WPA-PSK. One password applies to all users, which is set on a wireless router or an access point (AP).  Users must enter the password when connecting to the Wi-Fi network. Wireless access cannot be individually or centrally managed. WPA-PSK passwords are stored on the wireless client device. Consequently, anyone using the wireless client device can connect to the wireless network and see the password.
  • WPA-Enterprise (WPA-802.1x, RADIUS) – While more complicated to set up, WPA-Enterprise offers individualized and centralized control over access to your wireless network. WPA-Enterprise should require a RADIUS server for client authentication. Encryption keys are securely created and assigned per user session, once the user presents their login credentials.
  • Wi-Fi Protected Setup (WPS) – Similar to WPA-PSK, except the password is generated by the wireless router, as opposed to being manually set. WPS offers two methods of connection, either through a wireless router generated 8-digit PIN, or Push-Button-Connect. It is advisable to always opt for push-button-connect, as WPS PINs can be brute-forced in approximately a day.
wireless security tkip and aes

Wi-Fi Protected Access 3 (WPA3)

Released in 2018, WPA3 is the most current and secure protocol currently available.  WPA3 offers two different operating modes:

  • WPA3-Personal – WPA3 personal uses a 128-bit encryption key which is communicated to both the AP and the client, prior to a wireless connection being established. It uses a Forward Secrecy protocol which prevents older data from being compromised by a later attack and provides resistance to offline, password-guessing attempts.
  • WPA3-Enterprise – WPA3-Enterprise makes use of 192-bit key-based encryption. It further utilizes a 48-bit initialization vector guaranteeing a minimum security level.

The robustness of any encryption techniques is dependent on how the encryption is implemented.

Larger organizations may wish to opt for WPA-Enterprise, which offers greater protection since it uses multiple encryption keys, which are not shared with multiple hosts.

For smaller and medium-sized organization, WPA2-PSK (AES) encryption is more cost-effective. However, anyone with either authorized or unauthorized access can decrypt packets.

The below table presents the common protocols and encryption methods:

 

 

Protcol/Encryption

Recommendation

Details

Open/None

Not recommended
Open Wi-Fi networks have no passphrase. You should not set up an open Wi-Fi network

WEP 64

Not recommended
Old vulnerable WEP protocol.

WEP 128

Not recommended
Old vulnerable WEP protocol, with a larger 64-bit encryption key size.

WPA-PSK (TKIP)

Not recommended
Original version of the WPA protocol. Superseded by WPA2.

WPA-PSK (AES)

Not advisable
Uses the original WPA protocol but replaces TKIP with the more modern AES encryption. Devices which support AES will almost always support WPA2, as such WPA-PSK (AES) is rarely used.

WPA2-PSK (TKIP)

Not advisable
Uses the WPA2 standard with older TKIP encryption. Should only be used if you have older devices that cannot connect to a WPA2-PSK (AES) network.

WPA2-PSK (AES)

Recommended
Uses WPA2, and the latest AES encryption protocol. Some devices will have the option “WPA2” or “WPA2-PSK.” In most cases, this is AES.

WPAWPA2-PSK (TKIP/AES)

Not advisable
Some devices offer both WPA and WPA2, with both TKIP and AES. While this provides maximum compatibility with older devices you may have, it also allows an attacker to crack the more vulnerable WPA and TKIP protocols

Ten tips for improving your wireless network security

To ensure the utmost protection and keep the business booming, there’s no alternative to a safe, secure, and reliable WLAN. You want to give your business the best things possible.

Presented below are some robust suggestions that will help you improve your WLAN security and get you the maximum of what wireless networking has to offer:

1. Stay alert – Never assume that hackers don’t have any interest in your business. You may not be the one they’re targeting, but you could be a great medium to their target. For a better understanding of how online threats can impact your organization, read cybersecurity for business.

2. Upgrade your WLAN security protocols – Upgrade the security of your device from basic WLAN’s Wired Equivalent Privacy (WEP). You can go for the modern devices that have built-in Wi-Fi Protected Access protocols (WPA) for better protection.

3. Ensure your equipment meets WLAN standards – When you get a new WLAN equipment, you must first check if the equipment meets the required wireless networking standards. It’s best if you can order equipment from the same manufacturer, so there’s no problem with the compatibility later.

4. Enable WLAN security features – Don’t forget to implement security features such as MAC address restrictions, broadcast SSID, and Wi-Fi encryption, when installing the new equipment. Recheck if you’re unsure because omitting security can expose your full network to attacks.

5. Ensure physical security is satisfactory – Position your data transferring device away from the outside wall of your building to reduce radio signal leakage. This prevents any chances of outside interception.

6. Contol access to authorized users only – In most cases, most, if not all of your employees will be enabled to use Wi-Fi. However, employees must also have management authorization to add access points. You have to be very careful about it because a single insecure access point is enough to put your whole network at risk. You can find more about access points and other wireless network components.

7. Use a VPN – For high-level security, use the latest technologies and encryption like SSL-enabled communication protocols or a Virtual Private Network (VPN) to protect the transferred data. Using firewalls to separate the WLAN from the remaining network would be a wise choice. You can learn how to improve network security with VPN and firewalls.

8. Monitor and assess – Check your network and logs from time to time to ensure the network’s safety. Also, seeking advice from an expert would give you the best results.

9. Keep hardware and firmware updated – Make sure your software and router or wireless access point firmware are always updated since this makes the security stronger with every update.

10. Seek professional advice – And finally, if you’re not good with technical stuff, call in an expert to do a thorough check-up on your safety measures.

You might also like