Tired of myths that surround Wi-Fi? Here are some do’s and don’ts of Wi-Fi security (and some serious myth busting, too!):
- Don’t use WEP: Do not use Wired Equivalent Privacy (WEP) security at all. Its RC4-based encryption can be broken in minutes with freely available tools, so even the most inexperienced attacker can get in. Instead, move to WPA2 (Wi-Fi Protected Access 2, the Wi-Fi Alliance certification of the IEEE 802.11i standard), ideally in its enterprise mode with 802.1X authentication, or to WPA3 where your equipment supports it. And don’t hold on to legacy clients or access points that only speak WEP: look for firmware upgrades first, and replace the equipment if there are none.
- Don’t use WPA/WPA2-PSK: If you run a business, you should not be using the pre-shared key (PSK) mode of WPA or WPA2. It is simply impractical at scale: the same passphrase has to be entered into every client, so it must be changed (on every device) each time an employee leaves or a device is lost or stolen. It is also weak in two ways that matter in a shared environment: a captured four-way handshake lets an attacker guess the passphrase offline, and anyone who already holds the passphrase and captures a colleague’s handshake can derive that colleague’s session key and read their traffic.
- Don’t trust hidden SSIDs: Disabling SSID broadcasting on your access points hides the network, or at least its name, and makes things harder for attackers, right? Wrong! Disabling the broadcast only removes the SSID from the access point’s beacons. The name is still sent in cleartext in probe requests, probe responses and (re)association requests, so every time a legitimate client connects, the “hidden” SSID is revealed to anyone listening. On a busy network, a passive listener with any wireless analyzer will have it within minutes.
Sure, some will say that disabling SSID broadcasting adds another layer of security. What it adds for certain is a set of negative impacts on configuration and performance. Besides having to enter the SSID into clients manually (complicating client configuration), hiding the SSID forces clients to send directed probe requests to find it, which increases probe traffic and eats into available bandwidth. Those directed probes also follow your laptops off site: a client configured for a hidden network announces that network’s name wherever it goes, which makes it easy for an attacker to set up a look-alike access point.
- Don’t trust MAC address filtering: Enabling MAC address filtering is said to add another layer of security by controlling which clients can connect to the network. This is yet another myth. It has a grain of truth (it keeps out the casual, accidental connection), but in the big picture of overall security it does very little. MAC addresses travel in the clear in every frame, so an eavesdropper can simply watch for an authorized address and then set their own adapter to it. Keep the filter if you like, but do not count it as a security control.
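Both myths above come down to the same fact: management frames are never encrypted. The following is an added example, not code from the original post, that parses minimal 802.11 management frames and reports what a passive listener learns from a constructed capture of a hidden-SSID network: the beacon reveals nothing, but the client’s probe request and association request carry the SSID and the client’s (authorized) MAC address. The MAC addresses, SSID and frames are made up for the demonstration.

```python
"""Where the 'hidden' SSID still appears: a minimal 802.11 management-frame
parser run over a constructed capture. Added example; the MAC addresses, the
SSID and the frames themselves are made up for the demonstration."""
import struct

BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")

# Management subtypes we care about -> size of the fixed fields that precede
# the tagged information elements in the frame body.
FIXED_BODY = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def ie(element_id: int, value: bytes) -> bytes:
    """One tagged information element: id, length, value."""
    return bytes([element_id, len(value)]) + value

def mgmt_header(subtype: int, dst: bytes, src: bytes, bssid: bytes) -> bytes:
    """24-byte management header: frame control, duration, addr1-3, sequence control."""
    frame_control = struct.pack("<H", subtype << 4)   # type 0 (management), version 0
    return frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00"

def ssid_from_frame(frame: bytes):
    """Return (subtype name, ssid). ssid is None when the element is absent,
    zero-length or null-filled, the two encodings access points use to 'hide' it."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_BODY:
        return None, None
    pos = 24 + FIXED_BODY[subtype]
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break   # truncated element
        if eid == 0:   # SSID element
            if not value.strip(b"\x00"):
                return NAMES[subtype], None
            return NAMES[subtype], value.decode("utf-8", "replace")
        pos += 2 + elen
    return NAMES[subtype], None

def eavesdrop(frames):
    """What a passive listener learns from a capture: every SSID seen, the frame
    types that carried it, and the client MACs that used it (exactly what an
    attacker needs in order to spoof past a MAC filter)."""
    report = {}
    for frame in frames:
        name, ssid = ssid_from_frame(frame)
        if not ssid:
            continue
        entry = report.setdefault(ssid, {"frames": set(), "clients": set()})
        entry["frames"].add(name)
        if name in ("probe-req", "assoc-req", "reassoc-req"):
            entry["clients"].add(frame[10:16].hex(":"))   # addr2 = transmitter
    return report

# Constructed capture: a hidden-SSID access point, then a client joining it.
RATES = ie(1, bytes([0x82, 0x84, 0x8b, 0x96]))
BEACON_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability
BEACON_HIDDEN = mgmt_header(8, BROADCAST, AP_MAC, AP_MAC) + BEACON_FIXED + ie(0, b"") + RATES
BEACON_NULLED = mgmt_header(8, BROADCAST, AP_MAC, AP_MAC) + BEACON_FIXED + ie(0, b"\x00" * 8) + RATES
PROBE_REQ = mgmt_header(4, BROADCAST, CLIENT_MAC, BROADCAST) + ie(0, b"CorpWiFi") + RATES
PROBE_RESP = mgmt_header(5, CLIENT_MAC, AP_MAC, AP_MAC) + BEACON_FIXED + ie(0, b"CorpWiFi") + RATES
ASSOC_REQ = (mgmt_header(0, AP_MAC, CLIENT_MAC, AP_MAC)
             + struct.pack("<HH", 0x0411, 10) + ie(0, b"CorpWiFi") + RATES)   # capability, listen interval
CAPTURE = [BEACON_HIDDEN, BEACON_NULLED, PROBE_REQ, PROBE_RESP, ASSOC_REQ]

if __name__ == "__main__":
    for frame in CAPTURE:
        print(ssid_from_frame(frame))
    print(eavesdrop(CAPTURE))
```

Run it and the report shows the SSID recovered from three frame types and the client MAC that a MAC filter would have to trust; on a real network the same frames are read off the air with any monitor-mode capture.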
- Don’t forget about protecting mobile clients: You can protect users’ smartphones, laptops and tablets while they are on site, but what happens when they connect to a public hotspot or to the wireless router at home? Giving up is not the answer. Secure those other Wi-Fi connections as well; it goes a long way toward preventing intrusions and eavesdropping.
So, the first thing to do is make sure that all laptops and netbooks have a personal firewall (such as Windows Firewall) active to block unsolicited inbound connections. This can be enforced via Group Policy on domain-joined machines, or with a solution such as Windows Intune for computers that are not on the domain.
Also make sure the user’s Internet traffic is encrypted against local eavesdroppers while on other networks, by providing VPN access to your network. Consider a hosted service such as Hotspot Shield or Witopia if you don’t want to run a VPN in-house. iOS (iPhone, iPad and iPod Touch) and Android devices can use their native VPN clients. For BlackBerry and Windows Phone 7 devices, however, you must have a messaging server set up and configured with the device before their VPN client can be used.
Don’t forget to secure your Internet-exposed services, too, because a user will not always be on the VPN while on a public or untrusted network. If, for example, you offer email access (client or web-based) outside your LAN, WAN or VPN, make sure it is only reachable over SSL/TLS, so that eavesdroppers on the untrusted network cannot capture the user’s login credentials or messages.
- Do implement 802.11i: The strongest configuration WPA2 offers is its enterprise mode, which authenticates with 802.1X and EAP (Extensible Authentication Protocol) instead of a pre-shared key. (802.11i is the IEEE amendment that defines WPA2’s security; 802.1X is the port-based access control it uses for authentication.) That is why you should implement it: each user or device gets its own login credentials, a username and password and/or a digital certificate.
Plus, you don’t have to worry about the encryption keys. The actual keys are derived per session, changed regularly and exchanged in the background, so there is no PSK to roll out to every client. To change or revoke a user’s access, you modify their credentials on a central server. The unique per-session keys also stop users from eavesdropping on each other’s Wi-Fi traffic, something that is easy on open networks, and for anyone who holds the shared key on PSK networks too, with tools like the Firefox add-on Firesheep and the Android app DroidSheep. Bear in mind that those tools hijack unencrypted web sessions: per-session Wi-Fi keys protect the air link, but your web applications still need TLS.
You need a RADIUS/AAA server to enable 802.1X authentication. On Windows Server 2008 and later, consider the Network Policy Server (NPS) role, or the Internet Authentication Service (IAS) on earlier server versions. Otherwise, consider the open source FreeRADIUS server.
If you’re running Windows Server 2008 R2 or later, you can push the 802.1X settings to domain-joined clients via Group Policy. If that’s not an option, consider a third-party solution to help configure the clients.
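The PSK weaknesses raised under “Don’t use WPA/WPA2-PSK” and the per-session key point above, worked through in code. This is an added example, not from the original post: it implements the WPA2-PSK key schedule (PMK from the passphrase and SSID, PTK from the handshake nonces and MACs, MIC over EAPOL message 2) and shows that anyone holding the passphrase and the captured nonces derives the same traffic key as the client, and that a captured handshake is enough to test passphrase guesses offline. With 802.1X the PMK instead comes out of the EAP exchange, unique to each session, so neither shortcut exists. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed for the demonstration.

```python
"""WPA2-PSK key derivation, demonstrating why a shared passphrase gives no
isolation between users and can be guessed offline. Added example; all
sample values below are constructed for the demonstration."""
import hashlib
import hmac

EAPOL_MIC_OFFSET = 81   # position of the 16-byte MIC field inside an EAPOL-Key frame

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n built on HMAC-SHA1 (the PRF used with WPA2 AKM 00-0F-AC:2)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """PTK (KCK | KEK | TK, 48 bytes for CCMP) from values visible in the 4-way handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """HMAC-SHA1-128 MIC over the EAPOL-Key frame with its MIC field zeroed."""
    zeroed = (eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16
              + eapol_frame[EAPOL_MIC_OFFSET + 16:])
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def session_tk(passphrase, ssid, ap_mac, client_mac, anonce, snonce) -> bytes:
    """The unicast traffic key. It is identical for the client, the access point and
    any third party that knows the passphrase and captured the two nonces."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    return ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce)[32:48]

def guess_passphrase(candidates, ssid, ap_mac, client_mac, anonce, snonce, eapol_msg2):
    """Offline dictionary check against a captured message 2 of the 4-way handshake."""
    captured_mic = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in candidates:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None

# Constructed handshake: everything a sniffer sees in cleartext.
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "Summer2024!"

def build_msg2(passphrase: str) -> bytes:
    """Minimal EAPOL-Key message 2 (802.1X v1, type Key, RSN descriptor) carrying a
    valid MIC. Stands in for the captured frame; only the MIC matters for the check."""
    key_info = bytes.fromhex("010a")   # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit
    body = (b"\x02" + key_info + b"\x00\x10" + (1).to_bytes(8, "big") + SNONCE
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_handshake(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + 16:]

CAPTURED_MSG2 = build_msg2(TRUE_PASSPHRASE)
WORDLIST = ["password", "CorpWiFi", "Summer2023!", "Summer2024!", "letmein"]

if __name__ == "__main__":
    print("traffic key:", session_tk(TRUE_PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE).hex())
    print("recovered  :", guess_passphrase(WORDLIST, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, CAPTURED_MSG2))
```

The PBKDF2 step is the only cost an attacker pays per guess, which is why PSK networks live or die by passphrase length; nothing in the derivation is secret apart from the passphrase itself.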
- Do secure 802.1X client settings: Just implementing the EAP mode isn’t enough; you need to lock down its settings on the clients, because a client that does not validate the authentication server’s certificate is vulnerable to man-in-the-middle attacks: a rogue access point with its own RADIUS server can impersonate your network and harvest the credentials (or the MS-CHAPv2 responses) that the client offers. In the EAP settings of Windows, enable server certificate validation, select the CA certificate that issued your RADIUS server’s certificate, specify the server name, and disable the prompt that lets users accept new servers or CA certificates. You can push these 802.1X settings to domain-joined clients via Group Policy or use a third-party solution (such as Avenda’s Quick1X).
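The same hardening on a Linux client, as an added example that is not part of the original post: a wpa_supplicant network block in its weak form (no server validation) and in the corrected form that pins the issuing CA and the server name, matching the three Windows settings described above. The CA path, server name, identity and password are assumed placeholders.

```conf
# Weak: PEAP without server validation. Any access point with a RADIUS server
# behind it can call itself CorpWiFi and receive this client's MS-CHAPv2 response.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

# Hardened: the client refuses any authentication server whose certificate was
# not issued by the pinned CA or does not carry the expected name.
# (assumed values: the CA file path and the RADIUS server's certificate name)
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

On older wpa_supplicant releases that lack domain_match, domain_suffix_match gives a weaker (suffix-only) form of the same name check. Either way, the point is the one the Windows settings make: a missing ca_cert line means the client will talk to whoever answers.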
- Do use a wireless intrusion prevention system: Attackers don’t just try to gain access to your network; they set up rogue access points and perform denial-of-service attacks too. That’s why you need a wireless intrusion prevention system (WIPS) that detects and combats them. Designs and approaches vary among vendors, but the principle is the same: dedicated sensors monitor the airwaves for rogue access points or malicious activity, alert you and, where possible, help you stop it. AirMagnet and AirTight Networks are two of the commercial vendors offering WIPS solutions. Open source options exist as well: Kismet can spot rogue access points and suspicious wireless activity, while Snort covers the wired side of the network.
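The core of what a WIPS sensor does, as an added example that is not a vendor’s code or code from the original post: a detection pass over already-decoded management-frame records that raises the three alerts above (an evil twin using the corporate SSID, a beacon that misuses one of our own BSSIDs, and a deauthentication flood). The access point inventory and the capture window are constructed for the demonstration.

```python
"""Toy WIPS detection pass over a window of decoded 802.11 management-frame
records (one dict per frame). Added example; inventory and capture are constructed."""
from collections import Counter

# Inventory of our own access points: BSSID -> (SSID, expected security).
AUTHORIZED_APS = {
    "00:11:22:33:44:55": ("CorpWiFi", "WPA2-EAP"),
    "00:11:22:33:44:66": ("CorpWiFi", "WPA2-EAP"),
}
DEAUTH_FLOOD_THRESHOLD = 20   # deauth frames from one sender within the analysed window

def classify_beacon(rec, authorized=AUTHORIZED_APS):
    """Return an alert tuple for one beacon record, or None if it is benign."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    known = authorized.get(rec["bssid"])
    if known is None:
        if rec["ssid"] in our_ssids:
            return ("evil-twin", rec["bssid"], rec["ssid"])   # our name, not our radio
        return ("unknown-ap", rec["bssid"], rec["ssid"])      # neighbour or rogue: inventory it
    expected_ssid, expected_security = known
    if rec["ssid"] != expected_ssid or rec["security"] != expected_security:
        return ("spoofed-bssid", rec["bssid"], f'{rec["ssid"]}/{rec["security"]}')
    return None

def analyze(records, authorized=AUTHORIZED_APS, threshold=DEAUTH_FLOOD_THRESHOLD):
    """One pass over a window of frames: rogue/evil-twin checks on beacons, flood
    check on deauthentication frames. Returns a de-duplicated list of alerts."""
    alerts = []
    deauths = Counter()
    for rec in records:
        if rec["type"] == "beacon":
            alert = classify_beacon(rec, authorized)
            if alert and alert not in alerts:
                alerts.append(alert)
        elif rec["type"] == "deauth":
            deauths[rec["src"]] += 1
    for sender, count in deauths.items():
        if count >= threshold:
            alerts.append(("deauth-flood", sender, count))
    return alerts

# Constructed capture window: our two APs, a neighbour, an evil twin advertising
# the corporate name on an open network, and a burst of deauths forged with our
# AP's address as source (the usual prelude to pushing clients onto the twin).
SAMPLE_WINDOW = (
    [{"type": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CorpWiFi", "security": "WPA2-EAP"}] * 10
    + [{"type": "beacon", "bssid": "00:11:22:33:44:66", "ssid": "CorpWiFi", "security": "WPA2-EAP"}] * 10
    + [{"type": "beacon", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "NextDoorDental", "security": "WPA2-PSK"}] * 10
    + [{"type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "security": "OPEN"}] * 10
    + [{"type": "deauth", "src": "00:11:22:33:44:55", "dst": "66:77:88:99:aa:bb"}] * 25
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_WINDOW):
        print(alert)
```

A real sensor adds what this pass leaves out: correlating an unknown BSSID with the wired LAN to tell a rogue from a harmless neighbour, and the "prevention" half, which usually means containment by deauthenticating clients from the rogue.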
- Do deploy NAP or NAC: If you want additional control over network access based on client identity and compliance with defined policies, deploy a Network Access Protection (NAP) or network access control (NAC) solution. Besides that control, these solutions can isolate non-compliant clients and provide remediation to bring them back into compliance.
You can choose a NAC solution that includes network intrusion detection and prevention too; make sure it specifically covers wireless. If you are running Windows Server 2008 or later with Windows Vista or later on the clients, you can use Microsoft’s NAP functionality (note that Microsoft deprecated NAP in Windows Server 2012 R2 and removed it in Windows Server 2016, so plan on a third-party NAC for newer environments). Third-party solutions such as the open source PacketFence are also available.
- Do limit the SSIDs users can connect to: Users may knowingly or unknowingly connect to a neighboring or unauthorized wireless network, exposing their computers to possible intrusion. That’s why you should filter SSIDs. On Windows Vista and later, the netsh wlan add filter commands control which networks users can see and connect to. For desktops you can deny all SSIDs except your own; for laptops, you can just block the SSIDs of neighboring networks while still allowing hotspots and home networks.
- Do physically secure network components: Unless you want someone to reset an access point to open access, you need to physically secure your network components too. Make sure access points are placed out of reach; above a false ceiling is a good spot, or mount the access points in a secure location and run an antenna to the optimum position.
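The two policies above (an allow-list for desktops, a deny-list of neighbours for laptops) expressed as a small deployment helper. This is an added example, not from the original post: it builds the netsh wlan filter commands from a list of corporate SSIDs and a list of neighbouring SSIDs seen in a site survey, prints them by default and runs them only with --apply from an elevated prompt on Windows. The SSID names are constructed placeholders.

```python
"""Generate (and optionally apply) netsh wlan SSID filters for two device classes.
Added example; the corporate and neighbouring SSIDs are constructed placeholders."""
import subprocess
import sys

CORPORATE_SSIDS = ["CorpWiFi"]
# Neighbouring networks recorded during a site survey (constructed sample).
NEIGHBOUR_SSIDS = ["NextDoorDental", "CoffeeShop-Guest", "linksys"]

def _filter(permission: str, ssid: str = None) -> str:
    """One netsh wlan add filter command; permission is allow, block or denyall."""
    ssid_part = f' ssid="{ssid}"' if ssid else ""
    return f"netsh wlan add filter permission={permission}{ssid_part} networktype=infrastructure"

def filter_commands(device_class: str, corporate=CORPORATE_SSIDS, neighbours=NEIGHBOUR_SSIDS):
    """Commands for the given policy.

    desktop: deny every infrastructure network, then allow only our own SSIDs.
    laptop:  block the surveyed neighbours only, leaving hotspots and home networks usable.
    """
    if device_class == "desktop":
        return [_filter("denyall")] + [_filter("allow", s) for s in corporate]
    if device_class == "laptop":
        return [_filter("block", s) for s in neighbours]
    raise ValueError(f"unknown device class: {device_class}")

def apply(commands, dry_run: bool = True):
    """Print each command; run it as well when dry_run is False. Returns the exit codes."""
    codes = []
    for cmd in commands:
        print(cmd)
        if not dry_run:
            codes.append(subprocess.run(cmd, shell=True).returncode)
    return codes

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    apply(filter_commands(args[0] if args else "desktop"), dry_run="--apply" not in sys.argv)
```

Check the result with netsh wlan show filters, and remove a rule with netsh wlan delete filter using the same permission, ssid and networktype values. Since the filters are per machine rather than per user, the same commands belong in a startup script pushed by Group Policy.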
ASysTech are your Orlando business WiFi security specialists. We will work with you and your team to ensure your wireless networks are as secure as possible. Contact us today for a no obligation review of your business network and IT security.