It is 2012 and wireless networks are everywhere. However, the myths and misinformation about how to properly secure them are just as prevalent as the hotspots themselves. Whether you are using a basic Netgear or Linksys wireless router at home or are responsible for setting up Wi-Fi access points in a corporate environment, you cannot overlook these very basic security measures.
1. Protecting home wireless networks improves corporate network security
Even if your sole responsibility is to secure the company’s wireless network, the prevalence of telecommuting increases the importance of educating employees about securing their home network in order to keep the corporate network safe. A breach in a home user’s Wi-Fi router enables a hacker to enter the enterprise right through the virtual private network (VPN) that you set up to secure your data and servers.
2. Wi-Fi Protected Setup is unsafe
Wi-Fi Protected Setup (WPS) is available in many modern wireless routers and access points to make it easy to set up encryption for laptops and other Wi-Fi devices. Unfortunately, this ease-of-use feature is vulnerable to brute force attacks that render the encryption useless. Worse, it is enabled by default.
A few WPS cracking tools were made available shortly after the vulnerability was discovered, and many more are being developed and released as I write this. Using these tools, WPA encryption keys can be discovered in as little as a couple of hours. If your router or access point has WPS, turn it off. If you need it to initially set up your devices, be sure to turn it off as soon as possible.
Note that some wireless routers, such as those made by Cisco/Linksys, have an option to disable WPS, but the functionality is still active despite the setting. Until the manufacturer fixes the problem, the only solution for these devices and ones that don’t have an option to turn off WPS is to use third-party firmware, such as DD-WRT.
3. Hiding your SSID does more harm than good
One of the most common security myths is that turning off SSID broadcasting makes your network more secure because it will be harder for hackers to know what network name to use to make a connection. This could not be further from the truth because every time a client device attempts to connect to the network, the SSID is broadcast in the clear over the air. It is not encrypted.
Thus, it is trivial to monitor wireless traffic and pick up SSID names as devices associate with an access point. Even worse, everywhere the client device goes and attempts to connect to a wireless network, it will broadcast the SSID of every hidden network that it knows about, in order to check if one of them is nearby. As a result, hiding the network SSID makes those laptops, smartphones and tablet computers vulnerable to attack by rogue hotspots impersonating the networks that are being sought.
Keep SSID broadcasting enabled on access points and, instead, verify that probing for hidden networks is disabled on all client devices.
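To find the client devices that still probe for networks by name, an administrator can review captured probe requests. The following is an added example, not part of the original article: it parses bare 802.11 management frames (no radiotap header assumed) and lists each client that names an SSID in the clear. The frames, MAC addresses and SSIDs are constructed for the demonstration.

```python
PROBE_REQ = 0x40        # frame-control byte 0: version 0, type 0 (mgmt), subtype 4
HEADER_LEN = 24         # fc(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
SSID_ELEMENT = 0        # information element ID that carries the SSID

def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a probe request, or None for anything else.
    An empty ssid is a wildcard probe, which names no network."""
    if len(frame) < HEADER_LEN or frame[0] != PROBE_REQ:
        return None
    client = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    pos = HEADER_LEN
    while pos + 2 <= len(frame):                          # walk id/length/value elements
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) != length:
            return None                                   # truncated element
        if elem_id == SSID_ELEMENT:
            return client, value.decode("utf-8", "replace")
        pos += 2 + length
    return None                                           # no SSID element present

def clients_naming_ssids(frames):
    """Map each client MAC to the sorted SSIDs it asked for by name."""
    found = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            found.setdefault(parsed[0], set()).add(parsed[1])
    return {client: sorted(ssids) for client, ssids in found.items()}

def build_frame(fc0: int, client_hex: str, ssid: bytes) -> bytes:
    """Construct a bare 802.11 management frame for the demo (hypothetical helper)."""
    header = (bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 +
              bytes.fromhex(client_hex) + b"\xff" * 6 + b"\x00\x00")
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])         # supported-rates element
    return header + bytes([SSID_ELEMENT, len(ssid)]) + ssid + rates

# Constructed sample capture: locally administered MACs and made-up SSIDs.
SAMPLE_FRAMES = [
    build_frame(0x40, "020000000001", b"CorpHidden"),
    build_frame(0x40, "020000000001", b"HomeHidden"),
    build_frame(0x40, "020000000002", b""),               # wildcard probe only
    build_frame(0x80, "020000000003", b"SomeAP"),         # not a probe request, ignored
]

if __name__ == "__main__":
    for client, ssids in clients_naming_ssids(SAMPLE_FRAMES).items():
        print(f"{client} still probes by name for: {', '.join(ssids)}")
```

Each client the audit reports is one whose saved-network settings should be checked.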
4. MAC address filtering is not a security feature
Although MAC address filtering can reduce the number of unwanted Wi-Fi clients that accidentally associate with an access point, it provides no true security. MAC addresses are always transmitted in the clear between devices, even when encryption is enabled, and are easily spoofed. Many wireless routers and Wi-Fi interfaces have user-friendly configuration settings to modify their MAC address.
Another downside to MAC address filtering is the amount of effort involved to enter every device’s address into the access point’s filtering table. It is just not worth the effort for negligible benefit.
5. WEP encryption is ineffective—use WPA or WPA2
Wired Equivalent Privacy (WEP) encryption has been around since 1999 and was replaced by Wi-Fi Protected Access (WPA) encryption in 2003 due to the many security flaws in WEP. A network that uses WEP can be cracked in a matter of minutes and will only provide a false sense of security. Instead, use WPA or its successor, WPA2. If your devices do not support WPA, check for firmware or driver updates that may add the capability. Failing that, upgrade to devices that use WPA2.
6. Good encryption requires strong encryption keys
Enabling WPA or WPA2 on your wireless network is only half of the solution. The other half is the use of strong encryption keys. Using a weak key or password for WPA can significantly reduce the security of the encryption. As already demonstrated in this article, other so-called security measures are ineffective and encryption is the first line of defense for securing your network.
To fully benefit from encrypted transmissions, always use a long WPA password of 10 characters or more that consists of upper- and lowercase letters, digits and symbols. The longer and more varied it is, the better. This is not a password that users have to remember or enter on a regular basis, so make it complicated. Avoid words and phrases. Use a password generator such as GRC’s high-entropy generator (be sure to use the printable ASCII character version of the generated password for maximum strength).
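A local alternative to an online generator, as an added example that is not part of the original article: the script below draws a passphrase from the operating system's cryptographic random source and checks any candidate against the rules above. The function names are hypothetical; the 8 to 63 character range is the length limit of a WPA/WPA2 passphrase.

```python
import math
import secrets
import string

# The four character classes named in the text: together, the 94 printable
# ASCII characters other than space.
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())
WPA_MIN, WPA_MAX = 8, 63      # length limits of a WPA/WPA2 passphrase
ARTICLE_MIN = 10              # minimum length recommended in the text

def check_passphrase(passphrase: str) -> list:
    """Return the reasons a passphrase falls short; an empty list means it passes."""
    problems = []
    if not WPA_MIN <= len(passphrase) <= WPA_MAX:
        problems.append(f"length must be {WPA_MIN} to {WPA_MAX} characters")
    elif len(passphrase) < ARTICLE_MIN:
        problems.append(f"shorter than {ARTICLE_MIN} characters")
    if any(not " " <= ch <= "~" for ch in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in passphrase):
            problems.append(f"no {name}")
    return problems

def generate_passphrase(length: int = WPA_MAX) -> str:
    """Draw characters from the OS CSPRNG until all four classes are present."""
    if not ARTICLE_MIN <= length <= WPA_MAX:
        raise ValueError(f"length must be {ARTICLE_MIN} to {WPA_MAX}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate

def entropy_bits(length: int) -> float:
    """Upper bound on entropy for uniformly random characters from ALPHABET."""
    return length * math.log2(len(ALPHABET))

if __name__ == "__main__":
    print(generate_passphrase())
    print(f"10 chars: about {entropy_bits(10):.0f} bits; 63 chars: about {entropy_bits(63):.0f} bits")
```

The checker cannot tell whether a passphrase is a word or phrase, so a value such as "Summer2012" fails only for its missing symbol; randomly generated output avoids that problem.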
7. WPA-PSK is not good enough for a company network
The Private Shared Key (PSK) mode for WPA uses a single password for all devices that connect to the wireless network. It is intended for home use where the set of users and devices does not change often. It is not intended for business use, yet many companies use WPA-PSK because it is easier to get up and running than WPA Enterprise, which requires a RADIUS server.
Although WPA-PSK uses strong encryption, the reason that it is not suited to business or enterprise use is primarily a consequence of the corporate environment. Employees come and go. When one or more leave, the wireless password can go along with them. If the password is not changed, the network is vulnerable. Who wants to change the password on every notebook or other device that still needs access?
Similarly, when devices are lost, it is an opportunity for easy access by someone who does not belong on the company network. Again, changing a common password everywhere is inefficient.
WPA Enterprise, which is the extensible authentication protocol (EAP) mode of WPA, uses 802.1X authentication so that every employee has his own login to the wireless network via username and password or digital certificate. Once authenticated, encryption keys are generated and changed in the background as the network is used.
When access needs to be revoked, login credentials are easily changed or removed centrally on a RADIUS server. This solution increases security while reducing the effort required to keep up with personnel and equipment changes.
Many commercial products are available to set up a RADIUS server, as well as free, open source solutions such as FreeRADIUS. For those businesses that do not have the resources or desire to set up their own server, third-party services are available to provide RADIUS authentication.
Bonus fact: Wi-Fi access points and routers need physical security
Wireless network equipment is often placed in easy-to-reach locations for convenience. This is also a security problem because someone can easily reset or reconfigure the device to compromise its security. Placing access points high on walls or ceilings and out of reach also improves their signal coverage.
These facts are not altogether new and more in-depth information is easy to find. Search for “wi-fi security” to find additional tips, from basic to advanced. There is no reason that your wireless network, whether at home or at work, has to be insecure.
What recommendations do you have to secure wireless networks?