7 wireless security facts to protect your Wi-Fi network

It is 2012 and wireless networks are everywhere. However, just as prevalent as these hotspots are, so are the myths and misinformation about how to properly secure them. Whether you are using a basic Netgear or Linksys wireless router at home or are responsible for setting up Wi-Fi access points in a corporate environment, you cannot overlook these very basic security measures.

1. Protecting home wireless networks improves corporate network security

Even if your sole responsibility is to secure the company’s wireless network, the prevalence of telecommuting increases the importance of educating employees about securing their home network in order to keep the corporate network safe. A breach in a home user’s Wi-Fi router enables a hacker to enter the enterprise right through the virtual private network (VPN) that you set up to secure your data and servers.

2. Wi-Fi Protected Setup is unsafe

Wi-Fi Protected Setup (WPS) is available in many modern wireless routers and access points to make it easy to setup up encryption for laptops and other Wi-Fi devices. Unfortunately, this ease-of-use feature is vulnerable to brute force attacks that render the encryption useless.  Worse, it is enabled by default.

A few WPS cracking tools were made available shortly after the vulnerability was discovered and many more are being developed and released as I write this. Using these tools, WPA encryption keys can be discovered in as little as a couple of hours. If your router or access point has WPS, turn it off. If you need it to initially set up a your devices, be sure to turn it off as soon as possible.

Note that some wireless routers, such as those made by Cisco/Linksys, have an option to disable WPS, but the functionality is still active despite the setting. Until the manufacturer fixes the problem, the only solution for these devices and ones that don’t have an option to turn off WPS is to use third-party firmware, such as DD-WRT.

3. Hiding your SSID does more harm than good

One of the most common security myths is that turning off SSID broadcasting makes your network more secure because it will be harder for hackers to know what network name to use to make a connection. This could not be further from the truth because every time a client device attempts to connect to the network, the SSID is broadcast in the clear over the air. It is not encrypted.

Thus, it is trivial to monitor wireless traffic and pick up SSID names as devices associate with an access point. Even worse, everywhere the client device goes and attempts to connect to a wireless network, it will broadcast the SSID of every hidden network that it knows about, in order to check if one of them is nearby. As a result, hiding the network SSID makes those laptops, smartphones and tablet computers vulnerable to attack by rogue hotspots impersonating the networks that are being sought.

Keep SSID broadcasting enabled on access points and, instead, verify that probing for hidden networks is disabled on all client devices.

4. MAC address filtering is not a security feature

Although MAC address filtering can minimize unwanted Wi-Fi clients from accidentally associating with an access point, it provides no true security. MAC addresses are always transmitted in the clear between devices, even when encryption is enabled, and is easily spoofed. Many wireless routers and Wi-Fi interfaces have user-friendly configuration settings to modify their MAC address.

Another downside to MAC address filtering is the amount of effort involved to enter every device’s address into the access point’s filtering table. It is just not worth the effort for negligible benefit.

5. WEP encryption is ineffective—use WPA or WPA2

Wired Equivalent Privacy (WEP) encryption has been around since 1999 and was replaced by Wi-Fi Protected Access (WPA) encryption in 2003 due to the many security flaws in WEP. A network that uses WEP can be cracked in a matter of minutes and will only provide a false sense of security. Instead, use WPA or its successor, WPA2. If your devices do not support WPA, check for firmware or driver updates that may add the capability. Failing that, upgrade to devices that use WPA2.

6. Good encryption requires strong encryption keys

Enabling WPA or WPA2 on your wireless network is only half of the solution. The other half is the use of strong encryption keys. Using a weak key or password for WPA can significantly reduce the security of the encryption. As already demonstrated in this article, other so-called security measures are ineffective and encryption is the first line of defense for securing your network.

To fully benefit from encrypted transmissions, always use a long WPA password of 10 characters or more that consists of upper- and lowercase letters, digits and symbols. The longer and more varied it is, the better. This is not a password that users have to remember nor enter on a regular basis, so make it complicated. Avoid words and phrases. Use a password generator such as GRC’s high-entropy generator (be sure to use the printable ASCII character version of the generated password for maximum strength).

7. WPA-PSK is not good enough for a company network

The Private Shared Key (PSK) mode for WPA uses a single password for all devices that connect to the wireless network. It is intended for home use where the set of users and devices does not change often. It is not intended for business use, yet many companies use WPA-PSK because it is easier to get up and running than WPA Enterprise, which requires a RADIUS server.

Although WPA-PSK uses strong encryption, the reason that it is not suited to business or enterprise use is primarily a consequence of the corporate environment. Employees come and go. When one or more leave, the wireless password can go along with them. If the password is not changed, the network is vulnerable. Who wants to change the password on every notebook or other device that still needs access?

Similarly, when devices are lost, it is an opportunity for easy access by someone who does not belong on the company network. Again, changing a common password everywhere is inefficient.

WPA Enterprise, which is the extensible authentication protocol (EAP) mode of WPA, uses 802.1X authentication so that every employee has his own login to the wireless network via username and password or digital certificate. Once authenticated, encryption keys are generated and changed in the background as the network is used.

When access needs to be revoked, login credentials are easily changed or removed centrally on a RADIUS server. This solution increases security while reducing the effort required to keep up with personnel and equipment changes.

Many commercial products are available to set up a RADIUS server as well as free, open source solutions such as FreeRADIUS. For those business that do not have the resources or desire to setup their own server, third-party services are available to provide RADIUS authentication.

Bonus fact: Wi-Fi access points and routers need physical security

Wireless network equipment is often placed in easy-to-reach locations for convenience. This is also a security problem because someone can easily reset or reconfigure the device to compromise its security. Placing access points high on walls or ceilings and out of reach also improves their signal coverage.

These facts are not altogether new and more in-depth information is easy to find. Search for “wi-fi security” to find additional tips, from basic to advanced. There is no reason that your wireless network, whether at home or at work, has to be insecure.

What recommendations do you have to secure wireless networks?

6 thoughts on “7 wireless security facts to protect your Wi-Fi network

  1. Peter, this reminds me of a pet peeve of mine. WiFi security concerns are the excuse for why, when you go to your doctor’s or dentist’s office and are made to wait for an hour, reading lame magazines, they always have a WiFi network *right there* that is not open to patients.

    When I asked an office manager about this, of course she said, “Oh, we’re afraid somebody could break into our patient files.” I wanted to say (1) If somebody wanted to crack your network that way, I’ll bet it’d be done in a jiffy, and (2) Your doctor just bought his 2nd Ferrarri but can’t spring $80 for a separate wifi router for guests?

    • That’s true. Beware, though, if they ever set up a public access point. Wide-open Wi-Fi is dangerous for your laptop and your personal data. Protecting yourself on wireless networks is also an important security matter, but that’s a topic for another post.

      • When using public wifi (and even some private-public wifi such as hotels), I always connect to my home OpenVPN server. This routes all of my traffic through an encrypted tunnel. There are a couple downsides:
        1. It cuts down on the throughput, limited by my comcast cable modem upstream cap
        2. The OpenVPN route I went is not simple to configure, and requires some special (though inexpensive) hardware
        Consider this like a hazmat suit for your internet traffic, if you have the tech chops (and/or patience) for it.

  2. More security features that were promised to serve well before are no longer working right now to give what users deserve. What was said is right: physical security stands among the best ways to protect network services.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>