If you’ve done any Google-ing on Wi-Fi security, you probably have the basics
beaten into you: Don’t use WEP, use WPA or WPA2, disable SSID broadcasting,
change default settings, and so on. Therefore we’ll forgo the basics and skip to
other ways you might be able to increase the security of your wireless network.
Lets get started!
#1 Move to enterprise encryption
If you created a WPA or WPA2 encryption key of any type and must enter it
when connecting to the wireless network, you are only using the Personal or
Pre-shared key (PSK) mode of Wi-Fi Protected Access (WPA). Business networks–no matter how small or big–should
be protected with the Enterprise mode, which adds 802.1X/EAP authentication to
the wireless connection process. Instead of entering the encryption key on
all the computers, users would login with a username and password. The
encryption keys are derived securely in the background and are unique for each
user and session.
This method provides central management and overall better Wi-Fi security.
Instead of loading the encryption keys onto computers where employees and
other users can recover them, each user logs into the network with their own
account when using the Enterprise mode. You can easily change or revoke access
when needed. This is especially useful when employees leave the company or a
laptop is stolen. If you’re using the Personal mode, you’d have to manually
change the encryption keys on all the computers and access points (APs).
The special ingredient of the Enterprise mode is a RADIUS/AAA server. This
communicates with the APs on the network and consults the user database. Consider using the the Internet Authentication Service (IAS)
of Windows Server 2003 or the Network Policy Server (NPS) of Windows Sever 2008.
If you want to go vendor-neutral, try the popular open source server,
FreeRADIUS. If you find setting up an
authentication server requires more money and/or expertise than you have,
consider using an outsourced service.
#2 Verify physical security
Wireless security isn’t all technical. You can have the best Wi-Fi encryption
but have someone plugging into an ethernet port that’s in plain sight. Or
someone could come by and hold in the reset button of an access point, restoring it to
factory defaults and leaving your network wide open.
Make sure all your APs are well out of the reach of the public and out of
sight from employees too. Instead of sitting an AP on a desk, mount it on the
wall or ceiling–better yet, put them above false ceiling.
You might consider mounting the APs out of sight and installing external
antennas where you’d get the most signal. This would let you confine the AP even
more while taking advantage of the increased range and performance of an
aftermarket or higher gain antenna.
APs aren’t the only piece of equipment to be worried about. All networking
components should be secured. This even includes ethernet cabling. Though it
might be a little farfetched to some, a determined hacker could cut a ethernet
cable to tap into the line.
Along with mounting, you should keep track of the APs. Create a spreadsheet
logging the APs models used along with the MAC and IP addresses. Plus note where
its located. This way you know exactly where the APs should be when performing
inventory checks or when tracking down a problem AP.
#3 Setup an intrusion detection/prevention system (IDS/IPS)
These systems usually consist of a software program that uses your wireless
adapter to sniff the Wi-Fi signals for problems. They detect rogue APs, whether
a new AP is introduced to the network or an existing one is reset to defaults or
doesn’t match a set of standards you’ve defined.
These systems also analyze the
network packets to see if someone might be using a hacking or jamming technique.
There are many different intrusion detection and prevention systems out there
that use a variety of techniques. Open source or free options
include
Kismet
and
Snort.
Commercial products are also available from vendors such as
AirMagnet,
AirDefense, and
AirTight.
#4 Create wireless usage policies
Along with other general computer usage guidelines, you should have a
specific set of polices for Wi-Fi access which should at least include the following
items:
- List devices authorized to access the wireless network: It’s best
to deny all devices and explicitly allow each desired device by using MAC
address filtering on the network router. Though MAC addresses can be
spoofed, this provides reasonable control of which devices employees are
using on the network. A hard copy of all approved devices and their details
should be kept to compare against when monitoring the network and for
inputting into intrusion detection systems. - List of personnel authorized with Wi-Fi access to the network:
This could be regulated when using 802.1X authentication (WPA/WPA2-Enterprise)
by only creating accounts in the RADIUS server for those who need Wi-Fi
access. If 802.1X authentication is also being used on wired side, you
should be able to specify whether users receive wired and/or wireless access
by modifying the Active Directory or using authorization policies on the
RADIUS server itself. - Rules on setting up wireless routers or APs: For example, that
only the IT department can set up more APs, so employees don’t just plug in
an AP from home to extend the signal. An internal rule for IT department might cover defining acceptable equipment models and configuration. - Rules on using Wi-Fi hotspots or connecting to home networks with
company devices: Since the data on a device or laptop can be compromised
and the Internet activity be monitored on unsecured wireless networks, you
may want to limit Wi-Fi connections to only the company network. This could
be controlled by imposing network filters with the Network Shell (netsh)
utility in Windows. Alternatively, you could require a VPN connection back
to the company network to at least protect the Internet activity and to
remotely access files.
#5 Use SSL or IPsec on top of Wi-Fi encryption
Though you might be using the latest and greatest Wi-Fi encryption (on Layer
2 of the OSI model), consider implementing another encryption mechanism, such as
IPSec (on Layer 3 of the OSI model). In addition to providing double encryption
on the wireless side, it can secure the wired communication too. This would
prevent eavesdropping from employees or outsiders tapping into an ethernet port.
Eric Geier is the the author of many networking and computing
books for brands like For Dummies and Cisco Press.