Wireless networks are extremely convenient, but that convenience comes at a price: security. With a traditional wired network, data is channelled through cables and cannot be easily intercepted. With a wireless network, data is transmitted through the air and can be more easily intercepted – unless, that is, you have appropriate security measures in place. This article explains how to secure a wireless network against attack.
Before outlining the steps you should take to secure a wireless network, let’s quickly look at a couple of things that you probably don’t want to do: namely, disabling SSID broadcasting and enabling MAC filtering. The SSID is the name of your wireless network, and it is broadcast so that people can easily find and connect to your network. Numerous websites – in fact, just about every website – recommend disabling SSID broadcasting (if the bad guys can find it they can hack it, right?) and enabling MAC filtering. However, MAC filtering is so easily bypassed as to render it almost completely redundant. As for SSID broadcasting, see our article Why You Shouldn’t Disable Your SSID Broadcast.
So, if you shouldn't enable MAC filtering and you shouldn't disable SSID broadcasting, what should you do? Read on!
- Use encryption. To stop outsiders being able to read the data that is transmitted over your wireless network, the data should be encrypted. There are 3 wireless encryption standards: WEP, WPA and WPA2. WEP is the oldest and most easily cracked standard, so ideally you should use WPA or, better yet, WPA2.
- Change the default account names and passwords. The majority of access points (APs) use default account names/passwords set by the manufacturer that are known to one and all. Change them to something unique and be sure to use strong passwords.
- Segment your network. Even when best practice is adhered to, a wireless network will be less secure than a wired network. Segmentation creates a barrier between the physical network and wireless network – by using a firewall, for example – and enables you to control access/communication between them. Unfortunately, this can be a somewhat complex job and, unless you have a fair amount of in-house expertise, you’ll probably need to retain the services of a consultant.
- Authenticate users. RADIUS provides you with far more control over access to the WLAN. For more information, visit Microsoft's overview on securing wireless LANs with certificate services and the FreeRADIUS Project.
- Update your firmware. The manufacturers of AP devices often release firmware updates to fix bugs and security vulnerabilities. So, keep your firmware updated.
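To check the "use encryption" step across your own access points, the following added example (not part of the original article) audits a scan listing and reports every network that accepts anything weaker than WPA2. It assumes input in the terse `SSID:SECURITY` shape produced by `nmcli -t -f SSID,SECURITY device wifi list`; the network names and scan lines are constructed sample data.

```python
# Constructed sample scan. Terse nmcli output separates fields with ':' and
# escapes a literal ':' inside a field as '\:'. An open network has an empty
# SECURITY field in terse mode ('--' in tabular mode).
SAMPLE_SCAN = r"""HomeOffice:WPA2
Warehouse-Scanners:WEP
Guest\:Lobby:
Legacy-AP:WPA1
Mixed-AP:WPA1 WPA2
Corp:WPA2 802.1X
"""

# Ranking follows the article: WEP is weakest, WPA is better, WPA2 is preferred.
RANK = {"OPEN": 0, "WEP": 1, "WPA1": 2, "WPA2": 3}

def split_terse(line):
    """Split one terse line on unescaped ':' and drop the escape characters."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def weakest_mode(security):
    """Return the weakest mode the AP accepts; mixed WPA1/WPA2 rates as WPA1."""
    tokens = security.split()
    if not tokens or tokens == ["--"]:
        return "OPEN"
    known = [t for t in tokens if t in RANK]  # '802.1X' is authentication, not a cipher mode
    return min(known, key=RANK.get) if known else "UNKNOWN"

def audit(scan_text):
    """Return (ssid, weakest_mode) for every network rated below WPA2."""
    findings = []
    for line in scan_text.splitlines():
        if line.strip():
            fields = split_terse(line) + [""]  # tolerate a missing SECURITY field
            mode = weakest_mode(fields[1])
            if RANK.get(mode, RANK["WPA2"]) < RANK["WPA2"]:
                findings.append((fields[0], mode))
    return findings

if __name__ == "__main__":
    for ssid, mode in audit(SAMPLE_SCAN):
        print(f"{ssid}: weakest accepted mode is {mode}, move to WPA2")
```

An access point in mixed WPA/WPA2 mode is reported because clients can still join it with the older standard.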
Security is only as strong as its weakest link, and that is often the wireless network. In simple environments, the network can probably be DIY’d; however, security matters do become more challenging in complex environments and in such cases the best advice may well be to leverage the expertise of a consultant.
One final bit of advice: the value of securing your own wireless network will be eroded if your data is bounced in unencrypted form over other networks. Educate your users and make sure that they are aware of the risks associated with connecting to an insecure network.