WiFi Security Mistakes You Should Avoid


Wireless security is a completely different animal from wired network security. Because WiFi is a radio technology, intrusion attempts are much easier: they are possible without physical access to the network or the building. This is therefore an area of IT security in which you do not want to make mistakes.

Here are five common WiFi security mistakes to avoid when you deploy wireless networks:

1. Using Pre-Shared Key (PSK) WiFi Security

The WiFi Protected Access (WPA or WPA2) personal mode is much easier to set up initially than the 802.1X enterprise mode, which requires a RADIUS server or a hosted RADIUS service. The enterprise mode, however, is the one designed for business networks.

It offers greater security in business environments and takes less time to manage in the long term when compared to the effort required to use personal mode safely.

When using the personal WPA or WPA2 security mode, you set a single passphrase that all users use to connect to the WiFi.

This passphrase is stored on all of these devices, so if one is lost or stolen, or if an employee leaves the organization, the passphrase on the APs and on every wireless device needs to be changed to keep the network secure.

If you use the WPA or WPA2 enterprise security mode, you can create unique login credentials for every user. This can be a digital certificate or smart card for maximum security, or a username and password for easier deployment.

Although login credentials are also stored on the wireless devices in this mode, an individual user's credentials can be changed or revoked on the RADIUS server if a device is lost or stolen or if the employee leaves the organization. You would not need to change any AP passwords or other users' login credentials.

Another major vulnerability in personal mode is that WiFi-connected users can eavesdrop on the wireless traffic of other users, because everyone with the passphrase can decrypt all traffic. This is not the case with enterprise mode. Its encryption is designed so that users cannot decrypt the traffic of other users.
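The reason personal mode lets users decrypt each other's traffic is visible in how the keys are built. The following added example, which is not from the original article, implements the standard WPA2 key derivation in Python: the personal-mode PMK is PBKDF2-HMAC-SHA1 over the shared passphrase with the SSID as salt, so every client derives the identical PMK, and the per-session PTK then depends only on that shared PMK plus values (MAC addresses and nonces) that are exchanged in the clear during the 4-way handshake. In enterprise mode the PMK comes from the per-user EAP master session key instead, which the example stands in for with a fresh random MSK per user. The MAC addresses, SSIDs and passphrases are constructed sample values.

```python
import hashlib
import hmac
import os

PRF_LABEL = b"Pairwise key expansion"   # IEEE 802.11i label used in the PTK derivation

def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so every device on the same network holding the same passphrase
    derives exactly the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)

def enterprise_pmk(msk: bytes) -> bytes:
    """WPA/WPA2-Enterprise: the PMK is the first 32 bytes of the Master Session Key that the
    EAP method produces for one user's authentication. The RADIUS server hands the MSK to the
    access point for that session only; no other user ever learns it."""
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 32 bytes")
    return msk[:32]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PRF-384 from the 4-way handshake (KCK || KEK || TK for CCMP). Apart from the PMK, every
    input is sent in the clear: the AP MAC (aa), the client MAC (spa) and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]

def compare_modes(passphrase: str, ssid: str, users: int = 3) -> dict:
    """Simulate `users` clients joining the same network in each mode and report what they share."""
    ap = bytes.fromhex("020000000001")   # constructed AP MAC address (AA)
    anonce = os.urandom(32)
    psk_pmks, psk_ptks, eap_pmks = [], [], []
    for i in range(users):
        sta = bytes.fromhex(f"0200000000{0x10 + i:02x}")   # constructed client MAC address (SPA)
        snonce = os.urandom(32)
        pmk = wpa2_psk_pmk(passphrase, ssid)
        psk_pmks.append(pmk)
        psk_ptks.append(derive_ptk(pmk, ap, sta, anonce, snonce))
        eap_pmks.append(enterprise_pmk(os.urandom(64)))   # stands in for a fresh EAP MSK per user
    return {
        "psk_pmk_shared_by_all": len(set(psk_pmks)) == 1,      # one secret for the whole office
        "psk_ptks_distinct": len(set(psk_ptks)) == users,      # differ only through public handshake values
        "eap_pmk_distinct_per_user": len(set(eap_pmks)) == users,
    }

if __name__ == "__main__":
    # Constructed sample network; "password"/"IEEE" is the published 802.11i test vector
    print("PSK PMK for password/IEEE:", wpa2_psk_pmk("password", "IEEE").hex())
    for key, value in compare_modes("correct horse battery staple", "CorpNet").items():
        print(f"{key}: {value}")
```

The takeaway the numbers make concrete: in personal mode the passphrase is the only secret that feeds the session keys, so anyone who was ever given it (including a former employee or a stolen laptop) holds the same PMK as every current client, which is why the article says the passphrase must be rotated everywhere. In enterprise mode, revoking one user's credentials on the RADIUS server is enough, because no other client's PMK was ever derived from them.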


2. Not having separate wireless access for guests

Most companies and organizations have customers, contractors or other visitors in their offices over time. Although it is often overlooked, consider establishing wireless access for guests. Those who visit the office will most likely find WiFi convenient or even necessary.

If you have no guest access set up, an employee may simply give visitors access to the main or private network, which is poor security practice. And if guest access is set up but set up incorrectly, guests may still be able to reach the private network.

I suggest creating a separate SSID for guest access and linking it to a separate VLAN that cannot reach the main or private network but can reach the Internet. Also consider using quality-of-service (QoS) functions to impose bandwidth limits on that VLAN so that guests do not hog all of the Internet bandwidth.

In addition, consider enabling the personal WiFi security mode on this separate SSID. Although generally less secure than the enterprise mode, I believe it is acceptable for guests, as it keeps out nearby freeloaders who might misuse the WiFi. Even if someone were to break into the guest access, the private network would be on a different VLAN that remains unreachable.

Takeaway: be prepared for your network guests by creating secure guest access, because if you don't, employees will probably let them onto the private network. Don't forget to limit bandwidth as well.
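The first two mistakes both show up in the access point configuration, so they can be checked mechanically. The following added example (not from the original article, and not a tool of the hostapd project) is a small Python linter for a multi-BSS hostapd.conf: it flags a private SSID that relies on a pre-shared key instead of WPA-EAP, a guest BSS that shares a bridge with the private network instead of sitting on its own VLAN, and a guest BSS without ap_isolate. The two configuration files are constructed: WEAK_CONF contains both mistakes and FIXED_CONF shows the corrected settings, with the RADIUS address, shared secret and guest passphrase as labelled placeholders.

```python
WEAK_CONF = """\
# constructed hostapd.conf: one radio, two BSSes, both mistakes present
interface=wlan0
driver=nl80211
bridge=br-corp
ssid=CorpNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=SharedByEveryone
rsn_pairwise=CCMP

bss=wlan0_1
bridge=br-corp
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=WelcomeGuests
rsn_pairwise=CCMP
"""

FIXED_CONF = """\
# constructed hostapd.conf: private SSID on 802.1X, guest SSID on its own bridge/VLAN
interface=wlan0
driver=nl80211
bridge=br-corp
ssid=CorpNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=RADIUS_SECRET_PLACEHOLDER
rsn_pairwise=CCMP

bss=wlan0_1
bridge=br-guest
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=GUEST_PASSPHRASE_PLACEHOLDER
rsn_pairwise=CCMP
ap_isolate=1
"""

def parse_hostapd(text: str):
    """Split hostapd.conf into global options plus one dict per BSS.
    'interface=' opens the first BSS; each later 'bss=' line opens another."""
    globals_, bss_list, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key in ("interface", "bss"):
            current = {}
            bss_list.append(current)
        (current if current is not None else globals_)[key] = value
    return globals_, bss_list

def audit(text: str, guest_ssids) -> list:
    """Return (ssid, problem) findings for the PSK and guest-separation mistakes."""
    _, bss_list = parse_hostapd(text)
    findings = []
    private_bridges = {b["bridge"] for b in bss_list
                       if b.get("ssid") not in guest_ssids and "bridge" in b}
    for b in bss_list:
        ssid = b.get("ssid", "<no ssid>")
        is_guest = ssid in guest_ssids
        if b.get("wpa") != "2":
            findings.append((ssid, "wpa=2 (WPA2 only) not set"))
        akm = b.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd's default is WPA-PSK
        if not is_guest and "WPA-EAP" not in akm:
            findings.append((ssid, "private SSID relies on a pre-shared key; use WPA-EAP with a RADIUS server"))
        if "WPA-EAP" in akm and b.get("ieee8021x") != "1":
            findings.append((ssid, "WPA-EAP selected but ieee8021x=1 not set"))
        if "WPA-EAP" in akm and not b.get("auth_server_addr"):
            findings.append((ssid, "WPA-EAP selected but no auth_server_addr configured"))
        if is_guest:
            bridge = b.get("bridge")
            if bridge is None:
                findings.append((ssid, "guest BSS has no bridge; cannot confirm it sits on its own VLAN"))
            elif bridge in private_bridges:
                findings.append((ssid, f"guest BSS shares bridge {bridge} with the private network"))
            if b.get("ap_isolate") != "1":
                findings.append((ssid, "ap_isolate=1 not set; guest clients can reach each other"))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf, {"CorpGuest"}) or "no findings")
```

The linter only sees what hostapd controls. Putting the guest bridge on its own VLAN, the firewall rule that blocks that VLAN from the private subnets while allowing Internet access, and the QoS bandwidth cap all live in the switch or router configuration and need their own check.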

3. Relying on alternative or insecure security practices

When I search the Internet, I still come across many tutorials and articles that recommend old or questionable security practices for wireless networks. Although some of them can help, and I understand the value of layered security, I suggest concentrating first on the main security mechanism (encryption) and then weighing the advantages and disadvantages of the other methods.

One of the most common alternative WiFi security practices is not broadcasting your SSID. The idea is to hide the network name so that unauthorized users cannot connect, because they need to know the SSID even to try, and to conceal the fact that a wireless network exists at all.

Keep in mind that some newer operating systems now list networks with hidden SSIDs. And although the SSID will not be displayed in the native wireless network list, wireless analyzers can pick up the SSID from wireless traffic such as association attempts and probes, which still contain the network name even when SSID broadcasting is disabled.

Besides not being a foolproof security measure, not broadcasting the SSID can also harm security: clients configured for a hidden network must send extra probe traffic that carries the network name wherever they go.
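To show concretely why a hidden SSID is not a secret, here is an added Python example (not from the original article) that parses the SSID element out of raw 802.11 management frames. A "hidden" beacon carries an empty or NUL-filled SSID element, but the client's directed probe request, the AP's probe response and the association request all carry the name in the clear. The frames are constructed inline from the standard management-frame layout (24-byte header, fixed fields, then tagged elements) to stand in for a sniffer capture; the MAC addresses and the SSID "CorpHidden" are sample values. The same parser is what a wireless IDS would use to notice company laptops probing for the corporate SSID from outside the office.

```python
import struct

MGMT_HEADER = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1, addr2, addr3, sequence control
SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ELEMENT = b"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24"   # element id 1, typical 802.11g rates
# management subtype -> (name, number of fixed-field bytes that precede the tagged elements)
SUBTYPES = {
    0: ("association request", 4),    # capability (2) + listen interval (2)
    4: ("probe request", 0),
    5: ("probe response", 12),        # timestamp (8) + beacon interval (2) + capability (2)
    8: ("beacon", 12),
}

def mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Build a management frame: protocol version 0, type 0, subtype in the high nibble of byte 0."""
    return MGMT_HEADER.pack(subtype << 4, 0, addr1, addr2, addr3, 0) + body

def ssid_element(name: bytes) -> bytes:
    """Tagged element: id, length, value."""
    return bytes([SSID_ELEMENT_ID, len(name)]) + name

def ssid_from_frame(frame: bytes):
    """Return (subtype name, transmitter MAC, ssid, hidden) for a management frame that carries
    an SSID element; None for data/control frames or subtypes we do not decode."""
    if len(frame) < MGMT_HEADER.size:
        return None
    fc, _, _, addr2, _, _ = MGMT_HEADER.unpack_from(frame)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF not in SUBTYPES:
        return None
    name, fixed = SUBTYPES[(fc >> 4) & 0xF]
    off = MGMT_HEADER.size + fixed
    while off + 2 <= len(frame):
        eid, elen = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + elen]
        if eid == SSID_ELEMENT_ID:
            # a non-broadcasting AP beacons a zero-length SSID or one padded with NUL bytes
            hidden = elen == 0 or value.strip(b"\x00") == b""
            return (name, addr2.hex(":"), "" if hidden else value.decode("utf-8", "replace"), hidden)
        off += 2 + elen
    return None

def recover_ssids(frames) -> dict:
    """Map every SSID visible in client or AP traffic to the frame types that exposed it."""
    seen = {}
    for frame in frames:
        parsed = ssid_from_frame(frame)
        if parsed and not parsed[3]:
            seen.setdefault(parsed[2], []).append(parsed[0])
    return seen

def sample_capture() -> list:
    """Constructed frames standing in for a capture around an AP with SSID broadcasting disabled."""
    ap = bytes.fromhex("020000000001")    # constructed BSSID
    sta = bytes.fromhex("020000000002")   # constructed client MAC
    bcast = b"\xff" * 6
    fixed12 = b"\x00" * 12                # timestamp, beacon interval, capability (values irrelevant here)
    return [
        mgmt_frame(8, bcast, ap, ap, fixed12 + ssid_element(b"") + SUPPORTED_RATES_ELEMENT),          # hidden beacon
        mgmt_frame(4, bcast, sta, bcast, ssid_element(b"CorpHidden") + SUPPORTED_RATES_ELEMENT),      # client's directed probe
        mgmt_frame(5, sta, ap, ap, fixed12 + ssid_element(b"CorpHidden") + SUPPORTED_RATES_ELEMENT),  # AP answers with the name
        mgmt_frame(0, ap, sta, ap, b"\x31\x04\x0a\x00" + ssid_element(b"CorpHidden")),                # association request
    ]

if __name__ == "__main__":
    for frame in sample_capture():
        print(ssid_from_frame(frame))
    print(recover_ssids(sample_capture()))
```

Run stand-alone, the beacon decodes with an empty SSID and hidden=True while the other three frames each reveal "CorpHidden", which is all the secrecy a hidden SSID provides.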

Takeaway: remember to ensure that the network is well secured with WPA2, preferably in enterprise mode, before implementing alternative security measures. Then investigate other additive measures carefully to make sure that they are worth the effort. Check out my last article about Wi-Fi security myths.

4. Not protecting laptops & mobile devices on public WiFi

Two major vulnerabilities exist in the use of public WiFi hotspots. First, if a user connects a laptop that has network shares, those files could be exposed to other hotspot users. Second, if a WiFi eavesdropper nearby is monitoring the airwaves, they can capture passwords or hijack accounts for any unencrypted websites and services the user connects to.

Windows has a network classification function: when the user chooses the Public network type, or answers No when asked whether to enable file sharing and discovery, any network shares on the laptop are disabled while it is connected to that network. However, typical users may not understand all of this, so do your best to inform them.

More effort is needed to protect a user's WiFi traffic when connected to open hotspots. First, I would make sure that all company logins the user might use, such as email access, are encrypted. While most webmail systems provide encrypted SSL access by default, many POP3, IMAP and SMTP servers used by email clients such as Outlook still do not use encryption.

5. Having sub-par WiFi performance

Although it may not appear to be a security risk, poor WiFi performance can be dangerous in some cases. For example, if your wireless is slow or constantly disconnecting users, they may find another WiFi signal to connect to, such as the guest access of a neighboring company, an open home router or a public hotspot.

If this happens, the same security risks I just explained for hotspot connections apply, so any network shares on the device and the user's traffic may be compromised.

Takeaway: make sure your network performs well, and try to inform users about the risks of connecting to other networks. If you think users may still be tempted to connect elsewhere, remember that on Windows devices you can restrict which networks they are allowed to connect to.
