Wi-Fi Security – Steps To Minimise Your Business’ Vulnerability To Attack
If your workplace is anything like ours, then most of your colleagues will be coming to work every day with a smartphone, laptop, tablet or some kind of mobile, Wi-Fi enabled device. And, if your colleagues are anything like mine, the first thing they’ll be doing is asking your network administrator or IT consultant for access to your Wi-Fi network.
Used correctly, the advantages of mobile devices to workplace productivity, flexibility and portability are obvious, but your business needs to balance these gains against the inherent susceptibility of Wi-Fi networks to malicious hacking and eavesdropping.
Fortunately, there are a few simple steps you can follow to minimise your vulnerability to attack:
A strong, industry proven encryption algorithm should be every wireless network’s first line of defence. Some points to consider:
- WEP (Wired Equivalent Privacy) is dead. And buried. Don’t use it. In 2005, the FBI demonstrated that WEP’s underlying encryption can be cracked in less than 3 minutes using publicly available tools. If your business supports WEP encryption you are literally broadcasting your vulnerability to anyone in the vicinity with mischief on their mind. If you’re just setting up a new wireless network, use WPA2 (Wi-Fi Protected Access). It is easier to use, supports more complex passwords (WEP is confined to 0-9 and A-F), and has built-in support from Windows XP to 7. If you need to upgrade your access point firmware or in-house infrastructure to run WPA2, do it.
- Be wary of using Pre-Shared Keys (PSKs). Although the use of PSKs offers an additional layer of security sufficient for home networks, they aren’t practical for use in a business environment. Using PSKs means that the same key needs to be entered into each client, which means you would need to change it each time a staff member leaves or a Wi-Fi device goes missing. Instead of using WPA2-PSK, you should consider implementing the 802.11i encryption standard.
- 802.11i is a standard that incorporates WPA2 and uses new protocols such as TKIP (Temporal Key Integrity Protocol) and Advanced Encryption Standard (AES). Put simply, it gives your business the flexibility of offering each user their own secure 802.1X authentication details. Instead of relying on a single encryption key to secure communication, the keys are regularly exchanged per session via a central authentication server. Keep in mind that to implement 802.11i on your network you’ll need an AAA (Authentication, Authorisation and Accounting) server, such as the Network Policy Server available in Windows Server 2008.
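A quick way to check the advice above against the laptops already in the building is to audit the Wi-Fi profiles Windows has saved and flag anything still using WEP, an open network or a shared PSK. This is an added example, not code from the original article; it assumes English-language netsh output (the field names differ on localised systems).

```powershell
# Added example: classify each saved WLAN profile against the article's advice.
# Assumes English netsh output; "Authentication" and "Cipher" labels are localised elsewhere.
function Get-WlanProfileSecurity {
    $names = @()
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s*All User Profile\s*:\s*(.+)$') { $names += $Matches[1].Trim() }
    }
    foreach ($name in $names) {
        $auth = ''; $cipher = ''
        foreach ($line in (netsh wlan show profile name="$name")) {
            if ($auth   -eq '' -and $line -match '^\s*Authentication\s*:\s*(.+)$') { $auth   = $Matches[1].Trim() }
            if ($cipher -eq '' -and $line -match '^\s*Cipher\s*:\s*(.+)$')         { $cipher = $Matches[1].Trim() }
        }
        # WEP/open is unacceptable, a shared PSK is weak for a business,
        # 802.1X (Enterprise) is what the article recommends.
        $verdict = switch -Regex ($auth) {
            '^(Open|WEP|Shared)' { 'FAIL: open or WEP' }
            'WPA2?-Personal'     { 'WARN: pre-shared key' }
            'WPA2?-Enterprise'   { 'OK: 802.1X per-user authentication' }
            default              { "REVIEW: $auth" }
        }
        [pscustomobject]@{ Profile = $name; Authentication = $auth; Cipher = $cipher; Verdict = $verdict }
    }
}

Get-WlanProfileSecurity | Sort-Object Verdict | Format-Table -AutoSize
```

Run it on each managed laptop (or push it via your management tooling) and delete or replace any profile that comes back as FAIL or WARN.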
A Service Set Identifier (SSID) is the name that identifies a particular wireless network. An SSID can be broadcast from one or a number of wireless access points.
- Don’t rely on hiding your SSID. Choosing not to broadcast your SSID might prevent the neighbour’s 12-year-old son from trying to access your home router, but it won’t prevent any serious attack on a business network. Each time a Wi-Fi client makes a connection to your network, the SSID is transmitted in plain text even if the connection is otherwise encrypted.
- Be wary of your users connecting to other SSIDs. Every time one of your users connects to an SSID outside of your network, they introduce a potential vulnerability. The user doesn’t even have to be aware of the connection; some devices will automatically establish a Wi-Fi connection if an open network is available. Any mobile device that is also used for work should be set up to only access trusted networks automatically – if the device is a laptop or PC running Windows, you can use the “netsh” command to create a filter.
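The netsh filter mentioned above, written out as an added example (not code from the original article): it whitelists the approved SSIDs and then blocks every other infrastructure and ad-hoc network, so a laptop can no longer auto-join an open hotspot. The SSID names are placeholders; replace them with your own and run from an elevated prompt.

```powershell
# Added example: allow only approved SSIDs on a Windows client using the netsh WLAN filters.
# SSID names below are placeholders, not real network names.
$TrustedSsids = @('CorpWiFi-PLACEHOLDER', 'CorpGuest-PLACEHOLDER')

function Set-TrustedWlanFilters {
    param([string[]] $Ssids)
    # Explicit allow entries for each approved network ...
    foreach ($ssid in $Ssids) {
        netsh wlan add filter permission=allow ssid="$ssid" networktype=infrastructure | Out-Null
    }
    # ... then denyall, which blocks every infrastructure SSID not on the allow list.
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    # Ad-hoc (peer-to-peer) networks are rarely needed at work; block them outright.
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
}

function Show-WlanFilters {
    # Lists the allow and deny filters now in force so the result can be verified.
    netsh wlan show filters
}

Set-TrustedWlanFilters -Ssids $TrustedSsids
Show-WlanFilters
```

To roll a filter back, the matching `netsh wlan delete filter permission=denyall networktype=infrastructure` removes the block and users can again see every network in range.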
Another common misconception of Wi-Fi security is that using MAC filtering to control access to the network somehow makes other security measures irrelevant. Using a device’s unique physical network identifier to negotiate a trusted connection would work, but for the fact that MAC addresses can be easily spoofed (impersonated) by other devices within the network’s range (especially if the user has assumed that MAC filtering is foolproof and has not used any underlying network encryption!). Use MAC filtering, but only as a single layer of a comprehensive Wi-Fi security plan.
Static IP Addressing
When setting up a wireless network you should consider disabling at least the IP address assignment of the network’s DHCP server. If you take the extra time to assign a static IP to each device that can connect to the network, and limit the subnet size to what is absolutely necessary, you can make it much more difficult for unauthorised devices or users to log onto your network.
Intrusion Prevention Systems
Another arrow in your Wi-Fi security bow should be the use of both a WIPS (Wireless Intrusion Prevention System) to monitor the airwaves and block unauthorised network access attempts, and a HIPS (Host-based Intrusion Prevention System) on your devices to monitor and block attacks specific to individual nodes. Most security software, including AVG’s Internet Security Business Edition, will come with an effective HIPS, whereas you’ll need to shop around for a WIPS, which is essentially a hardware network device. Intrusion Prevention Systems take security a step further by targeting specific suspicious network behaviours, such as the use of rogue access points, Denial of Service (DoS) attacks, Man in the Middle attacks, and MAC spoofing.
Don’t forget Physical Security!
When you’re planning to secure a new or existing network, it’s easy to get caught up in technological jargon and lose sight of the most basic level of security – a good solid lock. Place your Wi-Fi infrastructure in secure rooms and control physical access by unauthorised staff or visitors. The “reset to factory defaults” button is great when you’ve forgotten the password on your home router, but isn’t so convenient when it opens your business network up to casual passers-by!
Use a good Endpoint Security solution
The final layer of security on a network exists on the endpoints themselves. A trusted, centrally managed and updated security solution such as AVG’s Internet Security Business Edition will monitor incoming and outgoing traffic and file system operations at the client level. For mobile devices, there is also a range of security solutions available, such as AVG Mobilation for the Android platform.