Stop Wifi Intruders and Freeloaders
A huge number of businesses have wifi networks on their premises in order to provide Internet connectivity to customers and/or employees. Yet, in their haste to create hotspots, many companies fail to build adequate security into their wifi networks.
A poorly protected wireless network leaves users' transmissions vulnerable to interception, leading to potential financial losses as attackers use stolen credit card numbers, bank-account passwords, confidential business information and other sensitive data to enrich themselves and their cohorts. For the business hosting the network, inadequate safeguards can expose critical wired and wireless network resources to snoops and crooks.
Protecting a wifi network isn't difficult, but it takes time, careful planning, attention to details and a few simple security tools. Below are strategies that can help you secure your wifi network.
1. Secure your access points. Begin by creating a new administrator password. This is a simple step that many businesses overlook. If an access point's administration area can be accessed by entering a stock word like "admin" or "password," the system is literally begging to be attacked.
2. Activate encryption. Using WPA (Wifi Protected Access) encryption in the form of WPA or WPA2 is highly recommended. WPA or WPA2 with EAP-TLS (Extensible Authentication Protocol Transport Layer Security), with both user and computer certificates, is the strongest method of authentication. EAP-TLS uses digital certificates to provide mutual authentication, in which the wireless client authenticates to the authentication server and vice versa. EAP-TLS authentication requires a PKI (public key infrastructure) to issue certificates and keep them current. The PKI should be configured to issue both user and computer certificates for wireless access.
Some older clients don't support WPA or WPA2. If you decide that your network must serve such technologies, turn on 128-bit WEP (Wired Equivalent Privacy) encryption and use a password to generate the key. Be sure to keep a record of the password so it can be supplied to the people who need network access. Remember, however, that WEP is a weak security approach that can be defeated relatively easily by a skilled attacker. One way of improving on static WEP is to configure access points to use MAC (Media Access Control) filtering to allow only a predefined group of clients to access the network. Unfortunately, a truly committed attacker can also defeat this technique.
3. Create a fresh SSID. What could be worse then using a default SSID (service set identifier)? Why, giving it your company's name, of course (although potential hackers will thank you for identifying their target). Try using a name that's cryptic, like "jup2fjk," or one will make attackers think twice — something like "infected node" (although such a name may also scare away legitimate users from using a public hotspot).
4. Sniff out rogue access points. Most business networks lie within range of access points connected to other networks. Most of these access points will be linked to legitimate systems, but some may be the handiwork of potential mischief-makers, such as attackers and even company employees operating their own unauthorized networks. Unmanaged access points can create a vulnerable point of attack against a business's network. Plugging a laptop into the network and running a detection tool, provided by a vendor such as AirMagnet and Aruba Networks, will enable the network administrator or other authorized individual to quickly pinpoint the existence of any rogue devices. Steps can then be taken to either take down the access point or to secure the network against its presence.