With wireless networks everywhere from secret research facilities to coffee shops, learning how to secure your wireless network is critical. There isn’t a perfect Wi-Fi security strategy, as such, securing a network requires a combination of techniques that will need reevaluation over time. Below are five key elements of a security evaluation strategy.
How to Physically Secure My Wireless Network
When focusing on wireless security, the security of access points (APs) and Ethernet ports can be easy to overlook. For this reason, network owners should maintain the security of both physical and virtual ways to access your network.
One example of a commonly overlooked physical attack exploits physical access to wireless access points. It’s common practice for access points to have a reset button you can press to restore factory settings. This removes Wi-Fi security and allows anyone to connect. The potential for this functionality to be used against you can be minimized by keeping APs out of easy reach and looking into your AP vendor’s locking options. These techniques can help make it difficult for unauthorized people to press the buttons on an AP.
Ethernet ports are another thing to consider. Disabling ethernet ports can minimize a hacker’s ability to access an organization’s Wi-Fi network. For additional security, it’s possible to make it so that physical ports are only accessible by certain users and/or devices.
How to Segment My Network
Another way to secure your wireless network is by isolating different parts of your network from one another. Creating separate subnetworks can help limit the spread of malware between devices on networks. Common separate networks include those for guests and IoT devices. This is because guest and IoT devices present particular vulnerabilities. A guest network can be helpful in keeping guest users isolated from the portion of the network where business data is accessible. An IoT device network can be helpful because they are often less secure than their non IoT counterparts.
It’s also possible to take this even further by segmenting a single network using VLANS to the point that each user has their own network. Learn more about segmenting your network and how to implement it from our article What is Network Segmentation.
How to Use WPA2 Enterprise with 802.1X Authentication
For effective segmentation of a network, devices need to stay in their intended portion of the network. This is where WPA2 Enterprise with 802.1X Authentication can help.
Some APs may still use Wired Equivalent Privacy (WEP) but this protocol is insecure to the point that hackers can potentially break into a network using this protocol within minutes. Yet even with WPA protocols, different versions of these protocols and techniques of applying them can further influence the level of security.
The non-enterprise, WPA2 Personal version has a single pre-shared password. This means that anyone who knows this one password can access the network. The Wi-Fi Protected Access 2 (WPA2) Enterprise version enables each user to authenticate individually with separate usernames and passwords. This approach is inherently more secure because a person must know both the password and the user it’s associated with. If a person leaves the organization or a device is stolen, the organization can either change or revoke that user’s credentials as opposed to changing the password for everyone to ensure only current users know the password. The WPA2 Enterprise version also has the potential to give network owners a better idea of where a breach originates with the integration of certain software.
To enable Enterprise mode, you need a RADIUS server. A RADIUS server makes it possible for user authentication and connection to services like Active Directory or LDAP that stores usernames and passwords.
How to Secure the 802.1X Client Settings
Some hackers setup false wireless networks with an SSID identical to the one of the network its imitating. This enables hackers of networks that don’t use 802.1X client settings to steal user credentials. Enabling server identification on the client side helps prevent this. It ensures that the user’s device won’t transfer Wi-Fi login credentials to the RADIUS server until the server is confirmed as a legit server. With 802.1X, it is also possible to have mutual authentication between the client and the server using certification so that both devices can receive certification that they are what they claim.
How to Detect Rogue APs
Enabling 802.1X client settings minimizes the chance of hackers stealing credentials with false ways to access a network, but it’s best to help ensure that unofficial APs are detected quickly to minimize the risk of devices connecting to them. This is possible with rogue AP detection. Rogue APs are unofficial ways to access the network. While sometimes used for legitimate reasons like increasing the Wi-Fi signal, these can also be setup by hackers. It is, therefore, important to regularly scan for rogue APs using software like a Wi-Fi scanner, wireless intrusion detection system (WIDS) or intrusion protection system (WIPS).
How Impulse Can Help
Impulse’s SafeConnect Network Access Control (NAC) can provide users with a RADIUS server and a means to do things like implement 802.1X, segment your network, and limit access to physical APs. Learn more about SafeConnect NAC on Impulse’s SafeConnect Overview page.
Are you a security superhero? Find out with Impulse’s Network Security Superhero Assessment!