Wi-Fi is inherently vulnerable to hacking and eavesdropping. However, with the right security measures, Wi-Fi can be secure. Unfortunately, the internet is full of outdated advice and misconceptions. Here are some dos and don’ts for Wi-Fi security.
01
Do Not Use WEP
WEP (Wired Equivalent Privacy) is long dead: even inexperienced attackers can break its encryption quickly and easily, so you should not use it at all. If you are still using WEP, upgrade immediately to WPA2 (Wi-Fi Protected Access 2) with 802.1X authentication. If outdated devices or access points do not support WPA2, try a firmware upgrade or simply replace them.
02
Do Not Use WPA/WPA2-PSK
The WPA/WPA2 Pre-Shared Key (PSK) mode is not secure for business or enterprise environments. When using this mode, the same pre-shared key must be entered on every client. Therefore, whenever an employee leaves or a key is lost or stolen, the PSK needs to be changed. This is impractical in most environments.
03
Always Use 802.11i
The EAP (Extensible Authentication Protocol) mode of WPA and WPA2 uses 802.1X authentication instead of a PSK, giving each user and client its own login credentials, such as a username and password and/or a digital certificate.
The actual encryption keys are generated and rotated in the background. To change or revoke a user's access, you only need to modify that user's credentials on the central server rather than changing the PSK on every client machine. Because each client's session uses its own unique keys, users also cannot eavesdrop on each other's communications, which matters now that tools such as the Firefox add-on Firesheep and the Android app DroidSheep make eavesdropping quite easy.
For the best possible security, use WPA2 with 802.1X. This combination is also known as 802.11i.
To implement 802.1X authentication you need a RADIUS/AAA server. On Windows Server 2008 or later, consider Network Policy Server (NPS); on earlier server versions, Internet Authentication Service (IAS). If you are not running Windows server software, consider the open-source FreeRADIUS server.
If you are running Windows Server 2008 R2 or later, you can set 802.1X for machines connected to the same domain through Group Policy. Otherwise, you may consider third-party solutions to help configure these clients.
04
Ensure Client Settings are Secure
The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks, but you can prevent them by locking down the clients' EAP settings. For example, in the Windows EAP settings you can enforce server certificate validation by selecting the trusted CA certificate, specifying the server name, and preventing Windows from prompting users to trust new servers or CA certificates.
You can also push 802.1X settings to machines connected to the same domain through Group Policy or use third-party solutions like Avenda’s Quick1X.
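The client-side checks described above can be audited across a machine's saved wireless profiles. The following PowerShell script is an added example, not code from the article: it exports every profile with `netsh wlan export profile` and flags profiles that are not using 802.1X, that lack a `ServerValidation` element, or that leave the server name, trusted root CA or the "do not prompt" setting unset. It assumes Windows 7 or later with the WLAN AutoConfig service; the element names follow the Microsoft WLAN/PEAP/EAP-TLS profile schema that the export produces.

```powershell
# Added example, not part of the article: audit the server-validation
# settings of every saved Windows WLAN profile on this machine.
# Assumes Windows 7 or later; element names follow the Microsoft WLAN
# profile schema that 'netsh wlan export profile' emits.

function Test-PeapServerValidation {
    param([Parameter(Mandatory)][xml]$Profile)
    # local-name() lookups avoid registering every schema namespace.
    $name   = $Profile.SelectSingleNode("//*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
    $oneX   = $Profile.SelectSingleNode("//*[local-name()='useOneX']")
    $sv     = $Profile.SelectSingleNode("//*[local-name()='ServerValidation']")
    $issues = @()
    if (-not $oneX -or $oneX.InnerText -ne 'true') {
        $issues += 'not using 802.1X (PSK or open profile)'
    } elseif (-not $sv) {
        $issues += 'no ServerValidation element (EAP method does not validate the server)'
    } else {
        $noPrompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
        $servers  = $sv.SelectSingleNode("*[local-name()='ServerNames']")
        $rootCa   = $sv.SelectSingleNode("*[local-name()='TrustedRootCA']")
        if (-not $noPrompt -or $noPrompt.InnerText -ne 'true') {
            $issues += 'users may be prompted to trust an unknown server certificate'
        }
        if (-not $servers -or [string]::IsNullOrWhiteSpace($servers.InnerText)) {
            $issues += 'no RADIUS server name pinned'
        }
        if (-not $rootCa) { $issues += 'no trusted root CA pinned' }
    }
    [pscustomobject]@{
        Profile = $name
        Secure  = ($issues.Count -eq 0)
        Issues  = ($issues -join '; ')
    }
}

# Export all profiles (without key=clear, so no PSKs land on disk) and audit them.
$exportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
netsh wlan export profile folder="$exportDir" | Out-Null
Get-ChildItem $exportDir -Filter '*.xml' |
    ForEach-Object { Test-PeapServerValidation -Profile ([xml](Get-Content $_.FullName -Raw)) } |
    Format-Table -AutoSize
Remove-Item $exportDir -Recurse -Force
```

Any profile reported with `Secure = False` is one where a rogue access point presenting its own certificate could be accepted, either silently or after a user clicks through the prompt.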
05
Use a Wireless Intrusion Prevention System
Ensuring Wi-Fi network security involves more than just defending against attempts to gain network access. For instance, hackers can set up a fake access point or implement a denial-of-service attack. To help detect and counter these attacks, you should apply a Wireless Intrusion Prevention System (WIPS). The design and methods of WIPS systems from various vendors differ, but these systems generally monitor for rogue access points or malicious actions, alerting you and potentially blocking these malicious behaviors.
Many commercial vendors offer WIPS solutions, such as AirMagnet and AirTight Networks, as well as open-source options like Snort.
06
Implement NAP or NAC
In addition to 802.11i and WIPS, you should consider implementing a NAP (Network Access Protection) or NAC (Network Access Control) solution. These solutions provide additional control over network access based on client identity and compliance with defined policies. These solutions also include the ability to isolate problematic clients and provide remediation measures for clients to regain compliance.
Some NAC solutions may include network intrusion prevention and detection features. However, make sure that this solution also specifically offers wireless network protection capabilities.
If your clients are running Windows Server 2008 or later and Windows Vista or later operating systems, you can use Microsoft’s NAP features. Additionally, you may consider third-party solutions, such as the open-source PacketFence.
07
Do Not Rely on Hiding the SSID
A common misconception in wireless security is that disabling SSID broadcasting on access points hides your network, or at least makes it harder for attackers to find your SSID. In practice this only removes the SSID from the access point's beacons; it is still sent in association requests and, in some cases, in probe requests and probe responses. Eavesdroppers on a busy network can therefore quickly discover "hidden" SSIDs using ordinary, legitimate wireless analyzers.
Some may argue that disabling SSID broadcasting still provides another layer of security. However, remember that it can negatively impact network setup and performance. You have to manually enter the SSID on clients, complicating client configuration. It can also increase probe requests and response packets, reducing available bandwidth.
08
Do Not Trust MAC Address Filtering
Another misconception in wireless security is that enabling MAC (Media Access Control) address filtering adds another layer of security, controlling which clients can connect to the network. There is some truth to this. However, remember that eavesdroppers can easily monitor authorized MAC addresses on the network and subsequently change their own computer’s MAC address.
So do not adopt MAC address filtering on the assumption that it does much for security. You can still use it as a loose way of controlling which clients and devices connect to the network, but weigh that against the management burden of keeping the MAC list up to date.
09
Limit the SSIDs Users Can Connect To
Many network administrators overlook a simple but potentially dangerous risk: users intentionally or accidentally connecting to nearby or unauthorized wireless networks, exposing their computers to intrusion. Filtering SSIDs is one way to prevent this. In Windows Vista and later, for example, the netsh wlan command can add filters that control which SSIDs users can see and connect to. On desktop computers you can deny every SSID except your own wireless network; on laptops you can deny just the SSIDs of nearby networks while still allowing hotspots and users' home networks.
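The desktop and laptop policies just described, as an added example that is not part of the article. It assumes Windows Vista or later, an elevated prompt, and two constructed SSIDs: "CorpWiFi" is your own network and "NeighborNet" is a nearby network users keep joining.

```powershell
# Added example, not from the article: netsh wlan SSID filters.
# Assumes an elevated prompt on Windows Vista or later; "CorpWiFi" and
# "NeighborNet" are constructed SSIDs, replace them with your own.

# Desktop policy: allow only the corporate SSID and deny every other network.
netsh wlan add filter permission=allow ssid="CorpWiFi" networktype=infrastructure
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

# Laptop policy: block just the specific nearby SSID, leaving hotspots and home
# networks usable. Use this instead of the denyall entries above.
netsh wlan add filter permission=block ssid="NeighborNet" networktype=infrastructure

# Verify the resulting filter list. Blocked networks disappear from the user's
# "available networks" list, so confirm nothing needed was hidden.
netsh wlan show filters

# Roll back a filter that turns out to be too strict (uncomment to run):
# netsh wlan delete filter permission=denyall networktype=infrastructure
```

The allow entry is what keeps CorpWiFi visible once denyall is in place; without it, denyall would hide the corporate network as well.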
10
Physically Secure Network Components
Remember, computer security is not just about the latest technologies and encryption. Physically securing your network components is equally important. Place access points out of reach, such as above false ceilings, or keep them in a secure location and run an antenna to the optimal position. If an access point is physically accessible, anyone can reset it to factory defaults and open it up.
11
Do Not Forget to Secure Mobile Clients
Your concerns about Wi-Fi security should not be limited to your network. Users of smartphones, laptops, and tablets may also need protection. But what happens when they connect to Wi-Fi hotspots or their home routers? You need to ensure that their other Wi-Fi connections are also secure to prevent intrusions and eavesdropping.
Unfortunately, ensuring the security of Wi-Fi connections outside is not an easy task. It requires a comprehensive approach, such as providing and recommending solutions and educating users about Wi-Fi security risks and defenses.
First, all laptops and netbooks should have a personal firewall to prevent intrusions. If you are running Windows Server operating systems, you can enforce this feature through Group Policy, and you can also manage non-domain computers using solutions like Windows Intune.
Second, ensure that users' internet communications are encrypted when they are on other networks, to prevent local eavesdropping, by providing VPN (Virtual Private Network) access to your network. If you do not run an internal VPN for this purpose, consider an outsourced service such as Hotspot Shield or Witopia. On iOS (iPhone, iPad, and iPod Touch) and Android devices you can use the native VPN client; on BlackBerry and Windows Phone 7 devices you must set up a message server and configure the device to use its own VPN client software.
You should also ensure that your internet-facing services are secure, so that users can use them safely when they cannot reach your network over VPN from a public or untrusted network. For example, if you provide email access from outside your LAN, WAN, or VPN, make sure SSL encryption is used, because eavesdroppers on untrusted networks can otherwise capture users' login credentials or data.
(Source: Cybersecurity Knowledge Popularization)