Wireless networks can provide significant business advantages for enterprises, such as ensuring employees can connect across multiple devices and even buildings, thereby improving productivity. However, wireless networks can also bring visible and invisible risks to business privacy. Below are nine common wireless network security pitfalls that enterprises should pay attention to.
As BYOD continues to grow in the workplace, the risks also increase. When managing corporate Wi-Fi networks, administrators need to be mindful not only of coverage and connectivity issues but also of security and privacy. These risks may seem obvious, but they are often overlooked by businesses. Small vulnerabilities in wireless LANs can allow attackers to exploit them.
There are many security technologies available for enterprises today. When choosing security technology, the main concern is whether to prioritize flexibility and speed or strict security protection. If the WiFi platform supports the right devices and is customized according to corporate requirements, it can achieve a balance between flexibility and security. However, businesses must also remember that attackers are constantly becoming more sophisticated, and relying solely on technology may not provide the highest level of security. Only by correctly combining technology with supporting policies can a secure and healthy WiFi environment be ensured. Below are common security mistakes enterprises should avoid when deploying and operating WLAN:
▲ Over-Reliance on Firewalls and Antivirus Software
Many enterprises overly rely on network firewalls and antivirus software while avoiding discussions about additional investments in network security. Businesses often adopt the attitude of ‘we don’t need more security technology,’ which can easily leave them vulnerable to attacks. Firewalls and antivirus software cannot address common vulnerabilities in corporate WiFi networks. Enterprises need to recognize that their security investments may not have immediate effects, but they are akin to insurance. Depending on the importance of the enterprise’s digital information and IT infrastructure, additional security investments must be made to ensure safety.
▲ Ignoring WLAN Security Features
When purchasing WLAN equipment, enterprises typically choose devices based on coverage, upload/download speeds, the number or type of devices, or even the type of walls and floors. However, WiFi devices come with many additional security features, including QoS control options, support for WPA/WPA2, WPS, port filtering, IP packet filtering, URL keyword filtering, MAC address filtering, and integrated firewall support. Many security features in next-generation devices can eliminate the need for multiple products and ensure that you get the most out of your WiFi devices.
▲ Improper Device Configuration
When setting up WLAN nodes (routers, access points, bridges, or client adapters), you must assess device encryption. Encryption communication mechanisms can ensure the integrity of client systems, but this may negatively impact network performance. Wired Equivalent Privacy (WEP) was deprecated in 2003, and since then, WiFi Protected Access (WPA) and WPA2 have become the new standards. There are also these encryption mechanisms in different configurations, including Pre-Shared Key (PSK), Temporal Key Integrity Protocol (TKIP), or Advanced Encryption Standard (AES), each supporting different key lengths (64-bit, 128-bit, or 256-bit). Large enterprises may also opt for the enterprise mode of WPA or WPA2, which can prevent WLAN users from eavesdropping on each other’s communications.
The most advanced configurations undoubtedly provide better security, but this often comes at the cost of performance. When encryption keys are lengthy, devices require more time and resources to perform encryption and decryption, impacting network performance. The encryption configuration also needs to be stringent enough to ensure security while allowing for acceptable network performance levels.
Tip: When configuring/upgrading your devices, please document and/or back up the settings of your old router, such as port forwarding, QoS priority settings, or other settings and passwords. If this is not done, you may need to spend a lot of time reconfiguring the devices later.
▲ Allowing Guests to Access Without a Password
The worst-case scenario is allowing guests to connect to the WiFi network without any password. All businesses (including malls, airports, or chain restaurants) should use some form of access mechanism based on PINs, time limits, or data limits to track guest users. For enterprise-level WiFi networks, a password or PIN authentication system for guests is often the most important security deployment.
▲ Passwordless Wireless Networks
There are many attackers constantly trying to eavesdrop on corporate networks and steal data. With modern gadgets and applications, they can easily infiltrate most WiFi networks. Even wireless LANs that use WPA or WPA2 encryption standards can be vulnerable to brute force attacks, which attackers can use to steal passwords or hijack website or service accounts. Using encryption such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) on critical applications can help protect you from such eavesdropping attempts and restrict access to shared folders and other critical network resources.
▲ Lack of Additional Authentication Measures
Enterprises can reduce WLAN security risks through additional authentication. When using WPA or WPA2 in enterprise mode, a standalone Remote Authentication Dial-In User Service (RADIUS) server is typically required for 802.1x authentication. There are many options available for this. Windows Server versions 2008 and later provide a Network Policy Server (NPS) that can be used to configure RADIUS servers. For other operating systems, third-party RADIUS servers are needed. Some WLAN access points also include a built-in RADIUS server.
There are also managed services like AuthenticateMyWiFi that can provide additional authentication security. Enterprises should consider all options before making any investments.
▲ Completely Relying on MAC Address Filtering
MAC address filtering is an integrated security mechanism in many WLAN devices that allows administrators to customize lists of computers and client devices that are allowed or denied connection based on unique MAC addresses. This mechanism provides basic security but should not be relied upon as a standalone security measure since MAC addresses can be easily spoofed. Many devices provide the ability to change MAC addresses. If attackers know the list of authorized MAC addresses for your enterprise or purchase devices authorized for your network, they can infiltrate your network to steal bandwidth or perform malicious activities.
To avoid this, use encryption along with MAC filtering. Encryption can prevent attackers from eavesdropping on the corporate network and provide stronger security than just using MAC filtering.
▲ Incorrect SSID Settings
Correctly setting the Service Set Identifier (SSID) can help reduce risk factors. For example, many WLAN devices allow administrators to disable SSID name broadcasting, which can remove the SSID from the list of visible available network connections. This can help protect the network from unauthorized user access. However, savvy attackers may still discover hidden networks; a combination of methods discussed above is needed.
Another important SSID setting relates to the number of SSID clients. In Windows 7 and later versions of Windows operating systems, you can limit the number of client devices that can connect to the SSID. This can help prevent clients from connecting to insecure public WiFi networks, thus avoiding exposing devices and login credentials to external networks.
▲ Lack of Password Policies
In addition to security deployments and device management, enterprises also need to ensure that appropriate policies are in place to operate the WiFi environment. For example, when creating user accounts for the WiFi network, many administrators prefer to use the same password for all WiFi computers and devices, which often leads to access issues. To restrict access to specific users or groups, administrators may need to change passwords for all access points and devices. For this, enterprises can utilize individual user accounts or digital certificates to allow them to connect to the WiFi network. At the same time, managing individual account permissions often allows enterprises to better track users.
When formulating robust security policies, enterprises should consider requiring users to use strong passwords that include a combination of letters, numbers, and special characters, and enforce password expiration after a specified period.
Source: IT168