10 ways to improve the security of your wireless network

Apr 21, 2009, 08:01

Nigel Bush

Wireless technology is now in almost every business and home, but a wireless network is inherently insecure, and it is essential that every business secures its wireless networks against the latest threats. Below are 10 simple tips for improving the security of your wireless network.

Implementing a wireless networking system can result in serious security problems if the system is not properly secured. In fact, some Internet service providers have clauses in their agreements that indicate that service is not to be shared with people outside of those covered by the agreement. If you deploy an insecure wireless network, it could result in a loss of service, or in the use of your network as a launching pad for attacks against other networks.

The point of properly securing a wireless access point is to close off the network from outsiders who do not have authorisation to use your services. A properly secured access point is said to be “closed” to outsiders. A wireless network is more difficult to secure than a typical wired network due to its nature. A wired network has a limited number of fixed physical points of access, while a wireless network can be used at any point within the range of the antennas. To help you close these security holes, here is the first of our 10 wireless security tips.

1. Do a Site Survey

We like to ask our customers this question, "Do you know where your wireless signal is?" Unless you know exactly how far your wireless network reaches, and in what directions it travels, chances are you're leaking a Wi-Fi signal that anyone with a laptop and a Wi-Fi card – including hackers – can use for free. A site survey will tell you exactly how far your signal reaches. We can help you measure signal strengths at various points in and around your business environment.

Businesses need to be aware that their network's AP signal could be traveling further than they want and creating a potential security breach. Encryption offers a good deal of protection, but the longer someone has access to your network, the greater the chance they can crack it.

Remember WEP encryption can be cracked. If your signal leaks out into the parking lot, you're giving someone the time and opportunity to hack you. If the signal's contained to your office, you significantly reduce the likelihood of an outside attack.

2) Plan antenna placement

The first step in implementing a closed wireless network is to place the wireless antenna in such a way that it limits how much the signal can reach areas outside the coverage area. Don’t place the antenna near a window, as the glass does not block the signal. Ideally, your antenna will be placed in the centre of the area you want covered with as little signal leaking outside the walls as possible. Of course, it’s next to impossible to completely control this, so other measures need to be taken as well.

(See our next series of tips for more information).

3) Encryption

Wireless encryption protocol (WEP) is a standard method to encrypt traffic over a wireless network. While it has major weaknesses, it is useful in deterring casual hackers. Many wireless access point vendors ship their units with WEP disabled in order to make the product installation easier. This practice gives hackers immediate access to the traffic on a wireless network as soon as it goes into production since the data is directly readable with a wireless sniffer.

Encrypting your network makes it difficult for hackers to crack in and use your wireless connection, access your data, or perform other malicious actions. Encryption's an effective hacker deterrent.

The thought of trying to hack a 128-bit or 256-bit cipher is enough to send a hacker packing — and looking for an easier target. There are two types of encryption: WEP and WPA with AES encryption. The 128-bit WEP encryption can be cracked, but it can take up to four hours of work to do it. To date, 256-bit AES has never been cracked.

Most wireless access points (APs) support both WEP and WPA standards, but not all client cards (the Wi-Fi card that plugs into your laptop) support AES encryption, which requires a dedicated chip.

4) Change the SSID and disable its broadcast

The Service Set Identifier (SSID) is the identification string used by the wireless access point by which clients are able to initiate connections. This identifier is set by the manufacturer and each one uses a default phrase, such as “101” for 3Com devices. Hackers that know these pass phrases can easily make unauthorised use of your wireless services. For each wireless access point you deploy, choose a unique and difficult-to-guess SSID, and, if possible, suppress the broadcast of this identifier out over the antenna so that your network is not broadcast for use. It will still be usable, but it won’t show up in a list of available networks.

5) Disable DHCP

At first, this may sound like a strange security tactic, but for wireless networks, it makes sense. With this step, hackers would be forced to decipher your IP address, subnet mask, and other required TCP/IP parameters. If a hacker is able to make use of your access point for whatever reason, he or she will still need to figure out your IP addressing as well.

6) Disable or modify SNMP settings

If your access point supports SNMP, either disable it or change both the public and private community strings. If you don’t take this step, hackers can use SNMP to gain important information about your network.

7) Use access lists

To further lock down your wireless network, implement an access list, if possible. Not all wireless access points support this feature, but if yours does, it will allow you to specify exactly what machines are allowed to connect to your access point. The access points that support this feature can sometimes use Trivial File Transfer Protocol (TFTP) to periodically download updated lists in order to prevent the administrative nightmare of having to sync these lists on every unit.

8) Stick With the Same Vendor

Buying your APs and Wi-Fi cards from the same vendor increases your network performance and reduces compatibility issues, since not all vendors support the same features. “Turbo mode” is an example of this.

Some manufacturers build a Turbo mode into their APs and Wi-Fi cards. It's supposed to double your network throughput, but it only works if all your cards come from the same vendor. It could even be available only on a specific card within a vendor's line.

D-Link has an AP and a Wi-Fi card that are specific to the Turbo mode feature. The company makes lots of cards and APs, but not all of them support that feature. This is true of most vendors.

9. Place Your Wireless Network on Its Own VLAN

A VLAN (Virtual Local Area Network) is a way of segmenting your network so that employees can access only the job-related resources they need without having access to the entire network.

Not everyone on your network needs to know everything. Introducing VLANs is a way to add a layer of internal data protection to your business. This is a somewhat more costly addition to a wireless network, but a good option if your business requires compliance with HIPAA or other types of state and federal regulations, or if you want to make sure that your personnel or other backend data isn't readily accessible.

10. Set Up a Secondary Authentication Mechanism

Authentication is a way that people can prove they are who they say they are in order to access a network or any secure area. The most common authentication method is the user name and password. But companies dealing with highly sensitive data might want to consider adding a second method on top of the type they currently employ.

A RADIUS server is one option, although this solution can be expensive depending on the size of the business. A number of low-cost solutions exist to help small businesses use authentication servers that utilize the protocol called 802.1X. They include software packages like LucidLink or Elektron that run on a local computer to turn it into a RADIUS authentication server, or hosted RADIUS services like WSC Guard or WiTopia.net.

The businesses that need a higher level of security are typically hospitals or medical practices that need to comply with HIPAA regulations. Other fields include financial services that must comply with Sarbanes-Oxley, or industries with the money and the need to install a locked-down wireless network.
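
The settings behind tips 3, 4, 7 and 10 can be checked mechanically. The following is an added example, not part of the original article: it assumes an access point configured with hostapd-style `key=value` settings, and both sample configurations and the default-SSID list are constructed for illustration.

```python
# Added example: audit hostapd-style settings against tips 3, 4, 7 and 10.
# Both configs and the default-SSID list are constructed for illustration
# ("101" is the 3Com default named in the article).
DEFAULT_SSIDS = {"101", "linksys", "netgear", "default", "tsunami"}

WEAK_CONF = """\
ssid=101
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=0123456789
macaddr_acl=0
"""

HARDENED_CONF = """\
ssid=fin-ap-7Q2x
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(conf):
    """Return (tip_number, finding) tuples for settings that break a tip."""
    findings = []
    ciphers = set(conf.get("wpa_pairwise", "").split())
    ciphers |= set(conf.get("rsn_pairwise", "").split())
    if conf.get("wpa", "0") == "0":
        uses_wep = any(k.startswith("wep_key") for k in conf)
        findings.append((3, "WEP only" if uses_wep else "no encryption"))
    elif "CCMP" not in ciphers:  # AES must be listed explicitly to pass
        findings.append((3, "WPA without AES (CCMP)"))
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append((4, "vendor-default SSID"))
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append((4, "SSID is broadcast"))
    if conf.get("macaddr_acl", "0") == "0":  # 0 = accept unless on a deny list
        findings.append((7, "no MAC access list"))
    eap = "WPA-EAP" in conf.get("wpa_key_mgmt", "").split()
    if conf.get("ieee8021x") != "1" and not eap:
        findings.append((10, "no 802.1X/RADIUS authentication"))
    return findings
```

Calling `audit(parse_conf(WEAK_CONF))` reports one finding per broken tip, while the hardened configuration returns an empty list.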

For more information relating to Networking, Network Security and Network Storage please go to our specialist websites:

Networking                  www.primary-networks.co.uk

Network Security         http://www.primary-security.co.uk/

Network Storage          www.Primary-Storage.com

IT Services                   http://www.primarynetworksgroup.com/id2.html

Or to find out more about all of our products and services, go to www.PrimaryNetworksGroup.com