
Wi Fi Protection

The document discusses additional ways to protect a Wi-Fi network beyond just password protection, such as updating router firmware, choosing a unique and non-identifying SSID, changing default passwords, monitoring for rogue access points, disabling WPS, and ensuring physical security of network components and the building.

Uploaded by

Jairo Morales

Wi-Fi Security: Beyond Password Protection

There are many more ways to protect your Wi-Fi beyond password protection; here we
take a look at some of them.

Introduction

You likely know you must password-protect your private Wi-Fi in order to encrypt the wireless
traffic and to keep others from connecting to the network. It’s no secret that Wi-Fi Protected
Access (WPA2) security is the main line of defense, with the personal (PSK) mode for homes
and small offices and the enterprise mode with 802.1X authentication for business networks.

Update firmware

Don’t ignore firmware updates for wireless routers and access points. Before deploying them,
one of the first things you should do is check the firmware version and make sure it’s
up to date. You should also check periodically after deployment and make use of any firmware
update notification functionality the vendor might offer. Firmware updates can contain fixes
and patches for security holes and other issues, and may also add features.

Choose the network name (SSID) wisely

For security reasons, you should change the default network name, technically called the
service set identifier (SSID), that comes preconfigured from the vendor on your wireless
routers or access points. Using the default can make it easier for someone to crack the
pre-shared key (PSK). This is because the SSID is used in the hashing process to generate
the key, and the rainbow tables (databases) utilized during brute force cracking are typically
built for the common default SSIDs. Using a unique SSID will make the cracking
process a bit more difficult for a hacker.

Another security issue with using the default SSID is that wireless devices can’t distinguish
between two different networks using the same SSID. Thus, if your network is unprotected
(perhaps for your guest access), the wireless devices will also auto-connect to any network
with that same SSID elsewhere. If your network is password-protected and the
wireless device comes across another network with the same SSID but with a different
password, it will wipe out the first saved password if you connect to that second network.
Wireless devices can only store one password per SSID.

Yet another security concern involving SSIDs is how identifiable they are. You may not want to
make the SSID the same as the business name, address, or other quickly identifiable
information. This matters more where there are other networks around, since a
hacker will then find it more difficult to pick your network out of the many nearby.
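The two SSID concerns above (the SSID's role in key hashing, and identifiability) can be checked with a short script. This is an added example, not part of the original article; the default-SSID list, the sample passphrase and the SSID names are constructed for illustration.

```python
import hashlib

# Illustrative, constructed list of vendor-default SSIDs (not from the article).
COMMON_DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def audit_ssid(ssid: str, identifying_terms: list[str]) -> list[str]:
    """Return findings for a vendor-default or identifying SSID."""
    findings = []
    lowered = ssid.lower()
    if lowered in COMMON_DEFAULT_SSIDS:
        # Same salt as thousands of other networks: precomputed tables apply.
        findings.append("default SSID: keys precomputed for this name are reusable")
    for term in identifying_terms:
        if term.lower() in lowered:
            findings.append(f"SSID reveals identifying term: {term}")
    return findings

if __name__ == "__main__":
    passphrase = "correct horse battery"  # constructed sample passphrase
    for ssid in ("linksys", "AcmeCorp-Guest", "Harbor-7Q"):
        key = derive_pmk(passphrase, ssid).hex()
        # The same passphrase yields an unrelated key under each SSID.
        print(f"{ssid:15} {key[:16]}...  {audit_ssid(ssid, ['Acme'])}")
```

Because the SSID is the salt, a table computed for one network name is useless against another, which is why only widely shared names are worth precomputing.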

Change admin passwords and restrict access

Changing the default admin password should be a no-brainer. However, I’m surprised how
often I come across networks with routers and APs still set with the default, giving easy
access to anyone curious enough to try. It goes without saying, but ensure you use strong
passwords that are long and complex with mixed case and special characters, if allowed.

While configuring your network, keep an eye out for ways to restrict admin access via the
web GUI. Some vendors include specific settings to control access, while with others you can
likely use firewall rules to do the same. Consider disabling admin access on any guest
virtual LAN or WLAN, or from Wi-Fi altogether.

Double-check VLANs are properly configured


If you utilize virtual LANs (VLANs) to segregate traffic, consider verifying them after installing
wireless access points or network ports. A simple mistake when configuring the VLANs,
tagging, firewall rules, or other network settings may otherwise go unnoticed. Thus, connect
to each network name (SSID) and ensure you’re assigned to the proper subnet. Consider
doing some pings as well to ensure there isn’t any undesired inter-VLAN routing, for instance.
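The check described above can be scripted once the results of each test connection are written down. This is an added example, not part of the original article; the SSID names, subnets, permitted flow and observations are all constructed.

```python
import ipaddress

# Constructed plan: SSID -> subnet its clients should land in (hypothetical).
PLAN = {
    "Corp":  ipaddress.ip_network("10.10.0.0/24"),
    "Guest": ipaddress.ip_network("10.20.0.0/24"),
    "IoT":   ipaddress.ip_network("10.30.0.0/24"),
}
# Inter-VLAN flows that are intentionally permitted: (source SSID, destination SSID).
ALLOWED_FLOWS = {("Corp", "IoT")}

def check_vlans(observations):
    """observations: per SSID, the address DHCP handed out and the
    addresses that answered a ping while connected to that SSID."""
    findings = []
    for ssid, obs in observations.items():
        assigned = ipaddress.ip_address(obs["assigned_ip"])
        if assigned not in PLAN[ssid]:
            findings.append(f"{ssid}: got {assigned}, expected an address in {PLAN[ssid]}")
        for target in obs["ping_replies"]:
            addr = ipaddress.ip_address(target)
            for other, net in PLAN.items():
                if other != ssid and addr in net and (ssid, other) not in ALLOWED_FLOWS:
                    findings.append(f"{ssid}: reached {addr} in the {other} VLAN")
    return findings

# Constructed results of joining each SSID and pinging a host in every other VLAN.
SAMPLE = {
    "Corp":  {"assigned_ip": "10.10.0.57", "ping_replies": ["10.30.0.1"]},
    "Guest": {"assigned_ip": "10.10.0.88", "ping_replies": ["10.10.0.1"]},
    "IoT":   {"assigned_ip": "10.30.0.12", "ping_replies": []},
}

if __name__ == "__main__":
    for finding in check_vlans(SAMPLE):
        print("FINDING:", finding)
```

In the sample, the Guest SSID is bridged to the Corp subnet and can reach the Corp gateway, the kind of tagging mistake that goes unnoticed until someone connects and looks.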

Monitor for rogue access points

Rogue wireless access points are those that aren’t authorized or properly set up by the IT
department. It could be someone intentionally plugging in their own wireless router or access
point, with good or bad intentions. These days it could even be someone enabling Wi-Fi
tethering on their smartphone or tablet.

Even if someone sets up their own Wi-Fi with good intentions, such as to extend the wireless
coverage, they could leave it open for others to connect. Additionally, it could cause
interference with the other access points in the building if it’s not set to a proper channel.

Someone with bad intentions could also plug in their own wireless router or access point into
a spare network port, leaving access wide open or configuring it with a password they know.
Either way, they then could easily get network access, even while sitting in the parking lot.

Limiting networks users connect to

You can make your Wi-Fi extremely secure and virtually impenetrable, yet your laptops and
wireless devices can still be easily penetrated. For instance, someone could set up a rogue
access point inside, or even outside, your building, tricking the computer/device or the user into
connecting to the rogue access point. Once the device is connected, the rogue person could
potentially access its files and data, or perform cracking of the real network’s password.

Although you can’t limit which networks every kind of device can connect to, it is possible on
some platforms: in Windows, for instance, via Netsh.
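Both rogue-AP scenarios above, an unauthorized access point on site and one advertising your own network name, can be looked for by comparing a Wi-Fi scan against an inventory of authorized access points. This is an added example, not part of the original article; the inventory, scan entries and signal threshold are constructed.

```python
# Constructed inventory of authorized APs: BSSID -> (SSID, security mode).
AUTHORIZED = {
    "02:00:00:aa:00:01": ("Harbor-7Q", "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("Harbor-7Q", "WPA2-Enterprise"),
}
OUR_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
NEARBY_DBM = -55  # assumed threshold: a stronger signal is probably inside the building

def find_suspect_aps(scan):
    """Return (bssid, reason) for every scan entry that needs a closer look.
    A BSSID can be copied, so a clean result is not proof of absence."""
    alerts = []
    for ap in scan:
        bssid = ap["bssid"].lower()
        known = AUTHORIZED.get(bssid)
        if known:
            if (ap["ssid"], ap["security"]) != known:
                alerts.append((bssid, "authorized BSSID with changed SSID or security"))
        elif ap["ssid"] in OUR_SSIDS:
            alerts.append((bssid, "our SSID from an unknown BSSID"))
        elif ap["signal_dbm"] >= NEARBY_DBM:
            alerts.append((bssid, "unknown AP with strong signal (on site?)"))
    return alerts

# Constructed scan results, as a site survey tool might export them.
SCAN = [
    {"ssid": "Harbor-7Q", "bssid": "02:00:00:AA:00:01",
     "security": "WPA2-Enterprise", "signal_dbm": -48},
    {"ssid": "Harbor-7Q", "bssid": "02:00:00:bb:00:09",
     "security": "Open", "signal_dbm": -60},
    {"ssid": "Phone-hotspot", "bssid": "02:00:00:cc:00:03",
     "security": "WPA2-Personal", "signal_dbm": -41},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:dd:00:04",
     "security": "Open", "signal_dbm": -82},
]

if __name__ == "__main__":
    for bssid, reason in find_suspect_aps(SCAN):
        print(bssid, "->", reason)
```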

Disable Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup (WPS) was designed to make encrypting Wi-Fi networks quick and
easy, by pressing a button or entering a PIN. However, security holes have been
found in this technology, allowing hackers to crack the WPS PIN and gain wireless access.
Although many vendors have made changes to this technology in their routers and access
points to help prevent cracking, it’s a good idea to disable it when you’re able to.

Verify physical security of the network and building

You can use the best Wi-Fi encryption and security in the world, yet your entire network can
be blown open in seconds with a quick factory restore of a wireless access point or by
someone plugging into a spare network port. Thus, regularly evaluate the physical security of
the network components and the building. Ensure the public and even employees can’t easily
access network devices, cabling, and ports.

Summary

I discussed many wireless security concerns and issues and how to protect against them,
other than the given of encrypting the Wi-Fi with a password. Wireless security is about
layers. Typically, the more security techniques you use or security holes you close, the less
likely it is that a hacker can gain access. Along the same lines, there are many ways hackers can
get in besides cracking the password, and preventing as many of those vulnerabilities as
possible makes your network more secure.

Remember: keep your network components updated with the latest firmware, choose the
SSID wisely, and replace those default passwords on your access points and other network
components with strong passwords. If you utilize VLANs on the network, double-check they’re
properly configured on the wireless side of the network. Monitor for rogue access points, limit
the networks that users’ devices can connect to, and consider disabling WPS. Also, don’t forget
about the physical security of your network and building.

There are many other ways you’ll find online that help secure your network further. Some
commonly mentioned ones I didn’t discuss here are hiding the SSID by disabling its
broadcasting, enabling MAC address filtering, and disabling/limiting DHCP. These I don’t feel
are worth doing in most cases, as the cons typically outweigh the pros of doing so.
