Nov 19 2009

Wireless Security Lockdown

These methods can help ensure a secure network for your organization.

With the constant influx of wireless devices, it is increasingly important to ensure 802.11x networks are adequately secured. The primary concern for users is knowing that their wireless network is readily available. But for the IT manager, knowing that the network is secure and protected is paramount.

There are several methods for securing your network, including hiding it and filtering networked devices to allow access only by those with approved Media Access Control (MAC) addresses. These methods will keep your data and users safe from threats. But no method is foolproof, so understanding your security and implementing the best method will go the farthest in providing peace of mind.

Security Protocols

First and foremost, don’t open the network to anyone walking by. Keep in mind that every router you purchase is set up out of the box to be an open wireless network; your job is to seal that up. There are several protocols you can use, and your choice depends on the types of devices you expect to support:

  • Wired Equivalent Privacy: Dating to 1999, WEP is the oldest and therefore most universal security protocol for wireless. WEP is secure against an average threat, but a hacker with extensive knowledge can discover a password if given enough time. This is a serious disadvantage for users in densely populated areas or where there is a significant threat of intrusion. But WEP provides the lowest common denominator for device connectivity. Every device with an antenna can connect to WEP without any issues. This is helpful if you have older personal digital assistants to connect to your network. Also, WEP does not decrease your data throughput as more sophisticated protocols will.
  • Wi-Fi Protected Access: Created in 2003 to replace WEP, WPA offers 256-bit level security, far above the 40-bit offered by WEP. This is a powerful deterrent to even the most adventurous users and will ensure a quite secure network. It allows the use of passphrases instead of a long string of characters (WEP’s method), but most users tend to use easily guessed words, such as street names or last names. Avoid those examples and you are well on your way to setting up a secure network. Always remember that older devices may not be able to connect to your WPA network, and you may have to look at the manufacturer’s website to find available updates. Some throughput will be lost during the encryption process, but the amount is negligible.
  • WPA2: WPA2 was created in 2004 as a WPA extension to offer a deeper level of security for WPA. It is the most secure wireless security a router can provide. The configuration is extremely similar to WPA and also adds a stronger encryption algorithm. It surpasses all other protocols in security, but what you gain in security you also lose in bandwidth. There will be a drop in speed from high-level encryption. Also, only newer devices will be able to connect to WPA2, so you will need to test your oldest devices to see what level of security they can support. 

Network Configuration

Once you have chosen a wireless protocol, you can configure the backbone of your network to add another layer of security to the router. Routers vary from one to another, but there are techniques that work for even bare-bones wireless routers. The most common methods are to hide the network completely and to allow access by only specific MAC addresses.

There are advantages and disadvantages to each of these methods, but they are very interchangeable and effective when used with the security protocols:

  • Hiding SSID: The term Service Set Identifiers (SSID) refers to the network name chosen and what a wireless device will detect when searching for a network. A router, unless otherwise configured, will broadcast the network’s SSID at all times for everyone to see and attempt a connection. Hiding the ID will force devices to know the network’s password and its name — basically making the network invisible. If the password is compromised but the network name remains secure, there will be no way to connect to it, thus the extra layer of security. Remember that when setting up new devices, you will need to know the network’s name (which will be case sensitive) and the security type and password.
  • MAC address filtering: Filtering MAC addresses can be an extremely powerful security measure that all IT managers should consider. Every device has a unique MAC address, which is simply the hardware designation for the Ethernet device. Because no two MAC addresses are alike, you can enable your router to prevent all MAC addresses from connecting other than the ones you designate. Even the most knowledgeable intruder will have a difficult time attaching to your network if MAC filtering is enabled. It should be noted that once enabled, if you have a guest device in your building, you will have to log into your router, add the device’s MAC address and save the changes before the device will be able to access the network — a small price to pay for high-level security.

Wireless devices will continue to evolve and change, and as more tools become 802.11x-enabled, the importance of a secure wireless network increases exponentially. Every year, organizations look for ways to add wireless abilities to a vast array of new products, from televisions to the latest smartphones. That said, no two networks are alike, and no set of security measures are going to be the same. But by applying smart basic security techniques, in any combination, you can be assured that your data and network traffic will be as safe as possible.