Tips for Securing Your Wi-Fi Networks

by Manjula Sridhar    Dec 04, 2008

As of this writing, the state of Wi-Fi security is alarmingly weak, as measured by a survey conducted by Deloitte in Mumbai, one of the financial hubs.

The key findings as quoted from the survey are:

“Of the 6729 wireless networks seen, 36% appeared to be unprotected i.e. without any encryption, 52% were using low level of protection i.e. Wired Equivalent Privacy (WEP) encryption. Balance 12% was using the more secure Wi-Fi Protected Access (WPA). This makes 88% of the observed wireless networks relatively easy to compromise.”

In a Wi-Fi scenario, security can be compromised in two ways:

1) Your Modem or Router getting hacked into

In this scenario, the issue is that external entities try to get into your network by hacking into your enterprise’s Wi-Fi signal. Another serious issue is that a rogue Access Point (AP) set up in your enterprise’s physical vicinity with a stronger signal can redirect your employees to connect to that AP.

2) Your Employees connecting to Rogue Access Points

The second situation usually arises when your employees travel with their laptops and connect to various public networks. This can happen by connecting to a rogue AP, an insecure AP or a peer-to-peer network set up by an ad hoc user.

The following are the measures that should be undertaken to address these issues.

Protection from Hackers connecting to your network

The measures used to protect Wi-Fi security depend on budgetary resources, time constraints and network infrastructure needs. Usually layered security works best, and a well-thought-out plan needs to be developed.

Sanity Measures

Secure the modem/router itself with a strong user name and password for administration access. Physical security is also a factor to consider if needed. Change the default SSID to something appropriate, though this doesn’t add much to security because the SSID is broadcast.

Encryption/Privacy

Wi-Fi at this point in time provides three encryption options, namely WEP, WPA and WPA2. WEP and WPA are known to be insecure, so use WPA2 as the encryption option. It provides two modes: personal and enterprise. Personal, or pre-shared key (PSK), mode is easier to configure and doesn’t need additional infrastructure. However, it may not be suitable where stringent security is required. In Enterprise mode, WPA gets integrated with an AAA server based on RADIUS and EAP (Extensible Authentication Protocol). But this requires additional investment in an AAA server.

Authentication/Access control

Use WPA2 in Enterprise Mode

One of the primary issues with Wi-Fi is that it has been designed for easy public access, and hence the SSID acts as a common username and identity for the modem itself. The WPA key acts both as an access password and as an encryption key. In an enterprise setting the first step would be to address this issue and use WPA2 in Enterprise mode, which allows for extending the access control and gets integrated with an identity database through AAA.

So when a user accesses the router, an additional level of authorization is performed against pre-configured users before the user gets access to the Wi-Fi router.

While this provides strong security, it is open to denial-of-service attacks.

Use MAC Based Filtering

MAC-based filtering can be configured in your firewall or Wi-Fi router and can be an additional level of protection. One can also consider static IP addresses, but they are very difficult to manage and are a burden to administrators. However, MAC addresses and static IP addresses can be captured and spoofed.

Use Wireless Intrusion Prevention Systems

As you can see, the security measures mentioned above have some issues that still need to be addressed and managed. For stringent security needs it is better to invest in a Wireless Intrusion Prevention System (WIPS) that takes care of not only the above issues but also the following:

• Rogue APs masquerading as the enterprise Wi-Fi router (Evil Twin attack)
• Unauthorized association
• Ad hoc networks
• MAC spoofing
• Denial of service
• Man-in-the-middle attacks
• Monitoring and alarm generation
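The rogue-AP, ad hoc and weak-encryption checks from the list above, sketched as monitoring logic in an added example (not part of the original article or of any WIPS product). The authorized-AP inventory, SSIDs, BSSIDs and finding names are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed inventory (constructed values): SSID -> {authorized BSSID: expected encryption}
AUTHORIZED = {
    "CorpNet": {"00:11:22:33:44:01": "WPA2", "00:11:22:33:44:02": "WPA2"},
}
WEAK = {"OPEN", "WEP", "WPA"}  # the article accepts only WPA2


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    encryption: str  # OPEN, WEP, WPA or WPA2
    mode: str        # "infrastructure" or "adhoc"


def classify(b: Beacon) -> list[str]:
    """Return the findings a monitoring sensor would raise for one observed network."""
    findings = []
    enc, bssid = b.encryption.upper(), b.bssid.lower()
    known = AUTHORIZED.get(b.ssid)
    if known is not None:
        if bssid not in known:
            findings.append("rogue-ap-same-ssid")     # evil-twin candidate
        elif known[bssid] != enc:
            # A BSSID can be spoofed, so a known MAC with the wrong settings is suspect.
            findings.append("bssid-config-mismatch")
    if b.mode == "adhoc":
        findings.append("adhoc-network")
    if enc in WEAK:
        findings.append("weak-encryption")
    return findings


def audit(beacons: list[Beacon]) -> dict[str, list[str]]:
    """Map BSSID -> findings, omitting networks with nothing to report."""
    return {b.bssid: f for b in beacons if (f := classify(b))}


# Constructed scan results, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", "WPA2", "infrastructure"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", "OPEN", "infrastructure"),
    Beacon("CorpNet", "00:11:22:33:44:02", "WEP", "infrastructure"),
    Beacon("Free Public WiFi", "02:aa:bb:cc:dd:ee", "OPEN", "adhoc"),
    Beacon("CafeGuest", "00:aa:bb:cc:dd:10", "WPA2", "infrastructure"),
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, ", ".join(findings))
```

A spoofed BSSID that also copies the expected encryption setting passes these checks, which is why the inventory comparison is only one layer alongside WPA2 Enterprise authentication.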

Protection from Rogue APs

Rogue AP security issues can arise from a rogue AP lurking around your office and from your employees outside the office accessing APs for internet access. While WIPS can address the issue of rogue APs in the neighborhood of the enterprise WLAN, the issues of the mobile workforce still need to be addressed.

Awareness and Policy enforcement

The first step is making sure that your mobile workforce is aware of Wi-Fi security issues. This needs to be enforced by guidelines and policies that establish the Wi-Fi access rules. Some sanity measures that need to be employed by the mobile workforce are:

• Disable Wi-Fi while not using the internet.
• Turn off ad hoc networks so that peer-to-peer connections won’t happen.
• Connect only to secure and authorized Wi-Fi APs.
• When using public APs, limit internet activity to browsing and avoid accessing sensitive information.
• Use VPN-based access for sensitive applications.

Further, these need to be extended to all mobile devices that provide Wi-Fi access, such as mobile phones, laptops and BlackBerries.

Install Personal Firewalls on Enterprise Laptops

Many newer firewalls exist which safeguard laptops from connecting to rogue APs and enforce rules and guidelines. These will also make sure a VPN is used for accessing the internet.

Conclusion

Finally, security is never a one-time activity. Continuous monitoring and management are required to take care of churn, new vulnerabilities, patch management and other dynamic events. Make sure your regular security audits cover the Wi-Fi aspects in depth.