|
Tips to Secure Your Small Business Wi-Fi Network By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on InformIT.com Securing your wireless network is all about layers. Flipping on encryption helps block people from connecting over Wi-Fi and also scrambles the network traffic that flows through the air. However, this doesn’t help if someone can just come into the building and plug in. Plus, if the encryption key is cracked, you’re toasted. Though encryption is the most important security layer for wireless networks, you need to use more. The more techniques you use, the more secure your network and its data will be.
The following tips describe many
techniques and methods to secure your small business Wi-Fi network.
The Wired Equivalent Privacy (WEP)
encryption method was debunked long ago and provides inadequate
Wi-Fi security. The WEP encryption keys can be cracked, in some
cases, within minutes. You should use the Wi-Fi Protected Access
(WPA or WPA2) encryption method.
To prevent employees from seeing the
encryption keys or passphrases and having them loaded on their
computers, you should use the Enterprise version of WPA or WPA2
rather than the Pre Shared Key (PSK) or personal version. Otherwise,
when an employee leaves the company, he or she will still have the
key to unlock the network. Additionally, their laptop could be
stolen and a thief could have the key. Sure you can change the
encryption settings, but it’s a headache. WPA/WPA2-Enterprise hides
the actual encryption key; it’s never loaded onto the computers.
After everything is configured, users log onto the network with a
username and password that can be changed or revoked.
Though you can use the latest and
greatest Wi-Fi encryption in the world, it’s useless if someone
plugs into a port within the building and can access the network.
Additionally, employees could even plug their own AP into a port,
intentionally or not, giving out open wireless access. To reduce the
chances of this happening, make sure all routers, APs, and network
devices are hidden and secure. You could use closets, high mounting
locations, or the space above false ceilings.
To encrypt the wired side of the
network and for double Wi-Fi encryption, you could use VPNs. You
could buy a standalone VPN server, install server software on a
computer, or purchase a hosted service. Every computer on the
network could be configured to connect with the VPN server. Then
even the users’ traffic on the wired side of the network will be
encrypted and double encrypted over the airwaves.
Since computers may be sharing files
or have sensitive data on them, you need to prevent them from
connecting to other networks. Check Windows to make sure it isn’t
set to auto connect to available networks. In Vista, you can even
use the WLAN commands for the Netsh utility to block all networks
but yours. This would prevent employees that mistakenly or
intentionally connect to neighboring networks.
Dividing your network into separate
virtual networks (VLAN) provides internal security. You can better
control the resources and network traffic employees can access and
receive. Thus, a regular employee can’t open files shared on the
computers of the management staff. Additionally, if an employee does
monitor the raw network traffic, he or she will only see traffic on
their own virtual network. VLANs can also provide external security
as unauthenticated users can be allocated to a separate VLAN. Plus,
if someone does gain unauthorized access, he or she will have access
to only a portion of a network.
To protect the network from Internet
or local attacks and intrusions, you should always have firewalls
running on the computers and on the network router. Ports should
only be opened only when necessary. For additional security, you can
define the IP address scope that can use the ports.
Though Wi-Fi hackers can easily spoof
the MAC addresses of their network adapters, using MAC address
filtering provides another layer of security. It just takes some
overhead to enter the MAC addresses of all your computers or
devices.
Though not broadcasting your network
name only throws Wi-Fi hackers off for a moment, it does add another
layer of security. The SSID can still be retrieved over a short
period of time with basic tools. Additionally, hiding the SSID can
cause a big headache for you; it can cause connectivity problems.
Securing your network and computers
requires some maintenance. You need to periodically check for
firmware updates for the router, access points, and other network
components. You also need to keep track of the network adapters that
are loaded in the computers and update them with new drivers if and
when they become available. Additionally, make sure the operating
systems on all the machines are kept update-to-date with security
patches and fixes. Keeping everything maintained will help ensure
any known vulnerabilities are addressed and any new security
features are supported. If you could completely block incoming and outgoing radio signals at the exterior walls of your building, you wouldn’t have to worry about Wi-Fi attackers or eavesdroppers in the parking lot. Though that isn’t practical, you could try to reduce signal leakage. Between relocating APs and tuning down their power levels, you can somewhat keep the signals contained in your controlled area. |
|||
|
Home ·
About Us · Press
· Contact Us
|
