Securing Wi-Fi Networks

The security of your wireless network is crucial to keeping your data well protected and your network operating at peak condition. There are several easy things you can do to improve the security of a Wi-Fi system.

Passwords

Changing your administrator password should be the first thing you do, as the default one installed on your router is often known to potential attackers. Hackers have many tools at their disposal, such as programs which automatically test thousands of possible username and password combinations (brute force attacks); don’t make it any easier for them.

SSID Broadcasting

Turning off SSID broadcasting, as well as changing the network name, can be useful for limiting your network’s exposure. Attackers widely know the default names that ISPs and router manufacturers use, so if an unauthorized user knows what type of router you use (often by looking at the default name of your network), they can then craft a customized attack. I tend to find the network name “FBI Van 1” humorous, and it further thwarts undesired eyes from your network.

Encryption

Changing your encryption settings can have a significant impact on your network’s security as well; Wired Equivalent Privacy (WEP), for example, isn’t as safe as Wi-Fi Protected Access (WPA). WPA2 is an improved version of WPA and should be used if available. For encryption algorithms, AES (Advanced Encryption Standard) provides stronger encryption than TKIP (Temporal Key Integrity Protocol); TKIP is only needed for backward compatibility with older devices. EAP (Extensible Authentication Protocol) further strengthens the authentication process; it supports one-time passwords, tokens, and smart cards. PEAP (Protected Extensible Authentication Protocol), a later development of EAP, is much more secure, as it authenticates the server with a public key certificate.

WPA3

With the introduction of WPA3, many improvements will begin to appear in Wi-Fi devices.

One of the most significant updates is making passwords more challenging to guess or decipher with brute force attacks (using a program to automatically generate guesses for a password). In the current world of the IoT (Internet of Things), Wi-Fi-enabled devices connect to everything we have come to love, and many of these hold valuable personal information that could be disastrous if it fell into the wrong hands. WPA3 prevents offline guessing: an attacker gets only a single password attempt per interaction with the network, rather than unlimited attempts against captured data. Additionally, unauthorized access to old data is prevented using ‘forward secrecy’; this feature ensures that even if a password is cracked, one will only be able to seize information which is currently flowing, not traffic captured earlier.

Just as with WPA2, WPA3 will undergo further changes and updates over the years. Easy Connect, another update that arrives with WPA3, simplifies connecting the many smart devices we all use to routers by scanning a QR code or using a smartphone with the proper credentials. While this is very exciting, it is essential to remember that unless your current Wi-Fi device supports a WPA3 update, a new WPA3-capable Wi-Fi device must be purchased.

Turning Off Network When Not in Use

Although it sounds simple, many users forget that just turning off your network when you are not using it reduces the time window in which a malicious attack can be made against it.

Firmware

Similar to your computer, a router has an OS (Operating System). Router firmware often needs updating, and some routers do not do this automatically. As new vulnerabilities and exploits are released, the router’s firmware will need to be updated to include fixes for these potential threats. Checking and updating your router’s firmware every month is a great idea.

Disable Guest Accounts

While guest networks have benefits, such as not allowing guests to access your entire system, they are somewhat of a double-edged sword. Guest accounts are useful in small businesses such as coffee shops, where customers may want to use a computer and only need access to specific content. However, if guest accounts do not require any form of password to log in, you are opening yourself up to anyone who wishes to access your network; for a hacker, this is often the only foot in the door they require.

Firewalls

If your router has a built-in firewall (not all do), be sure to enable it. Firewalls serve as your network’s first line of defense and are designed to filter and manage traffic both entering and exiting your network. Firewalls can also prevent intruders from gaining access through unused ports.

VPN

A VPN (Virtual Private Network) creates a protected, encrypted connection over a less secure network (such as the internet). While a VPN will not provide much security in your immediate area (against your neighbors, for example), it can help stop attacks originating farther from your location. By connecting first to your VPN server and then to the outside internet, your internet traffic will appear to come only from the VPN. By using a VPN, your traffic will be partially anonymized, thus reducing your chance of unauthorized access.

Virtual Private Networks used in businesses accomplish this by using virtual connections that route through the internet from a remote site or an employee to the business’s private network. By implementing a VPN, companies can connect with their employees all around the world using a quick, reliable, and protected method of sharing information. Virtual Private Networks also provide enhanced security by means such as encryption. They offer a business greater flexibility for remote offices, improved security, savings in time and costs for employee commutes, better reliability, and enhanced scalability, as a Virtual Private Network can easily be extended as needed.

A Site-to-Site Virtual Private Network can be Intranet or Extranet based.

Intranet-based Site-to-Site VPNs enable multiple remote locations to establish secure connections with each other and act as a single network. This would be used, for example, by a system that spans several buildings and needs access to a data center, with secure access through strong encryption over private lines; this type has high-bandwidth capabilities and performance.

Extranet-based Site-to-Site VPNs allow numerous buildings in remote locations to work in a shared environment; this form is more reliable and easier to manage.

Remote-Access Virtual Private Networks are also sometimes called Virtual Private Dial-Up Networks (VPDN); these networks are useful when users need remote access to a network. A company’s data in this type of VPN can, for example, be accessed remotely through a third-party service provider. This type of VPN would be used, for example, when a company’s employees in remote locations wish to connect their laptops to the corporate LAN.

Pros and Cons of VPNs

Pros: High security when compared to other forms of remote communication, lower costs, higher scalability, and greater flexibility of compatible devices.

Cons: More complex design and security configuration, reliability can be an issue, possible incompatibility problems with different infrastructures, and possible security problems with the use of wireless devices.

Disable WPS

WPS (Wi-Fi Protected Setup) is a system that allows a simpler connection to an encrypted Wi-Fi network; it does this by not requiring the passphrase. Although it can indeed make things simpler when connecting your equipment, unauthorized users can potentially enjoy the same benefit. WPS has many known security holes and exploits and is often enabled by default. If you can remember your passphrase, there is really no need for WPS, so disabling it is always recommended.
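The settings recommended in the Encryption, SSID Broadcasting and Disable WPS sections are easier to check than to remember, so here is an added example (not code from the original post) that audits a hostapd-style access-point configuration for exactly those weak settings. The two configurations and the finding codes are constructed for this illustration; the option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wps_state`, `ignore_broadcast_ssid`, `wep_key0`) are standard hostapd.conf keys.

```python
"""Audit a hostapd-style access-point configuration for the weak settings
discussed in the post: WEP or open networks, legacy WPA, TKIP, WPS left on,
and SSID broadcasting.

Added example. Both configurations below are constructed for this
illustration; the option names are standard hostapd.conf keys."""


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(text: str) -> list:
    """Return a list of 'CODE: explanation' findings; empty means nothing weak was found."""
    s = parse_hostapd(text)
    findings = []

    # wpa=0 is open (or WEP if wep_key* is set); 1 = WPA only; 3 = WPA+WPA2 mixed mode.
    wpa = s.get("wpa", "0")  # hostapd's default is 0
    if wpa == "0" or any(k.startswith("wep_key") for k in s):
        findings.append("WEP_OR_OPEN: no WPA2 protection; set wpa=2")
    elif wpa in ("1", "3"):
        findings.append(f"WPA1_ALLOWED: wpa={wpa} still accepts legacy WPA; set wpa=2")

    # Pairwise ciphers for WPA (wpa_pairwise) and WPA2/RSN (rsn_pairwise).
    ciphers = (s.get("wpa_pairwise", "") + " " + s.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP_ENABLED: TKIP is only for backward compatibility; use CCMP (AES) only")

    # wps_state: 0 = disabled, 1 = enabled but unconfigured, 2 = enabled and configured.
    if s.get("wps_state", "0") != "0":
        findings.append("WPS_ENABLED: Wi-Fi Protected Setup is on; set wps_state=0")

    # ignore_broadcast_ssid: 0 = broadcast the name, 1 or 2 = hide it.
    if s.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID_BROADCAST: network name is broadcast; set ignore_broadcast_ssid=1")

    return findings


# Constructed "before" configuration: factory-style name, mixed WPA/WPA2, TKIP, WPS on.
WEAK_CONF = """\
interface=wlan0
ssid=NETGEAR-1234
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
ignore_broadcast_ssid=0
"""

# Constructed "after" configuration applying the post's recommendations.
HARDENED_CONF = """\
interface=wlan0
ssid=FBI Van 1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
ignore_broadcast_ssid=1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Consumer routers do not expose a hostapd.conf, but the same toggles appear in their web interface under different labels; the audit above is the post's checklist in executable form, and the `HARDENED_CONF` block shows what the finished settings look like together.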

Disable Remote Management

Routers often feature remote management, a service which allows you to manage a router from outside your network; this feature can be enabled by default. Honestly, there are very few benefits to having this enabled, so it is a great idea just to disable it and reduce the risk of unauthorized users gaining access to your router’s management interface.

Disable DHCP

Instead of using the DHCP (Dynamic Host Configuration Protocol) server in your router, which is what assigns an IP address to each device on the network, you should use static addresses and network settings (going into each device and assigning it an IP address that matches your router’s network).

Rotating Passphrases

Just like any password, your router’s passphrase needs to be complex, must not contain any personal information that an attacker could guess or find on social media, and should be rotated every so often. Changing to a new password every month or so is a great way to keep up the security of your network. Again, passwords should use multiple types of characters, symbols, and numbers, and be stored in a safe location (hopefully your memory).

Rogue Access Points

A rogue access point is a wireless access point that has been installed on a private company’s network (or a home/personal network) without proper authorization. These rogue access points can create a massive headache unless defended against using the following tips.

The network’s policy is the first area that needs attention: a no-exceptions policy against the unauthorized use of wireless LANs must be established, and an amnesty program that allows employees to disclose any self-installed APs to the IT department should be encouraged to further reduce these risks.

How your company’s IT department discovers rogue access points is critical as well. Sniffing tools can be used to physically survey the various facilities for wireless LAN signals and determine which ones are rogue. These signals can even be coming from loading docks, truck terminals, and smaller areas that can go unnoticed. Constant maintenance of the areas mentioned is the last step that can strengthen your defense against rogue access points. An IT department must continuously teach the other employees about safe internet usage and inspect the company for rogue access points without rest.

With the increasing popularity of cell phones that can act as Wi-Fi access points, the defense tips above for protecting against rogue access points will need modifications, such as controlling the use of Wi-Fi access points and even inspecting employees’ cell phones if a higher level of security is desired.
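The survey step described above produces a list of visible networks, and the useful part is comparing that list against what IT actually installed. The following added example (not code from the original post) does that comparison: it parses a simplified survey in the general shape of `iw dev <iface> scan` output, checks each BSSID against a constructed inventory of authorized access points, and sorts the rest into spoofed network names, likely on-premises rogues, and distant neighbours. The inventory, survey text, and the -70 dBm "inside the building" threshold are all constructed for this illustration.

```python
"""Flag rogue access points by comparing a wireless site survey against the
IT department's inventory of authorized access points.

Added example. The inventory and the survey text are constructed for this
illustration; the survey follows the general shape of `iw dev <iface> scan`
output but is simplified and was not captured from a real network."""

import re
from dataclasses import dataclass

# Constructed inventory: BSSID (radio MAC) -> SSID that IT authorized for it.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}

# Constructed threshold: a signal stronger than this is probably inside the building.
ON_PREMISES_DBM = -70.0

# Constructed survey in simplified iw-scan style: a 'BSS' header, then indented fields.
SURVEY = """\
BSS aa:bb:cc:00:00:01(on wlan0) -- associated
    freq: 2412
    signal: -41.00 dBm
    SSID: CorpWiFi
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2437
    signal: -38.00 dBm
    SSID: CorpWiFi
BSS 11:22:33:44:55:66(on wlan0)
    freq: 5180
    signal: -44.00 dBm
    SSID: Linksys
BSS 66:55:44:33:22:11(on wlan0)
    freq: 2462
    signal: -87.00 dBm
    SSID: NeighbourNet
BSS aa:bb:cc:00:00:03(on wlan0)
    freq: 5240
    signal: -50.00 dBm
    SSID: CorpGuest-Open
"""

BSS_LINE = re.compile(r"^BSS\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    freq_mhz: int
    signal_dbm: float


def parse_survey(text: str) -> list:
    """Turn the survey text into AccessPoint records, one per BSS block."""
    aps, cur = [], None
    for line in text.splitlines():
        head = BSS_LINE.match(line)
        if head:
            cur = {"bssid": head.group(1).lower(), "ssid": "", "freq": 0, "signal": 0.0}
            aps.append(cur)
            continue
        if cur is None:
            continue  # text before the first BSS header
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("freq:"):
            cur["freq"] = int(field.split(":", 1)[1])
        elif field.startswith("signal:"):
            cur["signal"] = float(field.split(":", 1)[1].split()[0])  # drop the 'dBm' unit
    return [AccessPoint(a["bssid"], a["ssid"], a["freq"], a["signal"]) for a in aps]


def classify(ap: AccessPoint, authorized: dict = AUTHORIZED) -> str:
    """Decide what a surveyed AP is, from the inventory and its signal strength."""
    expected_ssid = authorized.get(ap.bssid)
    if expected_ssid == ap.ssid:
        return "authorized"
    if expected_ssid is not None:
        return "misconfigured"   # our hardware, but not the SSID it was issued; inspect it
    if ap.ssid in authorized.values():
        return "spoofed-ssid"    # unknown hardware imitating one of our network names
    if ap.signal_dbm > ON_PREMISES_DBM:
        return "rogue-suspect"   # unknown AP strong enough to be inside our facility
    return "neighbour"           # weak unknown signal, most likely a neighbouring network


def audit_survey(text: str, authorized: dict = AUTHORIZED) -> dict:
    """Map each surveyed BSSID to its classification."""
    return {ap.bssid: classify(ap, authorized) for ap in parse_survey(text)}


if __name__ == "__main__":
    for bssid, verdict in audit_survey(SURVEY).items():
        print(f"{bssid}  {verdict}")
```

A radio survey on its own cannot prove that an unknown access point is plugged into your wired network, so treat "rogue-suspect" and "spoofed-ssid" as leads for the physical inspection the post recommends rather than as final verdicts, and tune the signal threshold to the size and layout of your own building.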

The Router Itself

A router is a network device that forwards data packets from one network to another; it also determines which port to send each packet out of. In other words, a home router merely gives Wi-Fi access to a large area. Routers only cover a certain number of square feet, so additional routers are sometimes needed. In an office setting, a more advanced router will be required due to the higher traffic load, external line costs, and congestion.

A secure router can be configured so that only specific MAC (Media Access Control) addresses are permitted to connect. The sophistication of a router is one of the most influential factors in defending your network from unwanted users. A simple upgrade of the router is an excellent start, as more advanced equipment comes out every year. A new router can have security, range, and speed benefits. Make sure you place the router in an area that gives maximum coverage of your house. A router in the basement, for example, might cause connectivity problems on higher floors. If your router allows it, you can also upgrade the antenna to increase the area of Wi-Fi connectivity in your house. Be sure to remember that having your router in the center of your house/office is also recommended, as you do not want your Wi-Fi signal reaching too far outside of your home or office.

Summary

As we are living in a world where everything is connected, the security of our Wi-Fi-enabled devices needs to be as advanced as the hardware itself. Hopefully, this post will guide you in your mission to boost your Wi-Fi protection.
