WiFi networks are incredibly common nowadays. You could travel to Thailand or India and find almost as many networks from companies and regular users as you could in US or Canada. But many users are not aware that unprotected WiFi networks are an easy target for hackers.
A hacked network can be used to spy on your online activity, corrupt files, steal information and a lot more. I wanted to make sure this doesn’t happen to me and did a lot of research on protecting WiFi networks. Here are the most important security measures you can take:
1. Set an unidentifiable network name (SSID)
If there’re a lot of WiFi networks in the parameter and a hacker wants to hack your network, it will be easier to find it if you decide to use your name (SSID) or the name of your business. You should do the opposite – name your network some different name so that if they plan on hacking you, they’ll have to go through many networks before they stumble upon yours.
It’s also best not use a SSID that is too common. For example “wireless” or the vendor’s default name. By using a common name like that, the encryption algorithm can be easier to crack since it combines the SSID with the password. Basically, it’s harder to crack a different name that isn’t pre-loaded in the hackers toolkit + password than a common SSID like “wireless” + password.
It’s understandable that you would want to name the SSID by your company name or address so that those users who need to find the network can do so more easily. But it makes the hacker’s job a lot easier as well.
A more extreme measure than changing the name is to turn off the SSID broadcast. This will make your network’s name invisible, but it has some downsides. First of all, it forces all users to enter the SSID manually, and it can also slow down your speed when they try to connect.
Furthermore, a skilled hacker can still capture the SSID by monitoring other network traffic. But it’s not a bad idea if not many people are using the WiFI network and entering the name manually doesn’t annoy them too much.
2. Increase physical security
Wireless security can get infiltrated by a hacker who has physical access to access points (APs). Even if you have the best encryption in the world, if they can get hold of the reset button and restore factory default settings, they can remove the WiFi security you set up and connect.
So the APs distributed across your facility need to be secured as well. This can be done by mounting it out of reach so that any attempt would get noticed. Using locking mechanisms, offered by the AP vendor or custom made can also be helpful for limiting access to AP buttons and other ports.
3. Add security against „rogue AP“
A „rogue AP“ is when someone adds an unauthorized AP to the network. This isn’t always malicious, as it could be done to add more WiFi coverage. But it could also be done by someone outside of your company or an Office Space type employee.
Securing against „rogue AP“ is simple – ensure that all unused ethernet ports are disabled. This can be done by physically removing the ports or cables, or by disabling the connectivity of that outlet or cable on the router or switch.
If you really want to increase your security, you can enable 802.1X authentication on the wired side. This means that any device that wants to plug into the ethernet port has to enter log-in credentials to gain access to your network. For 802.1X authentication to work, your router or switch needs to be able to support it in the first place, so check out if it does first.
4. Use Enterprise Mode
The enterprise mode of WiFi security is really beneficial because:
- Every user can get a different username and password
- Every user can get a different encryption key
It allows for every user to be authenticated individually. In other words, every user has his own WiFi username and password. In comparison, the personal mode which is the default mode has everyone sharing the same password. If something happens you have to change the password on every device. So enterprise mode can drastically reduces the chance of a security breach because if a laptop or a smartphone for example get stolen, you can simply change or remove that user’s log-in credentials. The same is true if an employee leaves the company.
An amazing advantage of separate encryption keys needs to be pointed out as well. So each user can only decrypt the data traffic of their own connection. So no one can view anyone else’s wireless traffic. For example, if a hacker got a hold of some low-tier clerk’s username and password, he couldn’t get to the really important information about the company.
Still not sure how it works? Check out this video explanation:
How to setup Enterprise Mode
The first thing you need to set up is a RADIUS server. It’s main purpose is to enable user authentication and to hold the database that includes everyone’s usernames and passwords.
There are many ways to do this:
- deploy a standalone RADIUS server
- check if your other servers like a Windows Server can be used
- use a cloud-based or hosted RADIUS service
- some wireless APs and controllers have a built-in RADIUS server with limited performance and functionality. But they can be good enough for smaller networks.
Secure the Enterprise Mode against “man-in-the-middle attacks”
The enterprise mode is a great upgrade from personal mode, but it still has some weak points. The main one is the possibility that someone will set up a fake WiFi network with the same or a very similar SSID as your network.
So they could be sitting in a cafe next to your office. You or your employee could connect by accident to this fake network that has the hacker’s RADIUS server, and he could capture your username and password. Once he has them, he could use them to connect to the real WiFi network.
The best way to prevent a man-in-the-middle attack is to use server verification from the client side. So when server verification is enabled, there will also be a checkup to see if you’re connecting to a legit server or not.
In other words, even if you type in your username and password and try to connect to a hacker’s fake server, it won’t capture them because the wireless client will recognize it as a fake server. Whether you can do this and to what degree depends on the device and the operating system.
It can be done in Windows by following these steps:
- enter the domain name(s) of the legit server
- select the certificate authority that issued the server’s certificate
- choose to “not allow any new servers or certificate authorities”
So even if you try to log in to a fake WiFi network that can collect your credentials with a RADIUS server, Windows will prevent you from connecting.
Use “rogue-AP” detection
There are 3 main ways to hack a WiFi network:
- set up a fake WiFi network and RADIUS server to capture users’ credentials
- physically reset an AP to factory defaults to get rid of security measures
- plug in a “rogue AP” by using unprotected ports
I’ve explained all three of these already and ways to prevent it from happening. However, if it does happen, it’s good to have additional protection in place to detect it. Your AP or wireless controller vendor could have some rogue detection that can be enabled. They will scan the system periodically and send alerts if a new AP is detected. You can then act quickly, remove it and change user credentials.
5. Activate a WIDS or WIPS
To maximize your chances of detecting any illegal activities, you can use a premium wireless intrusion detection system (also known as WIDS) or intrusion protection system (WIPS). These systems are much more detailed in their analysis. They can pick up strange de-authentication requests, mis-association requests and much more. Learn more about them in this video:
A WIPS is a better option because it can offer protection as well. So if any strange activity is detected it can take automatic countermeasures. For example, it could block the wireless client that is behaving strangely to protect the network.
So your AP vendor could provide some of these detection and protection capabilities. But if it doesn’t, or they’re not up to the high security standard you’re looking for, there are some premium options dedicated specifically to securing WiFi networks.
Popular sensor-based solutions are offered by 7Signal and NetBeez among others. They can also monitor your WiFi performance and check for irregular disconnects or errors that could be fixed to improve speed and general performance. To learn more about finding the ideal WISP for your situation check out this article from Search Security.
Final Word: How to secure a WiFi network
Many regular users think that hackers always use complicated methods that require a lot of programming and genius level of IQ. In reality, any intruder, whether he’s trying to get inside your home and steal your TV, or crack your WiFi password and steal credit card information will try to use the easiest entrance point available.
If they can enter your network by setting up a false network with the same name and sip on coffee in the nearby cafe waiting for you or an employee to log into it, they’ll do that. And if they can physically manipulate the APs or ethernet ports, they’ll use them as a preferred or alternative method.
Either way, it’s important to patch both network and physical vulnerabilities. Hopefully you’ll use the methods presented in this article to your advantage.