8 tips to protect your business’ wireless network

Enamored by Wi-Fi’s convenience, we tend to be blind to its risks. Many routers are riddled with security holes that leave your data exposed to enterprising hackers and other intruders. And if you’re running a business, the jeopardy is even greater. To keep your wireless network secure, follow these eight security tips.

Change the default password

If you didn’t do it when you set up your router, immediately change the default password. This is an essential step given that the default passwords for all network equipment vendors are widely known and just a quick search away.

Use only WPA2 encryption

The unidirectional nature of Wi-Fi signals necessitates the use of encryption to prevent neighbors or malicious parties from spying on your online activities. Even though the option is still available for legacy reasons, avoid WEP encryption as it can be cracked in minutes. Use only WPA2, which introduces a new AES-based encryption for better security over WPA. There’s really no excuse not to: Every Wi-Fi router bearing the Wi-Fi trademark today supports it, as does every wireless device and Wi-Fi adapter card made in the last few years.

Use a complex passphrase

Despite the lack of known weaknesses in WPA2, it is susceptible to brute force attacks when used with an easily guessed passphrase. Specialized software makes it trivial for attackers to process captured wireless data packets against huge dictionary lists to obtain a match. To foil such attacks, use a passphrase containing at least 25 characters including a mix of letters (upper and lower case), numerals and symbols.

Avoid common SSID names

One common tip is to not broadcast the SSID (Service Set Identification). While this could be used to throw off novice attempts at breaking in, hiding the SSID is useless against a half-competent hacker.

However, it’s good practice to not use the default SSID, as well as common names. Hackers have developed pre-computed tables of password hashes known as a “rainbow table” to find the WPA passphrase quickly. These tables are keyed to individual SSIDs, and using one that is not on the list would force an attacker to adopt a more time consuming approach without the benefit of a ready-to-use rainbow table.

Disable WPS

If your Wi-Fi router supports Wi-Fi Protected Setup (WPS), disable it. Created as a user-friendly way for users to add new devices to their network, the WPS PIN is an 8-digit number printed on the label of WPS-enabled devices. Depending on vendor implementation, however, it is likely to be susceptible to brute force attacks.

WPS makes it easier to add device to your network, but it also makes your network more vulnerable.

An attacker can crack the PIN code of a vulnerable device with between four to 10 hours of automated effort, which would allow them to recover your secret passphrase and make changes to your Wi-Fi hardware.

Set up a guest network

It would be bad form to deny friends and relatives access to your Wi-Fi network when they’re visiting. But circulating the static passphrase to everyone is bad security. Instead, set up a separate wireless network under a second SSID, a feature supported by an increasing number of wireless routers. Having a separate network for guests allows you to routinely change the passphrase without affecting your own devices. You can even disable it entirely when not in use.

Forget MAC address filtering

The MAC (media access control) address is a unique identifier hardcoded to individual ethernet ports and Wi-Fi devices. However, the actual effectiveness of this is dubious, since it's trivial to spoof a MAC address.

Most Wi-Fi access points will allow you to filter out unauthorized MAC addresses, though the security benefits are dubious.

Unless you know what you are doing here, we would urge against using MAC address filtering due to the inconvenience and hassle that can result from a misconfiguration. Moreover, having to manually add every single tablet or smartphone that you acquire is a productivity downer.

Disallow admin access from wireless network

You may not be able to keep a determined hacker out, but you don’t have to make his job easier. Disallowing administrative access from the wireless network shout keep any successful hacker from wreaking further havoc by making changes to the configuration of your Wi-Fi router. Obviously, this means that any tweaks to your Wi-Fi router would have to be done from a desktop or laptop on your wired local area network. But the added protection is worth the hassle.

Though this isn’t meant as an exhaustive guide to protect yourself against all possible security risks of a Wi-Fi network, adhering to the above tips should make you significantly safer. Ultimately, if security is paramount sticking to a wired ethernet network may be your best bet yet.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.