Wi-Fi gives us freedom from wires, but it’s not secure by default. Data is transmitted through the air, and anyone nearby can easily capture it with the right tools. As discussed below, whether you have your own Wi-Fi network or use someone else’s, employing security measures is necessary to protect company files, online accounts, and user privacy.
Why Protect Your Wi-Fi Network?
By default, Wi-Fi routers and access points aren’t secure when you purchase them. Unless you enable encryption, people nearby can easily connect to your network. At best, they just use the free wireless Internet for browsing and downloading, possibly slowing down your connections. However, if they wanted to, they could possibly access your PCs and files. They also could easily capture your passwords or hijack your accounts for websites and services that don’t use SSL encryption, such as some Web-based email clients, Facebook, and Twitter.
If your Internet service provider (ISP) set up your Wi-Fi, it likely enabled encryption. This version of encryption, however, may be an older security option that’s now easily breakable: Wired Equivalent Privacy (WEP).
Why protect your connections on other Wi-Fi networks? When you connect to outside networks, such as hotspots in coffee shops, airports, and other public places, the connection is almost always insecure. Eavesdroppers don’t even have to connect to the Wi-Fi hotspot to capture your traffic. And as with using any other unencrypted Wi-Fi network, they could possibly get hold of your passwords or hijack your online accounts.
To check the security status of your Wi-Fi--and raise its security level as needed--follow these best practices.
1. Choose the Right Wi-Fi Security Options
You can use any of several separate protocols that provide different levels of security: WEP, WPA, and WPA2. You see these options when enabling or changing the wireless security on your wireless router or access points (APs). Depending upon your device, you may have to select WPA first to see the WPA2 option.
WEP is easily breakable and protects you only from casual Wi-Fi users. Wi-Fi Protected Access (WPA) has two versions: the first is simply WPA, for a reasonable level of protection, and the second is WPA2, which provides the best protection to date. To confuse you even more, you can implement both WPA and WPA2 in two very different modes: Personal, aka Pre-Shared Key (PSK), and Enterprise (802.1X, RADIUS, or EAP). Most wireless routers and APs support both modes, which you’ll see listed in the wireless settings.
The Personal mode of WPA/WPA2 is easier to set up, but is subject to brute-force dictionary cracking. This means that someone could potentially come up with your encryption passphrase by running software that repeatedly tries to guess it from a dictionary of common words, passwords, and combinations. However, this isn’t a big issue if you create a long and strong passphrase when setting up the encryption, using no words or phrases that might be in a dictionary.
The Personal mode, though, is not suitable if your organization has more than a couple of Wi-Fi users. In this mode, all computers and devices connecting to the network are set with the same encryption passphrase, which creates issues when employees leave the company or a device becomes lost. You’d want to change the passphrase when such occasions arise--but that means you must change it on all access points and every Wi-Fi device.
The Enterprise mode of WPA/WPA2 is much more complex to set up and requires a server, but it provides better security for organizations. Along with the security itself being stronger, this mode provides each Wi-Fi user with their own username and password for logging onto the Wi-Fi instead of a global passphrase. This means that if an employee leaves the company or their device is stolen, you just have to change their password on the server.
The Enterprise mode also prevents users on your network from snooping on each other’s traffic, capturing passwords, or hijacking accounts, since the encryption keys (exchanged in the background) are unique to each user session.
If you aren’t sure your Wi-Fi is encrypted, you can quickly check. On a PC or device that’s connected to the Wi-Fi network (or at least has Wi-Fi), simply open the list of available wireless networks and find the name of the network you use. In Windows, click the network icon in the lower right corner of your screen.
In Windows XP and Vista, you can quickly see the security status of each AP nearby, listed next to each network name. Windows 7, by default, displays a notice by the network name only if it’s unsecured. But you can hover over the network names to view each one's security type, as shown in Figure 2.
2. Enable WPA2-Personal Security on Your Network
If your Wi-Fi network is secured only with WEP or nothing at all, then at least enable WPA2-Personal security.
To do so, you must first enable it and create a passphrase on the wireless router or access points. You need to log into the control panel of each router or AP by typing its IP address into a Web browser. Next, find the wireless security settings and enable WPA2-Personal (PSK) security with AES encryption/cipher type. Then create a long passphrase with mixed case letters and numbers--using no words found in the dictionary--and apply the changes. The image at right (Figure 3) shows an example of these wireless security settings.
Once WPA2-Personal security is enabled on the router or APs, users will be prompted to enter the passphrase when connecting to the Wi-Fi network.
3. Even Better, Establish WPA2-Enterprise Security
To deploy the Enterprise mode of WPA/WPA2, you first need to get a RADIUS server. It enables the required 802.1X authentication and is where you define the usernames and passwords for Wi-Fi users.
If you don’t have the time or expertise to set up your own server, consider using a hosted service. Keep in mind that there are also access points (APs) with built-in RADIUS servers, such as ZyXEL’s 802.11a/b/g/n Business Access Point (NWA3160-N). But if you’re a Linux fan, you might consider installing the open source FreeRADIUS server software on a server or PC.
Once you have a RADIUS server set up, you input a Shared Secret (password) and other details for each router or AP. You also input the usernames and passwords for the Wi-Fi users or devices into the RADIUS server (or use Active Directory or a separate database).
Next, you have to configure each router or AP with security and authentication settings. You log into the control panel of each router or AP by typing its IP address into a Web browser, and log in. Then you look for the wireless security settings and enable WPA2-Enterprise security, which may be referred to as just plain WPA2. You must then enter the IP address of the RADIUS server that you set up and input the Shared Secret (password) you created for that particular router or AP. Once you apply these changes, users will be able to connect.
Next: Wi-Fi for guests, using VPN, and more.