Lock Down Your Wi-Fi Network: 8 Tips for Small Businesses
By Eric Geier
PCWorldNov 16, 2011 6:03 pm PST
Wi-Fi gives us freedom from wires, but it’s not secure by default. Data is transmitted through the air, and anyone nearby can easily capture it with the right tools. As discussed below, whether you have your own Wi-Fi network or use someone else’s, employing security measures is necessary to protect company files, online accounts, and user privacy.
Why Protect Your Wi-Fi Network?
By default, Wi-Fi routers and access points aren’t secure when you purchase them. Unless you enable encryption, people nearby can easily connect to your network. At best, they just use the free wireless Internet for browsing and downloading, possibly slowing down your connections. However, if they wanted to, they could possibly access your PCs and files. They also could easily capture your passwords or hijack your accounts for websites and services that don’t use SSL encryption, such as some Web-based email clients, Facebook, and Twitter.
If your Internet service provider (ISP) set up your Wi-Fi, it likely enabled encryption. This version of encryption, however, may be an older security option that’s now easily breakable: Wired Equivalent Privacy (WEP).
Why protect your connections on other Wi-Fi networks? When you connect to outside networks, such as hotspots in coffee shops, airports, and other public places, the connection is almost always insecure. Eavesdroppers don’t even have to connect to the Wi-Fi hotspot to capture your traffic. And as with using any other unencrypted Wi-Fi network, they could possibly get hold of your passwords or hijack your online accounts.
To check the security status of your Wi-Fi–and raise its security level as needed–follow these best practices.
1. Choose the Right Wi-Fi Security Options
You can use any of several separate protocols that provide different levels of security: WEP, WPA, and WPA2. You see these options when enabling or changing the wireless security on your wireless router or access points (APs). Depending upon your device, you may have to select WPA first to see the WPA2 option.
WEP is easily breakable and protects you only from casual Wi-Fi users. Wi-Fi Protected Access (WPA) has two versions: the first is simply WPA, for a reasonable level of protection, and the second is WPA2, which provides the best protection to date. To confuse you even more, you can implement both WPA and WPA2 in two very different modes: Personal, aka Pre-Shared Key (PSK), and Enterprise (802.1X, RADIUS, or EAP). Most wireless routers and APs support both modes, which you’ll see listed in the wireless settings.
The Personal mode of WPA/WPA2 is easier to set up, but is subject to brute-force dictionary cracking. This means that someone could potentially come up with your encryption passphrase by running software that repeatedly tries to guess it from a dictionary of common words, passwords, and combinations. However, this isn’t a big issue if you create a long and strong passphrase when setting up the encryption, using no words or phrases that might be in a dictionary.
The Personal mode, though, is not suitable if your organization has more than a couple of Wi-Fi users. In this mode, all computers and devices connecting to the network are set with the same encryption passphrase, which creates issues when employees leave the company or a device becomes lost. You’d want to change the passphrase when such occasions arise–but that means you must change it on all access points and every Wi-Fi device.
The Enterprise mode of WPA/WPA2 is much more complex to set up and requires a server, but it provides better security for organizations. Along with the security itself being stronger, this mode provides each Wi-Fi user with their own username and password for logging onto the Wi-Fi instead of a global passphrase. This means that if an employee leaves the company or their device is stolen, you just have to change their password on the server.
The Enterprise mode also prevents users on your network from snooping on each other’s traffic, capturing passwords, or hijacking accounts, since the encryption keys (exchanged in the background) are unique to each user session.
If you aren’t sure your Wi-Fi is encrypted, you can quickly check. On a PC or device that’s connected to the Wi-Fi network (or at least has Wi-Fi), simply open the list of available wireless networks and find the name of the network you use. In Windows, click the network icon in the lower right corner of your screen.
In Windows XP and Vista, you can quickly see the security status of each AP nearby, listed next to each network name. Windows 7, by default, displays a notice by the network name only if it’s unsecured. But you can hover over the network names to view each one’s security type, as shown in Figure 2.
2. Enable WPA2-Personal Security on Your Network
If your Wi-Fi network is secured only with WEP or nothing at all, then at least enable WPA2-Personal security.
To do so, you must first enable it and create a passphrase on the wireless router or access points. You need to log into the control panel of each router or AP by typing its IP address into a Web browser. Next, find the wireless security settings and enable WPA2-Personal (PSK) security with AES encryption/cipher type. Then create a long passphrase with mixed case letters and numbers–using no words found in the dictionary–and apply the changes. The image at right (Figure 3) shows an example of these wireless security settings.
Once WPA2-Personal security is enabled on the router or APs, users will be prompted to enter the passphrase when connecting to the Wi-Fi network.
3. Even Better, Establish WPA2-Enterprise Security
To deploy the Enterprise mode of WPA/WPA2, you first need to get a RADIUS server. It enables the required 802.1X authentication and is where you define the usernames and passwords for Wi-Fi users.
If you don’t have the time or expertise to set up your own server, consider using a hosted service. Keep in mind that there are also access points (APs) with built-in RADIUS servers, such as ZyXEL’s 802.11a/b/g/n Business Access Point (NWA3160-N). But if you’re a Linux fan, you might consider installing the open source FreeRADIUS server software on a server or PC.
Once you have a RADIUS server set up, you input a Shared Secret (password) and other details for each router or AP. You also input the usernames and passwords for the Wi-Fi users or devices into the RADIUS server (or use Active Directory or a separate database).
Next, you have to configure each router or AP with security and authentication settings. You log into the control panel of each router or AP by typing its IP address into a Web browser, and log in. Then you look for the wireless security settings and enable WPA2-Enterprise security, which may be referred to as just plain WPA2. You must then enter the IP address of the RADIUS server that you set up and input the Shared Secret (password) you created for that particular router or AP. Once you apply these changes, users will be able to connect.
Next: Wi-Fi for guests, using VPN, and more.
4. Offer Separate Wi-Fi for Guests
Never allow an untrusted or unfamiliar person have access to your private Wi-Fi network. If you want to offer visitors or guests wireless Internet access, make sure that such access is segregated from your company’s main network so they can’t possibly get into your computers and files, and eavesdrop on your traffic.
Consider purchasing a separate Internet connection for guests and setting up an additional wireless router or APs. Some wireless routers, such as D-Link’s Xtreme N Gigabit Router (DIR-655), offer guest access on another SSID, or network name, that’s separate from your private network and requires only a single Internet connection. To see if your router offers this option, check the user manual or log in to the router’s Web-based control panel by typing its IP address into a browser and look for a guest feature. Additionally, most business-class APs offer the same functionality by creating Virtual LANs (VLANs) and multiple SSIDs.
When configuring guest access, you could even enable separate encryption so you can still try to control who connects and uses your Internet access. With a wireless router, you should use the guest access settings–such as those shown in Figure 5–for this purpose.
5. Physically Secure Your Network Gear
Besides enabling encryption to secure your private wireless network, you need to think about the physical security of your network. Make sure that your wireless router or APs are all secured from visitors. An intruder could easily plug into the network if it’s in reach or reset it to factory defaults to clear the security. To prevent this, you could, for instance, mount the hardware high on walls or above a false ceiling. Also, if your office has ethernet network ports on the walls, make sure that they aren’t within the reach of visitors, or disconnect them from the network. If you have a larger network with a wiring closet, make sure it says locked and secure.
6. Secure Your Wi-Fi Outside the Office With VPN
You also need to secure your Wi-Fi connections when on other untrusted networks, such as public hotspots. You can use a virtual private network (VPN) connection, which secures all your Internet traffic by redirecting it to the VPN server via an encrypted tunnel. This ensures that if local eavesdroppers are hanging around a Wi-Fi hotspot, they won’t see your real Internet traffic and can’t capture your passwords or hijack any accounts.
If your employer or organization offers VPN access, you can use it to secure your Wi-Fi and also to remotely access the network. But if such a VPN isn’t available, consider hosted services. Many free ones are designed for Wi-Fi security–Hotspot Shield, for example. However, for better reliability and better speeds, you might consider a paid service, such as Comodo TrustConnect.
7. Ensure Websites Are Encrypted Outside the Office
If you don’t use a VPN connection to secure all your traffic when out of the office, at least ensure that any websites you log in to are encrypted. Highly sensitive websites, such as banks, use encryption by default, but others, such as social networking sites and email providers, don’t always do so.
To ensure that a website is using encryption, access it via a Web browser and try to use SSL/HTTPS encryption. You can see if the site supports SSL encryption by adding the letter s to its address: https:// instead of http://. If it’s encrypted, you’ll also see some sort of notification in the browser about the security, such as a padlock or green-colored address bar. If you don’t see any notification or it shows an error, it may not be secure; you should therefore consider waiting to access the site until you’re on a private network at home or in the office.
If you check your email with a client program such as Microsoft Outlook, you should try enabling SSL encryption for your email server in your account settings (see Figure 6). However, many email providers don’t support encrypted connections via client programs. If that’s the case, check your email via the Web browser–using SSL/HTTPS–if possible.
8. Shop for Secure Wi-Fi Gear
When shopping for a Wi-Fi router or access points, keep security in mind. As mentioned, some consumer-level wireless routers, such as the D-Link Xtreme N Gigabit Router, offer a wireless guest feature, so you can keep visitors off your private network. And business-class routers and APs usually offer VLAN and multiple SSID support, which you can configure to do the same.
Additionally, some business-level routers offer integrated VPN servers. You can use VPN connections to secure your Wi-FI hotspot sessions, remotely access your network, or link muliple offices together. Some, such as the ZyXEL 802.11a/b/g/n Business Access Point, even have an embedded RADIUS server, so you can use the Enterprise mode of WPA2 security.
When shopping the big-box stores, you’ll find mostly consumer-level wireless routers. You can check the box for features, but I suggest investigating online before purchasing. Check the manufacturer’s site and read through the model’s product description pages to get a better idea of what features it supports.
When shopping online for consumer or business gear, some Web stores include a lengthy description, but again, check the manufacturer’s site for a full feature list.
Eric Geier is a freelance tech writer. Become a Twitter follower to keep up with his writings. He’s also the founder and owner of NoWiresSecurity, which helps businesses protect their Wi-Fi network with enterprise-class security (WPA2 with 802.1X).