If you do a search for Wi-Fi security on Google, then surely what you get is: Don't use WEP but use WPA or WPA2, disable SSID broadcasting, change the settings. default,… These are very basic matters, in Wi-Fi security. However, in this article we will ignore those basic aspects and introduce you to advanced techniques to increase the security of your wireless network.
1. Switch to enterprise encryption - Enterprise
If you have created a WPA or WPA2 encryption key of any kind and have to enter this key when connecting to a wireless network, then you will only use the Personal or Pre-shared key (PSK) mode of Wi- Fi Protected Access (WPA). Enterprise networks - big or small - still need to be protected with Enterprise mode, which adds 802.1X / EAP authentication for wireless connectivity. Instead of entering the encryption key on all computers, the user will log in with a username and password. The encryption keys are securely provided in the background and are unique to each user and every session.
Products suitable for families: Best router for multiple devices
This method allows for centralized and comprehensive management of the security of the Wi-Fi network.
Instead of loading encryption keys onto computers where employees and other users can discover them, each user will log onto the network with his or her own account while using Enterprise mode. You can easily change or revoke access if needed. This is especially useful when employees leave the company or their laptops are stolen. If you use Personal mode, you will have to manually change encryption keys on all computers and access points (APs).
A special component of the Enterprise mode is the RADIUS / AAA server. This server will communicate with APs on the network and look up the user database. Consider using the Internet Authentication Service (IAS) of Windows Server 2003 or using the Network Policy Server (NPS) of Windows Sever 2008.
2. Physical security assessment
Security for a wireless system is not just technical work. You can get the best Wi-Fi encryption technique but still someone can access your network using an ethernet port. Or someone could go into your company or home and press the hotspot's reset button and restore the factory defaults and leave your wireless network fully on.
Make sure all your APs are out of the reach of unnecessary people and out of sight of the employees in the company. Instead of placing the APs on a table, mounting it on a wall or ceiling is the best practice.
You might consider mounting the APs out of sight and installing additional antennas to increase the AP's transceiver signal. This allows you to secure the AP while still providing a good wireless signal through high gain antennas.
However, it's not just the APs that you need to consider. All network components should be properly protected, even ethernet cables. Hackers can cut off your ethernet cable and access your network that way.
As well as attaching and securing your APs, you also need to closely check your APs. Create a spreadsheet that records the AP models used with the IP and MAC addresses. Plus that's where they are. This way helps you know exactly where to locate the AP when performing actions to check or test a problem AP.
3. Install intrusion detection and prevention system (IDS / IPS)
These systems usually have a software program to use your wireless adapter to detect Wi-Fi signals for problems. They can detect rogue APs, a new AP appearing on the network, or an existing AP reset to default settings or mismatched with a set of standards you have defined.
These systems can also analyze network packets to see if someone might be using hacking or jamming techniques.
There are different intrusion detection and prevention systems out there that use a variety of techniques. You can use the must-say free or open source options like Kismet and Snort. Besides, there are commercial products of many other companies such as AirMagnet, AirDefense and AirTight.
4. Create wireless network usage policies
Along with the instructions for using the computer, you should have a special set of policies for Wi-Fi network access, at a minimum they should be like those listed below:
List of authorized devices with wireless network access: This is the best way to deny all devices and allow desired devices by using MAC address filtering on your network router. . While MAC addresses can be spoofed, this practice still provides some degree of control over the devices your employees are using on the network. You need to keep a copy of all your devices.