Nov 03 2009

Wireless Security Lockdown

These methods can help ensure a secure network for your organization.

With the constant influx of wireless devices, it is increasingly important to ensure your 802.11x networks are adequately secured. For users, the primary concern is that their wireless network is readily available when they are mobile. For an IT manager, the primary concern is knowing that this network is secure and protected, which is paramount to keeping unauthorized users out of your systems.

There are several methods for securing your networks, including hiding your network and filtering your networked devices to allow only MAC addresses that you approve to connect. Any of these methods will keep your data and users safe from threats. No method is foolproof, but understanding your security and implementing the best method will provide you the peace of mind that IT managers strive for.

Security Protocols

First and foremost, ensure your network is not open to anyone walking by. Keep in mind that every router you purchase is set up out of the box to be an open wireless network; your job is to seal that up. There are several protocols you can use, and your choice depends on the types of devices you expect to support.

WEP is the oldest (1999) and therefore most universal security protocol for wireless. While WEP is secure against an average threat, a hacker with extensive knowledge can discover your password if given enough time. This is a serious disadvantage for users in a densely populated area or where there is a significant threat of intrusion. However, WEP provides the lowest common denominator for device connectivity. Every device with an antenna can connect to WEP without any issues. This is helpful if you have older PDAs to connect to your network. Also, WEP does not decrease your data throughput as more sophisticated protocols do.

WPA was created in 2003 to replace WEP and offers 256-bit level security, far above the 40-bit offered by WEP. This is a powerful deterrent to even the most adventurous users and will ensure a very secure network. It allows the use of passphrases instead of a long string of characters (WEP's method), but most users tend to choose easily guessed words, such as street names or last names. Avoid those examples and you are well on your way to setting up a secure network. Always remember that older devices may not be able to connect to your WPA network, and you may have to check the manufacturer's website for any available updates. Some throughput will be lost during the encryption process, but this amount is negligible.

WPA2 was created in 2004 as an extension of WPA that offers an even deeper level of security. It is the most secure wireless security a router can provide. Its configuration is extremely similar to WPA, and it adds a stronger encryption algorithm. It surpasses all other protocols in security, but what you gain in security you will lose in bandwidth: there will be a drop in speeds from the high level of encryption. Also, only newer devices will be able to connect to WPA2, so you will need to test your oldest devices to see what level of security they can support.

Network Configuration

Once you have chosen a wireless protocol for your network, you can configure the backbone of your network to add another layer of security to your router. Every router is slightly different, but everything listed below is available on even the most bare-bones wireless router. The most common methods are to hide your wireless network completely and to allow only specific MAC addresses to connect. There are advantages and disadvantages to each of these methods, but they are very interchangeable and effective when used with one of the security protocols listed above.

Hiding SSID:
The term Service Set Identifier (SSID) refers to the network name you have chosen and what a wireless device will detect when searching for a network. A router, unless otherwise configured, will broadcast the SSID of your network at all times for everyone to see and attempt to connect to. Hiding it will force any device to know not only your network password, but also the network name, basically making your network invisible. If the password is compromised but the network name remains secure, there will be no way to connect to your network, thus the extra layer of security. Remember that for a new device, you will need to know your network name (case-sensitive), the security type and the password before it will function properly.

MAC address filtering:
Filtering MAC addresses can be an extremely powerful security measure that all IT managers should consider. Every device has a unique MAC address, which is simply the hardware designation for the Ethernet device. Because no two MAC addresses are alike, you can configure your router to prevent all MAC addresses, besides the ones you designate, from connecting. Even the most knowledgeable intruder will have a difficult time attaching to your network with this enabled. It should be noted that once this is enabled, if you have a guest device in your building, you will have to log into your router, add the device's MAC address and save the changes before it will be able to access your network – a small price to pay for a high level of security.
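
An added example (not from the original article or from any router vendor): a short Python audit that checks an access point configuration against the three layers described above, namely the security protocol, SSID broadcast and MAC address filtering. It assumes hostapd.conf-style key names; the sample values, the file path and the GUESSABLE word list are constructed for illustration.

```python
# Added example: key names follow hostapd.conf; all values are constructed.
WEAK_CONF = """\
ssid=OfficeNet
wpa=1
wpa_passphrase=Elm Street
ignore_broadcast_ssid=0
macaddr_acl=0
"""
HARDENED_CONF = """\
ssid=OfficeNet
wpa=2
wpa_passphrase=7 copper kettles hum at dawn
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""
GUESSABLE = ["elm street", "smith"]  # hypothetical street and last names

def parse_conf(text):
    """Return key/value pairs, skipping blank lines and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v for k, v in pairs}

def protocol(conf):
    """Weakest protocol the access point will still accept."""
    wpa = int(conf.get("wpa", "0"))      # bit 0 = WPA, bit 1 = WPA2
    if wpa & 1:
        return "WPA"
    if wpa & 2:
        return "WPA2"
    return "WEP" if any(k.startswith("wep_key") for k in conf) else "open"

def audit(conf, guessable=GUESSABLE):
    """Return (protocol, findings) for one parsed configuration."""
    proto, out = protocol(conf), []
    if proto != "WPA2":
        out.append(f"{proto}: test devices and move up to WPA2 where supported")
    phrase = conf.get("wpa_passphrase")
    if phrase is not None:
        if not 8 <= len(phrase) <= 63:   # valid WPA passphrase length
            out.append("passphrase must be 8 to 63 characters")
        if any(word in phrase.lower() for word in guessable):
            out.append("passphrase contains an easily guessed word")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        out.append("SSID is broadcast")
    if conf.get("macaddr_acl", "0") != "1":
        out.append("MAC allow list not enforced")
    elif "accept_mac_file" not in conf:
        out.append("MAC allow list enabled but accept_mac_file is missing")
    return proto, out

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, *audit(parse_conf(text)), sep="\n  ")
```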

Wireless devices will continue to evolve and change, and as more tools become 802.11x-enabled, the importance of a secure wireless network increases exponentially. Every year, organizations look for ways to add wireless abilities to a vast array of new products, from televisions to the latest smartphones. That said, no two networks are alike and no two sets of security measures are going to be the same. However, by applying any of the items listed here, in any combination, you can be assured that your data and network traffic will be as safe as possible.