I’m sharing Wi-Fi tips and seven security tips in two sessions at Enterprise Connect 2022 and thought it would be informative to share a new set of tips by mixing the two topics.
The convenience of Wi-Fi is wonderful. No wires, easy access, works with all your devices. But all that convenience makes it easy for bad actors to access your network. An attacker can sit outside your physical environment — across the street, on a different floor of the building, in the parking lot, or in an adjacent home in your neighborhood — all while connected to your network. What can you do?
Wi-Fi Access Point Security
Let’s start with things you can do on the Wi-Fi access point or wireless router (I’ll use the acronym AP to reference both of these devices).
Some APs will include a feature that isolates clients from each other. The intent is to keep each client from attacking any other client. The only communications path that’s allowed is between the client and the Internet. You may not be able to use this function if you have devices that need to communicate with each other, such as a tablet screen-casting to a TV or an IoT device connecting to its controller.
It’s not worthwhile trying to hide the SSID by not broadcasting it. The SSID appears in other packets, making this ineffective as a security measure. It will also cause problems with some Wi-Fi devices, for which you will have to spend time troubleshooting.
Next, create a separate guest network that uses a different password than your primary Wi-Fi. Use good passwords, and don’t leave any of the SSIDs open. The safest configuration is to restrict the guest network to Internet access only.
For small or home Wi-Fi, select WPA3-PSK (Pre-Shared Key) or WPA2-PSK security. Hint: if your AP only supports WPA2-PSK, it’s probably old enough to warrant an upgrade. Corporate implementations should use 802.1x authentication with a RADIUS server and WPA3 security. Client devices that don’t support 802.1x should be assigned to a separate SSID/VLAN/Subnet where they can be more easily monitored and isolated. Like client isolation mentioned above, this helps reduce the opportunity for a bad actor to attack adjacent devices from a compromised device. The monitoring system should alert you to potential security events like a thermostat that starts scanning your domain controller or email server.
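One way to get the kind of alert described above (a thermostat on the non-802.1x segment suddenly talking to the domain controller) is to run a small check over exported flow records. The following is an added example, not code from the article: it assumes a constructed flow-log format of `timestamp,src_ip,dst_ip,dst_port,proto`, a placeholder IoT VLAN of 10.20.0.0/24, and placeholder server addresses; the sample records are constructed for illustration.

```python
"""Flag hosts on the IoT/non-802.1x VLAN that touch sensitive servers or probe ports.

Added example (not from the article). The VLAN, server addresses and the
flow-log lines below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")            # placeholder segment
SENSITIVE_SERVERS = {                                      # placeholder addresses
    ipaddress.ip_address("10.0.0.10"): "domain controller",
    ipaddress.ip_address("10.0.0.25"): "mail server",
}
# Services an IoT device has no business reaching on those servers.
SENSITIVE_PORTS = {25, 88, 135, 139, 143, 389, 445, 636, 993, 3389}
SCAN_THRESHOLD = 5  # distinct ports on one destination counts as scan-like

# Constructed sample: one well-behaved TV, one "thermostat" probing the DC,
# one device talking SMTP to the mail server, and one non-IoT host (ignored).
SAMPLE_FLOWS = """\
2022-03-01T09:00:01,10.20.0.7,203.0.113.80,443,tcp
2022-03-01T09:00:02,10.20.0.7,203.0.113.80,443,tcp
2022-03-01T09:00:05,10.20.0.42,10.0.0.10,88,tcp
2022-03-01T09:00:05,10.20.0.42,10.0.0.10,389,tcp
2022-03-01T09:00:06,10.20.0.42,10.0.0.10,445,tcp
2022-03-01T09:00:06,10.20.0.42,10.0.0.10,135,tcp
2022-03-01T09:00:07,10.20.0.42,10.0.0.10,3389,tcp
2022-03-01T09:00:09,10.20.0.9,10.0.0.25,25,tcp
2022-03-01T09:00:10,10.0.1.15,10.0.0.10,445,tcp
"""


def parse_flows(text):
    """Parse the constructed CSV-style export into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append((ts, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port), proto))
    return flows


def analyze(flows):
    """Return (time, src, reason) alerts for IoT-VLAN hosts only."""
    alerts = []
    ports_seen = defaultdict(set)  # (src, dst) -> distinct destination ports
    for ts, src, dst, port, proto in flows:
        if src not in IOT_VLAN:
            continue  # hosts that authenticated via 802.1x are out of scope here
        if dst in SENSITIVE_SERVERS and port in SENSITIVE_PORTS:
            alerts.append((ts, str(src),
                           f"contacted {SENSITIVE_SERVERS[dst]} {dst} on port {port}"))
        ports_seen[(src, dst)].add(port)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("window", str(src),
                           f"touched {len(ports)} distinct ports on {dst} (scan-like)"))
    return alerts


def alerted_hosts(alerts):
    """Distinct IoT-VLAN sources that raised at least one alert."""
    return sorted({src for _, src, _ in alerts})


if __name__ == "__main__":
    for alert in analyze(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

The same logic ports directly to a SIEM rule: scope to the IoT subnet, match destination against the server inventory and port list, and add a per-source distinct-port count for scan detection.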
You should use one of the DNS reputation systems like OpenDNS, Norton ConnectSafe, or Cisco Umbrella to reduce the opportunity for malware to sneak by your protections. These services track the domain names used by malware and don’t return an IP address for those sites. Some services are free, and others have a subscription fee. The DNS server configuration will need to be made in the wireless router or a corporate DHCP server.
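To show what a reputation-based resolver actually does with a query, here is an added example (not the article's code and not the implementation of any of the services named above). The blocklist, the stand-in upstream answers, and the logging are constructed placeholders; real services typically answer NXDOMAIN or a sinkhole address, which this toy represents as returning no address.

```python
"""Reputation-style DNS filtering: refuse to resolve known-bad domains.

Added example, not from the article or any named service. The blocklist
and the upstream answer table are constructed placeholders.
"""

# Constructed blocklist: an entry covers the name and every subdomain under it.
BLOCKLIST = {"malware-example.test", "c2.bad-example.test"}

# Constructed stand-in for what an upstream resolver would answer.
UPSTREAM = {
    "www.example.com": "192.0.2.10",
    "malware-example.test": "203.0.113.5",
    "cdn.malware-example.test": "203.0.113.6",
    "c2.bad-example.test": "198.51.100.7",
    "www.bad-example.test": "198.51.100.8",
}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def is_blocked(name):
    """True if the name, or any parent domain of it, is on the blocklist.

    Only suffixes of the label list are checked, so blocking
    c2.bad-example.test does not block www.bad-example.test.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(name, log):
    """Return the A record, or None (no address for the client) when blocked."""
    name = normalize(name)
    if is_blocked(name):
        log.append(f"BLOCKED {name}")   # the blocked-query log is the useful alert feed
        return None
    return UPSTREAM.get(name)


if __name__ == "__main__":
    events = []
    for query in ("www.example.com", "CDN.Malware-Example.test.", "www.bad-example.test"):
        print(query, "->", resolve(query, events))
    print(events)
```

The blocked-query log is worth forwarding to your monitoring: a device that repeatedly asks for blocked names is the one to go and look at.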
On the topic of passwords, longer is far better than more complex. There’s a concise example of password selection in Randall Munroe’s comic on password strength here.
Security of Wi-Fi Devices
Wi-Fi-enabled IoT hardware like TVs, HVAC systems, door lock systems, or lighting controllers frequently contains default SSIDs and passwords or vulnerable firmware that make them targets of external access. Connecting these devices to the local network provides easy access for the bad actors. Be sure to verify IoT settings after firmware updates because they can reset previously selected security settings.
The biggest security challenge is likely to originate with BYOD devices. In a corporate setting, you’ll generally lack control over those devices, therefore lacking the ability to push security policies to the device. Widespread support of BYOD can result in higher total cost than if corporate resources were purchased, especially if an intrusion occurs via this avenue.
An added concern for BYOD is that corporate data can be easily copied onto a device taken into a more vulnerable location, such as a home or coffee shop environment. The device can be more easily compromised in these environments where it’s away from corporate security controls.
There’s also the risk of “shoulder surfing,” in which private data is visible to unauthorized individuals in public environments. The prevalence of high-resolution cameras everywhere makes the security of such information difficult to control. Imagine losing a major contract because pricing information was viewed or HIPAA information on a popular personality was made public.
The RF Environment
The radiofrequency (RF) environment can be quite challenging for Wi-Fi, affecting its performance. You can have great signal but poor performance and connectivity problems. A detailed site survey is a critical element of the process to diagnose what’s happening. The interference might be from something simple like a microwave oven or weather radar, or it might be a busy Wi-Fi environment from neighbors. The site survey is required to determine the exact cause of the problems and arrive at a suitable solution. If part of the problem is Wi-Fi from neighbors, don’t be tempted to use the containment feature to disable neighboring APs; such actions are illegal in many countries, including the U.S.
Plan on performing periodic validation site surveys. A site survey is a health check to verify the state of the RF environment. Repeating the site survey demonstrates whether the RF environment has changed. When performing the survey, ask:
- Are there new RF sources?
- Are there other Wi-Fi systems?
- Are the neighboring Wi-Fi systems properly designed?
- Are there APs using channel bonding that causes co-channel interference (CCI) with adjacent channels?
You only get optimum performance with a good design, and the site survey is the basis for that design.
The site survey should also check for rogue APs. These are malicious access points set up by bad actors to steal authentication credentials that can subsequently be used to break into the network. Note that advanced techniques like 802.1x with multi-factor authentication can be used to mitigate this type of threat.
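A survey tool gives you a list of what is on the air; the rogue check is then a comparison against your own AP inventory. The following is an added example, not code from the article: it assumes a constructed scan export in `bssid,ssid,channel,security` form and a placeholder inventory of authorized BSSIDs, and classifies each radio seen as authorized, misconfigured, an unknown radio using a corporate SSID, or a neighbor.

```python
"""Compare a Wi-Fi scan against the authorized AP inventory to flag rogues.

Added example (not from the article). Inventory and scan lines are
constructed placeholders; a real survey tool exports more fields.
"""

AUTHORIZED = {  # placeholder inventory: BSSID -> (SSID, security)
    "00:11:22:33:44:01": ("CorpWiFi", "WPA3-ENTERPRISE"),
    "00:11:22:33:44:02": ("CorpWiFi", "WPA3-ENTERPRISE"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA2-PSK"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed scan: three known radios, two unknown radios using our SSID
# (one open, one PSK), and a neighbor's network.
SAMPLE_SCAN = """\
00:11:22:33:44:01,CorpWiFi,36,WPA3-ENTERPRISE
00:11:22:33:44:02,CorpWiFi,44,WPA3-ENTERPRISE
00:11:22:33:44:03,CorpGuest,6,WPA2-PSK
AA:BB:CC:DD:EE:01,CorpWiFi,1,OPEN
aa:bb:cc:dd:ee:02,CorpWiFi,11,WPA2-PSK
aa:bb:cc:dd:ee:03,Neighbor-5G,149,WPA2-PSK
"""


def parse_scan(text):
    """Parse the constructed export; BSSIDs are normalized to lowercase."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security = (f.strip() for f in line.split(","))
        rows.append((bssid.lower(), ssid, int(channel), security))
    return rows


def classify(scan):
    """Return (bssid, verdict, detail) for every radio that is not simply authorized."""
    findings = []
    for bssid, ssid, channel, security in scan:
        if bssid in AUTHORIZED:
            exp_ssid, exp_sec = AUTHORIZED[bssid]
            if (ssid, security) != (exp_ssid, exp_sec):
                findings.append((bssid, "MISCONFIGURED",
                                 f"advertises {ssid}/{security}, expected {exp_ssid}/{exp_sec}"))
            continue
        if ssid in CORP_SSIDS:
            # An unknown radio advertising our SSID is the credential-harvesting
            # pattern the survey is meant to catch; locate it and investigate.
            findings.append((bssid, "EVIL_TWIN",
                             f"unknown BSSID advertising {ssid} ({security}) on channel {channel}"))
        else:
            findings.append((bssid, "NEIGHBOR",
                             f"{ssid} on channel {channel}; not ours, track it across surveys"))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_scan(SAMPLE_SCAN)):
        print(*finding)
```

Keep the inventory under change control: every authorized BSSID and its expected security mode is the baseline the next validation survey is compared against, and a "MISCONFIGURED" result on your own AP is as much a finding as an unknown radio.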
Good network security ultimately depends on the ability of the network’s users to avoid malware, much of which is sent via email or links to web pages that contain malware. User training has been found to be the most effective way to reduce these types of intrusions. Several companies are available to help create and run network security training programs. You’ll learn how to look for the signs of secure web access (HTTPS) versus insecure access (HTTP) and how to be careful about the URLs you click.
The training program should extend to best security practices when traveling. For example, your users should be able to answer the question: “Is it safe to use hotel Wi-Fi or is it better to use tethering through your cell phone?” (Answer: It’s generally safer to tether through your phone.)
Users should also be able to navigate safety rules during travel. For example, it is not safe to use charging stations equipped with existing cables in public locations like airports. It is easy to obtain custom USB memory sticks and charging cables that contain malware. When these devices are connected to your mobile device, they act like keyboards and initiate the download of malicious applications, quickly compromising your device. One researcher made a cable that looks like a commercially available charging cable but includes a Wi-Fi node that allows the bad actor remote access to your device and its data.
Instead, it’s much safer to use a battery to charge your devices. The battery can then be charged from the public charging ports without risk. Besides, that battery can help keep your devices charged when you’re away from any charging ports.
Join Us At Enterprise Connect 2022