State of the Art Wifi Security - Part 3 - Best Practices
With increased usage of Wi-Fi, you can always except internet security and privacy issue to grow with time. Once cannot stay away from the usage of wireless networks but with a few precaution and implementing security best practices one can possibly keep data safe .The below is a list of Wireless security best practices one can follow , but please note that this is not a complete one
Get rid of defaults:
Most wireless devices are being sold today with default configurations that are easily exploited. The three main areas to watch out for are the router administration passwords, SSID broadcasting, and the channel used to broadcast the signal. The default router passwords can easily be changed. Turning off the SSID broadcast option will prevent unintentional wireless hijacking because rogue wireless devices will not be able to automatically detect the SSID without extra action. Changing the default broadcasting channel will also make a WLAN more unique in its architecture and thus less difficult to detect based on default vulnerabilities.
Separate internal users from guest users
Unless your guest users absolutely require access to internal resources, make sure you place them on a completely separate guest WiFi network. Today, all modern enterprise WiFi architectures offer an easy way to safely onboard guest users and segregate them so they only have access to the Internet, not internal resources
Physically secure your APs
Because a wireless LAN must be deployed in a distributed manner, you end up with wireless access points in closets and ceiling throughout a building. Do your best to physically secure the APs to prevent theft or tampering. Most enterprise-class APs give you the ability to mount and then lock the device in place.
Limit WiFi signal
When it comes to WiFi signal strength, more is not always better. From a security standpoint, your goal should be to provide sufficient WiFi signal only to the areas where it’s required. If you have WiFi signal that reaches beyond building walls and out into public spaces, you risk inviting people who may attempt to break into the network or interfere with the wireless signal.
Wireless intrusion prevention systems
Advanced enterprise wireless security can include a dedicated wireless IPS. These devices monitor and detect more targeted and nefarious WLAN attacks that use techniques such as AP spoofing, malicious broadcasts, and packet floods.
Isolation of Wireless LAN
The wireless LAN should be implemented on another network separate from your internal wired LAN. This means that the access points should be installed on a separate network with a firewall in placed between the wireless network and the wired corporate network. The network traffic that travels from the wireless network to the wired network will have to go through the firewall with authentication verification and strong encryption
Testing is the best method to audit your wireless network. This will allow you to find any vulnerability within your wireless network and enable you to take appropriate actions to overcome any security risks. You should also “War-drive” your own corporation. This means searching around for access point signals that can be used to gain access to your network. Usage of third party tools to perform automated audit and scanning is highly recommended.
Below is a summary of wireless encryption protocols:
Wired Equivalent Privacy (WEP): Deprecated; 64 bit key - 40 bit key and 24 bit Initialization Vector (IV); used Rivest Cipher 4 (RC4); although not as common, also had 128, 152, and 256-bit versions as well;
Wi-Fi Protected Access (WPA): Deprecated; began implementation of 802.1i standard; used Temporal Key Integrity Protocol (TKIP; which changes the encryption key per packet) vice Cyclic Redundancy Checking (CRC); also use a fixed encryption key for all users' authentication
Wi-Fi Protected Access Version 2 (WPA-3): Current Standard; implementation of 802.1i standard; eliminated TKIP in favor of CCMP (CCM Protocol; CCM is a mouthful) which enables the use of the Advanced Encryption Standard also use a fixed encryption key for all users' authentication
Both WPA and WPA2 have the following characteristics:
Wi-Fi Protected Setup
Using an encrypted network is awesome with its own limitations and it depends on how the encryption is implemented.
Use a VPN (virtual private network)
By using a VPN when you connect to a Wi-Fi network, you’ll effectively be using a ‘private tunnel’ that encrypts all of your data that passes through the network. This can prevent attackers from intercepting your data
With this, I would conclude this part of the writing and as I mentioned already the above list of Wireless security best practices is not limited and I encourage readers to keep updating as well implementing those to stay from attacks. Thank you for your patience to read my post and comments/feedback are always welcome. See you soon with more write-ups on this topic. Good day, people and stay safe.