How secure is your wireless network?

By - February 18, 2014

How secure is your wireless network? Ask yourself a few simple questions:

  1. Are you still using WEP (Wired Equivalent Privacy)?
  2. Does your wireless have a WPA password that doesn’t change?
  3. Have any of your employees left the organization or been terminated since the last password change?
  4. Do you allow guests’ or employees’ personal devices to connect to your Wi-Fi?
  5. Does your SSID (wireless network name) include your organization’s name?

If you answered “yes” to any of the above questions, then your wireless network is a risk point for your organization!

The first area of risk with a wireless network is the Service Set Identifier (SSID), commonly known as the wireless network name. Most home wireless routers come by default with an SSID such as “Linksys” or “Belkin,” but in business these names are often changed to the name of the business. The risk here is that there are ways of intercepting the wireless password of a laptop when it tries to connect to your wireless access point (AP). “Hiding” the SSID from broadcast is one step in securing the wireless network, but the SSID can still be intercepted. Organizations should use anonymized SSIDs so that an attacker sitting in an internet café cannot pair your organization’s name with an intercepted password.

The second component of securing a wireless network is choosing a method of encryption. WEP was the first form of protection for wireless communications, introduced in 1999, but it was exploited in 2001. After WEP was compromised, Wi-Fi Protected Access (WPA) became the industry standard in 2003. Since 2004, the recommended encryption has been WPA2, which uses AES encryption. WPA2 comes in two different flavors: WPA2 Personal (also known as PSK, for Pre-Shared Key) and WPA2 Enterprise.

WPA2 Personal relies on a pre-shared key, commonly referred to simply as “the Wi-Fi password.” This is common and standard for home use, but business organizations should avoid it. The problem is that these passwords are rarely changed. Very commonly, when an employee or vendor is terminated, the password is not changed. Compounding this problem is the sharing of the password. Within minutes of a password change, the new password is commonly sent to all employees by email or shared by word of mouth. This leads to unauthorized devices connecting to the Wi-Fi and often defeats the purpose of securing the wireless network at all.

WPA2 Enterprise uses a different form of authentication in addition to, or instead of, a PSK. Usually this involves a certificate installed on the client machine that authenticates the user or device to the network. Certificates are managed by a Certificate Authority on your network, most commonly backed by Microsoft Active Directory. This allows administrators to decide which devices and/or users are allowed to connect to the wireless network. A step further in securing the network is to use some form of Network Access Control (NAC) to ensure that devices connecting to the private wireless network have up-to-date security patches and antivirus definitions.

Many organizations prefer to give their employees or guests internet access via wireless when visiting their place of business. These businesses should always use enterprise-grade access points, such as Ubiquiti or Cisco, that have the ability to use VLANs. These APs can broadcast multiple SSIDs and tie each one to a VLAN. The “internal” VLAN has access to server resources and should be protected with WPA2 Enterprise. A second SSID can use WPA2 Personal with a PSK that is changed frequently (or an open wireless network on which users must accept terms of use and monitoring). That second SSID sits on a segmented VLAN that is restricted, via access-control lists (ACLs), to content-filtered internet only, with no access to the internal network.
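The five questions at the top of this post and the segmentation design just described can be turned into a repeatable check against an SSID inventory. The script below is an added example written for this page; it is not code from the original post or from RSM. The inventory layout, the field names, the organization name “Acme”, the dates and the 90-day rotation threshold are all assumptions made for the illustration.

```python
"""Audit a Wi-Fi SSID inventory against the questions raised in the post.

Added example, not code from the original post or from RSM. The inventory
layout, field names, organization name, dates and the 90-day rotation
threshold are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (ssid name, severity, message)
SEVERITY_RANK: Dict[str, int] = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


@dataclass
class Ssid:
    name: str
    security: str                       # "open", "wep", "wpa2-psk" or "wpa2-eap"
    vlan: int                           # VLAN the SSID is bridged to
    role: str                           # "internal" or "guest"
    psk_rotated: Optional[date] = None  # last pre-shared-key change (PSK only)
    hidden: bool = False                # SSID broadcast suppressed


def audit(ssids: List[Ssid], org_name: str, internal_vlans: Set[int],
          last_offboarding: date, today: date,
          max_psk_age_days: int = 90) -> List[Finding]:
    """Evaluate each SSID and return findings sorted by SSID, worst first."""
    findings: List[Finding] = []
    for s in ssids:
        # Question 1: WEP has been broken since 2001.
        if s.security == "wep":
            findings.append((s.name, "HIGH", "WEP in use; migrate to WPA2"))
        # Internal resources belong behind WPA2 Enterprise, not a shared key.
        if s.role == "internal" and s.security != "wpa2-eap":
            findings.append((s.name, "HIGH",
                             "internal SSID not using WPA2 Enterprise (802.1X)"))
        # Guest traffic must land on a VLAN with no path to internal servers.
        if s.role == "guest" and s.vlan in internal_vlans:
            findings.append((s.name, "HIGH",
                             f"guest SSID on VLAN {s.vlan}, which reaches the internal network"))
        # Questions 2 and 3: PSK age, and rotation after the last departure.
        if s.security == "wpa2-psk":
            if s.psk_rotated is None:
                findings.append((s.name, "MEDIUM", "PSK rotation date unknown"))
            elif s.psk_rotated <= last_offboarding:
                findings.append((s.name, "HIGH",
                                 "PSK not changed since the last employee departure"))
            elif (today - s.psk_rotated).days > max_psk_age_days:
                age = (today - s.psk_rotated).days
                findings.append((s.name, "MEDIUM",
                                 f"PSK is {age} days old (limit {max_psk_age_days})"))
        # Question 5: the SSID should not name the organization.
        if org_name.lower() in s.name.lower():
            findings.append((s.name, "MEDIUM",
                             "SSID reveals the organization name; use an anonymized SSID"))
        # Hiding the SSID is not a control: the name is still observable over the air.
        if s.hidden:
            findings.append((s.name, "INFO",
                             "hidden SSID offers no real protection; do not rely on it"))
    findings.sort(key=lambda f: (f[0], SEVERITY_RANK[f[1]]))
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity present, or None for a clean inventory."""
    if not findings:
        return None
    return min((f[1] for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample inventory for a hypothetical organization "Acme".
ORG_NAME = "Acme"
INTERNAL_VLANS = {10}                  # VLANs that can reach internal servers
LAST_OFFBOARDING = date(2013, 12, 1)   # most recent employee departure (assumed)
TODAY = date(2014, 2, 18)
SAMPLE_SSIDS = [
    Ssid("Acme-Corp", "wep", vlan=10, role="internal"),
    Ssid("Acme-Guest", "wpa2-psk", vlan=10, role="guest",
         psk_rotated=date(2013, 6, 1)),
    Ssid("bx7-net", "wpa2-eap", vlan=10, role="internal"),
    Ssid("visitors", "wpa2-psk", vlan=20, role="guest",
         psk_rotated=date(2014, 1, 20), hidden=True),
]


def run_sample() -> List[Finding]:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_SSIDS, ORG_NAME, INTERNAL_VLANS, LAST_OFFBOARDING, TODAY)


if __name__ == "__main__":
    for name, severity, message in run_sample():
        print(f"[{severity:6}] {name}: {message}")
```

On the sample inventory only the anonymized WPA2 Enterprise SSID on the internal VLAN passes clean; the two SSIDs carrying the organization name, the WEP network and the guest network bridged onto the internal VLAN each produce HIGH findings, and the hidden guest SSID is noted as offering no protection. The `psk_rotated <= last_offboarding` comparison is the programmatic form of question 3: any departure on or after the last key change means the departed person may still hold a valid key.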

For more information on RSM’s offerings please check out our website. You can also contact RSM’s technology consulting professionals at 800.274.3978 or email us.
