June 22, 2015
Everyone knows that wireless networking (WiFi) is here to stay. A large number of companies, OST Security clients included, use WiFi to give employees network and Internet access from laptops and smartphones. Some organizations offer WiFi to the general public as well, usually as part of a commitment to customer convenience or experience. From a security standpoint, most wireless implementations are a nightmare. While we've seen dramatic improvement over the past several years, wireless is still a weak point for many organizations. In this article, we'll look at the key elements of ensuring the WiFi networks at your place of work are configured for security.

Leverage a strong encryption/authentication method

This might seem obvious, but we still see the occasional WEP-encrypted network. For readers who aren't in the know, there are different methods of encrypting and authenticating a wireless network. WEP (Wired Equivalent Privacy) is a dated, easily defeated method: freely available tools recover a WEP key from captured traffic in minutes. The original WPA with TKIP was a stopgap and is also deprecated. Organizations should be using WPA2 with AES (CCMP) encryption, and ideally WPA2-Enterprise, which authenticates each user with EAP against a central authentication server (RADIUS) instead of a single shared passphrase. MAC address filtering is sometimes layered on top, but treat it as housekeeping rather than a security control: client MAC addresses are transmitted in the clear, and an attacker can spoof an allowed one in seconds.

Segment from your production network

Every once in a while, OST Security will perform an assessment and find that a wireless network owned by the client is not segmented from their production domain. This means that a bad guy could sit in your parking lot, hop on your WiFi, and perform devastating attacks, just as though he were physically inside your building and plugged into a wall port. The risk here is obvious. Hosts on wireless networks should not be able to communicate with hosts on your wired, production network: put wireless clients on their own VLAN, enforce the separation with a firewall or ACL rather than trusting the access point alone, and verify it by connecting a laptop to the WiFi and confirming that production addresses are unreachable.

Separate Internet connection

Particularly if you have an open wireless network to give the public access to the Internet, it's a good idea to put that network on a separate Internet connection entirely. This means that you'll have to purchase another line from your ISP, but the tradeoff in risk reduction is worth it. Say, for example, that someone commits a computer crime while connected to your public wireless network. If you have a separate Internet connection in place for this public network, and a User Agreement that those accessing it must accept, you have built a good amount of legal protection for your organization, and the activity is not tied to the public address your business uses.

Limit key distribution

For internal wireless networks (ones used by employees) that still rely on a pre-shared key, it's a good idea to limit the distribution of that key. Ideally, only one or two individuals in the organization would know it. When an employee wants access to the wireless network, that individual can enter the key for them. Most devices retain a wireless key, so it wouldn't need to be re-entered all the time. Doing this drastically decreases the likelihood of inappropriate access to the internal WiFi (i.e. by non-employees). Two caveats: a stored key can be read back from any device that holds it, and a captured WPA2 handshake lets an attacker guess the passphrase offline, so use a long random passphrase and change it whenever a device is lost or an employee leaves. The cleaner solution is the WPA2-Enterprise setup described above, where each user has individual credentials that can be revoked one at a time and there is no shared secret to hand out.

WIPS/WIDS

Wireless intrusion prevention systems and wireless intrusion detection systems are an excellent addition to a WiFi network already employing the best practices recommended above. WIPS/WIDS usually come in the form of a physical sensor that monitors the wireless spectrum for malicious activity, for example a fake access point (an "evil twin") broadcasting your SSID to lure victims into connecting, or deauthentication floods used to knock clients off the legitimate network. WIPS implementations generally include not only the detection of this kind of activity but also countermeasures to defeat attacks, such as containing a rogue access point so that clients cannot stay associated with it.

WiFi networks are a fact of many modern computing environments. If your organization has one (or more), taking the above precautions will effectively minimize many of the associated risks. For a full IT security assessment, including an analysis of wireless configurations, please contact firstname.lastname@example.org.
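As an added example, not OST Security's code or tooling, the following Python script ties together three of the checks above: it audits each deployed SSID for weak encryption or authentication and for wireless segments that can reach production, and it scans observed beacons for evil twins of the kind a WIDS reports. The SSIDs, BSSIDs and VLAN names are constructed sample data, and the inventory and scan records are assumed to come from your WLAN controller and a scanning client respectively.

```python
"""Wireless posture check for three of the points above: weak encryption or
authentication, wireless segments that can reach production, and rogue
("evil twin") access points of the kind a WIDS looks for. Added illustration,
not OST Security's tooling; every SSID, BSSID and VLAN name is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

WEAK_MODES = {"open", "wep", "wpa"}      # original WPA implies TKIP
WEAK_CIPHERS = {"none", "wep", "tkip"}


@dataclass(frozen=True)
class SsidConfig:
    """One deployed SSID as the controller or AP configuration describes it."""
    ssid: str
    mode: str                          # "open" | "wep" | "wpa" | "wpa2"
    cipher: str                        # "none" | "wep" | "tkip" | "ccmp"
    auth: str                          # "none" | "psk" | "eap"
    vlan: str
    reachable_vlans: FrozenSet[str]    # VLANs the firewall lets this segment reach
    authorized_bssids: FrozenSet[str]  # radios we own that may beacon this SSID
    public: bool = False               # guest network offered to the public


@dataclass(frozen=True)
class ObservedAp:
    """One beacon as seen by a scanning client or a WIDS sensor."""
    ssid: str
    bssid: str
    mode: str
    cipher: str


def audit_config(cfg: SsidConfig,
                 production_vlans: FrozenSet[str] = frozenset({"prod"})) -> List[str]:
    """Findings for one deployed SSID; an empty list means it passes."""
    findings: List[str] = []
    if cfg.public:
        # An open guest network is acceptable only if it is an island.
        leaks = cfg.reachable_vlans - {cfg.vlan}
        if leaks:
            findings.append(f"{cfg.ssid}: public network reaches internal VLAN(s) {sorted(leaks)}")
        return findings
    if cfg.mode in WEAK_MODES or cfg.cipher in WEAK_CIPHERS:
        findings.append(f"{cfg.ssid}: {cfg.mode}/{cfg.cipher} is not WPA2 with AES-CCMP")
    elif cfg.auth == "psk":
        # A shared key can be read back from any device that stored it and guessed
        # offline from a captured handshake; 802.1X gives each user own credentials.
        findings.append(f"{cfg.ssid}: shared PSK; prefer WPA2-Enterprise (802.1X/EAP)")
    hits = cfg.reachable_vlans & production_vlans
    if hits:
        findings.append(f"{cfg.ssid}: wireless VLAN {cfg.vlan} can reach production VLAN(s) {sorted(hits)}")
    return findings


def detect_rogues(configured: Iterable[SsidConfig],
                  observed: Iterable[ObservedAp]) -> List[str]:
    """Evil-twin check: a beacon carrying one of our SSIDs from a radio we do not
    own is a rogue; an owned radio beaconing different security is misconfigured.
    Unknown SSIDs are skipped, since they are usually neighbours, not attacks."""
    ours = {c.ssid: c for c in configured}
    findings: List[str] = []
    for ap in observed:
        cfg = ours.get(ap.ssid)
        if cfg is None:
            continue
        if ap.bssid.lower() not in cfg.authorized_bssids:
            findings.append(f"rogue AP {ap.bssid} advertising {ap.ssid} as {ap.mode}/{ap.cipher}")
        elif (ap.mode, ap.cipher) != (cfg.mode, cfg.cipher):
            findings.append(f"authorized AP {ap.bssid} on {ap.ssid} beacons "
                            f"{ap.mode}/{ap.cipher}, expected {cfg.mode}/{cfg.cipher}")
    return findings


# Constructed inventory: one sound SSID, a legacy SSID bridged to production,
# and a public guest SSID that leaks into the wired office VLAN.
CONFIGURED = [
    SsidConfig("OST-Corp", "wpa2", "ccmp", "eap", "wifi-corp", frozenset({"wifi-corp"}),
               frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})),
    SsidConfig("OST-Legacy", "wpa", "tkip", "psk", "wifi-legacy",
               frozenset({"wifi-legacy", "prod"}), frozenset({"00:11:22:33:44:03"})),
    SsidConfig("OST-Guest", "open", "none", "none", "wifi-guest",
               frozenset({"wifi-guest", "corp-wired"}), frozenset({"00:11:22:33:44:04"}),
               public=True),
]
# Constructed scan: our radios, a neighbour, and an open evil twin of OST-Corp.
OBSERVED = [
    ObservedAp("OST-Corp", "00:11:22:33:44:01", "wpa2", "ccmp"),
    ObservedAp("OST-Corp", "DE:AD:BE:EF:00:01", "open", "none"),
    ObservedAp("OST-Corp", "00:11:22:33:44:02", "wpa2", "tkip"),
    ObservedAp("CoffeeShop", "aa:bb:cc:dd:ee:ff", "open", "none"),
    ObservedAp("OST-Guest", "00:11:22:33:44:04", "open", "none"),
]


def run_audit() -> Dict[str, List[str]]:
    """Run both checks over the sample data and group the findings."""
    return {"config": [f for c in CONFIGURED for f in audit_config(c)],
            "rogue": detect_rogues(CONFIGURED, OBSERVED)}


if __name__ == "__main__":
    for group, items in run_audit().items():
        print(group, *items, sep="\n  ")
```

On the sample data the audit flags the legacy SSID twice (WPA/TKIP, and a wireless VLAN that can reach production), the guest SSID once (it reaches the wired office VLAN despite being public), and the scan twice (an unknown radio beaconing OST-Corp as an open network, and an owned radio beaconing TKIP instead of CCMP). Note the limit of the rogue check: an attacker can clone an authorized BSSID as easily as an SSID, so a BSSID list alone does not catch a careful evil twin; a real WIPS also correlates signal strength, channel and timing across several sensors to tell a cloned radio from the genuine one.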