By Eric Geier
September 13, 2011
We list the six biggest Wi-Fi security mistakes so that you can avoid them and better protect your wireless network.
A wireless network offers lots of advantages over being tethered to your desk. But “no wires” doesn’t mean you can forgo security. These are the six most common Wi-Fi security mistakes people make when setting up a wireless network. Avoid them, and you can rest easier knowing that both your network and your data are safer.
6 Common Wi-fi Security Mistakes
1. No encryption or using only unsecure WEP security
Encrypting your wireless network is essential for two reasons: to keep unauthorized people from connecting to it, and to prevent eavesdropping on your Internet traffic. If random people can connect, they may be able to access your shared folders and other network resources. If they can eavesdrop, they may be able to capture your passwords or hijack your websites and/or services accounts that you log into that don’t use SSL encryption.
Remember WEP security is not secure, and it can be cracked easily. At a bare minimum you should use the Personal (PSK) mode of WPA or WPA2 security — preferably WPA2. It will encrypt your traffic and prevent unauthorized access. This mode is still susceptible to brute force cracking, so make sure you create and use a strong encryption password (called a passphrase). Use a long password (up to 63 characters), mix upper and lower case letters, and add in special characters, too.
2. Not using WAP2-Enterprise security with 802.1X authentication
All wireless networks used by businesses or organizations with employees should use the Enterprise mode of WPA or WPA2 security. It typically requires a separate server (called a RADIUS server) to do the required 802.1X authentication, but some select access points include a built-in RADIUS server. There are also hosted services (such as AuthenticateMyWiFi) that make the whole process easy.
This Enterprise mode offers increased security and lets you better manage access to the Wi-Fi network. Instead of using the same password on all your Wi-Fi computers and devices, you can assign users their own individual account and/or digital certificate that they must use in order to connect. Therefore, when an employee leaves the organization or you lose a Wi-Fi device, you only have to revoke/change one account. If using the Personal mode of WPA/WPA2, you’d have to change the password on all your access points, computers and devices.
The Enterprise mode of WPA/WPA2 also prevents users on the Wi-Fi network from eavesdropping on each other’s traffic. Unlike when using the Personal mode, users can’t use hacker software apps to capture passwords and hijack accounts of others.
3. Not securing 802.1X client settings
If you are using the Enterprise mode of WPA/WPA2, you should configure all user accounts with full security to prevent man-in-the-middle attacks. In the EAP settings of the client (such as Windows), make sure it’s set to validate the server certificate, that a server address is defined, and the root CA certificate is selected. In Windows, you should also select to have it not prompt users to trust new CAs.
4. Trusting MAC address filtering
MAC address filtering is available on just about all wireless routers and access points. It lets you define a list of computers and devices that are allowed or disallowed to connect, based upon its MAC address — that’s supposed to be unique.
However, MAC addresses can be spoofed easily. Someone can watch for authorized MAC addresses, set their client to one, and then be able to connect. Don’t ever use just MAC filtering on a Wi-Fi network without encryption. Even if it keeps other people off the network, without encryption they could still eavesdrop on your wireless activity.
However, if you have encryption enabled you may consider using MAC filtering to help control which computers and devices authorized users connect to the Wi-Fi. Again, your users could easily spoof their MAC, but it could help.
5. Trusting hidden SSIDs
Wireless routers and access points let you turn off network name broadcasting (SSID). This removes the SSID from beacons, but it’s still used in some packets. Someone using a special (but free and easy to obtain) wireless stumbler may be able to quickly discover a “hidden SSID.” It can keep casual users from seeing that your network exists, but it doesn’t help prevent hackers from finding out.
You might think that hiding your SSID acts as another layer of security — making it harder for hackers — but keep in mind that it could also make using your network harder and degrade its performance. This is because you have to manually create wireless profiles on your computers and devices, since you can’t just see them and click to connect. This can also generate a lot of additional packets on the network, possibly decreasing the bandwidth.
6. Not limiting SSIDs employees can connect to
An often-overlooked security issue is that users may be able to easily connect to other Wi-Fi signals. It could be your unsecured public Wi-Fi (if you offer one), a Wi-Fi signal belonging to another organization or a hacker that’s setup an evil-twin network to cull the user’s credentials. The users could connect intentionally, to avoid Web filtering for example, or unintentionally. Whatever the case, it could expose the computer or device to nefarious people.
In Windows Vista and later, you can limit the SSIDs it can see and connect to via the netsh wlan commands via the Command Prompt. This isn’t possible in Windows XP, but you should ensure that the wireless settings are set to automatically connect to any available network and clear other networks from the list of preferred networks.