
Wi-Fi networks security: 10 tips to secure your wireless network

As an introduction

Some time ago, when we talked with customers about wireless network performance and security, we often heard the following arguments:

  • Why do we need it?
  • From whom do we need to protect?
  • Everything works well and nobody hacks us!

Fortunately, we hear such phrases less often lately, but not everything in the garden is rosy. There are still many companies where IT specialists do not consider it necessary to properly secure the wireless segment of the corporate network.


The common situation

Most often, wireless networks in organizations are set up as follows:

  • The wireless network is built on SOHO routers/access points that are not designed for operation in loaded networks
  • Authentication is based on pre-shared keys
  • The wireless network has unrestricted access to servers and other resources
  • Internet access is configured without any restrictions or checks
  • Equipment firmware updates are not properly tracked
  • Default equipment settings are used

This is not true of every company, and not all of these items apply at once, but usually several of them do.

Let’s examine several situations and consider what can happen in each.

Easiest network access

Any unauthorized user, in other words an intruder, can gain access to the organization’s LAN, even from the outside! Pre-shared authentication keys usually go unchanged for a long time and are known to a wide range of people. Then, using simple methods, it is possible to attack any server or PC and obtain access to almost any information.

Unprotected BYOD (bring your own device)

A large number of personal devices belonging to employees and guests, whose protection cannot be controlled, are also connected to the network. This creates a risk of malware, e.g. ransomware (encrypting malware) and cryptominers, infiltrating the LAN through such devices.

Uncontrolled operation

Outdated firmware versions contain many vulnerabilities through which management access can be obtained and, as a result, control of the wireless network can be lost. Outdated versions can also be unstable: the equipment can “freeze and misbehave”.

Incorrect commissioning

Default passwords and IP addresses that were not changed during network commissioning are easy to find in the documentation, especially when the installed equipment model is known, and the model itself can be determined by a simple scan.

Lack of modern protection means

Finally, wireless network operation can be blocked by a DoS attack on the equipment, since SOHO devices have no protection against it!

How do you protect the organization’s Wi-Fi network and commercial information from hacking by potential intruders? We will tell you!

10 steps to securing a Wi-Fi network

Step No.1 Protect management access to the wireless network devices

Change the default settings and restrict access to management interfaces. Use only secure management protocols: HTTPS and SSH.

This step eliminates the risk of losing control of the equipment: only authorized administrators will be able to change wireless network parameters.

Step No.2 Look for updates

Regularly check for updates and update the operating system software (firmware) of the wireless network equipment.

This simple step prevents intruders from exploiting known, common vulnerabilities, and the equipment will run more stably and without lags.

Step No.3 Set the relevant technologies and encryption algorithms

Use only proven access technologies and encryption algorithms such as WPA2/WPA3 and AES. WEP, WPA and TKIP are not recommended.

These settings help prevent key cracking, which otherwise takes only several dozen minutes.
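
One way to check a site against this recommendation, as an added example that is not part of the original article: the Python function below reads the text printed by the Linux `iw dev <iface> scan` command and reports every network that still offers WEP, WPA or TKIP. The sample scan is constructed and abridged, and `audit_scan` is a name chosen for this example.

```python
import re

# Constructed, abridged sample in the layout printed by `iw dev <iface> scan`;
# the BSSIDs and SSIDs are made up for this example.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: corp-wifi
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: legacy-wifi
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:03(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: old-printer
"""

def audit_scan(text):
    """Map SSID -> findings; an empty list means WPA2/WPA3 with AES only."""
    report = {}
    # Each network starts with an unindented "BSS " line; split the dump there.
    for block in re.split(r"(?m)^(?=BSS )", text):
        if not block.startswith("BSS "):
            continue
        ssid = re.search(r"(?m)^\s*SSID: (.*)$", block)
        privacy = re.search(r"(?m)^\s*capability:.*\bPrivacy\b", block)
        rsn = re.search(r"(?m)^\s*RSN:", block)   # WPA2/WPA3 information element
        wpa = re.search(r"(?m)^\s*WPA:", block)   # legacy WPA (version 1) element
        ciphers = set(" ".join(re.findall(r"ciphers?: (.+)", block)).split())
        findings = []
        if not privacy:
            findings.append("open network, no encryption")
        elif not (rsn or wpa):
            findings.append("WEP")  # Privacy bit set, but no WPA/RSN element
        if wpa:
            findings.append("WPA (version 1) enabled")
        if "TKIP" in ciphers:
            findings.append("TKIP cipher offered")
        report[ssid.group(1).strip() if ssid else ""] = findings
    return report
```

Running `audit_scan` on a saved scan of your own access points gives a quick list of SSIDs whose settings still need to be changed.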

Step No.4 Separate Wi-Fi networks

We strongly recommend separating the wireless network into guest and corporate networks. The guest network can have Internet access only. The corporate network can have LAN access. Use segmentation (VLANs) for the different networks.

By following this recommendation, you will improve the security of your organization, since guest devices and employees' personal smartphones and laptops will have no access to LAN resources. It is hard or impossible to verify that such devices comply with security rules.

Corporate smartphones, tablets and laptops with access to LAN resources are subject to strict checks.

Step No.5 Use strong user authentication

Set up strong user authentication/authorization for the corporate network and temporary passwords for the guest network. For instance, for the corporate network you can use accounts and passwords based on Microsoft Active Directory data. For that you need a server with RADIUS protocol support, for instance Cisco ISE or Microsoft NPS.

This gives a complete picture of the actions of users and their devices in the wireless network, which helps to prevent and investigate possible information security incidents. The Microsoft AD password policy will also apply to the wireless network.

Guest accounts with a limited duration can be created from the wireless network controller interface. This removes the possibility of permanent access with the same passwords over a long time, thus minimizing the possibility of illegitimate actions by public users.

Step No.6 Do not forget about the firewall

Access to the LAN from the wireless network should go only through a firewall that permits only the rules required for operation.

The most secure option is to connect the wireless network devices to separate switches with no connection to the LAN switches.

In that case, access to the LAN can be provided through a firewall and VPN technology.

Step No.7 Do not forget about the firewall, part 2

Internet access from all segments of the wireless network should go only through a firewall (NGFW) with advanced filtering functions enabled, e.g. an intrusion prevention system, DNS request control and antivirus. If a firewall is not an option, at least use the Cisco Umbrella cloud service to protect wireless network users.

Such measures keep malware from infiltrating the corporate network and protect the uncontrolled, usually poorly protected guest and personal devices.

Step No.8 Use Wi-Fi network controller protection functions

Set up the intrusion prevention functions (Wireless IPS) and Management Frame Protection, which are included in all fully functional wireless network controllers.

WIPS protects against fake Wi-Fi networks and blocks attacks that match known patterns (signatures). MFP prevents network outages caused by spoofed management frames.

Step No.9 Perform monitoring

Regularly monitor wireless network access events and traffic flows into the LAN and the Internet. Any simple Syslog server, which is part of any Linux distribution, or a professional solution such as SolarWinds will do.

This makes it possible to analyze past incidents and prevent new ones.
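
The kind of check a Syslog collector makes possible, as an added example that is not from the original article: the Python function below flags wireless clients with repeated authentication failures inside a short time window. The log lines, the `wlc` tag and the message layout are constructed for illustration; real controllers and RADIUS servers use their own formats, so the regular expression has to be adapted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines; host name, tag and key=value layout are hypothetical.
SAMPLE_LOG = """\
2024-05-06T09:00:01 wlc01 wlc: auth-fail ssid=corp user=jdoe mac=02:00:00:aa:00:01
2024-05-06T09:00:09 wlc01 wlc: auth-fail ssid=corp user=admin mac=02:00:00:aa:00:01
2024-05-06T09:00:15 wlc01 wlc: auth-ok ssid=corp user=asmith mac=02:00:00:aa:00:02
2024-05-06T09:00:20 wlc01 wlc: auth-fail ssid=corp user=root mac=02:00:00:aa:00:01
2024-05-06T09:00:31 wlc01 wlc: auth-fail ssid=corp user=test mac=02:00:00:aa:00:01
2024-05-06T09:30:00 wlc01 wlc: auth-fail ssid=corp user=asmith mac=02:00:00:aa:00:02
"""

LINE = re.compile(
    r"^(\S+) \S+ wlc: auth-(ok|fail) ssid=(\S+) user=(\S+) mac=(\S+)$")

def failed_auth_bursts(log, threshold=4, window=timedelta(seconds=60)):
    """Return {mac: sorted user names} for clients that reach `threshold`
    failed authentications within one sliding `window`."""
    recent = defaultdict(deque)   # mac -> (timestamp, user) failures in window
    alerts = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "fail":
            continue              # unparsed lines and successes are skipped
        ts = datetime.fromisoformat(m.group(1))
        user, mac = m.group(4), m.group(5)
        q = recent[mac]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            seen = set(alerts.get(mac, [])) | {u for _, u in q}
            alerts[mac] = sorted(seen)
    return alerts
```

One device trying several different user names in under a minute, as in the sample, is worth investigating even when none of the attempts succeeds.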

Step No.10 Before protecting something you need to properly build it

  • If the quality indicators of your Wi-Fi network do not meet the specified requirements, we recommend performing an audit and, once the reason for the low performance is found, eliminating it.
  • If you are just planning a wireless network in your organization, approach this task with the proper level of responsibility and delegate it to professionals.
  • Professional services related to wireless networks are one of the focus areas of our company, so the LWCOM team of radio engineers is ready to join your project at any time.
