Introduction
Some time ago, when we discussed wireless network performance and security with customers, we often heard the following arguments:
- Why do we need it?
- Who do we need to protect ourselves from?
- Everything works fine and nobody is hacking us!
Fortunately, we hear such phrases less often lately, but still, not everything is rosy. There are still many companies where IT specialists do not consider it necessary to properly secure the wireless segment of the corporate network.
WE WILL EXPLAIN HOW TO PROTECT A WI-FI NETWORK AND GIVE SPECIFIC RECOMMENDATIONS FOR DOING SO
The typical situation
Most commonly, wireless networks in organizations are built the following way:
- The wireless network is built on SOHO routers/access points that are not designed for heavily loaded networks
- Authentication is based on pre-shared keys
- The wireless network has unrestricted access to servers and other resources
- Internet access is provided without any restrictions or inspection
- Equipment firmware updates are not monitored properly
- Default equipment settings are in use
This is not true of every company, and not all of the items apply at once, but there are usually several of them to remark on.
Let's look at several situations and imagine what can happen in each case.
Easy network access
Any unauthorized user, in other words an intruder, can gain access to the organization's LAN, even from outside! Pre-shared authentication keys are usually left unchanged for a long time and are known to a wide circle of people. From there, simple methods are enough to attack any server or PC and obtain access to almost any information.
Unprotected BYOD (bring your own device)
A large number of personal devices belonging to employees and guests, whose protection cannot be controlled, are also connected to the network. This creates a risk of malware, e.g. ransomware (cryptolockers) and cryptominers, entering the LAN through such devices.
Uncontrolled operation
Outdated firmware versions contain many vulnerabilities through which management access can be obtained and, as a result, control over the wireless network can be lost. Outdated versions can also be unstable, causing equipment to "freeze and misbehave".
Incorrect commissioning
Default passwords and IP addresses that were not changed during network commissioning can easily be found in the documentation, especially once the installed equipment model is known, which in turn can be determined by a simple scan.
Lack of modern protection mechanisms
And finally, wireless network operation can be knocked out by a DoS attack on the equipment, since SOHO devices have no protection function against it!
10 steps to securing a Wi-Fi network
Step No.1: Protect the management of the wireless network devices
Change the default settings and restrict access to the management interfaces. Use only secure management protocols (HTTPS/SSH).
This step rules out losing control of the equipment: only authorized administrators can change wireless network parameters.
Step No.2: Look for updates
Regularly check for updates and update the operating system software (firmware) of the wireless network equipment.
By completing this simple step you prevent intruders from exploiting known and common vulnerabilities, and the equipment will operate more stably and without lags.
Step No.3: Use current technologies and encryption algorithms
Use only proven access technologies and encryption algorithms such as WPA2/WPA3 and AES. WEP, WPA and TKIP are not recommended.
These settings help prevent the key from being cracked, which otherwise takes just a few dozen minutes.
Step No.4: Separate Wi-Fi networks
We strongly recommend separating the wireless network into guest and corporate networks. The guest network should have Internet access only; the corporate network may have LAN access. Use segmentation (VLANs) for the different networks.
By following this recommendation you improve the security of your organization, since guest devices and employees' personal smartphones and laptops will have no access to LAN resources. Such devices are hard or impossible to control for compliance with security rules.
Corporate smartphones, tablets and laptops with access to LAN resources are subject to strict checks.
Step No.5: Use strong user authentication
Set up strong user authentication/authorization for the corporate network and temporary passwords for the guest network. For instance, for the corporate network you can use accounts and passwords from Microsoft Active Directory. For that you need a server with RADIUS protocol support, for instance Cisco ISE or Microsoft NPS.
This gives you a complete picture of the actions of users and their devices in the wireless network, which helps in preventing and investigating possible information security incidents. The Microsoft AD password policy will also apply to the wireless network.
Guest accounts with limited validity can be created from the wireless network controller interface. This way nobody can obtain permanent access by reusing the same passwords for a long time, which minimizes the possibility of illegitimate actions by public users.
Step No.6: Do not forget about the firewall
Access to the LAN from the wireless network should go through a firewall only, in which only the rules required for operations are allowed.
The most secure option is to connect the wireless network devices to separate switches with no connection to the LAN switches.
In that case, access to the LAN can be provided through the firewall and VPN technology.
Step No.7: Do not forget about the firewall, part 2
Internet access from all segments of the wireless network should go through a firewall only (an NGFW) with the advanced filtering functions enabled, e.g. intrusion prevention system, DNS request control and antivirus. If a firewall is not an option, at least use the Cisco Umbrella cloud service to protect wireless network users.
Such measures will keep malware from infiltrating the corporate network and protect the uncontrolled and usually poorly protected guest and personal devices.
Step No.8: Use the Wi-Fi network controller's protection functions
Set up the intrusion prevention system (Wireless IPS) and Management Frame Protection functions, which are included in all fully functional wireless network controllers.
WIPS protects against fake Wi-Fi networks and blocks attacks matching known templates (signatures); MFP prevents network disruption by means of spoofed management frames.
Step No.9: Perform monitoring
Regularly monitor wireless network access events and traffic flows into the LAN and the Internet. Any simple Syslog server, which is part of any Linux distribution, or a professional solution such as SolarWinds will do.
This lets you analyze past incidents and prevent new ones.
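As an added example (not from the original article), the short Python script below reviews the kind of Syslog data Step 9 asks you to collect: constructed controller authentication lines and firewall flow lines, flagging clients with repeated RADIUS failures and any guest-VLAN traffic aimed at the server LAN, where an ALLOW verdict reveals that the segmentation from Steps 4 and 6 is not actually enforced. The log format, field names and the 10.0.0.0/24 server range are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real device output): RADIUS results from
# the controller and firewall verdicts on flows leaving the Wi-Fi VLANs.
SAMPLE_LOGS = """\
Jun 01 09:00:01 wlc AUTH: result=FAIL user=jsmith mac=aa:bb:cc:dd:ee:01 ssid=CORP
Jun 01 09:00:04 wlc AUTH: result=FAIL user=jsmith mac=aa:bb:cc:dd:ee:01 ssid=CORP
Jun 01 09:00:07 wlc AUTH: result=FAIL user=jsmith mac=aa:bb:cc:dd:ee:01 ssid=CORP
Jun 01 09:00:09 wlc AUTH: result=OK user=anna mac=aa:bb:cc:dd:ee:02 ssid=CORP
Jun 01 09:01:12 fw FLOW: action=DENY src=10.20.0.15 vlan=guest dst=10.0.0.5 dport=445
Jun 01 09:01:13 fw FLOW: action=DENY src=10.20.0.15 vlan=guest dst=10.0.0.6 dport=445
Jun 01 09:01:20 fw FLOW: action=ALLOW src=10.20.0.15 vlan=guest dst=93.184.216.34 dport=443
Jun 01 09:01:31 fw FLOW: action=ALLOW src=10.20.0.22 vlan=guest dst=10.0.0.9 dport=3389
Jun 01 09:02:00 fw FLOW: action=ALLOW src=10.10.0.7 vlan=corp dst=10.0.0.5 dport=445
"""

SERVER_LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed server LAN range
KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """One dict per line: the key=value fields plus 'kind' (AUTH or FLOW)."""
    events = []
    for line in text.splitlines():
        head, _, body = line.partition(": ")
        fields = dict(KV.findall(body))
        fields["kind"] = head.rsplit(" ", 1)[-1]
        events.append(fields)
    return events


def failed_auth_bursts(events, threshold=3):
    """Client MACs with at least `threshold` failed RADIUS authentications."""
    fails = Counter(e["mac"] for e in events
                    if e["kind"] == "AUTH" and e["result"] == "FAIL")
    return {mac: n for mac, n in fails.items() if n >= threshold}


def guest_to_lan(events):
    """Guest-VLAN flows aimed at the server LAN, counted per (src, verdict).
    DENY means the firewall did its job; ALLOW means the guest segment leaks."""
    hits = Counter()
    for e in events:
        if (e["kind"] == "FLOW" and e["vlan"] == "guest"
                and ipaddress.ip_address(e["dst"]) in SERVER_LAN):
            hits[(e["src"], e["action"])] += 1
    return dict(hits)


def review(text):
    events = parse(text)
    return {"auth_bursts": failed_auth_bursts(events),
            "guest_to_lan": guest_to_lan(events)}
```

Calling `review(SAMPLE_LOGS)` reports one client with three failed logins and one guest host that the firewall let through to a LAN server on port 3389, the rule gap to fix first.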
Step No.10: Before protecting something, you need to build it properly
- If the quality indicators of your Wi-Fi network's operation do not meet the specified requirements, we recommend performing an audit and, once the reason for the low performance is found, eliminating it.
- If you are just planning the wireless network for your organization, approach the task with the proper level of responsibility: delegate it to professionals.
- Professional services related to wireless networks are one of our company's focus areas, so the LWCOM team of radio engineers is ready to join your project at any time.