Protecting Wi-Fi wireless network security

Source: Internet
Author: User

Wi-Fi is inherently exposed to attack and eavesdropping. With the right security measures, however, Wi-Fi can be made safe. Unfortunately, the Internet is full of outdated advice and misconceptions. Here are some of the things you should and should not do for Wi-Fi security.

  1. Do not use WEP

WEP (Wired Equivalent Privacy) has long been dead. Even inexperienced attackers can break its encryption quickly and easily, so you should not use WEP at all. If you still use WEP, upgrade now to WPA2 (Wi-Fi Protected Access 2, the 802.11i standard) with 802.1X authentication. If you have older client devices or access points that do not support WPA2, try to upgrade their firmware or simply replace the hardware.

  2. Do not use WPA/WPA2-PSK

WPA/WPA2 pre-shared key (PSK) mode is not secure enough for business or enterprise environments. In this mode the same pre-shared key must be entered on every client, so the PSK has to be changed on every client whenever an employee leaves the company or a client device is lost or stolen. In most environments that is not realistic.

  3. Be sure to use 802.11i

WPA/WPA2 Enterprise mode, which uses EAP (Extensible Authentication Protocol) over 802.1X authentication instead of a PSK, lets each user and client log on with its own credentials, such as a username and password or a digital certificate.

The actual encryption keys are negotiated per session and rotated periodically in the background. To change or revoke a user's access, you therefore only need to modify that user's credentials on the central authentication server instead of changing the PSK on every client. Because each client ends up with its own keys, users also cannot eavesdrop on each other's traffic, which on an open or PSK network is easy with tools such as the Firefox add-on Firesheep or Android apps such as DroidSheep.

Keep in mind that for the best security you should use WPA2 with 802.1X. This combination is also called 802.11i (or WPA2-Enterprise).

To perform 802.1X authentication you need a RADIUS/AAA server. If you run Windows Server 2008 or later, consider using Network Policy Server (NPS); earlier server versions provide Internet Authentication Service (IAS). If you are not running Windows Server, consider the open source FreeRADIUS server.

If you run Windows Server 2008 R2 or later, you can push the 802.1X settings to domain-joined clients through Group Policy. Otherwise, consider a third-party solution to help configure the clients.

  4. Be sure to secure the 802.1X client settings

WPA/WPA2 Enterprise (EAP) mode is still susceptible to man-in-the-middle attacks: a rogue access point with its own RADIUS server can impersonate yours if the client does not verify who it is authenticating to. You can prevent this by locking down the client's EAP settings. For example, in the Windows EAP settings you can enforce server certificate validation, select the trusted CA certificate that issued your RADIUS server's certificate, specify the server name(s) the client will accept, and disable the prompt that would otherwise let the user trust a new server or CA certificate.

You can also use Group Policy to push these 802.1X settings to domain-joined clients, or a third-party solution such as Avenda Systems' Quick1X.
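As an added example (not from the original article, nor Microsoft's code), the following Python audits the four settings just listed as they appear in a Windows WLAN profile XML, with a weak profile beside the hardened one. The profile structure follows what `netsh wlan export profile` produces but is trimmed to the elements relevant to server validation, so it is for inspection rather than import; the SSID, the RADIUS server name and the CA thumbprint are placeholders. In practice you would run the audit over exported profiles collected from your clients.

```python
"""Audit the PEAP server-validation settings in a Windows WLAN profile.

Example code added for illustration; the profile XML is constructed here,
trimmed to the elements relevant to server validation, and the SSID, RADIUS
server name and CA thumbprint are made-up placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional


def _local(tag: str) -> str:
    """Strip the namespace from an element tag (profiles mix several namespaces)."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root: ET.Element, name: str) -> Optional[str]:
    """Text of the first element with this local name, or None if it is absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_wlan_profile(profile_xml: str) -> List[str]:
    """Return the weaknesses found; an empty list means the client will only talk
    to a RADIUS server with the expected name, whose certificate chains to the
    pinned CA, and will never ask the user to accept an unknown one."""
    root = ET.fromstring(profile_xml)
    findings = []
    if _first_text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation is disabled")
    if not _first_text(root, "TrustedRootCA"):
        findings.append("no trusted root CA pinned: any CA in the machine store is accepted")
    if not _first_text(root, "ServerNames"):
        findings.append("no RADIUS server name to match against the certificate")
    if _first_text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user can be prompted to trust a new server or CA certificate")
    return findings


def peap_profile(ssid: str, validate: bool, trusted_ca: str,
                 server_names: str, disable_prompt: bool) -> str:
    """WPA2-Enterprise PEAP/MSCHAPv2 profile, structured after `netsh wlan export profile`."""
    def flag(v: bool) -> str:
        return "true" if v else "false"
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{flag(disable_prompt)}</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                <TrustedRootCA>{trusted_ca}</TrustedRootCA>
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{flag(validate)}</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


# A profile with "verify the server's identity" unticked: nothing pins the RADIUS server.
WEAK_PROFILE = peap_profile("CorpWLAN", validate=False, trusted_ca="",
                            server_names="", disable_prompt=False)

# The locked-down form described above (placeholder CA thumbprint and server name).
HARDENED_PROFILE = peap_profile(
    "CorpWLAN", validate=True,
    trusted_ca="a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4",
    server_names="radius.corp.example", disable_prompt=True)

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {audit_wlan_profile(profile) or ['no findings']}")
```

The audit matches elements by local name on purpose: exported profiles spread these settings across several XML namespaces, and the point is to catch a missing element (which the audit treats the same as a wrong value) as well as an explicitly weak one.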

  5. Be sure to use a wireless intrusion prevention system

Securing Wi-Fi involves much more than fending off attempts to gain access to the network. An attacker can, for example, set up a rogue access point or launch a denial-of-service attack. To help detect and counter such attacks, deploy a wireless intrusion prevention system (WIPS). Designs and methods vary from vendor to vendor, but these systems generally monitor the air for rogue access points and other malicious activity, alert you, and in some cases actively block the malicious behavior.

Many commercial vendors offer WIPS solutions, such as AirMagnet and AirTight Networks. There are also open source options such as Snort.

  6. Be sure to use NAP or NAC

In addition to 802.11i and WIPS, consider deploying a NAP (Network Access Protection) or NAC (Network Access Control) solution. These provide additional control over network access based on client identity and compliance with defined policies, and typically include the ability to quarantine non-compliant clients and offer remediation so they can be brought into compliance.

Some NAC solutions include network intrusion prevention and detection capabilities. Make sure, however, that any such solution also provides protection specifically for the wireless side.

If your servers run Windows Server 2008 or later and your clients run Windows Vista or later, you can use Microsoft's NAP functionality. Alternatively, consider third-party solutions such as the open source PacketFence.

  7. Do not trust the hidden SSID

One common wireless security myth is that disabling SSID broadcast on an access point hides your network, or at least its SSID, making it hard for attackers to find. In practice this only removes the SSID from the access point's beacon frames. The SSID is still sent in association requests and, in some cases, in probe requests and probe responses. An eavesdropper with an ordinary wireless analyzer can therefore quickly recover a "hidden" SSID on a busy network.

Some argue that disabling SSID broadcast still adds another layer of security. Remember, however, that it can hurt configuration and performance. The SSID must be entered manually on every client, which complicates client setup, and clients send more probe requests (and receive more probe responses) looking for the network, consuming available airtime.
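As an added example (not part of the original article) covering points 5 and 7 above, the following Python parses 802.11 management frames from a constructed capture. It flags an evil-twin access point that beacons the corporate SSID from an unauthorized BSSID, the basic rogue-AP check a WIPS performs, and it recovers hidden SSIDs from the probe responses and association requests that still carry them, including the variant where the access point pads the SSID with NUL bytes instead of sending it empty. The SSID, BSSIDs and client MAC are placeholders; a real deployment would feed frames from a monitor-mode capture (for example via scapy or a pcap file) instead of the inline samples.

```python
"""Parse 802.11 management frames to (a) flag "evil twin" access points that
advertise the corporate SSID from an unknown BSSID and (b) recover a "hidden"
SSID from the probe responses and association requests that still carry it.

Example code added for illustration; the frames below are constructed here,
and the SSID, BSSIDs and client MAC are made-up placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Management-frame subtypes we care about, and the length of the fixed fields
# that precede the information elements in each frame body.
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
FIXED_BODY_LEN = {0: 4, 4: 0, 5: 12, 8: 12}   # cap+listen / none / timestamp+interval+cap
SSID_IE = 0


@dataclass
class MgmtFrame:
    subtype: str
    transmitter: str        # Address 2
    bssid: str              # Address 3
    ssid: Optional[str]     # None if no SSID IE; "" if the SSID is hidden


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(raw: bytes) -> Optional[MgmtFrame]:
    """Return the parsed frame, or None for non-management or unsupported frames."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None
    body = raw[24 + FIXED_BODY_LEN[subtype]:]
    ssid = None
    i = 0
    while i + 2 <= len(body):                 # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:               # truncated element: stop, do not over-read
            break
        if tag == SSID_IE:
            text = value.decode("utf-8", "replace")
            ssid = "" if text.strip("\x00") == "" else text   # empty or NUL-padded = hidden
            break
        i += 2 + length
    return MgmtFrame(MGMT_SUBTYPES[subtype], _mac(raw[10:16]), _mac(raw[16:22]), ssid)


def detect_evil_twins(frames: List[MgmtFrame], corp_ssid: str,
                      authorized_bssids: Set[str]) -> List[str]:
    """BSSIDs that advertise our SSID (beacon or probe response) but are not ours."""
    return sorted({f.bssid for f in frames
                   if f.subtype in ("beacon", "probe-resp")
                   and f.ssid == corp_ssid and f.bssid not in authorized_bssids})


def recover_hidden_ssids(frames: List[MgmtFrame]) -> Dict[str, str]:
    """Map each BSSID that beacons a hidden SSID to the name it leaks elsewhere."""
    hidden = {f.bssid for f in frames if f.subtype == "beacon" and f.ssid == ""}
    return {f.bssid: f.ssid for f in frames
            if f.bssid in hidden and f.ssid and f.subtype in ("probe-resp", "assoc-req")}


# --- constructed sample capture ---------------------------------------------
def _frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, ssid: bytes) -> bytes:
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    fixed = b"\x00" * FIXED_BODY_LEN[subtype]
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates, a second IE
    return header + fixed + bytes([SSID_IE, len(ssid)]) + ssid + rates_ie


CORP_SSID = "CorpWLAN"
AP1, AP2 = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
ROGUE, CLIENT, BCAST = bytes.fromhex("deadbeef0001"), bytes.fromhex("0a1b2c3d4e5f"), b"\xff" * 6
NEIGHBOR = bytes.fromhex("c0ffee000001")
AUTHORIZED_BSSIDS = {_mac(AP1), _mac(AP2)}

RAW_CAPTURE = [
    _frame(8, BCAST, AP1, AP1, b""),                     # AP1 beacon with SSID broadcast disabled
    _frame(5, CLIENT, AP1, AP1, CORP_SSID.encode()),     # ...but its probe response names the network
    _frame(8, BCAST, AP2, AP2, b"\x00" * 8),             # AP2 hides the SSID as NUL padding
    _frame(0, AP2, CLIENT, AP2, CORP_SSID.encode()),     # a client's association request leaks it
    _frame(8, BCAST, ROGUE, ROGUE, CORP_SSID.encode()),  # evil twin beaconing our SSID
    _frame(8, BCAST, NEIGHBOR, NEIGHBOR, b"Neighbor"),   # unrelated network next door
    b"\x08\x00" + b"\x00" * 22,                          # a data frame, ignored by the parser
]
FRAMES = [f for f in map(parse_mgmt_frame, RAW_CAPTURE) if f is not None]

if __name__ == "__main__":
    print("evil twins:", detect_evil_twins(FRAMES, CORP_SSID, AUTHORIZED_BSSIDS))
    print("hidden SSIDs recovered:", recover_hidden_ssids(FRAMES))
```

Directed probe requests also carry the SSID, but their Address 3 is normally the broadcast address, so they reveal that a client is looking for the network without tying the name to a particular BSSID; the recovery above therefore relies on probe responses and association requests, which do name the access point.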

  8. Do not trust MAC address filtering

Another wireless security myth is that enabling MAC (media access control) address filtering adds a meaningful security layer by controlling which clients can connect to the network. There is a grain of truth in this, but remember that an eavesdropper can easily sniff the MAC addresses of authorized clients on the network and then change their own computer's MAC address to match one of them.

So do not expect MAC filtering to do much for security. You can still use it as a loose way to control which client devices users may connect to the network, but weigh that against the administrative burden of keeping the MAC list up to date.

  9. Be sure to limit which SSIDs users can connect to

Many network administrators overlook a simple and potentially dangerous risk: a user intentionally or unintentionally connects to a nearby or unauthorized wireless network, opening a door to possible intrusion. SSID filtering is one way to prevent this. In Windows Vista and later, for example, you can use the netsh wlan command to add filters controlling which SSIDs users can see and connect to. On desktop computers you can deny all SSIDs other than your own; on laptops you can deny just the SSIDs of the networks near your office while still allowing users to connect to hotspots and their home networks.

  10. Be sure to physically secure your network components

Keep in mind that security is not only about the latest technology and encryption; physically securing your network components is just as important. Mount access points out of reach, for example above a false ceiling, or place them out of sight and run the antenna to the best location. Otherwise someone can simply walk up to an access point and reset it to vendor defaults, leaving the network wide open.

  11. Don't forget to protect mobile clients

Your Wi-Fi security concerns should not stop at your own network. Smartphone, laptop and tablet users also need protection: what happens when they connect to a public Wi-Fi hotspot or their home router? Make sure those other Wi-Fi connections are also secured against intrusion and eavesdropping.

Unfortunately, securing Wi-Fi connections outside your own network is not easy. It requires a comprehensive approach: providing and recommending solutions, and educating users about Wi-Fi security risks and defenses.

First, all laptops and netbooks should run a personal firewall to block intrusions. If you run Windows Server you can enforce this through Group Policy, and you can use a solution such as Windows Intune to manage computers that are not in the domain.

Second, ensure that users' Internet traffic is encrypted against local eavesdroppers by providing VPN (virtual private network) access to your network from other networks. If you do not have an internal VPN for this, consider a hosted service such as Hotspot Shield or WiTopia. iOS (iPhone, iPad and iPod touch) and Android devices can use their built-in VPN clients. For BlackBerry and Windows Phone 7 devices, however, you must set up a messaging server and configure the devices to use its VPN client software.

You should also make sure that your Internet-facing services are secure for users who cannot use the VPN on a public or untrusted network. For example, if you provide e-mail access from outside your LAN, WAN or VPN, use SSL/TLS encryption so that a local eavesdropper on an untrusted network cannot capture users' logon credentials or data.

Contact Us

The content of this page is from the Internet and does not represent Alibaba Cloud's opinion; products and services mentioned on this page have no relationship with Alibaba Cloud. If the content of the page confuses you, please write us an email and we will handle the problem within 5 days of receiving it.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.
