Wi-Fi is inherently vulnerable to attack and eavesdropping. However, with the correct security measures in place, Wi-Fi can be safe. Unfortunately, the web is full of outdated advice and misunderstandings. Here are some of the things you should and shouldn't do in Wi-Fi security.
1. Do not use WEP
WEP (Wired Equivalent Privacy) security has long been dead. Even most inexperienced hackers can quickly and easily break its basic encryption. Therefore, you should not use WEP at all. If you do use WEP, upgrade now to 802.11i WPA2 (Wi-Fi Protected Access) with 802.1X authentication. If you have older devices and access points that do not support WPA2, try upgrading the firmware or simply replace the device.
2. Do not use WPA/WPA2-PSK
The preshared key (PSK) mode of WPA/WPA2 security is not safe for business or enterprise environments. In this mode, the same preshared key must be entered into every client. As a result, the PSK has to be changed whenever an employee leaves the company or a client device is lost or goes missing. This is not realistic in most environments.
3. Be sure to apply 802.11i
The EAP (Extensible Authentication Protocol) mode of WPA and WPA2 security uses 802.1X authentication instead of a PSK, so each user and client can log on with their own credentials, such as a user name and password, and a digital certificate.
The actual encryption keys are periodically changed and exchanged in the background. Therefore, to change or revoke a user's access, all you need to do is modify the login credentials on the central server instead of changing the PSK on each client. The unique keys for each session also prevent users from eavesdropping on each other's communications, which is now easy to do with tools such as the Firefox plugin Firesheep and Android apps such as DroidSheep.
Keep in mind that to achieve the best possible security, you should use WPA2 with 802.1X. This combination is also called 802.11i.
To use 802.1X authentication, you need a RADIUS/AAA server. If you are running Windows Server 2008 or later, you should consider using Network Policy Server (NPS), or Internet Authentication Service (IAS) on earlier server versions. If you are not running Windows Server, you may consider the open source FreeRADIUS server software.
If you run Windows Server 2008 R2 or later, you can push the 802.1X settings to domain-joined clients through Group Policy. Otherwise, you might consider a third-party solution to help configure these clients.
4. Be sure to secure the 802.1X client settings
WPA/WPA2 EAP mode is still susceptible to man-in-the-middle attacks. However, you can prevent these attacks by securing the client's EAP settings. For example, in the EAP settings for Windows, you can enforce server certificate validation by selecting a CA certificate, specifying a server address, and disabling the prompt that asks the user to trust a new server or CA certificate.
You can also use Group Policy to push 802.1X settings to domain-joined clients, or use a third-party solution such as Avenda's Quick1X.
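The checks from points 1, 2 and 4 can be automated against Windows wireless profiles. The following is an added example, not part of the original article: it assumes profiles exported with `netsh wlan export profile` and matches element names regardless of XML namespace; the sample profiles, server name and CA thumbprint are constructed placeholders.

```python
import xml.etree.ElementTree as ET

def _values(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def audit_profile(xml_text):
    """Return findings for one WLAN profile, following points 1, 2 and 4."""
    root = ET.fromstring(xml_text)
    auth = (_values(root, "authentication") or [""])[0]
    enc = (_values(root, "encryption") or [""])[0]
    findings = []
    if enc == "WEP" or auth in ("open", "shared"):
        findings.append("WEP or no encryption: move to WPA2 with 802.1X")
    elif auth in ("WPAPSK", "WPA2PSK"):
        findings.append("preshared key mode: move to 802.1X")
    elif auth in ("WPA", "WPA2"):  # 802.1X (EAP) mode
        if not any(_values(root, "TrustedRootCA")):
            findings.append("no CA certificate selected")
        if not any(_values(root, "ServerNames")):
            findings.append("no server name specified")
        if "true" not in _values(root, "DisableUserPromptForServerValidation"):
            findings.append("user may be prompted to trust a new server or CA")
    return findings

# Constructed, trimmed sample profiles; real exports carry more elements.
def sample(auth, enc, validation=""):
    return ('<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
            f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
            f"<encryption>{enc}</encryption></authEncryption>{validation}"
            "</security></MSM></WLANProfile>")

def validation(prompt_off, names, ca):
    return (f"<ServerValidation><DisableUserPromptForServerValidation>{prompt_off}"
            f"</DisableUserPromptForServerValidation><ServerNames>{names}</ServerNames>"
            f"<TrustedRootCA>{ca}</TrustedRootCA></ServerValidation>")

SAMPLES = {
    "wep": sample("open", "WEP"),
    "psk": sample("WPA2PSK", "AES"),
    "eap-default": sample("WPA2", "AES", validation("false", "", "")),
    # Server name and CA thumbprint below are placeholders, not real values.
    "eap-hardened": sample("WPA2", "AES",
                           validation("true", "radius.example.com", "00 11 22 33")),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, audit_profile(xml_text) or "ok")
```

An empty list means the profile uses 802.1X with all three server validation settings from point 4 in place.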
5. Be sure to use a wireless intrusion prevention system
Securing Wi-Fi involves much more than fighting direct attempts to gain access to the network. For example, a hacker can set up a rogue access point or carry out a denial-of-service attack. To help detect and combat these attacks, you should deploy a wireless intrusion prevention system (WIPS). The design and methods of WIPS products differ, but these systems generally monitor for rogue access points or malicious activity, alerting you and possibly blocking it.
There are many commercial vendors offering WIPS solutions, such as AirMagnet and AirTight Networks. There are also open source options such as Snort.