To support a modern mobile workforce, businesses need to provide their users with a secure wireless network, but which wireless security best practices should they follow?
In today’s world, where it is estimated that over 22 billion devices are connected via a Wireless Network (WLAN), almost all organisations have a requirement for wireless connectivity, whether for use by their staff, visitors and/or customers.
Having a wireless network gives users the convenience of working from anywhere in their place of work on their mobile devices or computers. However, if these networks are not configured correctly, they can leave businesses exposed to serious vulnerabilities.
An unsecured wireless network leaves the business vulnerable to hackers, who could easily exploit gaps in the organisation’s wireless security. Such attacks could compromise valuable customer information, resulting in data loss, financial ramifications and serious damage to a company’s reputation. Here we review some of the key wireless security best practices that you can follow to help protect your organisation.
Deploy and use a Public Key Infrastructure (PKI)
In the past, many businesses have used credential-based Wi-Fi authentication, issuing passwords to connect users to their wireless network. Whilst this is a simple solution that works effectively for a home network, it is not suitable for a business environment, where you need to protect and secure critical systems and data. A far more secure way of setting up wireless access in a business is to use certificate-based authentication. This can be achieved by deploying a public key infrastructure (PKI) to provide unique digital identities for the users, devices and applications that connect to the corporate network.
A PKI is the common term for the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates. PKIs use certificate-based technology, which enables businesses to identify and authenticate trusted people, systems and devices. Using a public key infrastructure is an effective way of managing, controlling and revoking certificates on a network: for example, if a device is lost or stolen, you can simply revoke its certificate and it will be prevented from connecting to your network. There is no need to change any passwords or have other users update their Wi-Fi passwords; the certificate is revoked, and the device will no longer connect.
Once an enterprise certificate authority has been deployed and configured, you will also need a Network Policy Server (NPS). The NPS server acts as a Remote Authentication Dial-In User Service (RADIUS) server, allowing RADIUS clients, such as wireless access points (APs), to connect to it and to authenticate users and devices against the Active Directory domain using their certificates.
Using a certificate-based approach to wireless networking also means that users never know the password, so they cannot share it with other people or use it on their own personal devices; for example, they can’t access the internal production network from a non-corporate, untrusted device.
Segregate Wi-Fi Traffic for Internal and Guest users
In most modern businesses, there is a requirement to offer staff, and often visitors, access to a Wi-Fi network. To ensure that your production environment is kept secure, with only trusted access, you should deploy multiple wireless networks, or Service Set Identifiers (SSIDs). By creating multiple SSIDs you can provide varying levels of access and security based on the user or device: for example, one for your production network, one for staff use of personal devices such as mobile phones, and a separate one for visitors.
When allowing visitors to use your Wi-Fi network, it’s strongly advised that you provide them with a guest network rather than the internal or staff network. This means that visitors can only access the internet, without gaining access to internal data. It’s recommended that you create separate networks, segregating the traffic across different virtual LANs (VLANs), to ensure that access cannot be gained to your production environment.
By deploying a PKI for your internal production infrastructure and having the traffic segregated, you can ensure that only trusted corporate devices are authorised or allowed to access your production network.
For non-corporate staff devices and visitor access, where only an internet connection is provided, credential-based authentication can be offered, with passwords being regularly updated. This traffic should still pass through a firewall, where it is scanned and checked against URL filtering policies.
Change Network Name / Passwords
When setting up your credential-based guest or staff SSIDs, it is essential to change the network name and password from the defaults. A strong password should be at least 20 characters long, with a mixture of numbers, letters and symbols, to ensure it can’t be easily guessed or brute-forced by hackers. Guest or visitor passwords should be changed regularly.
For more information on password security tips please see our password security blog post here.
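The SSID, VLAN and password rules from the last three sections can be checked mechanically against an inventory of your wireless networks. The following Python audit is an added example, not code from the original post; the SSID inventory, the default-name list and the 90-day guest rotation interval are constructed assumptions.

```python
"""Added example (not the post's own code): audit a constructed SSID inventory
against the practices above: certificate auth on production, VLAN segregation,
non-default names and 20+ character, regularly rotated passwords."""
from dataclasses import dataclass

DEFAULT_NAMES = {"default", "wireless", "linksys", "netgear", "tp-link"}  # constructed
MIN_PSK_LEN = 20             # minimum length given in the post
MAX_GUEST_PSK_AGE_DAYS = 90  # assumed rotation interval; the post only says "regularly"

@dataclass
class Ssid:
    name: str
    role: str   # "production", "staff" (personal devices) or "guest"
    auth: str   # "certificate" (PKI via RADIUS) or "password"
    vlan: int
    psk: str = ""
    psk_age_days: int = 0

def password_is_strong(psk: str) -> bool:
    """At least MIN_PSK_LEN characters mixing letters, digits and symbols."""
    has_letter = any(c.isalpha() for c in psk)
    has_digit = any(c.isdigit() for c in psk)
    has_symbol = any(not c.isalnum() for c in psk)
    return len(psk) >= MIN_PSK_LEN and has_letter and has_digit and has_symbol

def audit(ssids: list[Ssid]) -> list[str]:
    """Return one finding per violated practice; an empty list means compliant."""
    findings: list[str] = []
    roles_by_vlan: dict[int, set[str]] = {}
    for s in ssids:
        if s.role == "production" and s.auth != "certificate":
            findings.append(f"{s.name}: production SSID must use certificate-based auth")
        if s.name.lower() in DEFAULT_NAMES:
            findings.append(f"{s.name}: default network name, rename it")
        if s.auth == "password" and not password_is_strong(s.psk):
            findings.append(f"{s.name}: password under {MIN_PSK_LEN} chars or missing a class")
        if s.role == "guest" and s.psk_age_days > MAX_GUEST_PSK_AGE_DAYS:
            findings.append(f"{s.name}: guest password is {s.psk_age_days} days old, rotate it")
        roles_by_vlan.setdefault(s.vlan, set()).add(s.role)
    for vlan, roles in roles_by_vlan.items():
        if len(roles) > 1:  # guest or staff sharing a VLAN with production defeats segregation
            findings.append(f"VLAN {vlan}: shared by {sorted(roles)}, segregate the traffic")
    return findings

INVENTORY = [  # constructed sample, not a real deployment
    Ssid("corp-prod", "production", "certificate", vlan=10),
    Ssid("corp-byod", "staff", "password", vlan=20, psk="Lemon-Harbour-42-Pencil!", psk_age_days=30),
    Ssid("netgear", "guest", "password", vlan=20, psk="welcome123", psk_age_days=200),
]
```

Running `audit(INVENTORY)` on the constructed sample reports the default guest SSID name, its weak and stale password, and the guest network sharing VLAN 20 with staff devices.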
Use Layer 7 Firewalls
Firewalls protect your devices from malicious and unnecessary network traffic, and also prevent malicious software from reaching your devices via the internet. A layer 7 firewall operates at the seventh layer of the OSI model (the application layer), which allows for advanced traffic-filtering rules. With a layer 7 firewall you can protect traffic and your end-user devices with far stronger security measures, so that when a device returns to the office and joins the production network, you can be confident that there is nothing malicious on it.
Enforce a Business VPN
A virtual private network (VPN) has a huge impact on improving your company’s network security. With a VPN, data is encrypted as it is transmitted, so even if a cybercriminal intercepts it, they won’t be able to read it. We recommend that organisations force their users to route their internet traffic via a full-tunnel VPN, which ensures that all of the user’s traffic, regardless of their location, passes through the corporate firewall. This protects users by applying the business-defined URL filtering policies and blocking any unsecured websites.
Keep Router Firmware and Software Updated
Updating your firmware and software may be a time-consuming process; however, it is critical to your organisation’s network security. Every organisation should make a routine of checking that the router is running the latest firmware to maximise their wireless security. We recommend that you run your network on the most up-to-date firmware available; this ensures that known bugs and vulnerabilities are patched, and it improves stability.
For more information on patch management please see our patch management tools and best practices blog post here.
Secure Location of Router & Access Points
A simple, and seemingly obvious, measure that is often overlooked is ensuring that your router is in a secure location with restricted access. This ensures that the router cannot be tampered with or reset. Another location-based factor that is often missed is the placement of wireless access points (APs) around the building: these are often left in accessible areas, in corners of rooms, on the floor, etc., where a user can easily unplug one or connect an untrusted device to it. Placing them in central but not easily accessible areas, or hidden in the ceilings, is advisable.
If you would like any further information on how you can improve the wireless security measures within your organisation, or require any advice on network security best practices, please contact us on 01932 232345 or complete the form below.