10 Tips to Secure Your Wireless Network: Protect Your Network from Unauthorized Access

More traffic today is going over wireless networks than ever before. Unfortunately, malicious actors are trying to take advantage of that by eavesdropping on communications links or taking advantage of inadequately secured wireless access points.

Here we present some best practices to enable a secure wireless network. Many of these suggestions make it harder for hackers to do damage. 

Why you should secure your wireless network

In most enterprises, the wireless network is the entry point that provides access to the corporate backbone, applications, systems, data, and more. Once users connect their laptops, tablets, or smartphones via Wi-Fi, they are full-fledged members of the network.

They have great visibility into other devices on the network, and frequently, by default, they are participants in file sharing done by others. An unscrupulous user can take advantage of this access to steal data, corrupt files and systems, implant malware, and more.

Thus, securing your wireless network is critical.

Complicating matters is the fact that many users are now working from home, at least part of the time. They access enterprise systems, email, company SaaS applications, corporate databases, and more via a home Wi-Fi network.

So, not only must IT managers secure their on-premises wireless networks, but they must also educate and help users working from home do the same on their end so they will have a secure wireless network, too.

Here are ten tips to help in both arenas that can be applied on-premises and shared with home users. The result will be a more secure wireless network.

WAP3-2CM0F4R.jpg

The ten steps on how to secure your wireless network

Securing wireless networks can be done in multiple ways. Many techniques are common sense IT things that a manager can do to make wireless connections more secure. Here are Network Computing’s recommendations for securing wireless networks and securing wireless connections.

Step 1: Change the default login settings of your wireless network

All wireless access points and Wi-Fi routers ship with default Set Service Identifiers (SSIDs, aka, the name of the Wi-Fi network) and admin passwords. Often these are not changed for one of two reasons.

Within the enterprise, there may be a hesitancy to make a change due to a lack of a way to keep track of such changes. In an organization with dozens or hundreds of wireless routers and access points, such an approach is a very understandable, though insecure, way to operate. Some enterprises use wireless controllers to manage their Wi-Fi access points via web interfaces. If that is the case in your organization, the same default password issues apply to the wireless controllers.

With more people working from home, the same issues apply. Unfortunately, many home users may simply not know they need to change the default admin credentials or know how to change them.

Why is changing the default admin settings so important? It can help secure a wireless network. Smart hackers can easily identify internet-connected systems. Knowing a device’s make and model, passwords can be found in product documentation and compiled lists available on the Internet. Having that information, they can access the device and the network.

In addition to changing the admin credentials, IT managers and home users should force those seeking to connect to the wireless network to use a password.

Takeaway tip: To set up a secure enterprise and secure home network, change your Wi-Fi connection devices’ default admin passwords. And password-protect your Wi-Fi network for user access.

Step 2: Limit physical access to your wireless equipment

Physical access to wireless devices offers several ways to cause problems.

Many vendors print the default Service Set Identifier (SSID), and some print the default admin password on a plate attached to their wireless devices. If the password of a wireless device is not changed, a hacker with little technical expertise can easily read the SSID, enter the written password of the device, or look up the default password for that make and model online.

Changing the admin password (and even the SSID) can help. But with physical access to a device, a malicious actor might be able to manually reset the device to the original factory settings. That renders any password change moot.

Takeaway tip: While perhaps not an option for the home user, enterprise wireless routers and access points should be in secure locations. That can include passcard-protected data centers or locked wiring closets and equipment racks. Taking these steps will help in securing network connections.

Step 3: Use a strong password for your Wi-Fi router

As noted above, changing default admin and user access passwords is a must. But changing for change’s sake is not enough. Passwords must be chosen carefully.

Why? The availability of relatively inexpensive high-performance computing capacity has made brute-force password cracking available to the masses. According to one industry source: “In 2023, a simple 10-character password made up of just numbers or lowercase letters can be cracked in under 24 hours.”

Unfortunately, many people do not make it even that hard for the hackers. Look at any list of the most common passwords, and you will likely find the entries like 123456789 or shorter strings of these numbers, password, qwerty, or guest. Or many use easy-to-guess info like birthdates or phrases like Iloveyou.

These issues apply to both the admin and user access passwords. The value of having strong admin credentials is essential for protecting the device itself. But there are many other security issues that can be problems if a hacker can easily access the network as a user.

Takeaway tip: Avoid many security problems by picking strong admin and user access passwords. There is no definitive guide to doing so, but some common ways to proceed are to pick longer passwords (12 to 14 characters) that include a mix of upper- and lowercase letters, characters, and symbols. Many suggest using a phrase familiar to you, but not something someone would easily guess, that contains this mix. 

Step 4: Enable MAC authentication for your users

Beyond strong passwords, another way to enhance Wi-Fi network security is to use alternative authentication mechanisms.

That could include things like Kerberos, x.509 certificates, or multi-factor authentication. Safeguarding a Wi-Fi network using these techniques is often reserved for environments that need extra protection. They are the equivalent of complementing a physically locked door with harder-to-pick locks or biometric access control. One challenge with using these technologies is that they are much harder to implement, manage, and use.

A simpler yet powerful different approach is based on a device's media access control (MAC) ID. Every network interface card has a MAC address. It is a 12-digit hexadecimal number assigned to each device connected to the network. The MAC address is a unique identifier the NIC manufacturer assigns during the production of the device.

Enabling MAC authentication to access a Wi-Fi network requires that an enterprise set up a list of MAC addresses that are allowed to access the network. That approach is often called MAC filtering since it filters out devices that are not authorized.

There is great debate within the industry about the merits of MAC address filtering. On the plus side, it makes it harder for a random hacker to connect to a Wi-Fi network it discovers. On the points to consider side of the equation, setting up MAC filtering can be an onerous task. And some say MAC filtering gives a false sense of security as there are ways (such as spoofing the MAC address) or compromising an approved device for a sophisticated hacker to gain access to the network.

Takeaway tip: Strong passwords for access control to Wi-Fi networks can be complemented with other technologies, including Kerberos, multi-factor authentication, and MAC authentication. While each method or technology requires additional skills and management, they all offer enhanced security.

Step 5: Turn on encryption

Data encryption has been a part of securing home networks and securing network connections from the very beginning. It was obvious that wired networks offered a level of protection against eavesdropping. The hacker had to physically tap a cable to intercept traffic. With wireless, anyone could snoop on the traffic between an endpoint and wireless access point or router.

Over the years, there have been several commonly used wireless encryption protocols. They include Wired Equivalent Privacy (WEP) and different versions of Wi-Fi Protected Access (WPA).

WPA2 has served as the industry standard for wireless encryption for many years. Virtually every wireless device (wireless NICs, access points, routers, etc.) supported WPA2. Several years ago, security researchers identified an issue with WPA2. They found that there was a flaw called a Key Reinstallation Attack (known as KRACK) that could be exploited by a man-in-the-middle attack to steal sensitive data sent over a WPA-encrypted Wi-Fi connection.

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement for WPA2. Its main advantage over WPA2 is that it supports stronger authentication and cryptography technologies. Additionally, the standard includes different capabilities for home versus enterprise users.

Takeaway tip: WPA2 has been the wireless security protocol of choice for many years. It is widely supported on all forms of devices. Those seeking more robust encryption and authentication capabilities should consider devices that support the newer WPA3 protocol.

Step 6: Set up a guest network

The first thing most visitors to an office ask for is the Wi-Fi password. Many companies simply share the password without giving it a thought.

That is one of the worst security practices an enterprise can do. Anyone with that password has full access to the corporate network. A malicious user can poke around and look for vulnerable systems. A user without malicious intent could accidentally install or pass along malware, ransomware, keyloggers, and more. Or they could do malicious things over the Internet that would be traced back to your corporate IP address.

Regardless of the intentions, providing outside users with access to the corporate network via a Wi-Fi router or access point opens the door to major security problems.

What businesses should do to safeguard data, systems, the network, and other enterprise assets is to set up and provide a guest network for visitors. Most Wi-Fi routers and access point vendors offer such an option. Doing so gives users access to the Internet and nothing else.

To set up such access, log into the device as an admin and look in the router settings for “Allow guest access” or “Guest network.” Then select a name (the broadcast SSID) for the network. Then enable security features. Set a strong password. Enable encryption. And uncheck “Allow access to settings.”

Takeaway tip: Do not share the password of your corporate Wi-Fi network with visitors. Set up a guest network with appropriate security that allows them Internet access and nothing more. A guest network is essential in the enterprise, and it is something IT managers might encourage their home users to do, too.

Step 7: Use a VPN

Virtual private networking has been around for decades. The key feature that has made a virtual private network (VPN) connection so useful is that it creates an encrypted session between the user's device and the host server. It can be used in conjunction with access control solutions to tightly control which users get access to specific hosts and systems on a network.

That goes a long way to securing home networks and securing network connections. Where a VPN and wireless networking truly complement one another is with the remote and mobile users. They often have no control over the security of the available Wi-Fi connection.

In such cases, a VPN would offer enhanced security, encrypting the traffic from the user's device to the enterprise server or host he or she is connecting to. Installing VPN software on devices lets IT ensure traffic is encrypted regardless of the security features of the public or private cellular or wireless network the user employs to do his or her work.

Takeaway tip: Make use of VPN software on end-user devices, especially in cases where the user connects from home, while traveling, or in a customer or client’s site.

Step 8: Turn off network name broadcasting

Security through obscurity is an old security adage (or perhaps one might say principle). The idea behind it is that secrecy helps an organization safeguard systems, assets, and resources. The basic idea is to hide things from malicious actors. In practice, it can be something as simple as changing the name of a folder or system holding critical information.

When it comes to wireless networks, a common security through obscurity tactic is to turn off name broadcasting. That prevents anyone looking for available Wi-Fi networks from seeing your Wi-Fi SSID. The network simply does not appear in their list of networks to connect to.

Like many uses of security through obscurity, simply hiding the network name is not enough. There are tools that can scan for all SSIDs, including hidden ones. Turning off name broadcasting will prevent the less ambitious hacker from finding a network. But the serious hacker will not be completely deterred. And so, an enterprise must still use other wireless security best practices, including changing default passwords on admin accounts, enforcing the use of strong passwords, making use of encryption, and more.

The one downside to turning off name broadcasting is that users who legitimately need access to the network must be told the SSID. They then must enter that when trying to connect to a corporate access point, hotspot, or wireless router.

Takeaway tip: Hiding a wireless network’s SSID reduces the chance of an attack, as hackers will not know a network exists. That makes the network more difficult to find. Still, turning off name broadcasting must be combined with other security measures.

 Step 9: Turn on your router firewall

In a large enterprise, wireless access points simply provide users with access to the corporate network and the Internet. Most would not necessarily need to incorporate a router or firewall. Those functions would be handled by separate devices designed to support enterprise-class traffic volumes and many users.

Specifically, a large site or enterprise would set up standalone firewalls that provide a demarcation point between the outside network (the Internet, in most cases) and the internal network.

In contrast, small sites (a branch office of a bank or insurance company, a retail store, or more) need all three functions, namely wireless access, routing, and a firewall. But most sites do not have an IT staff to manage such complex equipment. Instead, they want a single device that includes all three functions.

For such sites, it is essential to turn on the firewall features as this will be the only way to ensure outsiders and suspect traffic are prevented from gaining access to the local network within the site. The firewall would also be needed to prevent users from accessing prohibited sites on the Internet that could expose the company to malware, legal issues, and more.

Takeaway tip: Remote sites need a method to monitor traffic to and from the internal network. A firewall performs that function and allows or blocks traffic based on a defined set of security rules. For small sites without enterprise firewalls, choose a wireless router that has firewall features. And turn those features on.

Step 10: Keep software and patches up to date

Late last year, a bug was found impacting multiple Netgear Wi-Fi router models. The company issued an advisory listing the flaw as a high-severity issue that received a Common Vulnerability Scoring System (CVSS) score of 7.4. At the time, Netgear urged all users to download the latest firmware for their devices from the company’s website.

Home Wi-Fi equipment is particularly susceptible to problems in this area. If the home Wi-Fi device is managed by a cable or Internet Service Provider, the provider may routinely ensure the device is updated. But many users buy their own Wi-Fi router to avoid the monthly charge from their service provider. Some of these users may not be aware they need to update to software and firmware or know how to do it.

How severe is the problem? Old Wi-Fi routers are a prime target for hackers. And as a result, cyberattacks against insecure routers have skyrocketed. A hacker gaining access to such a router could turn off security features like encryption and then steal corporate passwords, data, and other information traveling to the router in the open.

Takeaway tip: Keep the software and firmware on your Wi-Fi equipment, be it a standalone Wi-Fi router in a user’s home or a dense Wi-Fi access point in the office, up to date.

wi-fi-router-KKEA3M.jpg

What do you need to do once your wireless network is secure?

Using these tips can go a long way to securing Wi-Fi networks. Consider them a guide on how to secure a wireless network. But keep in mind wireless security, and specifically Wi-Fi network security, is an evolving endeavor.

Security threats are constantly evolving. But so, too, are the security mechanisms that are designed to secure network connections. Keep pace with these changes through Network Computing's continued coverage of the tactics malicious actors are taking to breach your Wi-Fi networks and the technologies and solutions Wi-Fi vendors are developing to counter those attacks and methodologies. Following these strategies will help you enable a secure wireless network.