Protect Your Wi-Fi Network Against Bandwidth Intruders

Welcome to Accidental IT, a series of technical how-tos for people whose job descriptions don't necessarily include tech support but who often find themselves doing just that for their co-workers.

Wi-Fi has become a common part of the workplace. It's easy to set up and sufficiently fast for most applications. But one of the main sticking points that keeps many organizations from installing it is the lack of a standardized, secure connectivity scheme. That doesn't mean that Wi-Fi connections are necessarily insecure. In fact, there are several very secure technologies that are generally included with most operating systems and Wi-Fi devices. For small businesses, the real questions are "How secure does your connection need to be, and how much effort do you want to devote to securing it?"

Many corporate environments are already familiar with VPNs and RADIUS connections, both of which were originally designed to secure traditional remote connections. If your organization is using one of these methods, it may be easier to extend these connections to include your Wi-Fi networks. Both are proven to be secure, though setup and management requires more specialized knowledge and ongoing maintenance than many small businesses possess.

That's why, for many small organizations, keeping the wireless network safe from casual intruders is enough protection. Implementing a multi-layered set of relatively simple protection measures can provide a surprisingly secure environment.

The obvious items As a first step, locate your router and access points toward the inside of the building and away from windows. Use the exterior walls as natural barriers to the Wi-Fi signal. This will limit the visibility of your network to only those users inside the building.

Then change the default settings including SSID and administrator passwords on your Wi-Fi routers. Use the same kinds of complex passwords you use when assigning administrator passwords on servers: no words that can be found in the dictionary, and using a combination of letters and numbers.

Disable the automatic broadcast of SSIDs and select non-default channel assignments if possible.

Enable WEP (Wired Equivalent Protocol). Select the highest level of encryption offered by the device, preferably 128-bit or higher. As an added precaution, don't use the pass phrase function, but use a random hexadecimal sequence. Many Wi-Fi routers will generate a random WEP key for you.

Choose WPA (Wi-Fi Protected Access) if available. WPA provides a higher level of encryption than does WEP, however devices that don't support this newer security protocol will not be able to connect to the network. Be sure all the devices you want to connect support WPA before you configure it on your Wi-Fi router. Turn off services like file and print sharing that expose network resources to unauthorized access.

More complex precautions

Additional levels of security can be added by blocking all but the most necessary ports on your router/firewall. Enable only the basic ports: 80 (HTTP), 110 and 25 (Email). You can enable additional ports as users report problems accessing services that you wish to allow.

Another level of security can be created by establishing an ACL (Access Control List). This technique limits access to the network to only those devices specifically listed in the ACL by their MAC (message authentication code)addresses. If your environment consists of more than just a few wireless devices, maintaining the list of approved devices can become a maintenance headache.

If you want to limit the number of devices that can attach to the network simultaneously, you can restrict the number of IP addresses in the DHCP pool. Alternatively, you can disable DHCP and manually assign addresses to your wireless devices. However like the ACL technique, maintaining fixed IP addresses can become burdensome. Choose the combination of protection that suits your business environment. Periodically check the logs that are accumulated in your Wi-Fi routers for suspicious access patterns and add security layers as they appear necessary. The tricky part, as with any security arrangement, is to restrict unwanted use of your network resources while allow legitimate use with a minimum amount of inconvenience to both the users and administrators.