WiFi networks, when working in a secure and efficient manner, provide great business benefits. They ensure employee connectivity across multiple devices and even buildings, and can drive employee productivity throughout an organization’s entire footprint. However, wireless connectivity across business networks also comes with many seen and unseen risks to organizational privacy.
With the increasing adoption of bring your own device (BYOD) in modern workplace culture, the risks have grown. When dealing with WiFi networks for an enterprise, administrators need to worry not just about spotty coverage and dropped connections, but also about security and privacy. Some of these risks might seem very obvious, but they often get overlooked. Leaving even a small loophole in WLAN security is an open invitation to hackers eager to eavesdrop on corporate networks.
With advancements in technology, organizations continually have new options for making their premises secure. The major concern often involves choosing between the flexibility to work quickly and the assurance of tight security.
Flexibility and security can be achieved with a robust WiFi platform by supporting the right devices with customized configurations based on your organizational requirements. However, organizations also need to keep in mind that hackers are getting smarter with every passing day, and relying on technology alone might not provide the ultimate security. Having the right combination of technology and supporting policies is the key to a secure and healthy WiFi environment for your organization.
With that in mind, here are common security mistakes to avoid when deploying and operating a WLAN for your organization.
Overreliance on firewalls and antivirus software
Many organizations rely entirely on network firewalls and antivirus software, avoiding discussions regarding additional investments for cybersecurity. A "we don't require extra security" attitude often prevails until a cybercrime impacts the organization. However, firewalls and antivirus software do not address several common loopholes in corporate WiFi networks. Organizations need to realize that while their investments in security may not directly contribute to the bottom line, these investments are as important as insurance. Depending upon the criticality of an organization's digital information and IT infrastructure, a proper strategy and budget for additional security must be implemented.
Not considering WLAN security features
When buying WLAN gear, organizations often restrict their research to coverage area, upload/download speed, the number or types of devices to connect, or even the types of walls or floors. However, many additional security features are available with WiFi devices, including QoS control options, support for WPA/WPA2, WPS, port filtering, IP packet filtering, URL keyword filtering, MAC address filtering, and integrated firewall support. A keen eye on the features available with the new generation of devices can save you from having to invest in multiple products, and ensures you receive the maximum benefit from your WiFi equipment.
Substandard device configuration
When setting up your WLAN nodes (routers, access points, bridges or client adapters) you must evaluate device encryption. Having an encrypted communication mechanism ensures the validity of client systems, but may have a negative impact on network performance. The Wired Equivalent Privacy (WEP) mechanism was deprecated in 2003, and since then Wi-Fi Protected Access (WPA) and WPA2 have become the new standard. These are also available in different configurations like Pre-Shared Key (PSK), Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), each having support for varying key lengths (64-bit, 128-bit or 256-bit). Large enterprises may also opt for the Enterprise mode of WPA or WPA2, which prevents WLAN users from eavesdropping on each other's traffic.
The most advanced configuration certainly provides better security, but it often comes at the expense of performance. When encryption keys are lengthy, devices require more time and resources to perform encryption and decryption, which degrades network performance. The encryption configuration should be tight enough to ensure the desired security, but loose enough to allow acceptable performance levels for the network.
Pro tip: when configuring or upgrading your devices, record and/or make a backup of the old router's settings, like port forwarding, QoS prioritization settings, or other settings and passcodes that might be associated with the old device. Overlooking this small point can lead to spending a lot of effort on device configuration.
Guest access without a password
Allowing random people to connect to a WiFi network without any password requirement is the worst-case scenario for the security of that system. All organizations, even those with frequent exposure to random guests such as malls, airports or restaurant chains, prefer to have some kind of PIN-based, time-bound or data-limit-bound access mechanism to keep track of guest users. For an enterprise-level WiFi network, a password or PIN-based authentication system for guest users is usually the first and foremost security requirement implemented.
No network encryption
There are a bunch of nasty hackers out there constantly trying to eavesdrop on enterprise networks and sniff out anything they can from a cozy corner of the Internet. Equipped with modern gadgets and apps, they can easily locate and break into most WiFi networks. Even WLANs with WPA or WPA2 encryption standards are susceptible to brute-force cracking, which an attacker can use to steal passwords or hijack your website or service accounts. Using encryption like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for critical applications could protect you from such eavesdropping attempts and restrict access to your shared folders and other critical network resources.
Lack of additional layers of authentication
Organizations can reduce WLAN security risks with additional authentication. When using the Enterprise mode of WPA or WPA2, installation of a separate Remote Authentication Dial-In User Service (RADIUS) server is required to perform the 802.1X authentication. For this, there are multiple options available. Windows Server versions 2008 and later provide Network Policy Server (NPS), which can be leveraged to configure a RADIUS server. For other operating systems, a third-party RADIUS server is required. Some WLAN access points also include a built-in RADIUS server.
There are also hosted services such as AuthenticateMyWiFi that can be used for additional authentication security. Organizations should consider all options before making any investments based on their requirements.
Relying entirely on MAC address filtering
MAC address filtering, an integrated security mechanism in many WLAN devices, lets administrators define a list of computers and client devices that are allowed or not allowed to connect, based on their unique MAC addresses. This mechanism provides basic security, but cannot be considered a foolproof security mechanism, as MAC addresses can easily be spoofed. Many devices offer the ability to change MAC addresses. By knowing the list of authorized MAC addresses for your organization, or simply by procuring a device already authorized for your network, hackers can get into your network and steal bandwidth or perform malicious activities.
To avoid this, use encryption along with MAC filtering. Encryption prevents hackers from eavesdropping on the network, and provides more robust security than just using MAC filtering.
Incorrect SSID setup
Setting up the Service Set Identifier (SSID) correctly helps minimize several risk factors. For instance, many WLAN devices allow admins to turn off the broadcast of the SSID name, which removes the SSID from the list of visible networks available for connection. This helps protect the network from unauthorized users. However, hard-core hackers can find hidden networks; security requires a combination of methods previously discussed.
Another important SSID setting has to do with the number of SSIDs client devices can see and connect to. In Windows 7 and later versions of the Windows OS, you can limit the number of SSIDs client devices can connect to. This helps prevent client devices from connecting to an unsecured public WiFi network, thus avoiding exposure of devices and credentials to external networks.
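The device-configuration, encryption, RADIUS, MAC-filtering and SSID mistakes discussed above can be checked mechanically against an access point's configuration. The following audit script is an added example, not code from the original article; it assumes a hostapd-style key=value config file (key names such as wpa, wpa_pairwise, macaddr_acl and ignore_broadcast_ssid are hostapd's), uses a constructed sample config, and treats the 12-character minimum PSK length as an assumed threshold rather than a value from the article.

```python
# Constructed sample (assumed hostapd key names): a guest AP with several weak choices.
WEAK_CONFIG = """
ssid=CorpGuest
ignore_broadcast_ssid=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=guest123
macaddr_acl=1
"""
# The same AP with the corrections the article recommends: WPA2, AES (CCMP), a long PSK.
FIXED_CONFIG = """
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2024
"""

def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg, min_psk_len=12):
    """Return (check, message) findings; an empty list means nothing was flagged."""
    wpa = int(cfg.get("wpa", "0"))  # hostapd bitfield: 1=WPA, 2=WPA2, 3=both
    uses_wep = any(k.startswith("wep_key") for k in cfg)
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    psk = cfg.get("wpa_passphrase", "")
    eap = "WPA-EAP" in cfg.get("wpa_key_mgmt", "")
    # The article's baseline: WPA2 with AES (CCMP), no TKIP, no WEP.
    strong = bool(wpa & 2) and "TKIP" not in ciphers and not uses_wep
    checks = [
        (uses_wep, "wep", "WEP keys configured; WEP is deprecated, use WPA2"),
        (not uses_wep and wpa == 0, "open", "no encryption: anyone can join and sniff traffic"),
        (wpa and not wpa & 2, "wpa1", "WPA (v1) only; enable WPA2 (wpa=2)"),
        ("TKIP" in ciphers, "tkip", "TKIP pairwise cipher; use CCMP (AES) only"),
        (wpa and not eap and len(psk) < min_psk_len, "weak_psk", f"PSK shorter than {min_psk_len} chars"),
        (eap and "auth_server_addr" not in cfg, "no_radius", "Enterprise (802.1X) mode needs a RADIUS server"),
        (cfg.get("macaddr_acl") in ("0", "1") and not strong, "mac_only", "MAC filtering without strong encryption (spoofable)"),
        (cfg.get("ignore_broadcast_ssid", "0") != "0" and not strong, "hidden_ssid", "hidden SSID is no substitute for encryption"),
    ]
    return [(name, msg) for cond, name, msg in checks if cond]
```

Running audit(parse_config(WEAK_CONFIG)) flags the WPA1, TKIP, short-PSK, MAC-only and hidden-SSID issues, while FIXED_CONFIG produces no findings.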
Lack of password policies
Policies forcing users to keep a strong password, including a mix of letters, numbers and special characters, and having a password expire after a specified time duration, are also essential attributes organizations must attend to when defining a robust security policy.