Use Strong Passphrases for SOHO WLANs
Home and café-style WLANs typically use simple WPA or WPA2 encryption based on a pre-shared key or passphrase. The passphrase is assigned when the wireless network is created, and has to be communicated to each user. As with any network password, longer and more complex passwords are typically considered more secure.
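The following added example (not from the original article) shows why the passphrase carries all of the security in WPA/WPA2-Personal: the 256-bit key is derived from it with PBKDF2-HMAC-SHA1, and the only other input is the SSID. The `estimated_bits` helper, the 80-bit `min_bits` threshold and the sample passphrases are assumptions chosen for illustration.

```python
import hashlib
import math
import string


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output (returned as hex)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrases must be printable ASCII")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def estimated_bits(passphrase: str) -> float:
    """Upper-bound estimate: length * log2(character pool in use).
    Holds only for randomly generated passphrases; dictionary words and
    predictable patterns are far weaker than this number suggests."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def review(passphrase: str, ssid: str, min_bits: float = 80.0) -> dict:
    """Report the derived key and whether the passphrase meets min_bits
    (an assumed policy threshold, not a value from the standard)."""
    bits = estimated_bits(passphrase)
    return {"psk": wpa2_psk(passphrase, ssid),
            "bits": round(bits, 1),
            "ok": bits >= min_bits}


if __name__ == "__main__":
    # Constructed sample inputs.
    for phrase in ("password", "correct-Horse7battery"):
        print(phrase, review(phrase, "IEEE"))
```

Because the SSID is the salt, the same passphrase produces a different key on a differently named network, but a short or guessable passphrase remains weak on every network.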
Use a VPN When On Guest WLANs
Travelling is a fact of life for many IT professionals. And though open guest networks in hotels and airports are appreciated, they can be risky to use. One easy answer? Your corporate VPN. All mainstream operating systems and most mobile devices support a range of VPN protocols. VPN encryption will prevent other users from snooping on your communications.
Use RADIUS for Enterprise WLAN Clients
A typical business WLAN uses 802.1X authentication and WPA2 encryption. A range of configuration choices is available under 802.1X, but they all use common RADIUS underpinnings. Wireless client devices are supplicants, access points or controllers are authenticators, and a RADIUS authentication server is either populated with user credentials or queries Active Directory (or LDAP) for user verification.
Control the Controller
There is a fair amount of sophistication to configuring the WLAN hardware for 802.1X-based security. This is a Cisco controller, but all enterprise wireless makers support the same typical wireless security options. All settings have to match the wireless client/supplicant configuration or clients will not function properly on the WLAN.
Manual Supplicant Configuration Is Good...
One of the more difficult parts of wireless security is getting the supplicant settings right on wireless client devices. Typically, at least half a dozen settings need to be touched. Get any one incorrect, and connectivity won't work, which can make manual configuration dicey. Thankfully, there is a better way...
But Automated Configuration Is Better
Cloudpath Networks is a respected provider of supplicant configuration tools. This is a screenshot of Cloudpath's XpressConnect configuration utility running through an automated process that will correctly set all required parameters for this client device to be compatible with its secure WLAN. This capability is also available from some WLAN vendors, such as Aruba Networks and its ClearPass option.
Find the Rogues
Client authentication and encryption are only part of the enterprise wireless security story. The ability to identify and neutralize self-installed "rogue" wireless access points is also important, as they can be nuisance devices or sources of critical data leakage. Each WLAN vendor detects rogue APs differently, so this is one area to pay attention to when shopping for a system.
Detect and Prevent Intrusions
When your network lives in the air, it can be a target for a range of malicious behaviors that wired Ethernet never had to consider. Wireless intrusion detection and prevention, like rogue detection, is another component of wireless security that each vendor approaches differently. There are also third-party overlays for WLANs that lack native detection/prevention support.
Get Outside the Enterprise
For many IT folks, the world of WLAN starts and ends with the enterprise. But some of us occasionally need to get out of the enterprise WLAN market and into spaces where various government, military, and special customers need hardened, proprietary, and ultra-secure WLANs. To get acclimated to this fascinating niche in WLAN security, visit General Dynamics Broadband for an overview of what military-grade Wi-Fi technology looks like.
- Lee Badman
How To Secure WLANs: A Visual Overview