Wi-Fi security with advanced techniques

If you search for Wi-Fi security on Google, what you get will surely be: do not use WEP but WPA or WPA2, disable SSID broadcasting, change the default settings, and so on. These are the very basics of Wi-Fi security. In this article, however, we will skip those basic methods and introduce advanced techniques to increase the security of your wireless network.


1. Switch to Enterprise mode encryption

If you have created a WPA or WPA2 encryption key of any type and have to enter this key when connecting to the wireless network, you are only using the Personal mode, or Pre-Shared Key (PSK) mode, of Wi-Fi Protected Access (WPA). Enterprise networks, large or small, should instead be protected with Enterprise mode, which adds 802.1X / EAP authentication to the wireless connection process. Instead of entering the same encryption key on every computer, users log in with their own username and password. The encryption keys are then delivered securely in the background and are unique to each user and each session.

This method allows centralized and comprehensive management of Wi-Fi network security.
Instead of loading encryption keys onto computers, where employees and other users can discover them, each user logs into the network with their own account in Enterprise mode. You can easily change or revoke access when needed, which is especially useful when an employee leaves the company or a laptop is stolen. In Personal mode, you would have to manually change the encryption key on every computer and access point (AP).

A key component of Enterprise mode is the RADIUS / AAA server. This server communicates with the APs on the network and looks up the user database. Consider using Internet Authentication Service (IAS) on Windows Server 2003 or Network Policy Server (NPS) on Windows Server 2008.

2. Verify physical security

Securing a wireless network is not purely technical work. You can have the best Wi-Fi encryption technology, but someone can still get onto your network through an Ethernet port. Or someone can walk into your company or home, press the reset button on an access point and restore its factory default settings, leaving your wireless network fully open.

Make sure all your APs are out of reach of anyone who does not need access to them and out of sight of employees. Instead of placing an AP on a table, mount it on a wall or ceiling.

You can also mount the APs out of sight and install external antennas to boost their signal. This lets you secure the AP while still providing good wireless coverage through high-gain antennas.

However, APs are not the only thing you need to care about. All network components need proper protection, even Ethernet cables: an attacker can cut into an Ethernet cable and access your network that way.

Along with mounting and protecting the APs, you also need to keep close track of them. Create a spreadsheet recording each AP model with its IP and MAC addresses, and add where each one is installed. This way you know exactly where each AP is when performing checks or investigating a problematic AP.

3. Install an intrusion detection and prevention system (IDS / IPS)

These systems usually include software that uses your wireless adapter to monitor the Wi-Fi airspace for problems. They can detect fake APs, a new AP appearing on the network, or an existing AP that has been reset to default settings or no longer matches the configuration standard you have defined.

These systems can also analyze network packets to detect whether someone is using hacking or jamming techniques.

There are many different intrusion detection and prevention systems, using many different techniques. Free or open source options include Kismet and Snort; commercial products come from companies such as AirMagnet, AirDefense and AirTight.

4. Create policies for wireless network use

Along with your general computer usage guidelines, you need a specific set of policies for Wi-Fi access, covering at least the points listed below:

  1. List of approved devices with wireless access: the best approach is to deny all devices and allow only the desired ones using MAC address filtering on your network router. Although MAC addresses can be spoofed, this still gives some degree of control over which devices your employees use on the network. Keep a copy listing all authorized devices and their details for comparison when auditing the network and for loading into the intrusion detection system.
  2. List of individuals authorized to access the Wi-Fi network. With 802.1X authentication (WPA / WPA2-Enterprise), this list is managed by creating accounts on the RADIUS server for those who need Wi-Fi access. If 802.1X authentication is also used on the wired network, you can specify whether a user receives wired or wireless access by changing settings in Active Directory or using authentication policies on the RADIUS server itself.
  3. Rules for setting up wireless routers or APs: for example, only the IT department may set up additional APs, so employees cannot bring APs from home and plug them into the network to extend coverage. An internal rule for the IT department can define which device models and configurations may be used.
  4. Rules for using Wi-Fi hotspots or connecting corporate devices to home networks. Because data on a device or laptop can be compromised and Internet activity can be monitored on unsecured wireless networks, you may restrict Wi-Fi connections to corporate networks only. This can be enforced by adding network filters with the Network Shell utility (netsh) in Windows. Alternatively, you can require a VPN connection to the corporate network to protect Internet activity and remote file access.
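As an added example (not from the original article), the following Python script ties together the AP inventory spreadsheet from section 2, the authorized-device list from policy 1 and the IDS checks from section 3: it compares a scan of visible APs against the inventory and flags unknown APs, APs whose SSID or security mode no longer matches the defined standard (for instance, one reset to factory defaults), and inventoried APs that are no longer seen. All BSSIDs, SSIDs, IP addresses and locations are constructed sample values.

```python
import csv
import io
from dataclasses import dataclass

# Constructed AP inventory in the spreadsheet layout the article suggests
# (model, IP, MAC/BSSID, location) plus the expected SSID and security mode.
INVENTORY_CSV = """\
model,ip,bssid,location,ssid,security
AP-Model-A,10.0.1.11,00:11:22:33:44:01,Floor 1 ceiling,CorpWiFi,WPA2-Enterprise
AP-Model-A,10.0.1.12,00:11:22:33:44:02,Floor 2 ceiling,CorpWiFi,WPA2-Enterprise
AP-Model-B,10.0.1.13,00:11:22:33:44:03,Warehouse wall,CorpWiFi,WPA2-Enterprise
"""
SCAN_RESULTS = [  # constructed scan results, as a wireless IDS sensor would report them
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "security": "WPA2-Enterprise"},
    {"bssid": "00:11:22:33:44:02", "ssid": "default", "security": "Open"},  # reset to defaults
    {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "CorpWiFi", "security": "WPA2-Personal"},  # not in inventory
]

@dataclass(frozen=True)
class Finding:
    bssid: str
    kind: str    # "unknown_ap", "config_mismatch" or "missing_ap"
    detail: str

def load_inventory(text):
    # Key by lower-cased BSSID so scan output in any letter case matches the spreadsheet.
    return {row["bssid"].lower(): row for row in csv.DictReader(io.StringIO(text))}

def audit(inventory, scan):
    """Compare a scan against the inventory and return the list of findings."""
    findings, seen = [], set()
    for ap in scan:
        bssid = ap["bssid"].lower()
        seen.add(bssid)
        known = inventory.get(bssid)
        if known is None:  # new or fake AP that is not on the authorized list
            findings.append(Finding(bssid, "unknown_ap",
                                    f"SSID {ap['ssid']!r} ({ap['security']}) not in inventory"))
        elif (ap["ssid"], ap["security"]) != (known["ssid"], known["security"]):
            findings.append(Finding(bssid, "config_mismatch",
                                    f"{known['location']}: expected {known['ssid']}/{known['security']}, "
                                    f"saw {ap['ssid']}/{ap['security']}"))
    for bssid, row in inventory.items():  # authorized AP that was not seen at all
        if bssid not in seen:
            findings.append(Finding(bssid, "missing_ap", f"{row['location']} ({row['ip']}) not seen"))
    return findings

if __name__ == "__main__":
    for f in audit(load_inventory(INVENTORY_CSV), SCAN_RESULTS):
        print(f"[{f.kind}] {f.bssid}: {f.detail}")
```

Running it against the constructed scan reports the reset AP on floor 2, the unknown AP advertising the corporate SSID, and the silent warehouse AP, which is the comparison the article asks you to make when checking the network against the device list.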

5. Use SSL or IPsec on top of Wi-Fi encryption

Even if you use the latest Wi-Fi encryption (at layer 2 of the OSI model), you should still consider implementing another security mechanism such as IPsec (at layer 3 of the OSI model). Besides providing a second layer of encryption on the wireless network, it can also protect wired connections. This prevents eavesdropping by staff or by outsiders who gain access to an Ethernet port.

Update 26 May 2019