Enterprise WiFi Security Tips

By: Richard “Zippy” Grigonis

Security for WiFi (News - Alert) has experienced something of a roller coaster ride over the years. It’s been the subject of more rumor-mongering and urban legends than anything in recent history. Certainly anything that sends data over a wireless, radio connection is intrinsically easier to “tap” or intercept than Category 5 network cable or broadband connections to an Internet Service Provider. WiFi thus must rely heavily on encryption, and there hangs many a tale…

Wired Equivalent Privacy (WEP) encryption was for a time “standard” security for wireless routers and access points. WEP users soon became worried with WEP’s many inadequacies came to light, American FBI agents have demonstrated how to break WEP protection in only three minutes using generally available tools. WEP used the RC4 stream cipher provided by RSA security. Problems with WEP included its small IV (Initialization Vector) lengths, weak IVs, and direct use of master key in encryption.

WEP was followed by the more advanced WiFi Protected Access (WPA and WPA2) security protocols. However, if users employ a “weak” password, such your name or a dictionary word or a short character string, WPA and WPA2 can be cracked. A long random password or phrase or random words greatly increases the time that a nefarious individual can “aircrack” pre-shared key WPA or WPA2, which is based on the final IEEE (News - Alert) 802.11i amendment to the 802.11 standard. Wireless routers and Access Points also rely on their access control features such as MAC (Media Access Control) address filtering that denies network requests from hostile clients. (Every WiFi device has a unique MAC or unique physical address.) Routers and access points maintain a list of the MAC addresses of all devices that connect to them. In many cases you can manually input MAC addresses, restricting the network to only your WiFi-enabled devices, but hackers using commonly available software tools can fake MAC addresses.

End-to-end encryption would seem to be a solution, but to be effective each service to be secured must have encryption enabled and every connection must be lit up separately. When using Virtual Private Networks (VPNs) however, a single switch encrypts all of the traffic, making them inherently secure (though VPNs generally do require some considerable computing resources).

Another problem is that enterprise users are increasingly mobile, and connecting to an airport’s WiFi to check email can be tempting, even if one suspects a hacker could be nearby attempting to sniff out and eavesdrop on your data stream. There are 68,000 WiFi hotspots in the U.S., at airports, hotels, coffee shops, bookstores, schools, and other locations where hundreds or thousands of people pass through every day. Some of these are secure, some aren’t. Certainly you should change your laptop settings so that you don’t auto-connect to any available (and perhaps unsecured) WiFi Network. Hackers can set up a bogus but credible-looking WiFi network with a strong signal near a known hotspot, and soon an unsuspecting user will connect to it, thus making the user’s laptop fully accessible. The hacker can even direct you to phony websites so that your password keystrokes can be captured.

You should ensure that your laptop security is up-to-date, with current versions of your operating system, firewalls, web browser, firewalls, and antivirus and anti-spyware software.

Even in an enterprise environment, a “rogue” WiFi Access Point (News - Alert) having no security settings can be clandestinely connected to your network without authorization, enabling any WiFi equipped device to peruse your corporate network. The Swedish company AirMobile has a solution that enables service providers and enterprises to protect networks from wireless security vulnerabilities. The AirMobile solution is a secure and inexpensive solution using mobile sensors to send alarms about the WiFi security status. The AirMobile server handles reporting, alarms and mitigation on the wired network, and just two to three AirMobile agents (running on Windows CE 5.0 or 6.0) at each office location will typically cover relatively complex buildings. Best of all, you don’t need to be a network expert to run AirMobile agent. You can even choose what kind of network to use to send data from an AirMobile agent to the AirMobile Server (PDA sync, WLAN or GPRS).

The Not-So-Important SSID

WiFi routers and access point manufacturers ship their devices with a pre-defined network name called a Service Set Identifier (SSID) which is used to identify the particular 802.11 wireless LANs to which a user wants to attach. You can change an SSID at any time (it’s a good idea to do this periodically) but you must remember to make the same change on all of your WiFi devices. Don’t use your birthday or other personal information as your SSID, but do make the SSID as long as possible and include both letters and numbers. Remember that an SSID is not a password, just a network name, so don’t treat it as if it’s an important security feature.

Some small Linksys (now Cisco) routers and access points have SecureEasySetup (SES (News - Alert)) buttons. Push it and the system will automatically set up and secure the network with a unique SSID and activate WPA or WPA2 encryption.

In theory you should disable the router or access point’s SSID Broadcast feature, which periodically broadcasts the SSID over the air at precise time intervals so that WiFi devices can dynamically discover and roam between WLANs (a great feature for hotspots). It also makes it easy for hackers to intercept an SSID. However, I’ve heard that both Windows XP and Vista have better performance when your router and access points broadcast their SSIDs.

Check Your WiFi Security for Free

If you’d like to check your WiFi security, visit JiWire’s free WiFi Security Test. In a few seconds, JiWire (News - Alert)’s test will give you information about your WiFi connection and whether or not it is vulnerable to wireless hackers. It will tell you whether or not your wireless connection is secure using WEP, WPA, or JiWire Hotspot Helper (yes, they do have a security product they can sell you). The test will also display the name, signal strength and WiFi channel of the wireless network you’re using, the MAC address of the network router and the IP address it has assigned to you, and your computer’s Wi-Fi adapter and its driver software.

What to do?

Use a firewall on your router (and perhaps personal firewall software on each PC), anti-viral software (such as Symantec (News - Alert)’s) and anti-malware (such as CounterSpy from Sunbelt Software) and enable WPA or WPA2 encryption – which can be done right in XP and Vista. That should stop 99.9 percent of hackers.

What kind of WiFi security system do I use, you ask? Er, who ever said I use WiFi? IT

» Internet Telephony Magazine Table of Contents