Security Best Practices for Wireless Networks

Published by Ryan Miller on

The key to securing data is to have positive control of it, so that only the people who need access can get it, and only when they need it. Wireless networks pose a challenge to this goal because, unlike wired connections, wireless networks are reachable for up to 100 feet outside of the home or business. Anyone within range of the signal has the opportunity to gain unauthorized access to your information. The following is a list of best practices for securing your wireless network.

Change the Default Password

Change the default administrator password using the guidance below.

Passwords

The advice in the past has always been to use a complex password of at least 12 characters that consists of uppercase and lowercase letters, special characters, and numbers. The reason for this guidance was that the preferred attack method at the time was a dictionary attack to guess the network password. Since the issuance of the current guidance, random password generators have become common, making a dictionary attack more likely to succeed. The current, and best, advice to date is to use a passphrase. A passphrase consists of two or more words of a personal nature that only you and the people closest to you would know, with the option of replacing letters with their lookalike number counterparts. A passphrase is easier to memorize and, being considerably longer than a traditional password, is far harder to crack mathematically.

Businesses have more options if they have Active Directory. Active Directory is a repository of usernames and passwords in Windows Server operating systems that provides a secure login to workstations. Wireless networks can use 802.1X to authenticate a user on a wireless device through a RADIUS or TACACS+ server. A RADIUS server contacts Active Directory to authenticate users and is available in Windows Server and as a standalone product called FreeRADIUS. A TACACS+ server uses the same mechanism to authenticate users to a RADIUS server. For more information on these two protocols, take a look at Cisco’s website.

Signal Strength

Reducing the power output of the antennas so that the signal reaches just outside the walls of the home or business lessens the opportunity for someone to try to connect to your network, whether by guessing the password with a dictionary attack or by mathematically cracking the wireless signal encryption. Reducing signal strength also mitigates the KRACK vulnerability explained here.

Hide Your SSID (Network Name)

Hiding your SSID is optional, depending on your environment. If there are a lot of wireless networks in your area and a lot of foot traffic, e.g., in an apartment complex or next to a park or business complex, you can consider hiding your SSID. Hiding your SSID does not prevent a determined attacker from discovering it and attempting to gain unauthorized access, and it may make attackers more curious. With your SSID hidden, you must also manually enter the network name the first time you connect to the wireless network. There isn’t much security gained by hiding your SSID, so I don’t recommend it; I include it only for the sake of thoroughness.

Encryption

There are a few options for encryption in modern consumer wireless products. The older encryption types are WEP (Wireless Equivalent Privacy), adopted in 1999, and WPA (Wi-Fi Protected Access), adopted in 2003; both are considered weak because of the encryption standards they support, such as DES and 3DES at 64-bit length. WPA2 was adopted in 2006 and has been the gold standard ever since because it allows only AES (Advanced Encryption Standard), which comes in 128-bit and 256-bit. Disable WPS (Wi-Fi Protected Setup) because the passkey consists of 9 digits with a value of 0-9. WPS can be cracked in a few minutes using a modern cell phone; a laptop can crack WPS within 1 minute. The purpose of WPS is convenience, but convenience in cybersecurity makes you insecure.
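To check which of the networks you own still advertise the weak options above, you can audit a wireless scan. The following is an added example, not part of the original post: it assumes the text format printed by the Linux `iw dev <interface> scan` command, and the scan sample, SSIDs and function names are constructed for illustration.

```python
import re

# Constructed, simplified `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: HomeNet
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: OldRouter
\tWPA:\t * Version: 1
\t\t * Pairwise ciphers: TKIP
\tWPS:\t * Version: 1.0
BSS 02:00:00:00:00:03(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: Legacy
"""

def parse_scan(text):
    nets = []
    for block in re.split(r"(?m)^BSS ", text)[1:]:   # one block per access point
        ssid = re.search(r"(?m)^[ \t]*SSID: ?(.*)$", block)
        caps = re.search(r"(?m)^[ \t]*capability: (.*)$", block)
        net = {t.lower(): bool(re.search(rf"(?m)^[ \t]*{t}:", block))
               for t in ("RSN", "WPA", "WPS")}       # which security sections are present
        net["ssid"] = ssid.group(1).strip() if ssid else ""
        net["privacy"] = bool(caps) and "Privacy" in caps.group(1).split()
        net["ciphers"] = set(" ".join(
            re.findall(r"Pairwise ciphers:(.*)", block)).split())
        nets.append(net)
    return nets

def findings(net):
    # Checks follow the page's advice: WPA2 with AES only, WPS disabled.
    out = []
    if not (net["rsn"] or net["wpa"]):
        out.append("WEP: switch to WPA2" if net["privacy"] else "open: no encryption")
    elif not net["rsn"]:
        out.append("WPA only: switch to WPA2")
    if "TKIP" in net["ciphers"]:
        out.append("TKIP offered: allow AES only")
    if net["wps"]:
        out.append("WPS advertised: disable it")
    return out

def audit(text):
    return {n["ssid"]: findings(n) for n in parse_scan(text)}
```

In `iw` output, RSN is the section a WPA2 network advertises and CCMP is the AES-based cipher, so a network with an RSN section, CCMP only and no WPS section produces no findings.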

Guest Network

A guest network allows people to connect to an isolated wireless network that cannot communicate with devices connected to the wireless network you use for laptops, desktops, cell phones, and tablets. You can choose whether or not to put a password on the guest network. If you do, you’ll have to give the password to everyone who needs it, and you should have the network available only during times when you have people over who need internet access. You should use WPA2 AES 256-bit encryption because you should protect your guests’ data as you would protect your own.

DNS

Domain name servers take the name of a website you type into the URL bar and find its IP address. The internet works on IP addresses, not website names. The DNS servers you use play a large role in how long a website takes to load, and they can filter out malicious websites. I recommend using the OpenDNS servers because they help prevent you from reaching phishing and other types of malicious websites. The IP addresses of the OpenDNS servers are 208.67.222.222 and 208.67.220.220. If you want more information on what OpenDNS does, you can find them here.

Remote Management

You can access your router from anywhere with remote management, but so can hackers. Manufacturers don’t do a good job of writing secure code for their remote management web pages, which leaves those pages vulnerable to unauthorized access. Turn remote management off!

Firmware Upgrade

Keeping your firmware updated is important because the updates fix bugs and vulnerabilities in the software.

Find Netgear firmware here.

Find Linksys firmware here.

Find D-Link firmware here.

Find TP-Link firmware here.

Find Ubiquiti firmware here.

MAC Filtering

MAC (Media Access Control) filtering is when you place the MAC addresses of the devices you will allow to connect to the network on a list in the router. A MAC address is the physical address of the network card in your device, as opposed to an IP address, which can change. MAC filtering can be easily circumvented by manually entering a MAC address in the advanced settings of your network card, which is called MAC spoofing. MAC spoofing is relatively easy to do, and as such, I don’t recommend MAC filtering. MAC filtering is a lot of work for little security reward.


Ryan Miller

A husband, a father of 3, my daughter's sounding board, writes on all topics of cybersecurity, an expert at dad humor, a security engineer, an analyst, a network administrator, and Desktop Support Tier I-III.
