WLAN security: the best protection for your network
Whether you’re using a private or business network, the need for security is a top priority. Traditional networks that use cables can provide some protection against external attacks. This is because without physical access to the cables, which run through buildings, strangers cannot easily intercept or read data.
However, if you want to use a more practical wireless network, you have a higher chance of encountering security problems. If a device in the wireless local network – better known as WiFi – sends data, a spy only needs a receiver within the range of transmitted radio signals to intercept this data. In order to use this form of wireless communication path without any worries, it is important to ensure you have good WiFi security.
What actually is WiFi?
WiFi is a wireless technology and is a type of WLAN (Wireless Local Area Network). It’s used to connect computers, tablets, smartphones and other devices to the internet. Wireless connections are particularly widespread in the private sector, since they are a good solution for implementing internet access through entire living quarters without having to rely on cables. Radio networks are also useful in offices, especially when a variety of portable devices such as laptops, tablets or smartphones are in use.
There are three different modes for operating wireless networks:
- Infrastructure mode: The structure of this mode is similar to a mobile network. A wireless access point takes care of the coordination of all network users and sends them small packets, at adjustable intervals, with information about the network name, the supported transmission rates and the type of encryption. The access point is often a router.
- Wireless distribution system: A WDS is used to extend a WiFi hotspot to a larger geographic area without the need to connect wires to each access point. This is also how networks are linked together.
- Ad-hoc mode: In ad-hoc networks, the central control unit is missing, which means that the coordination must be taken over by the respective terminals. These networks are used for fast, direct communication between individual participants. However, this mode isn’t used as frequently. Alternative techniques, such as Bluetooth, are much more common.
The disadvantages of wireless networks
The standards for communication in radio networks have been specified by the Institute of Electrical and Electronics Engineers (IEEE) in New Jersey in IEEE 802.11. At the beginning, however, not much emphasis was placed on security. Unencrypted transmission and an absence of user authentication requirements meant that anyone within the appropriate area had access to a wireless network. Ultimately, the requirement of WiFi security promoted the development of the following encryption and authentication methods:
- Wired Equivalent Privacy (WEP): WEP is the oldest standard for WiFi encryption and dates back to 1997. It offers two authentication methods: open system authentication (enabled for all clients) and shared key authentication (activated by password). In addition, WEP includes the encryption method RC4. Due to various weaknesses, WEP is considered unsafe and outdated today.
- WiFi Protected Access (WPA): WPA builds on the WEP architecture and is designed to eradicate weaknesses in the same process. To ensure this, WPA operates with a dynamic key based on the Temporal Key Integrity Protocol (TKIP). Since WPA also has certain security deficiencies, new wireless access points (since 2011) and all WiFi-enabled devices (since 2012) are no longer allowed to support this protocol.
- WiFi Protected Access 2 (WPA2): WPA2, currently the safest WLAN encryption and authentication method, was released in 2004 with the IEEE 802.11i standard. Instead of TKIP, WPA2 uses the much more modern AES encryption method. Therefore, if you want tight WiFi security, you should opt for WPA2 instead of the older WEP and WPA standards.
- WiFi Protected Setup (WPS): The WPS standard is neither a transmission nor an encryption technique, but rather an automatic configuration feature, which aims to make setting up a WiFi network easier for new users. The authentication is carried out at the push of a button (WPS PBC) – physically at the access point or virtually via a software-implemented button – or by entering a PIN (WPS PIN). Alternatively, you can change the network settings via USB stick or via NFC (Near Field Communication).
Although WEP and WPA have a legitimate, more secure successor with WPA2, some operators are still using these outdated standards (as long as they are supported by the wireless access point) in order to encrypt their network. Whether this is unintentional or for compatibility reasons (to grant access to older devices) is incidental. What is clear is that networks like this are at a high risk of unauthorised access, which is one of the main reasons for the critical assessment of WiFi security. Additional errors that make it easier for attackers to intercept data include:
- Having standard usernames and passwords for wireless access points
- Having unsafe basic configurations for wireless access points
- Implementing WPA2 and WPS incorrectly
In addition, wireless networks are vulnerable to common DoS or DDoS attacks as well as evil twin attacks. With the latter, malicious attackers plant fake wireless access points in the network with special firmware. Network users believe these to be real and then connect to them. The evil twin responds with its own authentication request and receives the access data from the unsuspecting network device. It also takes over the MAC address of the client (MAC spoofing), obtaining all necessary data to establish the connection. Publicly accessible WiFi points are particularly at risk for this kind of attack.
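From the operator's side, an access point that advertises your network name without being one of your own devices is the sign to look for. The following check is an added example, not part of the original article; the scan listing format, the SSIDs and the inventory are constructed for illustration.

```python
# Constructed scan listing: BSSID, signal (dBm), security, SSID.
# BSSIDs come from the 00:00:5E:00:53 documentation range.
SCAN = """\
00:00:5e:00:53:01 -48 WPA2 office-net
00:00:5e:00:53:02 -61 WPA2 office-net
00:00:5e:00:53:9f -35 OPEN office-net
00:00:5e:00:53:01 -30 WPA  office-net
00:00:5e:00:53:77 -70 WPA2 cafe guest
"""

# Hypothetical inventory of the access points you actually operate.
INVENTORY = {
    "office-net": {
        "bssids": {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},
        "security": "WPA2",
    },
}


def find_suspect_aps(scan_text, inventory):
    """Return (bssid, ssid, reason) for beacons that use one of our SSIDs
    but do not match the inventory."""
    suspects = []
    for line in scan_text.splitlines():
        parts = line.split(None, 3)        # SSID may contain spaces
        if len(parts) != 4:
            continue                       # skip malformed rows
        bssid, _signal, security, ssid = parts
        known = inventory.get(ssid)
        if known is None:
            continue                       # someone else's network
        if bssid.lower() not in known["bssids"]:
            suspects.append((bssid, ssid, "unknown BSSID"))
        elif security != known["security"]:
            # Known address with different security: possible spoofed BSSID
            suspects.append((bssid, ssid, "security mismatch"))
    return suspects
```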
The importance of WiFi security
The weaknesses listed above show the importance of becoming familiar with various possibilities for increasing WiFi security. If you expect to get the best protection with a firewall and a secret password, you will quickly find that these don’t do much if you fall victim to a targeted attack. There’s more to the comprehensive security of wireless networks than just simply turning on a router, carrying out a five-minute setup, and searching for a password that is easy for you to remember and hard for others to guess.
The more careful you are with the configuration and management, the more secure your network will be.
How to configure wireless access points correctly for better WiFi security
Wireless access points – usually routers – are the network’s central control units and are therefore responsible for their safety. How you adjust the settings for this hardware component can strongly influence whether an attacker can gain access to your wireless network within a few seconds, or whether their attempt is thwarted. These are the most important configuration steps:
Step 1: Create individual administrator access
To configure access points, firmware needs to be running. This provides you with a user interface in any regular web browser as soon as you access the IP address of the access point. Access to this interface is achieved through an administrator account with a default username and password. This login data is the same for all devices of the respective model and is also very easy to remember. It may be, for example, ‘admin’ (password and username) or ‘1234’. Change this administrator account login information at the beginning of the configuration. You can write it down and store it in a safe place, but do not store it on your computer without proper password storage.
Step 2: Select WPA2 as the encryption method
In order to encrypt your WiFi, you should definitely choose WPA2, since the two predecessors WPA and WEP are outdated and could prove a security risk. Combining or mixing WPA/WPA2 isn’t recommended either. Instead, use network devices that support WPA2 and do not rely on old encryption methods. If you are using WPS configuration software, you should only switch it on when it is needed.
Step 3: Create a secure network password
So far, only password attacks have been known for WPA2. In particular, brute force attacks and dictionary attacks are very popular with cybercriminals. This is why it’s important not to underestimate the importance of a complex password. Your best bet against decryption algorithms and dictionaries that tools use is to set up a WLAN key consisting of as many characters as possible. It’s important to use both lowercase and uppercase letters as well as numbers and special characters. Avoid actual words and use random characters. You can also keep this password on paper in a safe place, just don’t write it on your computer.
Step 4: Specify an unidentifiable network name
Another WiFi security measure is to formulate a non-traceable service set identifier (SSID). The SSID displays the name of your network and is available to all in the signal range. If you are not running a public hotspot, you should avoid personal details that might be traced back to you, your company or your location. Many consider it more secure to hide the network’s name (hidden SSID). However, this technique doesn’t fully deter attackers and makes the connection setup a bit more difficult for legitimate clients. If you hide your network’s SSID, it could prevent some devices from seeing the access point, resulting in them not being able to connect to it.
Step 5: Turn on automatic firmware updates
For good WiFi security, it’s paramount that the wireless access point’s firmware is up to date. As with any software, attackers can take advantage of security flaws and take over admin rights or let malware infiltrate the system. Some access points have an automatic update function for the installed firmware, which you can promptly activate. If this isn’t the case, you should regularly check whether there are any updates for your device that you can download and install manually.
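The encryption, WPS and password steps above can be checked mechanically when the access point's settings are available as a file. This is an added example, not part of the original article: it assumes an access point configured through a hostapd.conf-style file, and the sample configurations, the finding codes and the 20-character threshold are constructed for illustration.

```python
import re

# Constructed samples in hostapd.conf syntax (assumed product; values made up).
WEAK = """\
ssid=office-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=summer2019
wps_state=2
"""
HARDENED = """\
ssid=net-7f3a
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=q7#Lr!2vXe9@Tz4$Wm8&Kp1^
wps_state=0
"""
MIN_LEN = 20  # assumed policy threshold; WPA2 accepts 8 to 63 characters


def parse(text):
    """Read key=value lines, skipping blank lines and # comments."""
    rows = (ln.split("=", 1) for ln in text.splitlines()
            if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in rows}


def audit(text):
    """Return finding codes for settings the steps above advise against."""
    cfg, found = parse(text), []
    if any(k.startswith("wep_key") for k in cfg):
        found.append("WEP_KEY")            # WEP key material present
    mode = int(cfg.get("wpa", "0"))        # bit 0 = WPA, bit 1 = WPA2
    if not mode & 2:
        found.append("NO_WPA2")            # open, WEP-only or WPA-only
    if mode & 1:
        found.append("WPA1_ENABLED")       # includes mixed WPA/WPA2 (wpa=3)
    ciphers = f"{cfg.get('wpa_pairwise', '')} {cfg.get('rsn_pairwise', '')}"
    if "TKIP" in ciphers.split():
        found.append("TKIP")               # flagged only where listed explicitly
    if cfg.get("wps_state", "0") != "0":
        found.append("WPS_ON")             # 1 or 2 means WPS is enabled
    pw = cfg.get("wpa_passphrase", "")
    kinds = sum(bool(re.search(p, pw)) for p in ("[a-z]", "[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if pw and (len(pw) < MIN_LEN or kinds < 4):
        found.append("WEAK_PASSPHRASE")
    return found
```

The administrator login, the choice of SSID and the firmware version are not visible in this file and still need to be checked by hand.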
Optimise authentication with IEEE 802.1X
IEEE 802.1X is a port-based security concept that only grants connection-enabled clients access once they are verified and approved by an authentication server (RADIUS). The server works from a pre-defined list that states whether the requesting client is allowed to connect to the wireless access point. The authentication method relies on the Extensible Authentication Protocol (EAP), which also supports WPA2. This variant is also referred to as WPA2 Enterprise, WPA2-1X, and WPA2/802.1X.
Additional useful WiFi security measures
If you have configured your wireless access point accordingly, your wireless network already has decent protection. Be sure to adjust the firewall included in the access point or configure your own firewall to filter unwanted connections on your WiFi network. It is also useful to consider intrusion detection or an intrusion prevention system, in order to detect and prevent attacks as early on as possible.
If you want to provide customers with wireless internet access, you should always work with a separate SSID, which you create and configure in addition to your workplace network. In any case, as an operator of the wireless network, you are jointly responsible for how the connection is used since any copyright infringement could quickly be traced back to you. To be safe, you should keep track of bandwidth usage and block any untrustworthy sites in the router settings.
Performing regular security checks with the help of special tools is definitely recommended. These help to simulate common hacker attacks and find out whether your WiFi security measures are working. The more thorough and precise you are, the better. Make sure to
- configure your wireless access point,
- install additional security components such as IEEE 802.1X, a firewall or an intrusion detection system,
- operate work and guest networks separately, and
- regularly make sure your network components are updated and are performing correctly.
By carrying out these steps, it’ll be harder for hackers to gain access to your WiFi network.