Securing Wi-Fi at an SMB
Wi-Fi is one of those technologies that confer a ton of advantages on a
company's employees, at least those of them who are laptop warriors, and at the
same time it leaves a company ripe for attack. This is especially true if you
are talking about SOHO/SMB equipment that is not as secure as enterprise
equipment.
So what is an SMB to do? Well, to begin with, there are many options that can
be used to harden even a basic Wi-Fi router or access point. Some expert tips
from the CTO of Aujas Networks are listed in the box "Protecting a Wi-Fi
network".
The first thing to do is to disable wireless access to the configuration page
on your wireless router or access point. Only make changes while connected by
an Ethernet cable; that way, the chances of anybody mucking around with your
configuration are much lower.

In case routine security measures aren't enough, Ruckus Wireless has a
patented technology called Dynamic PSK, which is automated provisioning of
Pre-shared Keys that does not require user intervention.
Here the controller assigns each authorized laptop a unique key that is
bound to the machine. The first time this is done, the admin or user connects
the notebook to the Zone Director (a hardware controller) through an Ethernet
cable and executes a batch file that is assigned by the Zone Director. This
can be achieved with or without an external RADIUS server or Active Directory.
Any user who has not gone through the authorization process is asked for
a PSK, which rules out the possibility of unauthorized access.
Sudarshan Boosupalli, General Manager, India Operations, Ruckus Wireless Inc.,
added, "Web authentication can also be enabled, in which case the
authentication can be done either by local database, external RADIUS server
or AD. No additional software is required for enabling these security
features. We have made the network plug-and-play simple and easily manageable
so that SMBs need not have a team to manage their Wi-Fi network."

You can use a longer Pre-shared Key (PSK), although SOHO routers will choke and
die if you use too long a key. I have found that about twenty or so characters
should work even in a basic router. The longer the key, the more difficult it
is for someone to break the encryption.
Nevertheless, a long key is no protection against social engineering attacks.
If someone scams one of your employees into handing over the PSK to your Wi-Fi
network, your network will be compromised.
You could always change the PSK periodically. Then again, you will have to set
up some sort of mechanism for automatically updating PSKs on all of your
company's laptops, and that will mean either setting up a moderately
sophisticated system or manually updating the keys, which is a royal pain for
anything more than a handful of machines.
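
The PSK length and rotation advice above, as an added example that is not part of the original article: a Python sketch that generates a random 20-character key for each rotation and audits a key someone proposes. The 8 to 63 printable-ASCII limit and the PBKDF2 derivation are how WPA/WPA2-Personal handles passphrases; the alphabet, the 80-bit threshold and the SSID `OfficeNet` are assumptions.

```python
import hashlib
import math
import secrets
import string

MIN_LEN, MAX_LEN = 8, 63          # WPA/WPA2-Personal passphrase length limits
ALPHABET = string.ascii_letters + string.digits   # assumption: easy to type
MIN_BITS = 80                     # assumption: local policy threshold
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def generate_psk(length=20):
    """Random passphrase from the OS CSPRNG, e.g. for a scheduled rotation."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"passphrase must be {MIN_LEN}-{MAX_LEN} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_psk(psk):
    """Return (entropy_upper_bound_bits, problems) for a proposed passphrase."""
    problems = []
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        problems.append("length outside 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in psk):
        problems.append("non-printable or non-ASCII character")
    # Pool size implied by the character classes present. This is an upper
    # bound: it assumes every character was chosen at random, so dictionary
    # words and names are weaker than the figure suggests.
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in psk))
    bits = len(psk) * math.log2(pool) if pool else 0.0
    if bits < MIN_BITS:
        problems.append(f"at most {bits:.0f} bits, below policy of {MIN_BITS}")
    return bits, problems


def derive_pmk(psk, ssid):
    """256-bit key the access point actually uses: PBKDF2-HMAC-SHA1 salted
    with the SSID, 4096 iterations. All of its strength comes from the PSK."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    for candidate in ("sunshine", generate_psk(20)):   # constructed samples
        bits, problems = audit_psk(candidate)
        print(f"{len(candidate):2d} chars  <= {bits:5.1f} bits  {problems or 'ok'}")
    print(derive_pmk("sunshine", "OfficeNet").hex())   # hypothetical SSID
```

An eight-letter lowercase key tops out below 38 bits, while twenty random alphanumeric characters give about 119 bits, which is why the short keys some routers ship with are worth replacing.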

Protecting a Wi-Fi network
- Disable SSID broadcast: This would make it harder for a hacker
to know the presence of a Wi-Fi access point
- Enable MAC address filtering: Each network interface has a
unique MAC address; by filtering based on a list of MAC addresses, one
can, to an extent, control which machines can use the access point
- Turn on WPA/WEP encryption: So that traffic between a legitimate
machine and an access point is not readable
- Change default admin passwords for access points
- Ensure access points are placed securely (e.g. in the center
of a room/office etc. to minimize its signal strength outside the office)
Even after following the above, your network could be compromised. Here are
some more things to look at:
- Monitor usage of the access point. Have a clear inventory
and knowledge about the position of each access point
- Monitor the usage of the Internet link, to know what traffic
is going out. E.g., some corporates block public e-mail sites such as
Yahoo or Hotmail. Hence, even if the access point is compromised, the
hacker may not be able to use public e-mail systems
- Think about a specific security policy for wireless networks.
E.g., most companies primarily use wired networks in the office as the
primary medium. Access points are used in common areas such as conference
rooms etc. Hence, strict policies can be deployed on wireless networks
as compared to wired networks
Source: Sameer Shelke, co-founder & CTO, Aujas Networks

Always keep in mind that out-of-the-box setups are vulnerable, as all too
often the PSK generated is too short to be useful. You must add layers of
security, such as using the router's or access point's MAC address filter and
a longer PSK.
Last but not least, monitoring the router access logs is
another important task for an IT manager in a simple Wi-Fi set-up. This way,
if someone does break in, you find out and are in a position to take remedial
action.

prashant.rao@expressindia.com