Wireless Network Security Considerations

The increasing proliferation of wireless networks in businesses, public places, and private homes, along with the widespread use of smartphones, tablets, computers, and IoT devices, has resulted in a vastly increased attack surface for malicious actors.  Security in both business and non-business environments is essential for the protection of valuable data and personal information.  While businesses and organizations invest significantly in wireless network security, the security of home wireless networks is often not considered.  Both business and home networks face the same risks related to wireless networks.  Some of these risks include piggybacking, wardriving, evil twin attacks, wireless sniffing, unauthorized computer access, shoulder surfing, and theft of mobile devices (Securing wireless networks, n.d.).  Some general best-practice security concepts for wireless networks include strong password policies, encryption, the use of appropriately configured firewalls, restriction of access using MAC address filtering (Cisco), and ensuring that software is up to date.

Encryption

All wireless networks should be secured by effective encryption standards.  Older versions of wireless encryption such as WEP and WPA should not be used because they are easily cracked using widely available key-cracking tools.  Both home and business wireless networks should use WPA2 or WPA3 encryption to secure their data.  WPA2 uses strong Advanced Encryption Standard (AES) encryption and effectively protects data transmitted over wireless networks.  However, WPA2 can be vulnerable to password attacks such as dictionary attacks and password list attacks.  Dictionary attacks use automated software to quickly try thousands of common passwords to access the wireless network.  Password list attacks are similar to dictionary attacks, but they use lists of common passwords available on the dark web.  WPA3 is the most recently developed standard for wireless encryption (Wireless security protocols, n.d.).  WPA3 also uses AES encryption and has protections that prevent dictionary and password list attacks.

Wireless piggybacking is a wireless attack that can be mitigated using encryption.  Piggybacking is when unauthorized users connect to the wireless network. This real-world threat can occur when the network is not adequately secured using a robust encryption standard such as WPA2/WPA3.  Piggybacking often occurs when a person uses a neighbor’s Wi-Fi without permission or parks outside a business location to connect to the business’s wireless network without permission.  Encryption must be paired with a strong password to ensure effectiveness.  The use of strong passwords can be an inconvenience to users.  Therefore, users often create passwords that are composed of simple words that are easy to remember.  These easy-to-remember passwords are also easy to crack using tools such as Aircrack-ng and BoopSuite.  Therefore, strong wireless passwords should be used for both business and home networks. 
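
The passphrase weaknesses described in the two paragraphs above can be checked before a network is deployed.  The following is an added example, not part of the original article: the function names, the sample word list, and the 60-bit threshold are assumptions chosen for illustration.

```python
import math

# Constructed sample list; a real audit would load a large list of
# known-common passwords from a file.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein123", "welcome1"}
MIN_BITS = 60  # assumed policy threshold, not a value from the article

def estimate_bits(passphrase):
    """Upper-bound strength estimate: length * log2(size of character pool used).
    Real words score lower in practice, so treat the result as optimistic."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit_passphrase(passphrase, ssid):
    """Return the reasons a WPA2/WPA3 passphrase is weak (empty list = passes)."""
    problems = []
    # WPA2-Personal accepts passphrases of 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("non-printable or non-ASCII character")
    lowered = passphrase.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if ssid and ssid.lower() in lowered:
        problems.append("contains the network name")
    if estimate_bits(passphrase) < MIN_BITS:
        problems.append("estimated strength below %d bits" % MIN_BITS)
    return problems

if __name__ == "__main__":
    for candidate in ("password", "HomeNet2021", "tR7#qLm2!vZp9@Wk"):
        print(candidate, "->", audit_passphrase(candidate, "HomeNet") or "ok")
```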

Firewalls

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules (What is a firewall, n.d.).  There are two categories of firewalls: software firewalls and hardware firewalls.  A software firewall is a program installed on a computer that inspects and filters data that may be malicious.  Hardware firewalls are separate devices that inspect and filter data before it gets to the network.

Firewalls can be either stateful or stateless.  Stateful firewalls scrutinize multiple aspects of network traffic, including the context of the traffic.  These firewalls analyze the communication channels and characteristics of the data to determine what traffic is permitted.  Stateless firewalls, on the other hand, inspect the packets alone without considering the context.  Stateless firewalls are generally less expensive and are faster than stateful firewalls.
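
The difference between the two approaches shows up when a packet arrives that looks like reply traffic but belongs to no connection.  The following is an added example, not part of the original article: the packet model, the rule, and all addresses are constructed for illustration, and the stateful tracker is simplified to exact flow matching.

```python
from collections import namedtuple

# Constructed packet model; all addresses and ports are sample values.
Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE_PREFIX = "192.168.1."  # assumed internal (wireless LAN) range

def from_inside(pkt):
    return pkt.src.startswith(INSIDE_PREFIX)

def stateless_allow(pkt):
    """Judge the packet alone: outbound is allowed; inbound is allowed
    if it looks like HTTPS reply traffic (source port 443, ACK set)."""
    if from_inside(pkt):
        return True
    return pkt.sport == 443 and "ACK" in pkt.flags

class StatefulFirewall:
    """Remembers outbound flows and admits inbound packets only as replies."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if from_inside(pkt):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reply_to = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        allowed = reply_to in self.flows
        if allowed and "RST" in pkt.flags:
            self.flows.discard(reply_to)  # connection torn down
        return allowed

def compare(trace):
    """Return (stateless, stateful) decisions for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]

SAMPLE_TRACE = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 443, {"SYN"}),         # client opens HTTPS
    Packet("203.0.113.5", 443, "192.168.1.10", 50000, {"SYN", "ACK"}),  # genuine reply
    Packet("198.51.100.7", 443, "192.168.1.20", 40000, {"ACK"}),        # unsolicited
]

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRACE, compare(SAMPLE_TRACE)):
        print(pkt.src, "->", pkt.dst, "stateless=%s stateful=%s" % decision)
```

The third packet passes the stateless rule because it matches on port and flag alone, while the stateful firewall drops it because no internal host opened that flow.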

Firewalls on wireless networks can help prevent attacks such as malware and viruses by stopping this malicious traffic before it enters the network or device.  Firewalls should also be deployed on mobile devices such as phones.  Attacks in which other devices attempt to connect to a phone or mobile device can be thwarted with a properly configured mobile firewall.

Restrict Wireless Access using MAC Address Filtering

Access to wireless networks can be restricted through the use of MAC address filtering.  Since every device has a MAC address, the network can be configured to allow connections only from specifically authorized devices.  MAC address filtering enables organizations to allow connections from devices that meet required security requirements and to pre-screen for malware or virus threats.  Organizations may even choose to enable company-owned devices and prevent personally owned devices from connecting to the network.  Restrictions such as these can be a powerful method to reduce the attack surface of a wireless network.
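
An allowlist check of this kind has to cope with the different ways MAC addresses are written in inventories and logs.  The following is an added example, not part of the original article: the function names and all addresses are constructed for illustration.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed.
    Accepts 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e and 001a.2b3c.4d5e."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    return digits if HEX12.match(digits) else None

def build_allowlist(entries):
    """Normalize inventory entries, silently skipping malformed ones."""
    return {m for m in map(normalize_mac, entries) if m}

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks an address that was assigned in
    software (for example, a randomized one) rather than by the vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def check_client(raw_mac, allowlist):
    """Decide whether a connecting client's MAC address is authorized."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return "reject: malformed"
    if mac in allowlist:
        return "allow"
    if is_locally_administered(mac):
        return "reject: locally administered address, cannot match inventory"
    return "reject: not in allowlist"

# Constructed inventory of company-owned devices, in mixed notations.
INVENTORY = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d6f"]

if __name__ == "__main__":
    allow = build_allowlist(INVENTORY)
    for client in ("00-1a-2b-3c-4d-5e", "DA:A1:19:00:11:22", "00:1A:2B:3C:4D:99"):
        print(client, "->", check_client(client, allow))
```

The filter sees only the address a client presents, so it works alongside WPA2/WPA3 authentication rather than in place of it.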

Wireless Network Design

The wireless network should be designed to limit the ability to access the network from outside an organization’s workspace.  Wireless networks must meet the users’ needs but can also be configured to restrict the ability of intruders to gain access to the wireless signal.  This can be accomplished by positioning the wireless access points in the center of the building or strategic locations within the workspace and adjusting the signal strength so that the wireless signal does not reach outside the building. 

SSID Broadcasting

The Service Set Identifier (SSID) is the broadcasted name of the wireless network.  It is common for manufacturers to use the same SSID for all wireless routers that they produce.  Therefore, it is essential to change the default SSID so that the router manufacturer is not disclosed.

SSID broadcasting can be disabled so that the network is not discoverable.  This can be helpful because it will prevent the casual user from attempting to connect to the network.  However, disabling SSID broadcasting is not a real security measure because it does nothing more than hide the network name.  The network is still easily discovered using Kismet or other programs that look for available networks without SSID broadcasts.

References

Securing wireless networks. (n.d.). Cybersecurity & Infrastructure Security Agency. Retrieved October 25, 2021 from https://us-cert.cisa.gov/ncas/tips/ST05-003

Wireless security protocols. (n.d.). Cisco. Retrieved October 25, 2021 from https://ipcisco.com/lesson/wireless-security-protocols/

What is a firewall? (n.d.). Cisco. Retrieved October 25, 2021 from https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html