How to Build a Secure Wireless Network

Encryption: The Secret Code

The single most important way to secure a wireless network is to protect it with strong encryption. Encryption technology basically scrambles network traffic using mathematical algorithms that prevents eavesdroppers from understanding the content. Encryption is fairly straightforward to set up, but there are two important choices that must be made when using encryption to properly secure a network.

First, choose a good encryption method. Refrain from using the Wired Equivalent Privacy (WEP) encryption algorithm. This technology is outdated, and there are many known vulnerabilities that essentially render it useless. An attacker with a little knowledge and some free tools can defeat WEP encryption in a matter of seconds. Instead, choose Wi-Fi Protected Access (WPA or WPA2) encryption. Both versions employ strong encryption algorithms to protect traffic sent over a wireless network.

Second, choose whether to use a pre-shared encryption key or enterprise authentication technology. In a pre-shared key approach, a network has a single shared password that all users must key in to access the network. This is the approach commonly used on home networks, but it is only appropriate for the smallest business networks. It's simply too difficult to control knowledge of the shared key without changing it every time someone leaves an organization or a guest is given access to the key.

If using pre-shared key authentication, there are some potential vulnerabilities that might allow an attacker to crack an organization's encryption key if the company uses a common service set identifier (SSID) for its wireless network. Be sure to check the 1000 Most Common SSIDs from the Wireless Geographic Logging Engine and choose something that's not on the list.

The alternative, enterprise encryption, leverages an existing authentication infrastructure to allow users to join the wireless network using the same username and password they provide to access their computers, e-mail and other enterprise resources. Using enterprise encryption makes dealing with employee terminations a breeze. When an enterprise account is deactivated, a user simultaneously loses access to the wireless network. No key changes are required.
Wireless, BYOD and Visitors

Network administrators have always grappled with the challenges posed by those who want to bring outside devices onto corporate networks. In the past, the quick response to those requests was “No, the corporate network is limited to company-owned devices.” Over the past few years, however, two emerging trends have rendered this position indefensible in many environments. First, many businesses are instituting a “bring your own device” (BYOD) strategy that allows employees to bring smartphones, tablets and notebook computers from home into the office, where they expect to have access to the company network.

At the same time, company guests are starting to have the same expectations for ubiquitous network access. While these guests certainly don't need access to corporate data, guest network access has become a standard expectation, especially in facilities where cell phone signals might not penetrate to interior conference rooms. Organizations need to develop clear policies around who may join external devices to the network, what access is afforded to those devices, and who may approve such requests.

One increasingly common approach to this problem is to create an open, unsecured wireless network that allows access to the Internet and nothing else. Visitors can then connect their personal devices to this network without affecting the security of corporate systems or data. It essentially recreates the coffee shop wireless experience within the facility while isolating the guest network from a business's secure systems. Anyone on the guest network who attempts to access company resources would have the same experience as if they were working at home: They'd have to secure their connection using a VPN or other security technology.
Battling Rogue Access Points

Once an organization builds a secure wireless network, there's still one big issue to worry about - rogue wireless access points. It's far too easy for an employee, frustrated with security controls or coverage issues, to drop $60 on a wireless AP and connect it to a wired network. This creates a small “private” wireless network that may not be appropriately secured and limits IT staff's visibility into the devices that connect to it.

In order to reduce this risk, conduct periodic scans for rogue APs. This may be as simple as having a technician walk around the building with a notebook running a tool such as NetStumbler to discover wireless networks. Another option is to invest in an automated wireless intrusion prevention system that continuously monitors an environment and automatically alerts IT staff to the presence of rogue wireless networks. These systems fingerprint the unique electronic characteristics of wireless devices to identify APs not on the approved list.

Wireless networking is changing the way employees interact with corporate resources. It is increasingly common for staff to go days or weeks without ever connecting to a traditional wired network. It's essential for the administrators running these networks to understand user behavior and develop secure, flexible options that balance security concerns with business requirements. Developing solid wireless policies and backing them up with strong encryption technology and rogue AP detection capabilities can go a long way toward creating a secure wireless environment.