Securing your wireless network
WLAN security best practices and tips to help you protect your corporate wireless network from common security threats
Wireless local area networks (WLANs) are convenient, cheap and easy to install. They allow for mobility around the office and deliver great flexibility. However, all WLANs potentially have major flaws and weaknesses.
This guide describes the potential security issues in wireless networks that may affect your business - for example denial of service attacks, spoofing and session hijacking. Eavesdropping is also a concern with wireless transmission - others 'listening in' on your business activities and using this information against you, eg to undercut your prices.
Unless you set up suitable security measures, your corporate WLAN may be insecure. It may even compromise your business. To protect it, it is important to set up your wireless network components correctly, choose the right Wi-Fi protected access (WPA) and use the appropriate wireless networking standards.
Wireless network components
To set up a basic wireless network for your business, you will need several key components - a wireless access point, a network interface card and Wi-Fi enabled devices.
Wireless local area networks (WLANs) use the same basic structure of components as the traditional Ethernet-wired networks. However, instead of cables, WLANs use infrared or radio frequency technology to transmit data around the network.
Businesses typically use wireless networks within a single building, or as a building-to-building connection, often as an extension to a wired network.
What are the main components of a wireless network?
The physical WLAN architecture is fairly simple. The basic components of a WLAN are typically:
- wireless access points
- network interface cards (NICs) or client adaptors
You can use other components, such as wireless bridges and repeaters, to extend the reach of your network.
Wireless access points
A central access point is basically the wireless equivalent of a LAN hub. It is a small box (with one or more aerials) that uses a connector to attach it to the rest of your wired LAN.
Access points receive and transmit data from and to all the wireless devices in their area. They can handle many different connections between different devices all talking to each other at once, but the more devices you have working with an access point, the slower they will operate.
You may need more than one access point to cover a building, depending on its range and the composition of any walls or floors between the access point and the wireless network card.
Wireless network interface card (NIC)
The network interface card acts as the radio receiver and transmitter for a specific computer and connects it into the WLAN. It is coupled with the device operating system using a software driver. Many modern laptops or tablets have this Wi-Fi capability built-in, but with older desktop PCs you may need to install one.
Most wireless network cards connect to an access point. However, some NICs can enable a peer-to-peer connection - ie they can talk to other compatible network cards that are within their range. This may be useful for small roaming workgroups of devices that do not require access to the LAN backbone.
Wireless range extenders
Wireless repeaters can improve or extend coverage of your network. They work by receiving your existing Wi-Fi signal and relaying your requests and responses between your device and your main Wi-Fi router/access point. With a repeater, you can effectively double the range of your WLAN.
Most WLANs are installed using access points that have omnidirectional aerials or antennae. These transmit wireless signals in all directions, as opposed to directional antennae, which produce a more concentrated signal focused on a narrower area. Depending on the type of signal you need, replacing the antenna of your wireless access point may give you a better range.
Wireless bridges enable high-speed long-range outdoor links between buildings. Their range is typically up to 25 miles. They are based on line-of-sight, so physical obstacles such as railroads or bodies of water generally do not affect them.
How to set up your WLAN?
The different components need to be compatible for the WLAN to function correctly. This is possible because they comply with a set of wireless networking standards intended to enable devices from different manufacturers to work together.
Wireless networking standards
The different types of WLAN standards, including IEEE 802.11 and Wi-Fi 6, and their role in ensuring that your business devices and network operate safely, quickly and properly
The Institute of Electrical and Electronic Engineers (IEEE) develops official standards to enable wireless local area network (WLAN) devices to work together, regardless of which manufacturer made them.
These standards are driven by two factors:
- speed - getting data transmitted faster between PCs and access points
- security - making sure that the wireless capability is not abused
You need to be aware of both factors when choosing wireless networking equipment.
Current IEEE standards
At present, the IEEE 802.11b and 802.11g standards are widely accepted throughout the industry. The 802.11a standard is uncommon in standard office systems and incompatible with any of the other standards.
802.11b standard supports operation up to 100 metres away in unobstructed areas, but it has limited security capability, particularly in older devices.
802.11g standard offers greater speed and security and is available in most new equipment. If you are setting up your first WLAN, or upgrading an existing system, you should buy equipment that incorporates at least 802.11g standard. Using 802.11b and 802.11g devices together is possible, but if you do, you may find that your 802.11g equipment is less effective.
New generation of wireless standards
If you're in the market for new wireless networking equipment, it may be worth looking at the emerging IEEE standards to make sure you don't buy a wireless technology that quickly becomes obsolete. Some of the more recent standards include:
- IEEE 802.11i - an amendment to the original IEEE 802.11 standard that specifies security mechanisms for wireless networks.
- IEEE 802.11n - an amendment to the previous IEEE 802.11-2007 standard to improve wireless network throughput. 802.11n will offer the fastest maximum speed and best signal range, and be more resistant to signal interference from outside sources.
- IEEE 802.11ac - a newer standard that can potentially offer even faster throughput.
A common strategy for many businesses is to set up 802.11g client devices - the local equipment - while gradually moving to 802.11n or 802.11ac as part of new equipment purchases. The 802.11n or 802.11ac equipment will be backward compatible with 802.11g.
Wi-Fi 6 standard
Wi-Fi 6, or 802.11ax, is the newest version of the 802.11 standard for wireless network transmissions. It offers backwards compatibility and promises to improve speed and reliability at a network level. It enables more devices to simultaneously operate on the same Wi-Fi channel, which improves the efficiency, latency times, and data throughput of your wireless network.
When considering standards and networking equipment, choose devices that the Wi-Fi Alliance has tested and certified. This guarantees that they meet industry requirements and can work together.
Security issues in wireless networks
Basic security features of WLAN products - such as SSIDs, WEP and access control - offer limited protection against common WLAN security issues and threats
Wireless local area networks (WLANs) transmit and receive data using radio waves rather than wires. This lack of a physical barrier makes WLANs vulnerable to unlawful interception, eavesdropping, hacking and a range of other cyber security issues.
Wireless network security issues and threats
The three most common WLAN security threats are:
- denial of service attacks - where the intruder floods the network with messages affecting the availability of the network resources
- spoofing and session hijacking - where the attacker gains access to network data and resources by assuming the identity of a valid user
- eavesdropping - where unauthorised third parties intercept the data being transmitted over the secure network
To counter these threats, you should make every effort to configure your WLAN correctly. You should also enable a range of security features, such as standard authentication and encryption, alongside other access control mechanisms.
Basic WLAN security features
Early WLAN hardware used a number of basic security methods, including:
- Service Set Identifiers (SSIDs) - these prevent connection to access points unless a device uses a given identifier correctly
- Media Access Control (MAC) - this involves using addresses attached to each device to limit connection to access points
- Wired Equivalent Privacy (WEP) - WEP uses encryption keys so that only devices with the correct key can communicate with access points
WEP still exists in many devices as users have found compatibility problems when introducing new equipment. However, WEP has been proven ineffective against hackers. You should consider upgrading any devices relying on this technology.
Even with all these security measures combined, basic WLAN features cannot guarantee that your network will remain secure. What is more, WLAN equipment often comes with the security measures switched off entirely. If you don't switch these on, then you have absolutely no security at all.
Upgrade your WLAN security protocols
If you are using a WLAN that relies only on these basic security features, it is crucial that they are correctly set up and working. Preferably, you should upgrade to more modern security methods, such as Wi-Fi protected access (WPA) and WPA2.
Read more about Wi-Fi protected access (WPA).
Wi-Fi protected access (WPA)
An overview of WPA, WPA2 and WPA3 - the key wireless security protocols commonly used in modern wireless network products
The early wireless local area network (WLAN) security methods were not very robust. Wired equivalent privacy (WEP) devices have been particularly prone to hacking.
As a result, the Wi-Fi Alliance, which represents most suppliers of wireless hardware, has produced better security protocols called Wi-Fi protected access (WPA) and its successors, WPA2 and WPA3.
What is Wi-Fi protected access?
Wi-Fi protected access uses different methods of encryption that are stronger and better designed than WEP. You can select products that use Wi-Fi protected access by looking for 'Wi-Fi WPA' in their specifications. Products that comply with WPA will work together - a critically important requirement.
Wi-Fi protected access can operate in two modes:
- Personal mode - uses a pre-shared password or pass phrase for authentication. This simple approach makes sure a computer can only get access to the WLAN if the password matches the access point's password.
- Enterprise mode - uses a more sophisticated method of encryption better suited to larger organisations that need stronger protection.
WPA3 is the third and current generation of the WPA security. It retains interoperability with WPA2 devices, but offers greater protection for simple passwords, individualised encryption for personal and open networks, and even more secure encryption for enterprise networks.
Which Wi-Fi protected access is the best?
WPA is now fairly out of date and can make wireless networks vulnerable to outside threats. If you have a router or a wireless access point which supports WPA, you should consider replacing it with a newer device compatible with WPA2 or WPA3.
WPA2 replaced WPA in 2004 and is now widely deployed in the enterprise space. Whilst generally safer than WPA, WPA2 is known to be vulnerable to key reinstallation attacks (KRACK) which can be exploited for the purposes of stealing data transmitted over networks.
WPA3 addresses WPA2's KRACK vulnerability with more stringent security and encryption methods. As the most up-to-date wireless encryption protocol, it is generally considered by experts to be the most secure. In practice, however, even WPA3 is not impervious to threats. You should mitigate them via regular software upgrades, including patches to your operating systems.
Keep in mind that wireless hardware manufacturers often supply their products with the security settings turned off. Make sure that you set the device up properly before using it. See 10 tips for better wireless network security.
Improve network security with VPN and firewalls
How to use virtual private networks (or VPNs) and firewalls to improve the security of your business' wireless network and wireless networking devices
The latest security protocols, based on Wi-Fi protected access, can help strengthen your wireless local area network defences.
However, there are other ways of boosting your network security, such as using virtual private networks (VPNs) and firewalls.
Virtual private networks
With a VPN, you can create a secure network even with an insecure WLAN system. You can do this by encrypting all of the data that passes over the network so that an 'eavesdropper' can't read it.
While VPN encryption is a good solution to secure wireless traffic, there are some limitations. For example, VPNs may:
- be difficult to set up internally - you may need to get expert advice to help you design and implement an effective VPN system
- make it difficult for users with laptops to roam around your building, particularly if you have a large building with several access points, which transfer data between your devices - this is due to the need to hand over from one access point to another
See more on possible problems and security issues in wireless networking.
A firewall is a device or piece of software that controls what data is allowed to pass through it. You can use a firewall in a network to:
- separate an insecure part of the network from the secure area where your most critical data is managed
- separate all the wireless data traffic from your wired network
However, unless you have the technical knowledge, you may find setting up a firewall in this way difficult to achieve without hiring an IT specialist.
If you have an existing internet connection, you will probably have a firewall already in place. However, do not assume that you can use this to provide protection for your WLAN. You may need an additional device depending on your network design.
Unless you have good IT security skills available internally, you should seek advice from an experienced consultant to help you design your network.
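The check below is an added example, not part of the original guide: it tests whether a firewall rule set really keeps wireless traffic off the wired network, and shows how rule order alone can undo the separation. The subnets, the intranet portal address and the rule format are all assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical): wireless and wired devices on separate subnets.
WLAN = ipaddress.ip_network("10.20.0.0/24")
LAN = ipaddress.ip_network("10.10.0.0/24")
APPROVED = {("10.10.0.25", 443)}  # hypothetical intranet portal wireless users may reach

# Constructed rule set: evaluated top to bottom, first match wins, default deny.
GOOD_RULES = [
    {"action": "allow", "src": "10.20.0.0/24", "dst": "10.10.0.25/32", "port": 443},
    {"action": "deny", "src": "10.20.0.0/24", "dst": "10.10.0.0/24", "port": None},
    {"action": "allow", "src": "10.20.0.0/24", "dst": "0.0.0.0/0", "port": None},
]
# The same rules with the broad internet rule moved to the top: an ordering mistake.
BAD_RULES = [GOOD_RULES[2], GOOD_RULES[0], GOOD_RULES[1]]


def decide(rules, src, dst, port):
    """Return "allow" or "deny" for one flow under first-match, default-deny rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        in_src = s in ipaddress.ip_network(rule["src"])
        in_dst = d in ipaddress.ip_network(rule["dst"])
        if in_src and in_dst and rule["port"] in (None, port):
            return rule["action"]
    return "deny"


def wlan_exposure(rules, ports=(22, 443, 445)):
    """List wired (host, port) pairs a wireless client can reach that are not approved."""
    probe = str(next(iter(WLAN.hosts())))  # simplification: one representative client
    exposed = []
    for host in LAN.hosts():
        for port in ports:
            flow = (str(host), port)
            if flow not in APPROVED and decide(rules, probe, *flow) == "allow":
                exposed.append(flow)
    return exposed


if __name__ == "__main__":
    print("correct order  :", len(wlan_exposure(GOOD_RULES)), "exposed services")
    print("broad rule first:", len(wlan_exposure(BAD_RULES)), "exposed services")
```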
It's important to understand that no single solution will give you guaranteed protection against existing network vulnerabilities. In most cases, the best way to secure your wireless network is to:
- set up and maintain the network and the connected devices correctly
- implement appropriate safety measures
- train your staff on acceptable use and networking best practices
10 tips for better wireless network security
Best practices for protecting corporate wireless networks and ensuring the best possible level of WLAN security
Having a safe, secure and reliable wireless local area network (WLAN) is critical for protecting and running your business. Here are some ideas to help you improve your WLAN security and get the most out of wireless networking:
1. Don't assume that your business is of little interest to hackers. Even if you are not the target of their attack, hackers can use your insecure network to cause damage to someone else, eg by logging on to one of your servers and installing software that can damage another business' website. To get a better understanding of online threats, see cyber security for business.
2. If your devices rely on basic WLAN security features such as Wired Equivalent Privacy, or out of date Wi-Fi Protected Access (WPA) protocols, consider upgrading them. Modern devices with the latest security protocols such as WPA3 built into them may offer better protection.
3. Make sure that your new WLAN equipment matches the required wireless networking standards. If possible, order equipment from the same manufacturer to ensure that it's compliant and compatible.
4. Always enable the security features when installing new equipment. If you forget to do so, it could leave your entire network open to attack. Read more on Wi-Fi protected access (WPA).
5. Try to position access points - which transfer data between your devices - away from the outside wall of your building to minimise leakage of radio signals. This limits the chances of interception from outside.
6. Don't allow employees to add access points without management authorisation. One insecure access point could put your entire network at risk. Read more about access points and other wireless network components.
7. If you need a high level of security for your wireless transactions, use only the latest technologies and run additional encryption such as SSL-enabled communication protocols or a Virtual Private Network (VPN) to protect the data transferred across your network. If you can, use firewalls to isolate the WLAN from the rest of your network. See how to improve network security with VPN and firewalls.
8. Monitor your network and check logs periodically to make sure that your network has not been broken into. If you are not sure how to do this, call in an outside expert.
9. Keep software and router or wireless access point firmware up-to-date as this makes it much more difficult for hackers to exploit weaknesses.
10. Finally, unless you have good technical skills in your business, consider bringing in external experts to check your security measures.
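Tips 2, 4 and 6, together with the WPA guidance earlier in this guide, can be turned into a periodic check. The script below is an added example, not part of the original guide: it reads a site survey of access points, flags any that management has not authorised, and grades each security protocol the way the guide does. The CSV layout, the addresses and the authorised register are constructed for illustration.

```python
import csv
import io

# Constructed survey export (not real data): one row per access point seen on site.
SURVEY_CSV = """ssid,bssid,security
CorpNet,02:00:00:00:00:01,WPA3
CorpNet,02:00:00:00:00:02,wpa2
CorpNet-Legacy,02:00:00:00:00:03,WEP
Warehouse,02:00:00:00:00:04,WPA
CorpNet,02:00:00:00:00:99,WPA2
Printer-Setup,02:00:00:00:00:05,OPEN
"""

# Assumption: management keeps a register of the access points it has approved.
AUTHORISED = {"02:00:00:00:00:0%d" % n for n in range(1, 6)}

# Severity and advice per protocol, following the guide's own ranking.
PROTOCOL_FINDINGS = {
    "OPEN": ("high", "security switched off: enable WPA2 or WPA3"),
    "WEP": ("high", "WEP is ineffective: upgrade the device"),
    "WPA": ("medium", "WPA is out of date: move to WPA2 or WPA3"),
    "WPA2": ("low", "keep firmware patched against KRACK"),
    "WPA3": None,  # current generation, nothing to report
}
ORDER = {"high": 0, "medium": 1, "low": 2}


def audit(survey_csv, authorised):
    """Return (severity, bssid, ssid, message) findings, most severe first."""
    allowed = {b.lower() for b in authorised}
    findings = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        ssid, bssid = row["ssid"].strip(), row["bssid"].strip().lower()
        proto = row["security"].strip().upper()
        if bssid not in allowed:
            findings.append(("high", bssid, ssid, "access point not authorised by management"))
        if proto not in PROTOCOL_FINDINGS:
            findings.append(("medium", bssid, ssid, "unrecognised security value: check by hand"))
        elif PROTOCOL_FINDINGS[proto]:
            severity, advice = PROTOCOL_FINDINGS[proto]
            findings.append((severity, bssid, ssid, advice))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, bssid, ssid, message in audit(SURVEY_CSV, AUTHORISED):
        print(f"{severity:6} {bssid} {ssid:15} {message}")
```

The unregistered access point in the sample uses the corporate network name with WPA2, so only the register check catches it.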