Tactical Advice

How to Build a Secure Wireless Network

Take these wireless security measures to ensure that company data is safe without impeding the end-user experience.
This story appears in the Summer 2012 issue of BizTech Magazine.
TJX, the parent company of Marshalls, T.J. Maxx and other retailers, lost 45 million credit card numbers several years ago because of an improperly secured wireless network. With cyberthreats becoming more prevalent, companies need to ensure that the security controls surrounding their wireless networks are up to par.

Securing a wireless network isn't rocket science, yet organizations continue to make fundamental mistakes that jeopardize their security. There are a few simple steps that IT managers should follow to ensure that users are being provided a secure wireless experience. By deploying encryption, security policies and guest access management, a business can build a secure, reliable wireless network.

Encryption: The Secret Code

The single most important way to secure a wireless network is to protect it with strong encryption. Encryption technology scrambles network traffic using mathematical algorithms that prevent eavesdroppers from understanding the content. Encryption is fairly straightforward to set up, but two important choices must be made to properly secure a network with it.

First, choose a good encryption method. Refrain from using the Wired Equivalent Privacy (WEP) encryption algorithm. This technology is outdated, and there are many known vulnerabilities that essentially render it useless. An attacker with a little knowledge and some free tools can defeat WEP encryption in a matter of seconds. Instead, choose Wi-Fi Protected Access (WPA or WPA2) encryption. Both versions employ strong encryption algorithms to protect traffic sent over a wireless network.

Second, choose whether to use a pre-shared encryption key or enterprise authentication technology. In a pre-shared key approach, a network has a single shared password that all users must key in to access the network. This is the approach commonly used on home networks, but it is only appropriate for the smallest business networks. It's simply too difficult to control knowledge of the shared key without changing it every time someone leaves an organization or a guest is given access to the key.

If using pre-shared key authentication, there are some potential vulnerabilities that might allow an attacker to crack an organization's encryption key if the company uses a common service set identifier (SSID) for its wireless network. Be sure to check the 1000 Most Common SSIDs from the Wireless Geographic Logging Engine and choose something that's not on the list.
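
The reason the SSID matters: in pre-shared key mode, WPA and WPA2 derive the network's master key from the passphrase using the SSID as the salt, so a widely used SSID gives up the benefit of a unique salt. The Python below is an added example, not part of the original article; the short SSID list is a constructed sample (not the Wireless Geographic Logging Engine list) and the 20-character minimum is an assumed policy value.

```python
import hashlib

# Constructed sample only; load the list you actually audit against from a file.
SAMPLE_COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, salt = SSID,
    4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def audit_psk_network(ssid, passphrase, common_ssids=SAMPLE_COMMON_SSIDS, min_len=20):
    """Return a list of findings for a pre-shared-key network configuration.

    min_len is an assumed policy threshold, not a value from the article.
    """
    findings = []
    if ssid.strip().lower() in common_ssids:
        # Salt shared with many other networks: work done against this SSID
        # elsewhere applies here too.
        findings.append("ssid-on-common-list")
    if len(passphrase) < min_len:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys are unrelated.
    for name in ("linksys", "Acme-4F-East"):
        print(name, wpa_psk_pmk("correct horse battery staple", name).hex())
    print(audit_psk_network("Linksys", "password"))
```
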

The alternative, enterprise encryption, leverages an existing authentication infrastructure to allow users to join the wireless network using the same username and password they provide to access their computers, e-mail and other enterprise resources. Using enterprise encryption makes dealing with employee terminations a breeze. When an enterprise account is deactivated, a user simultaneously loses access to the wireless network. No key changes are required.

Wireless, BYOD and Visitors

Network administrators have always grappled with the challenges posed by those who want to bring outside devices onto corporate networks. In the past, the quick response to those requests was “No, the corporate network is limited to company-owned devices.” Over the past few years, however, two emerging trends have rendered this position indefensible in many environments. First, many businesses are instituting a “bring your own device” (BYOD) strategy that allows employees to bring smartphones, tablets and notebook computers from home into the office, where they expect to have access to the company network.

At the same time, company guests are starting to have the same expectations for ubiquitous network access. While these guests certainly don't need access to corporate data, guest network access has become a standard expectation, especially in facilities where cell phone signals might not penetrate to interior conference rooms. Organizations need to develop clear policies around who may join external devices to the network, what access is afforded to those devices, and who may approve such requests.

One increasingly common approach to this problem is to create an open, unsecured wireless network that allows access to the Internet and nothing else. Visitors can then connect their personal devices to this network without affecting the security of corporate systems or data. It essentially recreates the coffee shop wireless experience within the facility while isolating the guest network from a business's secure systems. Anyone on the guest network who attempts to access company resources would have the same experience as if they were working at home: They'd have to secure their connection using a VPN or other security technology.

Battling Rogue Access Points

Once an organization builds a secure wireless network, there's still one big issue to worry about: rogue wireless access points. It's far too easy for an employee, frustrated with security controls or coverage issues, to drop $60 on a wireless AP and connect it to a wired network. This creates a small “private” wireless network that may not be appropriately secured and limits IT staff's visibility into the devices that connect to it.

In order to reduce this risk, conduct periodic scans for rogue APs. This may be as simple as having a technician walk around the building with a notebook running a tool such as NetStumbler to discover wireless networks. Another option is to invest in an automated wireless intrusion prevention system that continuously monitors an environment and automatically alerts IT staff to the presence of rogue wireless networks. These systems fingerprint the unique electronic characteristics of wireless devices to identify APs not on the approved list.
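
The approved-list comparison can be applied to the results of a walk-around survey as well. The Python below is an added example, not part of the original article; the inventory, the CSV column layout, the MAC addresses and the -70 dBm "nearby" threshold are all constructed assumptions.

```python
import csv
import io

# Constructed approved inventory: BSSID -> (SSID, expected encryption).
APPROVED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:10": ("CorpGuest", "Open"),  # guest network, open by design
}

# Constructed survey export (hypothetical column layout).
SCAN_CSV = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,CorpNet,1,WPA2-Enterprise,-48
00:11:22:33:44:02,CorpNet,6,WEP,-55
00:11:22:33:44:10,CorpGuest,11,Open,-60
66:77:88:99:AA:BB,CorpNet,6,WPA2-PSK,-41
66:77:88:99:AA:CC,linksys,3,Open,-39
66:77:88:99:AA:DD,CoffeeShop,9,WPA2-PSK,-88
"""


def classify(scan_csv, approved=APPROVED, near_dbm=-70):
    """Return (bssid, finding) pairs for APs that need follow-up."""
    corp_ssids = {ssid for ssid, _ in approved.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().upper()
        ssid, enc = row["ssid"], row["encryption"]
        if bssid in approved:
            # Known AP: confirm it still advertises what the inventory expects.
            if (ssid, enc) != approved[bssid]:
                findings.append((bssid, "approved-ap-config-drift"))
        elif ssid in corp_ssids:
            # Company SSID broadcast by hardware that is not in the inventory.
            findings.append((bssid, "unapproved-ap-using-corporate-ssid"))
        elif int(row["signal_dbm"]) >= near_dbm:
            # Strong signal suggests the AP is inside the building; weaker
            # unknown networks are more likely neighbours and are not reported.
            findings.append((bssid, "unknown-ap-strong-signal"))
    return findings


if __name__ == "__main__":
    for bssid, finding in classify(SCAN_CSV):
        print(bssid, finding)
```

A strong-signal finding only shows that an unknown AP is nearby; confirming that it is plugged into the wired network still takes a check of the switch port it is connected to.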

Wireless networking is changing the way employees interact with corporate resources. It is increasingly common for staff to go days or weeks without ever connecting to a traditional wired network. It's essential for the administrators running these networks to understand user behavior and develop secure, flexible options that balance security concerns with business requirements. Developing solid wireless policies and backing them up with strong encryption technology and rogue AP detection capabilities can go a long way toward creating a secure wireless environment.

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.