Table of Content
Very likely, your company has a wireless network. Whether it is for your colleagues to use for their day-to-day work or for your customer's convenience, you need to take steps to secure them. Many organizations have moved from wired to wireless networks that have had a negative effect on their overall security posture. Wired networks are easier to secure than wireless networks - any cyber criminals know this. In this article we'll have some simple steps you can take to better secure your wireless network.
As a small business, you may not have the budget or the staff to support an elaborate system to secure your wireless network. The suggestions offered in this article is intended to give you some simple tips to effectively secure your wireless network with minimal to moderate cost and administrative effort. Very likely, if you have an off-the-shelf wireless access point purchased from a local electronic store, some of the tips given here might not be possible to implement. In this case, I recommend upgrading your wireless network equipment to those geared for businesses with robust security features.
Wireless Network Segmentation
If you are providing wireless network connectivity to your workforce company-issued devices, workforce personal devices, and visiting guests or customers, it's strongly recommended to segment each of those types of users to their own dedicate wireless network. For the purpose of this article, we'll assume you need to provide Wi-Fi to all three groups of users. Having wireless devices of your customers and personal devices of your workforce co-mingling with your company's devices on the same network is a big no-no. Best practices dictate you want to isolate each of these users onto its own network. This is what's called network segmentation and is an effective way to increase your security. Out of all the tips in this article, network segmentation is likely your most difficult to implement - either in cost or in a required skill set (e.g., VLANs).
Network segmentation can be accomplished in one of two ways: physically or virtually. Both yield the same result and which method you use will be depending on the capabilities of your network equipment and/or your skill set. Physical network segmentation is essentially, if our case, setting up three sets of wireless networks. You will have a dedicated access point for your company-issued devices, another for your staff's personal devices, and another for your customers. The three wireless networks can be all wired into your router, provide segmentation can be maintained.
There are a few significant advantages of segmenting your network:
- Better Containment - If malware, for example, from a customer's device starts to infect other devices, your company's equipment will not be affected. Your customers however, may not so as fortunately. As a side note, you would want your customers to read and acknowledge a disclaimer that essentially says that the Wi-Fi service you provide is for convenience and that they use "at their own risk". This should provide some legal protection. I am not a lawyer, so you will want to consult one to learn more about your liabilities.
- Better Security - Your corporate data is isolated from your customers. Any sensitive data you have on your network (such as customer database and company financial information) cannot be touched by your customers.
- Better Performance - Isolating your customer's traffic from your company's helps make sure that any intensive streaming your customers may be do would not affect your ability to conduct business functions related to your network or Internet connection.
- Better Oversight - Depending on your equipment, you may have the ability to generate log data on Internet activities. Having a log can be useful to identify suspicious or malicious activities
Another option to consider is opening up another service account with your local Internet service provider to bring in another line into your business. Dedicate this Internet connection for your customers and do not tie this into your company's network. Keep this physically separate for your other network as there should not be a reason customers would need access to any of your on-premise network resources. Depending on your situation, this would be a simple network setup that would comprise of just your ISP provided router. Obviously, setting up a secondary ISP service account involves a recurring monthly charge. This could mean an extra few dollars a day in operating cost. However, the peace of mind you get from knowing that any potential malicious activities stemming from your customer's devices and Internet activities (whether knowingly or unknowingly) won't affect your company's network is something I personally value greatly.
Wireless Network Access for Company Devices
For your company's owned wireless devices to be able to establish a connection to your corporate wireless network, you should have at least two security controls need to be satisfied before it connects. Implementing these controls at a minimum will guard against unknown or unauthorized devices from connecting to your network wirelessly.
- Wi-Fi / SSID Password - One of the security controls you should have in place for any of your wireless networks is an SSID password. Do not offer open wireless connections. A staff person with a company-issued device that wishes to connect to your wireless network will need to be provided the password. The Wi-Fi password should be changed regularly throughout the year. I recommend every 90 days.
- MAC Address Whitelist - If your equipment support it, create a MAC address (the 6-byte 'burned-in' physical/hardware address) whitelist of all your company-issued wireless devices. If your Wi-Fi password is compromised, and cyber-criminals tries to connect to your wireless network, they will not be able to establish a connection if their MAC address is not whitelisted. It should be noted that a MAC address can be spoofed. If cyber-criminals happen to know of your equipment's MAC addresses, they can re-configure their computer with it to connect to your wireless network. Although using a MAC address whitelist is not 100% fool-proof, it is easy to implement and does make it harder for cyber-badguys to break into your wireless network.
- Hidden SSID - As a way to minimize casual snooping, you can hidden the SSID of your wireless network. Typically this is accomplished by configuring your wireless access point to not broadcast your SSID. Your staff who need to connect to this network will need to manually add this Wi-Fi network on their computer the first time they connect to it. Although any hacker worth their salt will likely find your wireless network anyways, implementing this can help you stay off the radar of cyber-criminals driving around your neighborhood looking for a target of opportunity with malicious intent. Again, not 100% fool-proof but it is easy to implement.
- Reduced Signal Strength - If your physical office space is relatively small you would want to consider reducing the signal strength of your wireless network. You don't want a cyber-badguy attempting to hack into your wireless network discretely from an adjacent building, across the street or sitting in their car in the parking lot. Your signal strength should be throttled back to where you can effectively establish a stable connection from within your office space. You can do a fairly good assessment on how strong your Wi-Fi signal strength is by taking your smartphone or tablet and walking out to the streets and outlining the circumference around your office space where your signal strength starts to become unusable. Alternatively, you can find a payware tool that o can install onto your smartphone that will display actual signal strength in dB that will simplify this the assessment process.Once you identify your wireless coverage, you can then lower your signal strength accordingly and perform another reassessment.
Set Up an Isolated Wireless Network Access for Guests and Staff's Personal Devices
For non-corporate wireless devices, such as a staff's personal device or those of your guests, you should set up a separate "guest" wireless network to service this group. The guest wireless network should be physically or logically segmented from your corporate network. For most businesses, the intent for offering Wi-Fi access to guest is to offer Internet connectivity as a convenience and courtesy service. Despite this, there are things you can do to guard against unknown or unauthorized devices from connecting to your guest wireless network.
- Wi-Fi Password - One of the security controls to put in place for your guest Wi-Fi network is a SSID password. Do not offer open wireless connections for guests. A person with a device that wishes to connect to your wireless network will need to be provided the password. The Wi-Fi password should be changed regularly throughout the year. Being a guest network with the potential of many different people connecting to it, you might want to change it daily or weekly. Depending on your situation, you can display your SSID password in your lobby or your customer's receipt to reduce the number of inquiries from your customer on what the password is. What you want to avoid is a person persistently connecting to your wireless guest network who is not a customer of yours (such as a tenant living in an adjacent apartment building tapping into your guest Wi-Fi for free Internet service). From my perspective, free wireless Internet access is a privilege and not a right. I would offer free wireless access for those that patronize my business every day they use it.
- Credential Expiration - When a credential for a guest wireless user is created, you should, if possible, define an expiration date for the account. Your wireless access point should then be able to automatically prevent the guest user from gaining access from their device after the expiration date. This makes sure your guest will have access to your guest Wi-Fi network only for the duration of your business engagement.
- None Descriptive SSID - As a way to deflect your company's identity, your guest Wi-Fi SSID should named in a way to not incorporate your business name. This helps in minimizing casual snoopers from identifying a particular Wi-Fi network as yours. This is not prevent someone from trying to hack into your network. But it does make it harder for cyber-badguys to readily identify which SSID belongs to your organization.
- Reduced Signal Strength - Just like for the wireless network for your company staff, your guest wireless signal strength should be reduce to provide good coverage just within the physical space where your guest will be. What you want to avoid is your Wi-Fi coverage extending out to the adjacent building or across the street.
Set Up a Wireless Network Access Schedule to Limit Access
For your wireless networks, a schedule should be created that will automatically disable access after business hours. This limits exposing your wireless network to potentially to malicious activities when not use. Your network equipment would need to support this to effective implement this. Some wireless access point comes with a scheduling feature. If yours does not, explore the features on your network switch. Some switches enable you to disable and enable specific ports based on a schedule. In this case, you identify which port on your network switch your wireless access point is plugged into, then either via a web interface or an SSH connection, configure your switch to "turn off" that port during non-business hours.
If this is not possible with your network setup, you can MacGyver something similar by using a programmable or mechanical electrical outlet timer. Plug the AC cord of your wireless access point to this timer, configure it to turn off during non-business hours and you effectively end up have the same effect. Certainly not pretty but from a security standpoint, it works.
Depending on how advance your wireless network equipment are, you may have a feature that will enable you to block certain websites from being access by your users. Alternatively, if you have a firewall, you might have some level of web filtering on that platform there as well. For network equipment geared for small to medium size businesses, website filtering on these devices are fairly easy to enable and configure.
For many, it is a matter of selecting what types of websites to block based on category. We typically see categories such as gambling, pornography, social media, dating, video streaming, and weapons - to name a few. You simply place a check mark next to the category of website to block. If users do attempt to visit websites you have blocked, the device will display a web page with a message to the user that the website is block. Some devices enable you to customize this message.
The importance of blocking certain websites is to protect your users and your network from web-based threats. Additionally, it will prevent your network/Internet bandwidth from being used unnecessarily to download or stream content that can affect your overall network performance. Lastly, your workforce have little reasons to access certain websites in your workplace using company resources.
Update Firmware Promptly
Practically all software and devices contain some vulnerabilities that will be discovered. Software developers and device manufacturers will release updates to address these them once they learn about them.. For your wireless access points and controllers, you will need to make sure that the firmware and application version you are using are that latest available. You should be able to easily identify your device firmware version from the administration interface. Compare your version with the latest version available from the manufacturer's website.
For the most part, updating the firmware and application is a matter of a few click of the mouse so it is not a huge undertaking. The only downside is that you will need to perform the upgrade after business hours as a device restart is typically required. As a best practice, you should add to your regular maintenance checklist to make sure your wireless equipment is on the latest firmware and/or application version.