Perimeter security is no longer ample for today’s networks. That’s because there are so many ways to bypass your robust firewall and simply slip in the back door. Some of the ways that hackers use to skirt around perimeter defenses include phishing attacks, depositing malicious code on legitimate websites and attacking the wireless system. For small businesses, this means the wireless router, that all-inclusive appliance that your users depend on for not just wireless, but often times firewall security as well. For small companies, protecting the wireless router is job one. However, even if you use enterprise access points to provide blanket wireless coverage, your wireless system remains a point of vulnerability.
Below are seven steps you can take to secure your Wi-Fi. Keep in mind that many of these recommendations could be used by home users as well.
1. Change Your Router Admin Credentials
This seems obvious and we almost hate to include it for fear that readers may opt out of reading further for being of being trite. Yet, even the largest and most credible companies fail to do this sometimes. Two months ago it was discovered by a school system that their WAN provider, a major global network services provider, had failed to change the passwords of the routers that had been in service within the school system for years. The password was the default Cisco password that can easily be obtained from the internet. Yes, even the most common and fundamental steps are often ignored. Whether it is a wireless router or a wireless controller, changing the default administrator password should be the first task.
2. Disable the Admin via Wireless Feature on your Router
Most wireless routers give you the ability to manage them remotely by using a web browser. This is a great convenience for when you are off-site. Unfortunately, it makes it convenient for remote attackers as well. A remote attacker could be the person in the office down the hall or an attacker that found your router’s connection while trolling the internet. In this day and age, however, security trumps convenience. You should have a secure means to remote into your network in order to manage your router or wireless appliances. This does not mean opening your network up for RDP, which is highly vulnerable outside of the firewall. Every company should use a secure VPN connection instead.
3. Monitor your DNS Settings
The safeguarding of your DNS settings is absolutely critical in order to ensure that your users are not being redirected to malicious phishing websites. For businesses that do not have an internal DNS server, the wireless router often fills this role. Wireless router DNS settings are a prime target for hackers that want to redirect traffic to their own websites. For instance, hackers may create phony websites that are made to impersonate the look of popular online banking sites in an attempt to capture login credentials.
4. Turn on your Guest Network
Network segmentation should be a guiding principle when it comes to network architecture. Untrusted devices need to be segmented from your own enterprise devices and shared files. If you only offer a single SSID however, then everyone is sharing the same network area. By enabling your guest network, visitors have a designated place to connect their devices to that keeps them at arms distance from your primary network. It also serves as the default network for unknown devices.
5. Reduce your Wi-Fi Range
Whether you rent office space from a traditional office building or a retail space at a strip mall, your Wi-Fi signal is being broadcast beyond your four walls. This means that individuals beyond the line of sight can attempt to access your network using brute force attacks and other tools that can easily be downloaded from the Internet. Visibility plays an important role in a security plan. What you cannot see is harder to defend against. You can reduce the power of your wireless signal in order to reduce the surface area of your SSID coverage. This will prevent potential attackers from making repeated attempts to access your wireless.
6. Keep All of your Equipment Updated
This just doesn’t apply to your wireless router. It goes for all of your network equipment. Keeping your router’s firmware is essential for two reasons. The first is that you want your device to operate with the newest security protocols. There are millions of devices in the world today running outdated protocols that are easily compromised by hackers. In addition, vendors issue patches to eliminate exploits that are perpetually discovered.
7. Use the Highest Encryption Level Possible
Just like the first recommendation, this should go without saying. An open network means just that, it is open. This means hackers can sniff wireless traffic and capture information and data. At the very minimum, you should be using WPA encryption. If you have a severely outdated device that only supports WEP it should really be thrown away as WEP can no longer offer any real protection. The current standard of WPA2 should be used. If you are purchasing a new wireless router, look for one that supports the new WPA3 which has distinct advantages over its predecessor.