In “Wireless Networking and Security – Part 1”, I discussed some general mechanical and functional considerations when developing or extending a wireless network. In this edition, we examine common wireless security vulnerabilities, data encryption for secure connectivity, network segregation and guest access.
The world is rapidly changing and so is technology. Many businesses offer “free” or “open” WiFi for their guests and, in many cases, for their employees. Few realize that this can invite a host of unforeseen problems, some of them legal. Providing an “OPEN” wireless connection to any part of the public is ALWAYS a security risk, because security is built in layers and an open network removes one of them. Removing that layer exposes you to several dangers:
• First, it allows anyone with malicious intent and a wireless device to see or sniff every transaction on that network that is not itself encrypted. Any clear-text or unencrypted passwords (ex: Password01), user names, emails, and the names of sites visited (including your bank’s) could become public. Only traffic that is protected end to end, such as HTTPS or a VPN, stays private on an open network.
• Second, it gives outsiders access to your internal network on the inside of your router’s firewall. An attacker on the Internet cannot reach your internal devices over a wired connection without special configuration such as port forwarding; a wireless client is already inside. Any minor flaw in the security of an internal device or the router itself can then let in hackers. There have been cases where hackers have taken over the router, re-configured it and locked the owner out.
• Worst of all, a local criminal could send thousands of money scams, distribute pornographic material, or send threatening email messages from your network’s IP address. This will trace back to your Internet connection, and it is your door the police will visit and your equipment they will seize and investigate. I have personally known of and worked with actual cases of this subject matter. The police will do this regardless of whether they believe in your innocence, as it is part of their process of collecting evidence to support their case.
So now that the scary stuff is on the table, how can we protect our businesses, employees, and guests? The best solutions combine wireless encryption, wireless client isolation, and network segregation.
There are many methods of wireless access and encryption. The industry standard at the time of this writing is WPA2-PSK with AES, which stands for “WiFi Protected Access version 2 using a Pre-Shared Key and the Advanced Encryption Standard”. The pre-shared key is a passphrase of 8 to 63 ASCII characters (or exactly 64 hexadecimal digits). The access point and each client independently stretch that passphrase, together with the network name (SSID), into a fixed 256-bit key using PBKDF2, so a longer passphrase does not produce a longer key. The passphrase itself is never sent over the air: each time a client connects, a four-way handshake proves that both sides hold the same key and derives fresh session keys from it, and the shared group key is re-issued periodically. Under WPA2 the actual encryption is AES-CCMP with a 128-bit key regardless of passphrase length. What the length and randomness of the passphrase buy you is resistance to an offline attack: anyone who records one handshake can try candidate passphrases at leisure, and a short or dictionary passphrase such as Password01 will be recovered in minutes, while a random passphrase of at least 12 to 16 characters mixing cases, digits and symbols will not. (WPA3, which has since replaced the PSK handshake with SAE, removes this offline guessing attack; use it where your equipment supports it.) As always, be very careful distributing wireless access keys, and change the key when someone who knew it leaves.
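The following is an added example, not code from the original article, showing what the paragraph above describes: how a WPA2 passphrase of any legal length is stretched into the same 256-bit PMK (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), and why a dictionary passphrase is exposed to an offline attack once a handshake has been captured. The SSID `ShopGuest`, the wordlist and the passphrases are constructed sample data; the `password`/`IEEE` vector is the published IEEE 802.11 test vector. A real cracking tool checks each candidate against the captured handshake MIC rather than a known PMK; the cost per guess (one PBKDF2) and the result are the same, so the comparison here is simplified to keep the example offline.

```python
import binascii
import hashlib
import string
from typing import Iterable, Optional

# Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE" -> PMK below.
KNOWN_VECTOR = ("password", "IEEE",
                "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def validate_passphrase(passphrase: str) -> str:
    """Return 'hex' for a 64-hex-digit raw key, 'ascii' for an 8-63 character
    printable-ASCII passphrase, or raise ValueError (the forms WPA2 accepts)."""
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return "hex"
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 ASCII characters or 64 hex digits")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return "ascii"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Stretch the passphrase into the 256-bit Pairwise Master Key exactly as an
    access point or client does: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
    32 bytes out. A 64-hex-digit key is the PMK itself and is used directly."""
    if validate_passphrase(passphrase) == "hex":
        return binascii.unhexlify(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_dictionary_attack(target_pmk: bytes, ssid: str,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Model of what an eavesdropper does after recording one 4-way handshake:
    derive the PMK for every candidate and stop at the one that matches.
    (Simplified: compares PMKs directly instead of recomputing the handshake MIC.)"""
    for candidate in wordlist:
        try:
            if derive_pmk(candidate, ssid) == target_pmk:
                return candidate
        except ValueError:
            continue  # not a legal WPA2 passphrase, skip it
    return None


def demo() -> dict:
    """Constructed scenario: a guest SSID, a tiny wordlist, one weak and one random key."""
    ssid = "ShopGuest"  # assumed network name, not from the article
    wordlist = ["12345678", "password", "Password01", "letmein1", "ShopGuest2019"]
    weak_pmk = derive_pmk("Password01", ssid)
    strong_pmk = derive_pmk("j7%Qw2!pL9#zRv", ssid)  # 14 random characters
    return {
        "weak_found": offline_dictionary_attack(weak_pmk, ssid, wordlist),    # "Password01"
        "strong_found": offline_dictionary_attack(strong_pmk, ssid, wordlist),  # None
        "pmk_bits": len(strong_pmk) * 8,  # 256 for any legal passphrase
    }


if __name__ == "__main__":
    pw, ssid, expected = KNOWN_VECTOR
    print("test vector ok:", derive_pmk(pw, ssid).hex() == expected)
    print(demo())
```

Both the 8-character and the 63-character passphrase come out as 32 bytes, which is the point of the paragraph: length protects you against guessing, not by making the cipher key bigger. Note that `derive_pmk` is deliberately slow (4096 HMAC rounds) and that an attacker with a GPU runs it hundreds of thousands of times per second, which is why a wordlist entry falls so quickly.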
A wireless network that carries both a “Company LAN” network and a “Guest” network should always use wireless client isolation. Client isolation makes the access point drop traffic between wireless clients, so that guest devices cannot reach each other even though they are on the same wireless network. This is not security by obscurity; it is an access control enforced by the access point, and it removes the most common path for one infected guest laptop to attack another. In addition, business networks that have a Guest wireless network should also use network segregation. This is done with managed switches and Virtual Local Area Networks (VLANs): the guest SSID is tagged onto its own VLAN and the company devices stay on another. Traffic from one VLAN cannot reach another unless the router or firewall that connects them explicitly allows it, yet each VLAN can share the same access to the Internet. Check that rule set, because a router that simply routes between its VLANs by default has not segregated anything: the guest VLAN should be able to reach only the Internet, plus DHCP and DNS on its gateway, and never the company VLAN or the router’s own management interface.
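As an added example (not code or configuration from the original article), the inter-VLAN policy described above is modelled as a first-match access list and evaluated against a few sample flows, with the “router routes between VLANs by default” mistake placed beside the segregated policy. The addressing (VLAN 10 company 10.0.10.0/24, VLAN 20 guest 10.0.20.0/24, gateway at .1 on each) and the sample hosts are assumed for illustration; on real equipment the same rules are written as an ACL or firewall policy on the device that routes between the VLANs.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed addressing for this example (not from the article).
COMPANY = ipaddress.ip_network("10.0.10.0/24")        # VLAN 10
GUEST = ipaddress.ip_network("10.0.20.0/24")          # VLAN 20
GUEST_GATEWAY = ipaddress.ip_network("10.0.20.1/32")  # router's guest-side address
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, src_net, dst_net, proto or "any", dst_port or None). First match wins.
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network, str, Optional[int]]

# The mistake: VLANs exist, but the router forwards everything between them.
ROUTED_BY_DEFAULT: List[Rule] = [("allow", ANY, ANY, "any", None)]

# Segregated: guests get DHCP and DNS from their gateway and the Internet, nothing else.
# Order matters: the specific allows precede the broad denies, which precede the final allow.
GUEST_ISOLATED: List[Rule] = [
    ("allow", GUEST, GUEST_GATEWAY, "udp", 67),    # DHCP renewals to the gateway
    ("allow", GUEST, GUEST_GATEWAY, "udp", 53),    # DNS
    ("deny",  GUEST, GUEST_GATEWAY, "any", None),  # no router admin page or SSH from guest
    *[("deny", GUEST, net, "any", None) for net in PRIVATE],  # no RFC 1918 = no company VLAN
    ("allow", GUEST, ANY, "any", None),            # everything left is the Internet
    ("allow", COMPANY, ANY, "any", None),          # trusted side keeps full access
]


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: Optional[int]) -> str:
    """Return 'allow' or 'deny' for one flow; implicit deny at the end, like a real ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, p, port in acl:
        if (src_ip in s_net and dst_ip in d_net
                and p in ("any", proto) and port in (None, dport)):
            return action
    return "deny"


# Constructed sample flows: (name, src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("guest_to_fileserver", "10.0.20.50", "10.0.10.10", "tcp", 445),
    ("guest_to_router_admin", "10.0.20.50", "10.0.20.1", "tcp", 443),
    ("guest_dns", "10.0.20.50", "10.0.20.1", "udp", 53),
    ("guest_to_internet", "10.0.20.50", "93.184.216.34", "tcp", 443),
    ("company_to_internet", "10.0.10.20", "93.184.216.34", "tcp", 443),
]


def check_policy(acl: List[Rule]) -> dict:
    """Evaluate every sample flow against a policy; used to compare the two rule sets."""
    return {name: evaluate(acl, s, d, p, port) for name, s, d, p, port in SAMPLE_FLOWS}


if __name__ == "__main__":
    print("routed by default:", check_policy(ROUTED_BY_DEFAULT))
    print("guest isolated:   ", check_policy(GUEST_ISOLATED))
```

The telling rows are `guest_to_fileserver` and `guest_to_router_admin`: both are allowed by the default-routing policy and denied by the segregated one, while DNS and Internet access for guests are unchanged. The deny for all RFC 1918 space, rather than just the company subnet, also covers any VLAN added later, so a new internal network does not silently become reachable from the guest side.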
There are many benefits, such as expandability, mobility, and productivity, to investing in a wireless network. Security should never be taken for granted or ignored, and it should be reviewed periodically. The key to a stable and secure wireless network is to consider the current and future needs of the business and discuss them with a qualified professional. The Network Engineers at The Computer Center would be happy to meet with you to discuss your business’s needs… now and in the future.
by Michael Arnold, Senior Engineer