See If You Can Find It

Monday, September 7, 2020

WLAN Security 1 - Setup, Configuration, Sharing, and Physical Security

Happy Monday everyone! I hope you've all had a good and safe Labor Day. Today I'm going to talk about WLAN (Wireless Local Area Network) Security. What you're going to read here is not an all-inclusive guide, but it should set you up pretty well. Keep in mind that a lot of this is geared towards home use, but many concepts can be applied to business as well.

Getting Set Up

When it comes to equipment, most of us at home are just going to use whatever our ISP (Internet Service Provider) provides, but it's not a bad idea to go out and purchase different equipment and give them their stuff back. With this being said, you should always get your equipment from well-known, reputable vendors. Doing this lowers the risk of supply-chain attacks. These larger vendors will also have the resources necessary to support their products and to provide security patches for their equipment.


You should also consider the age of the device(s) you're purchasing. You typically do not want equipment that has just been released, as this gear will most likely have bugs and security flaws. Fixing those isn't exactly a priority for those putting these devices on the shelf; they're more worried about profit up front. Additionally, you most definitely will not want to use anything that's outdated. That 20-year-old modem you found for free at a garage sale? Don't even think about it. Legacy devices, systems, and software typically are not supported by vendors. This means that any vulnerabilities and flaws found in them will not be fixed. It's time to move on to bigger and better things. Looking at you, Vladimir Putin (or anyone else still using WinXP).


Now that you have your equipment and you're all plugged in, it's time to begin securely configuring your devices. For starters, change all of the defaults that come on the router. Change the default password used to log in to the router, change the network name, and change the network password/passphrase. For businesses, don't name your wireless network in a way that is indicative of what it's being used for. When you're changing your credentials for the network, be sure to utilize best practices: a passphrase consisting of more than 2 words, lower-case and upper-case letters, numbers, as well as special characters.

Once you've changed all of the default information, it's time to get a little more technical. Or as technical as you can be with a home router's GUI. For starters, disable broadcasting of your SSID (Service Set Identifier). Keep in mind that this is not a security measure; there are still ways an attacker can get your SSID. This is advice I give as it's a step towards defense-in-depth. Next, you'll want to lower the power levels of your signal. You don't want your neighbors having great reception of your network, and you don't want an attacker wardriving through your neighborhood to pick up your network from the street. Now you'll need to disable your WPS (Wi-Fi Protected Setup) push button. If there's someone visiting or performing maintenance that you don't want on your network, a single button press could thwart all of your other measures. There is also an attack called a pixie-dust attack that relies on this feature.


The last bit of configuration you'll need to check on is your security protocols. For authentication, you're going to want to use WPA2 (Wi-Fi Protected Access 2), or WPA3 when it's available. Anything prior to WPA2 is going to be very easy to crack. Next you'll need to disable UPnP (Universal Plug and Play). UPnP allows applications to essentially unlock the way into your network at any point. If malicious software were to find its way onto your systems, you can see how this would be a problem. Lastly, you'll need to protect your management frames wherever possible. To do this you'll need to use a standard called 802.11w. Different vendors will call this different things on their equipment, so just dig around and see what's available.
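
The configuration steps above, expressed as an automated check. This is an added example, not from the original post; it assumes a router whose wireless settings are exposed as a hostapd.conf-style file (as on many Linux-based routers), and both sample configurations are constructed. Transmit power and UPnP are configured outside hostapd, so they are not covered here.

```python
import re

# Constructed sample in hostapd.conf syntax: a router left near its defaults.
WEAK_CONF = """\
ssid=HomeRouter-2G
ignore_broadcast_ssid=0
wpa=1
wpa_passphrase=password1
wps_state=2
"""

# The same constructed network after the configuration steps above.
HARDENED_CONF = """\
ssid=bluejay
ignore_broadcast_ssid=1
wpa=2
wpa_passphrase=Copper-Lantern-Orbit-47!
wps_state=0
ieee80211w=2
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    c = parse_conf(text)
    findings = []
    if c.get("ignore_broadcast_ssid", "0") == "0":  # 0 = SSID sent in beacons
        findings.append("SSID is broadcast")
    if c.get("wps_state", "0") != "0":              # 1 or 2 = WPS enabled
        findings.append("WPS is enabled")
    if c.get("wpa", "0") != "2":                    # 2 = WPA2 (RSN) only
        findings.append("not WPA2-only (open, WEP or WPA1 allowed)")
    if c.get("ieee80211w", "0") == "0":             # 1 = optional, 2 = required
        findings.append("management frame protection (802.11w) is off")
    pw = c.get("wpa_passphrase", "")
    if not all(re.search(p, pw) for p in ("[a-z]", "[A-Z]", "[0-9]", "[^A-Za-z0-9]")):
        findings.append("passphrase lacks a character class")
    return findings

print({"weak": audit(WEAK_CONF), "hardened": audit(HARDENED_CONF)})
```
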


Something I have heard a few people discuss with differing opinions is whether or not to share your network with others. If you're considering this in your business environment, this might be a more complicated discussion than for home use. However, in either situation, it's perfectly fine to share your wireless network. Here are some things you should do when sharing your network:

1: Create a separate VLAN (Virtual Local Area Network), or utilize the guest network at home, for your guests. This will keep guests from accessing your primary network and any sensitive resources/systems that they shouldn't have access to.

2: Restrict what kind of content your guests can access. You wouldn't want someone downloading pornography on your corporate network, or accessing malicious sites and thus infecting your network. By restricting content you can keep this guest network (as well as your primary) clean and safe.

3: Restrict protocols that can be utilized. If you allow protocols such as FTP to be utilized, what's to stop an attacker from transferring malicious files? You should also force secure protocols such as HTTPS so that it is harder for attackers to intercept information.



Physical Security

We're talking about wireless networks here, so you may have done a double take when you read this heading (or the title). But physical security is one of the most important aspects of any secure setup. You should always keep any and all networking equipment either out of reach of anyone unauthorized, or in plain view where it would be hard for someone snooping around to go unnoticed. You should also monitor for anyone that may be attempting to wardrive, that is, going around collecting network information to record and possibly attempt to crack at a later date.

Part 2 Coming Soon...

I hope you've enjoyed reading! Next week I'll be publishing another article covering the rest of the topics you should consider when operating on a secure wireless network. In the meantime, please let me know what you think!!

All images seen here have been sourced from Unsplash. All metadata should be intact if you would like to examine it to thank the creators.
