The move to WiFi networks had a profound impact on IT organizations and end users alike. When organizations began to leverage WiFi, they found that it created a good deal of flexibility for users to work wherever they wanted within an organization’s campus. From that shift, many additional benefits became apparent. There were increases in agility, productivity, and morale. Users were no longer forced into working from their desk or conference rooms where network drops resided. But, WiFi has always presented a security risk. So, this post aims to provide the best practices for WiFi security.
Why WiFi Security Matters
Many IT admins will counter that key servers and applications are moving to the cloud, so there is nothing of value on the wireless network. This sentiment belies a simple truth. Your end users’ systems are on the WiFi network. If a hacker can directly access your users’ systems, they have a chance to break through to other IT resources. Even with key applications and pieces of infrastructure moving to the cloud, the system is still the gateway to the IT resources your users utilize daily. For that reason and more, we will now provide you with some best practices.
Four Best Practices for WiFi Security
For years now, a lax approach to WiFi security has been the norm. But, with modern innovations and knowledge, there is no longer any reason not to employ the best practices in WiFi security.
It is always better to fix your security weaknesses before they’re exposed, not after. With that in mind, here are the key steps to significantly step up your WiFi security.
1. Choose a Wise SSID Name
Make sure that your SSID doesn’t call attention to your organization. Sounds simple enough, but organizations make their networks known to attackers all the time. And, when the organization is in a densely populated area, that increases the chances of being targeted even more. Even with an innocuous SSID, hackers can, and probably will, keep looking for your WiFi network—and they just may find it. But, having an innocuous name does add to the level of difficulty that an attacker would have to overcome in order to break into the network. So, while not a “must have,” selecting SSIDs that are banal certainly helps to promote good WiFi security.
2. Separate Your Private Network from Your Guest Network
You should not allow any guests onto your private corporate network. It is easy to create a separate network for your guests in your wireless access points (WAPs) and then provide them a passphrase when they visit your office. In a best-case scenario, you would have a system that generates unique access for them. Ultimately, that is really more of a bonus than an outright requirement. The essential, required portion of this step is very simple: keep your production network separate from your network for guests.
3. Uniquely Connect Users to Your Wireless Network
A great item for WiFi security is to uniquely authenticate each user to your wireless network. This is how wired networks function, and it has been highly successful from a security standpoint. That unique access should carry over to the WiFi network. The reason that organizations have stopped short of this approach is due to the level of effort. Providing authenticated access to the WiFi network requires IT organizations to implement RADIUS servers and connect those to a central directory service. Many organizations have neither of these solutions and very little, if any, time to implement them.
With modern SaaS-based solutions, both directory services and RADIUS can be delivered as-a-service, thereby relieving IT from the heavy lifting of installation, configuration, and management. IT admins simply point their WAPs to the cloud RADIUS servers while the rest is taken care of by the Directory-as-a-Service (DaaS) platform. IT organizations get a network that only the right people can access.
4. Per User (or Group) Network Segmentation with VLANs
Network segmentation via VLANs is the next and final step in this guide to improving your WiFi security. Provided you have compatible WAPs, when you leverage the correct DaaS platform you can segment your network so that only people assigned to specific network segments can access those segments. When you utilize a network that has not been segmented, all users are on the same network. That means marketing, finance, and engineering each share the same network space. Now, suppose somebody in finance had their machine compromised. That means the entire network is now open to that attacker. When the network is segmented, only the finance segment would be compromised. And, while that is obviously not ideal, it does limit the attack surface greatly. Plus, you can go to an even more granular level with per-user VLAN tagging. But, unfortunately, VLANs suffer the same problem of difficult implementation that a RADIUS server does. It requires a great deal of work to get working. That is, unless you utilize the Directory-as-a-Service platform.
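As an added example (not JumpCloud’s code or the post’s own), here is a small Python model of the RADIUS authorization decision behind steps 3 and 4: each user authenticates with their own credential against a directory, and the Access-Accept carries the RFC 3580 tunnel attributes that tell a compatible WAP which VLAN to place the client on. The directory entries, SSID name, group names and VLAN numbers are constructed sample data.

```python
"""Model of the RADIUS authorization decision behind per-user WiFi access
(step 3) and dynamic VLAN assignment (step 4). The directory, groups and
VLAN ids are constructed sample data; Tunnel-Type, Tunnel-Medium-Type and
Tunnel-Private-Group-Id are the RFC 3580 attributes real servers return."""
import hashlib
import hmac
import secrets

CORPORATE_SSID = "corp"  # constructed: the only SSID this policy serves
ITERATIONS = 100_000

def _entry(password, group, enabled=True):
    # Constructed directory entry: salted PBKDF2 hash instead of plaintext.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "group": group, "enabled": enabled}

# Each person has their own credential; no shared passphrase anywhere.
DIRECTORY = {
    "alice": _entry("correct horse battery", "finance"),
    "bob": _entry("staple-ledger-42", "engineering"),
    "mallory": _entry("former employee", "marketing", enabled=False),
}

# Group -> VLAN id: finance, engineering and marketing each get a segment.
GROUP_VLAN = {"finance": 20, "engineering": 30, "marketing": 40}

def vlan_attributes(vlan_id):
    """RFC 3580 reply attributes a compatible WAP uses to pick the VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}

def authorize(ssid, username, password):
    """Answer an Access-Request with (accepted, reply attributes).
    Only the accept/reject decision is modelled, not the EAP exchange."""
    if ssid != CORPORATE_SSID:
        return False, {}  # guest SSID is a separate network, never the directory
    user = DIRECTORY.get(username)
    if user is None or not user["enabled"]:
        return False, {}  # unknown or disabled account
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    user["salt"], ITERATIONS)
    if not hmac.compare_digest(candidate, user["hash"]):
        return False, {}  # wrong credential
    vlan_id = GROUP_VLAN.get(user["group"])
    if vlan_id is None:
        return False, {}  # no segment assigned: fail closed, not a flat network
    return True, vlan_attributes(vlan_id)
```

In a real deployment the WAP runs the 802.1X/EAP exchange with the client and forwards the result to the RADIUS server; the block above only shows the decision and the reply attributes that drive the VLAN assignment.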
Your Guide to WiFi Security
These steps are four of the most important best practices for WiFi security. Ensuring that only individuals with credentials in the core directory service can access the network, so that it is accessible only to your staff, is the number one way to limit your risk and exposure.
Over the years, there have been a number of ideas on how to increase security for WiFi networks. Many of them have focused on how to securely provide access via shared credentials or by knowing which devices are on the network. Other approaches have focused on having the end users sign in each time they gain access via a web portal. While these methods are potentially more secure, they do create a fair amount of friction for end users. For example, users could get kicked off after a certain amount of time, perhaps at just the wrong time. Yet other suggestions have been to monitor network traffic to ensure that nothing malicious is going on.
Each of these approaches, however, has significant drawbacks. And, they are really just aimed at trying to step up security without taking the big step that wired networks do—having unique access and tightly controlling who can be on the network.
From Wired to WiFi – Why Unique Access is so Important
Wired network access was controlled through access to the domain. Each user would plug into the network via an Ethernet port and then be authenticated via Microsoft® Active Directory®. That authentication would then give them access to whatever IT resources were on the network, including their systems, file servers, applications, and the Internet. Generally, users who would plug into the network and couldn’t authenticate weren’t given any services. Further, a standard called 802.1X would control the port itself and keep it completely shut down until a valid authentication occurred. As a result, security on a wired network was generally strong. Not only did you need physical access to the network, but you also needed to have valid credentials.
WiFi networks changed virtually all of these parameters. Users didn’t need to have physical access to the facility to have access to the network. Many WiFi networks no longer have the concept of the domain and thus unique authentication doesn’t happen. A shared SSID and passphrase are all that’s needed to access the WiFi network. But, that simply is not secure.
If you do one thing to step up the security of your WiFi network, start by connecting users to the network with their own unique credentials. This system still allows for guests, but they can only use the guest network, so malicious individuals will need to compromise credentials from one of your users before they can access the network. Then, take it a step further by segmenting your network and enabling dynamic VLAN assignment. So, should that malicious individual get access to a specific segment of your network, your entire infrastructure is not compromised.
JumpCloud®’s RADIUS-as-a-Service Can Help
If you’re ready to learn more about the best practices for WiFi security, drop us a note. We’d be happy to walk you through how you can uniquely authenticate users to your WiFi network—even using their G Suite™ or Office 365™ credentials. Ready to give it a shot? Feel free to sign up for a JumpCloud account. It’s free and it enables you to manage up to 10 users with the full breadth of the Directory-as-a-Service® platform. So, unique authentication and virtual networks are only a few clicks away.