In Best Practices, Blog, Security, WiFi

Best Practices for WiFi Security

The move to WiFi networks is having a profound impact on IT organizations and end users. WiFi creates flexibility for users to work wherever they want within an organization’s campus. This creates more agility, productivity, and better morale. Users are no longer forced into working from their desk or conference rooms where there are network drops. Huddle spaces, cafeterias, lounges, and much more are turning into highly productive spaces within an office.

The challenge that WiFi has created is that it’s a security risk. This post is focused on providing you with best practices for WiFi security.

Why WiFi Security Matters

wifi security

Many IT admins will counter that key servers and applications are moving to the cloud so there is nothing of value on the wireless network. This belies a simple truth. Your end users’ systems are on the WiFi network. If a hacker can directly access your users’ systems, they have a chance to try to break through. For these reasons and more, having strong WiFi security is critical.

Three Best Practices for WiFi Security

data breach hack

For years, a lax approach to WiFi security prevailed. But with modern innovations and knowledge, there is no longer any reason not to employ the best practices in WiFi security.

It’s always better to fix your security weaknesses before they’re exposed (not after). So, without further ado, here are the key steps to take to significantly step-up your WiFi security.

1. Choose a Wise SSID

Make sure that your SSID doesn’t call attention to your organization. This is especially important if your office resides in a densely populated area. Even with an innocuous SSID, Hackers can keep looking for your WiFi network – and they may find it. But it does add to the level of effort for them to find and break into your network if your SSID isn’t a dead giveaway to the identity of your organization. While not a “must have”, selecting SSIDs that are innocuous helps to promote good WiFi security.

2. Separate Your Private Network From Your Guest Network

You should not allow any guests onto your private corporate network. It is easy to create a separate network for your guests in your wireless access points and then grant them a passphrase when they visit the office. In a best-case scenario, you would have a system that generates unique access for them. But that really is more of a bonus than a requirement. The essential, required portion of this step is very simple: keep your production network separate from your network for guests.

3. Uniquely Connect Users To Your Wireless Network

Perhaps the most important item for WiFi security is to uniquely authenticate each user to your wireless network. This is how wired networks function and it has been highly successful from a security standpoint. That unique access should carry over to the WiFi network.

The reason that organizations have stopped short of implementing this approach is due to the level of effort. Providing authenticated access to the WiFi network requires IT organizations to implement RADIUS servers and connect those to a central directory service. Many organizations have neither of those solutions and very little time to implement them.

With modern SaaS-based solutions, both directory services and RADIUS can be delivered as-a-service, thereby relieving IT from the heavy lifting of installation, configuration, and management. IT admins simply point their WAPs to the cloud RADIUS servers while the rest is taken care of by the IDaaS platform. IT organizations get a network that only can be accessed by the correct individuals.

Your Guide to WiFi Security

WiFi CloudRADIUS

These steps are three of the most important best practices for WiFi security. However, ensuring that only the individuals that have credentials in the core directory service can access the network keeps the network accessible to only your staff.

Over the years, there have been a number of ideas on how to increase security for WiFi networks. Many of them have focused on how to securely provide access via shared credentials or by knowing which devices are on the network. Other approaches have focused on having the end users sign in each time they gain access via a web portal. While potentially more secure, this creates friction for end users. Yet other suggestions have been to monitor network traffic to ensure that nothing malicious or untoward is going on.

Each of these approaches has significant drawbacks. And they are really just aimed at trying to step-up security without taking the big step that wired networks do – having unique access.

From Wired to WiFi – Why Unique Access is So Important

WiFi Security single sign-on

Wired network access was controlled through access to the domain. Each user would plug into the network via an Ethernet port and then be authenticated via Microsoft Active Directory®. That authentication would then give them access to whatever IT resources were on the network, including their systems, file servers, applications, and the Internet. Generally, users who would plug into the network and couldn’t authenticate weren’t given any services. Further, a standard called 802.1x would control the port itself and enable it to be completely shut down until a valid authentication occurred. As a result, the security within a network was generally strong. Not only did you need physical access to the network, but you also needed to have valid credentials.

WiFi networks changed virtually all of these parameters. Users didn’t need to have physical access to the facility to have access to the network. Many WiFi networks no longer have the concept of the domain and thus unique authentication doesn’t happen. A shared SSID and passphrase are all that’s needed to access the WiFi network.

This simply isn’t secure. If you do one thing to step up the security of your WiFi network, start by connecting users to the network with their own, unique credentials. This system still allows for guests, but they can only use the guest network, so malicious individuals will need to compromise credentials from one of your users before they can access your network.

JumpCloud’s RADIUS-as-a-Service Can Help

If you would like to learn more about the best practices for WiFi security, drop us a note. We’d be happy to walk you through how you can uniquely authenticate users to your WiFi network – even using their G Suite or Office 365 credentials.

Recent Posts