Just about every device nowadays is equipped with a wireless radio. This has made life easier for IT teams: network cabling no longer needs to run to every desk, every system, or every printer. The conference room now has a smart TV and a wireless sound system, and every employee and executive carries two, three, or even four wireless devices (laptop, phone, tablet, and smart watch). Wi-Fi has completely revolutionized our world, but at what risk? Consider the wireless-borne threats that have emerged over the past few years, from rogue access points to WPA1/WPA2-PSK weaknesses and the KRACK vulnerabilities. What best practices should you follow to strengthen your organization's wireless security posture? This blog post is by no means comprehensive, and your organization's needs may differ from what is described below. For an assessment tailored to your business's approach to wireless security, reach out to BizzSecure using the chat box in the bottom right-hand corner of your screen.
The first step in securing wireless networks should always be taken at the physical layer: access points should be securely mounted using tamper-resistant security screws or specialized locks, or placed where they cannot be reached without drawing attention (for example, mounted to a high ceiling that requires an aerial work platform to access). The system should be architected to raise an instantaneous alert if the network cabling or the access point itself becomes disconnected from the upstream switch for any reason. Those alerts, coupled with settings that prevent rogue access points and rogue DHCP servers, help ensure that clients do not authenticate against, and run their traffic through, a compromised third-party wireless access point.
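The two detections called for above, an AP uplink going down and a DHCP offer arriving from a server that is not on the allow-list, are easy to express as a small log-driven monitor. The following is an added example written for this post, not code from BizzSecure or from any vendor. The log lines are constructed in a Cisco-like syslog style for illustration and are not real device output; the port-to-AP inventory, the authorized DHCP server list and the hostnames are assumptions made for the example.

```python
"""Added example (not from the original post): alert on AP uplink loss and on DHCP
offers from unauthorized servers, using switch/sensor log lines.

All log lines below are constructed in a Cisco-like syslog style for illustration;
they are not real device output. The port-to-AP inventory, the authorized DHCP
server list and the hostnames are assumptions made for this example.
"""
import re

# Assumed inventory: which switch ports the authorized access points are patched to.
AP_UPLINK_PORTS = {
    "GigabitEthernet1/0/12": "AP-ConfRoom",
    "GigabitEthernet1/0/13": "AP-Lobby",
}
# Assumed allow-list of DHCP servers permitted to answer on the wireless VLAN.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:01 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
    "2024-05-01T09:00:02 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to down",
    "2024-05-01T09:00:05 dhcp-sensor DHCPOFFER server=10.0.0.2 client=3c:22:fb:aa:bb:cc yiaddr=10.0.1.50",
    "2024-05-01T09:00:07 dhcp-sensor DHCPOFFER server=10.0.0.99 client=3c:22:fb:aa:bb:cc yiaddr=10.0.1.51",
    "2024-05-01T09:00:09 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up",
]

LINK_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %LINK-3-UPDOWN: Interface (?P<port>\S+), "
    r"changed state to (?P<state>up|down)$"
)
OFFER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DHCPOFFER server=(?P<server>\S+) "
    r"client=(?P<client>\S+) yiaddr=(?P<yiaddr>\S+)$"
)


def parse_event(line):
    """Return a dict describing the event, or None for lines we do not understand."""
    m = LINK_RE.match(line)
    if m:
        return {"kind": "link", **m.groupdict()}
    m = OFFER_RE.match(line)
    if m:
        return {"kind": "dhcp_offer", **m.groupdict()}
    return None


def analyze(lines, ap_ports=AP_UPLINK_PORTS, dhcp_servers=AUTHORIZED_DHCP_SERVERS):
    """Turn raw log lines into alerts: AP uplink state changes and rogue DHCP offers."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "link" and ev["port"] in ap_ports:
            # Only ports that carry an access point are interesting: a user port going
            # down is routine, an AP port going down may mean someone unplugged the AP.
            ap = ap_ports[ev["port"]]
            if ev["state"] == "down":
                alerts.append({"severity": "critical", "type": "ap_uplink_down", "ap": ap,
                               "ts": ev["ts"],
                               "detail": f"{ap} lost its uplink {ev['port']} on {ev['host']}"})
            else:
                alerts.append({"severity": "info", "type": "ap_uplink_up", "ap": ap,
                               "ts": ev["ts"],
                               "detail": f"{ap} uplink {ev['port']} restored; verify it is the same AP"})
        elif ev["kind"] == "dhcp_offer" and ev["server"] not in dhcp_servers:
            # Any OFFER from a server outside the allow-list is a rogue DHCP candidate.
            alerts.append({"severity": "high", "type": "rogue_dhcp", "server": ev["server"],
                           "ts": ev["ts"],
                           "detail": f"DHCPOFFER from unauthorized server {ev['server']} to {ev['client']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['ts']} {alert['type']}: {alert['detail']}")
```

Run against the constructed sample, the monitor raises three alerts: the conference-room AP losing its uplink, a DHCP offer from 10.0.0.99, and the uplink coming back. The user port (GigabitEthernet1/0/20) going down is deliberately ignored, since only ports that carry an access point matter here. The "link restored" event is reported as informational on purpose: a port coming back up is exactly when a swapped device would appear, so it is worth a second look rather than silence.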
For guest networks, ensure that the guest SSID does not sit within the Cardholder Data Environment (CDE) subnet; this helps with PCI DSS compliance. In fact, go a step further: always have associated devices receive IP addresses in an isolated 10.0.0.0/8 network using NAT mode, and then confirm that the firewall settings prevent associated clients from communicating with each other or with any device on the wired network. Because guest passwords are time-consuming to rotate and are often shared on social media sites, a splash page that requires SMS authentication gives you a way to track guests, who must provide a valid phone number before hopping on the network. For optimum security, set the captive portal strength to block all internet access until sign-on has been completed.
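The guest controls just described (NAT-mode 10.0.0.0/8 addressing, client isolation, no path to the wired network, and a captive portal that blocks everything until sign-on) can be written down as an ordered rule table and checked, which is how you would verify a firewall policy before trusting it. The following is an added example written for this post, not any vendor's policy or code. The guest range, the captive-portal address and the rule names are assumptions; 203.0.113.0/24 is documentation address space standing in for "the internet".

```python
"""Added example (not from the original post): an ordered guest-SSID firewall policy,
evaluated first-match like a real rule table, that encodes the guest isolation
controls described above. The guest range, the captive-portal address and the
rule names are assumptions made for this example, not any vendor's defaults.
"""
import ipaddress

GUEST_NET = ipaddress.ip_network("10.0.0.0/8")            # NAT-mode guest address pool (assumed)
CAPTIVE_PORTAL = ipaddress.ip_address("10.128.128.128")   # hypothetical captive-portal address
# RFC 1918 space: from a guest client's point of view, all of it is "the wired network".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


# Ordered rule table: (name, match(src, dst, authenticated) -> bool, verdict).
# First match wins, exactly like a firewall ACL, so order matters.
GUEST_RULES = [
    ("allow-captive-portal",  lambda s, d, a: d == CAPTIVE_PORTAL, "allow"),
    ("deny-until-signon",     lambda s, d, a: not a,               "deny"),   # portal strength: block all
    ("deny-client-isolation", lambda s, d, a: d in GUEST_NET,      "deny"),   # guest <-> guest
    ("deny-wired-lan",        lambda s, d, a: _is_private(d),      "deny"),   # guest -> corporate LAN
    ("allow-internet",        lambda s, d, a: True,                "allow"),
]

# A weaker variant: the captive portal only shows a splash page but does not block
# traffic before sign-on. Kept here to show that the regression check catches it.
WEAK_RULES = [r for r in GUEST_RULES if r[0] != "deny-until-signon"]


def evaluate_guest(src, dst, authenticated, rules=GUEST_RULES):
    """Return (verdict, matching rule name) for one flow from a guest client."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in GUEST_NET:
        raise ValueError(f"{src} is not a guest-SSID client")
    for name, match, verdict in rules:
        if match(s, d, authenticated):
            return verdict, name
    return "deny", "implicit-deny"


# Cases every guest policy must satisfy: (src, dst, authenticated, expected verdict).
POLICY_CASES = [
    ("10.0.1.5", "10.0.1.6",          True,  "deny"),   # no client-to-client traffic
    ("10.0.1.5", "192.168.1.10",      True,  "deny"),   # no access to the wired network
    ("10.0.1.5", "203.0.113.10",      True,  "allow"),  # internet after sign-on
    ("10.0.1.5", "203.0.113.10",      False, "deny"),   # nothing before sign-on
    ("10.0.1.5", str(CAPTIVE_PORTAL), False, "allow"),  # except the portal itself
]


def check_policy(rules=GUEST_RULES, cases=POLICY_CASES):
    """Return the cases a rule set gets wrong; an empty list means the policy holds."""
    return [c for c in cases if evaluate_guest(c[0], c[1], c[2], rules)[0] != c[3]]


if __name__ == "__main__":
    print("strict policy failures:", check_policy())
    print("weak policy failures:", check_policy(WEAK_RULES))
```

The strict table passes every case; the weak table, which differs only in dropping the "block until sign-on" rule, fails the one case where an unauthenticated guest reaches the internet. Note that the portal allow rule must sit above the client-isolation rule: the portal lives inside the guest range, so in the other order every guest would be cut off from the sign-on page itself.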
For production networks that are not intended for guest use, the association requirements should, at a minimum, use a pre-shared key; for a more robust security posture, use WPA2-Enterprise with a RADIUS server that verifies each user's credentials at the time of wireless association.
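On an access point running hostapd, the difference between the two tiers above comes down to a handful of settings: `wpa_key_mgmt=WPA-PSK` with a passphrase, versus `wpa_key_mgmt=WPA-EAP` with `ieee8021x=1` and a RADIUS server. The following is an added example written for this post, not code or configuration from BizzSecure or from the hostapd project: it parses a hostapd configuration, reports which tier the SSID is on, and flags WPA1 or TKIP being left enabled or enterprise settings being incomplete. The three configurations embedded in it are constructed samples; the RADIUS address (documentation range) and every secret are placeholders.

```python
"""Added example (not from the original post): a small audit of a hostapd configuration
for the association requirements described above: flag WPA1/TKIP, identify whether
the SSID relies on a pre-shared key or on WPA2-Enterprise (802.1X/EAP against RADIUS),
and check that the enterprise settings are complete. The three configurations below
are constructed samples; the RADIUS address and all secrets are placeholders.
"""

# Constructed sample: pre-shared key (the minimum the text calls for).
PSK_CONF = """\
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
"""

# Constructed sample: WPA2-Enterprise, credentials verified by a RADIUS server.
ENTERPRISE_CONF = """\
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# placeholder RADIUS server address (documentation range) and secret
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-RADIUS-SECRET
"""

# Constructed sample of a legacy setup: WPA1 enabled alongside WPA2 and TKIP allowed.
LEGACY_CONF = """\
interface=wlan0
ssid=OldWiFi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
"""


def parse_hostapd(text):
    """hostapd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return (tier, findings): tier is 'open', 'psk', 'enterprise' or 'unknown'."""
    conf = parse_hostapd(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        return "open", ["wpa=0: no WPA/WPA2 protection on this SSID"]
    if wpa in ("1", "3"):                        # bit 0 = WPA1, bit 1 = WPA2/RSN
        findings.append(f"wpa={wpa} enables WPA1; set wpa=2 so only WPA2/RSN is offered")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP; restrict it to CCMP")
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-EAP" in key_mgmt:
        tier = "enterprise"
        if conf.get("ieee8021x") != "1":
            findings.append("WPA-EAP configured but ieee8021x=1 is missing")
        if not conf.get("auth_server_addr") or not conf.get("auth_server_shared_secret"):
            findings.append("WPA-EAP configured but no RADIUS server (auth_server_addr/shared secret)")
    elif "WPA-PSK" in key_mgmt:
        tier = "psk"
        if not conf.get("wpa_passphrase") and not conf.get("wpa_psk"):
            findings.append("WPA-PSK configured but no wpa_passphrase or wpa_psk set")
    else:
        tier = "unknown"
        findings.append("wpa_key_mgmt does not name WPA-PSK or WPA-EAP")
    return tier, findings


if __name__ == "__main__":
    for label, text in (("psk", PSK_CONF), ("enterprise", ENTERPRISE_CONF), ("legacy", LEGACY_CONF)):
        print(label, audit_hostapd(text))
```

The PSK and enterprise samples audit clean on their respective tiers; the legacy sample is still a PSK network but collects two findings, WPA1 enabled via `wpa=3` and TKIP in `wpa_pairwise`. In hostapd `wpa` is a bitfield (1 = WPA1, 2 = WPA2/RSN, 3 = both), which is why the check treats 3 as a finding and not just 1.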
This has been a brief, 30,000-foot view of best practices for Wi-Fi security. Given the risks of data literally streaming through the air, it is best to build things right the first time.