Secure WiFi in an enterprise environment from the very beginning
Wi-Fi is inherently an entry-point that hackers can use to break into your network without even setting foot in your corporate headquarters, since wireless networks are more susceptible to eavesdropping than wired networks, which is why This makes network administrators have to be more diligent in Wi-Fi network security.
Although Wifi is very vulnerable to attacks and eavesdropping, it can still be secure if you invest time in learning and applying advanced network security measures. So, follow these do's and don'ts to make your wireless network more secure. If you are looking for a solution to secure wifi networks in an enterprise environment, this article will satisfy that need as well.
Products suitable for families: Best router for multiple devices
Top 10 basic network troubleshooting tools that IT people need to know
Comprehensive set of network monitoring tools
Use a discreet SSID, don't trust hidden SSIDs
SSID (Service set identifier) is one of the most basic Wi-Fi network settings. Careless use of the SSID can jeopardize the safety of the Wi-Fi network. Using overly common SSID names like "wireless" or the default name from your carrier can make it easier for an attacker to crack the private mode of WPA or WPA2 security. This is because the encryption algorithm combines with the SSID, and hackers use a password cracking dictionary with common, default SSID names. Therefore, using the default or too popular SSID name will make the hacker's "job" easier. (However, this vulnerability cannot be exploited on networks using the Enterprise mode of WPA security, WPA2, one of the many benefits of Enterprise mode).
Name the SSID discreetly
Name the SSID routine but not too common, not related to the company
While it is possible to set an SSID according to an easy to remember criterion like company name, address, and room number, this is not a good idea, especially if your company is located in the same building as many other companies. or near other buildings or networks. Because when hackers get closer to a building location, they can quickly target a network with the most intelligible identifier and also help them predict what they will have when hacking into that network.
One of the rumors about wireless network security is that disabling SSID broadcasting of access points will help hide your network or at least create a secure SSID that makes it difficult for hackers to break. However, this will only remove the SSID from the access point. It is still included in the 802.11 request and in some cases, in the network request and response packets. Thus, a hacker or eavesdropper can easily and quickly discover the hidden SSID - especially on a busy network - with legitimate wireless analytics.
Some would argue that disabling SSID broadcasting still provides an extra layer of security for the network, but keep in mind that it has the potential to have a negative impact on the configuration and performance of the network. You will have to manually enter the SSID into the devices, followed by device configuration. It can also cause an increase in probe requests and return packets, reducing the amount of available bandwidth.
Don't forget physical security
Even if you have the best encryption method on hand, it is still vulnerable. Physical security is one of such flaws. Most access points (Access points or APs, hereinafter referred to as APs) have a reset button that restores default settings, clears your Wi-Fi security and allows anyone to connect to the network. Therefore, APs distributed throughout your company need to be protected (physically, like carefully locked boxes) to prevent fraud. Make sure that only the people involved can touch them, consider using the AP provider's inbuilt locking mechanisms to restrict access to the AP's nodes and ports.
Another physical security concern with Wi-Fi is when someone adds an unauthorized AP to the network, also known as a "rogue AP" - a rogue AP. This can be done in a legitimate way, for example, expanding Wi-Fi coverage or for malicious intentions of an employee (or even an outsider) wanting to access the network. To prevent these rogue APs, make sure any unused ethernet ports (wall-mounted or docking ports) are disabled. You can remove the ports, network cables or shorten the electrical connection or network cable on the router or switch. If you want to add more security, turn on 802.1X authentication on the wired side (if the router or switch supports that), then any device plugged into the ethernet port must enter the login credentials to Network Access.
WEP, WPA / WPA2-PSK should not be used
WEP (wired equivalent privacy) security has long been dead. Its encryption can be easily and quickly broken by most amateur hackers. Therefore, you shouldn't use WEP at all. If in use, upgrade immediately to WPA2 (Wi-Fi protected access) with 802.1X authentication. If you are new to a wifi router or access point that doesn't support WPA2, try updating the firmware or simply replacing the device.