Network security is a multilayered process; no single method, tool, or procedure can provide full protection. Network management tools such as firewalls control access from outside addresses and restrict which protocols and ports are allowed. A managed switch controls which data goes where and segregates devices by setting up VLANs.
Wireless distribution of media and data adds yet another layer of security risk to the network. Although it is the most convenient method for connecting devices, it is also the least efficient and the most problematic. Still, when it comes to end users, convenience almost always rules over stability.
From media streaming devices, such as the Amazon Fire TV Stick, Roku, Apple TV, to tablets, mobile phones, and laptops, a fair number of devices will access a network via a wireless connection. Our clients want to simultaneously use the latest content delivery devices, toys, and gadgets, yet still feel secure that their network will not be compromised. It is our responsibility to verify all steps have been taken to satisfy their wants and needs.
SSID or Don’t
One of the simplest steps that one can take to protect wireless devices is to turn off the SSID Broadcast function. By default, many wireless access points publicly broadcast their network name, making them easier to locate. While the broadcast makes the router or access point easier to identify during initial setup, it is best not to take Thomas Dolby’s call to ‘Be in my Broadcast.’ Once the unit no longer needs to call out its name, this option should be turned off.
Truth be told, turning off the broadcast feature provides only limited wireless security benefit, as most off-the-shelf Wi-Fi scanners can recover the network name from the traffic and report it back even with the feature turned off. As a first line of defense, however, and as a way to thwart the casual bandwidth thief, it is still worth implementing.
Complicated is Good
When it comes to interfaces, manuals, or set-up instructions, simplicity is always the best approach; get straight to the point with little fuss or unnecessary steps. On the other hand, when dealing with network security, the more complex something is, the safer it will be from hackers.
Wi-Fi devices often offer a selection of security standards, and most of them can fairly be described as “harmless,” offering little real resistance to an intruder. Always choose the highest level of security that the majority of devices can utilize. At a minimum, use WPA2 with PSK.
Complicated is also best when creating encryption passkeys and passwords. We often make the mistake of choosing catchphrases or names that are familiar to us, easy to create, and easy to remember. The trouble is, these are also among the easiest combinations to figure out, often without even needing password-matching software. While it will seem like somewhat of a hassle, use the longest random combination of letters, numbers, and special characters that the equipment accepts.
DHCP allows for quick allocation of network IP addresses without the need to manually manage devices and users. Unfortunately, this also lets an interloper obtain an address, and with it network access, without anyone having granted it.
Limiting the number of users who can connect by specific static IP addresses prevents accidental access. Each device, computer, tablet, and mobile device should be assigned an address and added to an “access only” list.
While not a failsafe method—IP addresses can be spoofed—this does prevent an open address in the DHCP table from continuing to have access or from being assigned without your knowledge. Any duplicate address on the network will generate a conflict alert, giving you a leg up on the intrusion. If allowing guests access to the internet is necessary, then a separate wireless router with a small DHCP table can be set up outside the main firewall.
Be a MAC Daddy
Every device that can connect to a network has a unique hardware identifier, its MAC address. This physical address is burned into every Ethernet interface and wireless radio.
The MAC address can also be added to a MAC address filter to further restrict which devices can gain access. In many cases, the static IP address and MAC address can be linked, further reducing the chance of spoofing the IP or physical address.
Restricting access via IP and MAC addresses does, however, have a major downside. The network will require more hands-on maintenance and additional setup to accommodate new connections.
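The static-IP “access only” list and the MAC filter described above are only useful if someone checks the network against them. The following audit script is an added example, not part of the original article or any vendor’s firmware: it takes a constructed allowlist of MAC-to-static-IP pairs and a constructed snapshot of the router’s ARP table, and flags unknown hardware, known devices that turned up on an address they were not assigned (a sign of a stray DHCP lease), and the duplicate-address conflicts the article mentions.

```python
from collections import defaultdict

# Constructed "access only" list: MAC -> static IP assigned to that device.
# All MACs and addresses here are made up for this example.
ALLOWLIST = {
    "aa:bb:cc:00:00:01": "192.168.10.11",   # living-room streaming box
    "aa:bb:cc:00:00:02": "192.168.10.12",   # tablet
    "aa:bb:cc:00:00:03": "192.168.10.13",   # laptop
}

# Constructed snapshot of the router's ARP/neighbour table: (ip, mac) pairs.
ARP_SNAPSHOT = [
    ("192.168.10.11", "AA:BB:CC:00:00:01"),   # matches the allowlist (case differs)
    ("192.168.10.12", "aa:bb:cc:00:00:02"),   # matches the allowlist
    ("192.168.10.150", "aa:bb:cc:00:00:02"),  # tablet also holds a leftover DHCP lease
    ("192.168.10.13", "de:ad:be:ef:00:99"),   # unknown hardware on the laptop's address
    ("192.168.10.13", "aa:bb:cc:00:00:03"),   # the real laptop: duplicate address
    ("192.168.10.77", "de:ad:be:ef:00:42"),   # unknown hardware on an unassigned address
]

def audit(snapshot, allowlist):
    """Return (severity, message) findings for one ARP snapshot."""
    findings = []
    macs_per_ip = defaultdict(set)
    for ip, mac in snapshot:
        mac = mac.lower()                      # MAC filters compare case-insensitively
        macs_per_ip[ip].add(mac)
        if mac not in allowlist:
            findings.append(("HIGH", f"unknown device {mac} holds {ip}"))
        elif allowlist[mac] != ip:
            findings.append(("MEDIUM", f"{mac} assigned {allowlist[mac]} but seen at {ip}"))
    # Two different MACs answering for one IP is the address conflict the article
    # describes; it is also what IP spoofing of an allowlisted address looks like.
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            findings.append(("HIGH", f"address conflict: {ip} answered by {sorted(macs)}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(ARP_SNAPSHOT, ALLOWLIST):
        print(f"[{severity}] {message}")
```

On a live router the snapshot would come from its ARP or DHCP lease page (or `ip neigh` on a Linux-based unit) rather than the constructed list.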
When we think of managing wireless antennas and transmission power, it is often framed in terms of maximizing coverage. Moving or extending antennas or using specialized types can help ensure that every corner is covered. We can use this ability to tweak the RF signal to help minimize access. It is not uncommon for the Wi-Fi signal to reach beyond the home and out into the yard or street.
In general, it is best to locate the router or main antennas in the center of a room, rather than in a corner or near windows. Providing more “air-space” between the antenna and the exterior of the building (and therefore less signal strength outside) makes the unit a less attractive target.
Antenna orientation can have a dramatic effect on the shape and direction of the radio signal. More often than not, we recommend keeping the antennas with their “sides” facing the space. Changing this to a sharper angle or pointing the tips slightly askew can provide coverage without radiating signal to the outside or to the floors above and below.
Directional antennas also can limit the area that a signal covers. Higher-end or commercial-grade units provide a means to replace or extend antennas. Many commercial-grade wireless routers provide a means to control the power of the RF signal. Lowering the power naturally limits the reach, containing the signal to a small, defined area.
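The trade-off in the four paragraphs above can be put into numbers with a link budget. The script below is an added example, not from the article or any equipment vendor: it uses a log-distance path-loss model (free-space loss at one metre, then a loss exponent that stands in for interior walls and floors) to find the highest transmit power that keeps the signal at the property line below a chosen ceiling, and then checks whether the inside of the home still gets a usable signal at that power. The exponent, antenna gain, distances and thresholds are assumed values for illustration, not measurements.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def path_loss_db(distance_m, freq_hz=2.4e9, exponent=3.0):
    """Log-distance path loss in dB.

    Free-space loss at 1 m, then 10 * exponent * log10(d). exponent 2.0 is
    open air; 3.0 to 4.0 is a common assumption for signal passing through
    interior walls and floors (assumed here, not measured)."""
    fspl_1m = 20 * math.log10(freq_hz) + 20 * math.log10(4 * math.pi / C)
    return fspl_1m + 10 * exponent * math.log10(distance_m)

def rssi_dbm(tx_power_dbm, distance_m, antenna_gain_dbi=2.0, exponent=3.0):
    """Received signal strength at a client with a 0 dBi antenna."""
    return tx_power_dbm + antenna_gain_dbi - path_loss_db(distance_m, exponent=exponent)

def max_tx_power_dbm(edge_m, edge_ceiling_dbm, antenna_gain_dbi=2.0, exponent=3.0):
    """Highest transmit power that keeps RSSI at the property edge at or below
    edge_ceiling_dbm (for example -80 dBm, where most clients cannot stay connected)."""
    return edge_ceiling_dbm - antenna_gain_dbi + path_loss_db(edge_m, exponent=exponent)

def plan(inside_m, edge_m, min_inside_dbm=-67.0, edge_ceiling_dbm=-80.0,
         antenna_gain_dbi=2.0, exponent=3.0):
    """Return (tx_power_dbm, rssi_inside, rssi_edge, inside_ok).

    inside_ok is False when containing the signal to the edge ceiling leaves
    the farthest indoor client below min_inside_dbm, i.e. lowering power is not
    enough and a directional antenna or relocation is needed."""
    p = max_tx_power_dbm(edge_m, edge_ceiling_dbm, antenna_gain_dbi, exponent)
    inside = rssi_dbm(p, inside_m, antenna_gain_dbi, exponent)
    edge = rssi_dbm(p, edge_m, antenna_gain_dbi, exponent)
    return p, inside, edge, inside >= min_inside_dbm

if __name__ == "__main__":
    # Assumed layout: farthest indoor client 10 m away, street 30 m away.
    p, inside, edge, ok = plan(inside_m=10.0, edge_m=30.0)
    print(f"set TX power to {p:.1f} dBm: {inside:.1f} dBm inside, {edge:.1f} dBm at street, ok={ok}")
    print(f"at a typical 20 dBm default the street sees {rssi_dbm(20.0, 30.0):.1f} dBm")
```

The model ignores reflections and real wall attenuation, so treat the result as a starting point to verify with a site survey rather than a final setting.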
Logs and Alerts
Security is not a set-it-and-forget-it process; it takes vigilance, observation, and maintenance. One of the best ways to keep track of a system’s security performance is to utilize alert settings and logs.
Most enterprise-class wireless systems (and you should be using enterprise-class equipment as often as possible) provide settings that can alert the administrator (most likely you) to failed access attempts or unusual activity.
The logs can be reviewed weekly for any unusual activity, alerts, warnings, and performance issues. Looking these over also can give you the power of preemptively solving issues of which the end client may only be vaguely aware.
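A weekly review goes faster when the obvious patterns are pulled out first. The script below is an added example, not the article’s or any router vendor’s tooling: it reads a constructed log (the line format is invented for this example, not a real product’s) and flags a station that fails to join repeatedly within a short window, which is what passphrase guessing looks like, and a station that joins successfully after such a burst, which deserves a second look.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in an invented format:
#   <ISO timestamp> <ap> <EVENT> sta=<mac> [reason=<text>]
LOG_LINES = """\
2024-03-02T22:14:03 ap1 ASSOC sta=aa:bb:cc:00:00:01
2024-03-02T22:40:10 ap1 AUTH-FAIL sta=de:ad:be:ef:00:99 reason=psk-mismatch
2024-03-02T22:40:14 ap1 AUTH-FAIL sta=de:ad:be:ef:00:99 reason=psk-mismatch
2024-03-02T22:40:19 ap1 AUTH-FAIL sta=de:ad:be:ef:00:99 reason=psk-mismatch
2024-03-02T22:40:25 ap1 AUTH-FAIL sta=de:ad:be:ef:00:99 reason=psk-mismatch
2024-03-02T22:41:02 ap1 AUTH-FAIL sta=de:ad:be:ef:00:99 reason=psk-mismatch
2024-03-02T22:41:30 ap1 ASSOC sta=de:ad:be:ef:00:99
2024-03-03T07:05:44 ap1 AUTH-FAIL sta=aa:bb:cc:00:00:02 reason=psk-mismatch
2024-03-03T07:05:58 ap1 ASSOC sta=aa:bb:cc:00:00:02
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) sta=([0-9a-f:]{17})(?: reason=(\S+))?$")

def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ap, event, sta, reason = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ap": ap, "event": event,
            "sta": sta, "reason": reason}

def review(lines, burst=4, window_s=120):
    """Flag stations with >= burst failed joins inside window_s seconds, and a
    successful join by a station that was previously flagged."""
    alerts = []
    recent = defaultdict(deque)      # sta -> timestamps of failures in the window
    flagged = set()
    for rec in filter(None, map(parse, lines)):
        sta, q = rec["sta"], recent[rec["sta"]]
        if rec["event"] == "AUTH-FAIL":
            q.append(rec["ts"])
            while q and (rec["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= burst and sta not in flagged:
                flagged.add(sta)
                alerts.append(f"{rec['ts']} {sta}: {len(q)} failed joins within "
                              f"{window_s}s (possible passphrase guessing)")
        elif rec["event"] == "ASSOC":
            if sta in flagged:
                alerts.append(f"{rec['ts']} {sta}: joined after repeated failures, verify this device")
                flagged.discard(sta)
            q.clear()                # a single typo followed by success is normal
    return alerts
```

The one failure from the tablet followed by a successful join is deliberately left unflagged; a mistyped passphrase is everyday noise, a dozen in a row are not.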
To be sure, security is not for the lazy, especially when it pertains to wireless. It is a balancing act between keeping the system secure and providing efficient delivery of content.