Internet users are widely using Wi-Fi devices to access Internet. Every year millions of wireless based devices are sold in the market. Out of these most of the devices are vulnerable in their default configuration mode. Since end users are not fully aware of security levels to be set on these devices, these get rendered vulnerable.
Wi-Fi is a trademark name to brand devices compliant to IEEE 802.11 standards i.e. WLAN devices. WLAN is more vulnerable compared to traditional Ethernet based wired technology since any unauthorized user within the range of a Wireless Network can access and seamlessly use their network if proper security is not implemented.
Following Security Algorithms are used to protect the confidentiality of the data transmitted over wireless Network:
- WEP (Wired Equivalent Privacy)
- WPA (Wi-Fi Protected Access)
- WPS (Wi-Fi Protected Setup)
WEP the original Security Standard used to maintain the confidentiality of the data transmitted over the wireless networks. WEP provides two type’s of authentication i.e. Open Authentication and Shared Key Authentication mechanisms that can be used to give Wireless Network access to authorized users.
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).
WPA is also referred to as 802.11i Standard is made available in 2003. To improve the security and complexity of the encryption WPA2 was improved and made available in 2004.
WPS is designed in view to simply the configuration to easily connect to the Wireless Home Network. But it is prone to Brute Force attack which could easily be exploited if the access point is not safe guarded.
Remember that a wireless security plan requires five components to be successful: policy, strong authentication, strong encryption, monitoring and auditing.
1. Use a strong password.
Companies are waking up to the inherent risks of password-based authentication; brute-force attacks and educated guesses are both serious risks to
There’s no lack of keys in WPA2 networks, requiring up to 7 key values before the first encrypted packet is sent on the network. For WPA2-PSK networks, the first key value is based on the pre-shared secret passphrase that is configured on access points and client hardware. This passphrase
must be between 8 and 63 characters in length, and should be a strong password that is not based on a dictionary word.
This isn’t limited to WPA2-PSK networks, it affects the selection of RADIUS shared-secrets, TACACS+ shared secrets, service account passwords and many more.
The passwords we generally use are deliberately terrible, but unfortunately, many users don’t behave much better when it comes to passwords. Organisations can force users to create strong passwords, but as passwords become more complex, they become harder to remember. Users are likely to leave a password that they can’t remember in a file on their computer, in their smartphone, or even on a Post-it note, because it’s just easier to keep of track them that way. Of course, passwords that can be discovered lying around in plaintext undermine the security of using a strong password.
2. Enable MAC address filtering
Wireless networking and wireless Internet Service Providers (WISPs) have been popping up more and more every year. Vendors such as Baltimore Wireless, D-Link, Netgear and the seemingly unlimited number of coffee and pizza shops in major cities around the world offer free wireless Internet data services. These services were designed and created on the backs of strong antennas, the 802.11g and 802.11n protocols, and custom MAC address filtering logic.
Every device that is connected to the internet has a MAC address. Most routers have the possibility to add this unique identification number in the settings and restrict access to the network to devices whose mac address has been added.
3. Enable network encryption
Most routers have a web page on which you can view and adjust all settings. Consult the manual of your router or for information on how to access this web page. Usually you go to your address with your browser. Preferably you do this from a computer that is connected to the router with a fixed line. This has the advantage that you can always reach the router, even if you set something wrong on the wireless part. Once on the settings page, go to the security settings.
In general, the settings are divided into tabs and the security settings can be found on a tab called security. Sometimes all settings for wireless connections are on the wireless tab.
Depending on your options, choose WPA or WPA2 for security (also known as encryption) on your router.
When dealing with wireless security, many organizations assume their wired infrastructure is safe from wireless attacks. With the threat of rogue APs or compromised authentication credentials however, it is possible for an attacker to mount any attack against the wired network from a wireless station.
For large enterprises, use WPA2-Enterprise with EAP-TLS. This uses both the client and server side certificates for authentication, and currently is unbreakable.
4. Enable router firewall
A firewall is essential for keeping attackers out and crucial data in. Out of the box, your routers are not secure. Turn on Access Control Lists and Port Security to keep attackers out.
Your router has a firewall, a virtual wall that protects your network against common attacks by, for example, viruses or hackers trying to break into your network. By default, the firewall is on and it is advisable to leave it that way. In addition, your operating system (Windows, MacOS, Linux or another) usually also has a firewall function. Turn on that too.
5. Configure Wireless router to use static IP addresses
All settings of a router can be accessed via the web interface . This page can be reached via the browser , with which you normally surf the internet (Chrome, Firefox, Internet Explorer, Safari and others). The so – called IP address of this page usually consists of a row of digits in the form of 192.168.xx or 10.xxx, where x can each be 1 to 254. It differs per brand and type as the exact address. You often find this on the router itself, in its manual or in a list of common routers.
Make your network a closed sub-network. You can do this by manually assigning an IP address and subnet mask to each user of your network and by installing a strong firewall (integrated or not) in your access point.
6. Keep your router’s software up-to-date
Firmware is the software in your router and controls your wireless router. But even though the router is new, that OS may contain errors. A safety leak can also come to light on the quality wireless routers. The manufacturers of your wireless router do everything they can to resolve security leaks and other errors as quickly as possible.
Once the manufacturer finds a security risk, the operating system of your router is partially or completely rewritten. After testing, they put this rewritten operating system on their website. This operating system is also called the firmware. And this is occasionally made available on your router to improve.
So you have to regularly see new firmware. And this to keep your wireless router safe.
7. Switch off your Home wireless network when not in use
Home network owners often leave their router, broadband modems, and other gear powered up and operating constantly, even when they aren’t constantly using them, for the sake of convenience.
More and more routers have support for a time clock. This will automatically switch your Wi-Fi on and off according to your timetable. For example, you can turn off Wi-Fi during working hours or at night.
Switch off your Wi-Fi network automatically when you are asleep or absent. Handy, because then nobody can use it. That is safer and you save on your energy costs.
Suggested Read: Top 5 Wireless Penetration Testing Tools
Turning off your network during extended periods of non-use is always a good idea. If you’re going to be away on a vacation or are purposefully pulling the plug on all your electronics over the weekend, then, by all means, shut down the devices you won’t be using.
8. Hide your wireless network SSID name
Many wireless users may accidentally connect to this malicious access point, thinking it is part of the authorized network. Once a connection is established, the attacker can orchestrate a man-in-the-middle attack (MITM) and transparently relay traffic while eavesdropping on the entire communication.
In the real world, an attacker would ideally use this attack close to the authorized network so that the user gets confused and accidentally connects to the attacker’s network. An evil twin having the same MAC address as an authorized access point is even more difficult to detect and deter. This is where access point MAC Spoofing comes in!
Make sure that you must hide your Network SSID name from router’s settings.
When you log in to your router you can choose not to broadcast your network name or SSID. You then have to manually set up your network on your laptop, smartphone or tablet. This seems like a smart security, but anyone who has a very little understanding of computers can download a program that your network can easily identify. Even more serious hackers only get more suspicious when you hide your network.
9. Change your wireless network SSID name
The SSID is the first piece of information required to connect to a wireless network. 802.11 networks use the SSID to distinguish BSSes from each other.
One of the most potent attacks on WLAN infrastructures is the evil twin. The idea is to basically introduce an attacker-controlled access point in the vicinity of the WLAN network. This access point will advertise the exact same SSID as the authorized WLAN network.
The default name, also called SSID, of your wireless network often contains the router type (e.g. D-Link or TP-Link). Routers that are susceptible to hackers fall out so quickly. Therefore give your network a different name, but no other traceable name. So avoid default SSID names.
10. A Guest Network
Do not give your password to neighbours or guests, but create a special guest network for them for better security.
Creating a guest network is always a good idea to protect your network connections. A guest network is a ‘parallel‘ network that allows your guests to access your Wi-Fi network and the Internet, but not to other network devices. Your Internet service provider can tell you more about how to add a guest network.
It is also considered an advanced mechanisms however, and should be applied after other wireless security mechanisms including the deployment of strong encryption and authentication have been deployed.