We had our Managed Services Provider (MSP) put up some new WLAN access points in our office over the weekend. Now our employees and authorized visitors can more easily connect to the Internet with their computer devices and smartphones when they’re in our office.
A wireless local area network (WLAN) uses high-frequency radio waves, in conjunction with access points (AP), to distribute signals so users can move around your facility and maintain a network connection.
I wanted to make sure that the signals stayed within the boundary of our office space. I didn’t want them to spread out into the parking lot for a hacker to find. So, I asked our IT Provider to do this and to also explain what I needed to know.
Always have an expert set up and install your access points.
Because wireless networking devices like access points are easy to obtain and reasonably priced, business owners like me are adding them to their offices. Some people try to set them up themselves. This isn’t a good idea. Why? You probably set up your own wireless network and access points at home, right? But the enterprise versions come with many more settings than your typical home devices, because you never know who’s “lurking” outside your facility trying to hack in. Your IT provider knows this and will configure the security features on your access points to ensure that only the people you want can pick up the signal.
Secure the administration interface.
Almost all routers and access points require an administrator password to log in and modify the configuration. They come with a default password, but this is usually weak and easy for hackers to guess. The first thing you should do is change this password to a complex one. Here are some suggestions:
- Make sure your password is longer than eight characters. Use a mix of numbers, symbols, and letters. Don’t use common phrases, places or names in your password.
- If you use a word in your password, spell it wrong, so it’s more difficult to guess. For example, instead of Beach21@!#, use Beich21@!#.
- Don’t copy passwords from other devices or accounts. Choose a new, unique one.
You probably won’t use the password for your access points very often, so write it down and keep it in a safe place for future reference. If you forget or lose the password, you’ll have to reset the access point and reconfigure it from scratch.
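The password rules above can be turned into a simple check you run before you commit a new admin password to the access point. The following is an added example, not code from the original post or from the MSP; the list of common words is a constructed stand-in for a real dictionary, and the rules (longer than eight characters, letters plus digits plus symbols, no correctly spelled common word, place or name) are exactly the ones listed above.

```python
import re
import string

# Constructed sample of common words, places and names the policy says to
# avoid. A real deployment would load a much larger dictionary (assumption).
COMMON_WORDS = {"beach", "password", "summer", "office", "admin", "welcome",
                "london", "michael", "company"}


def password_problems(password, common_words=COMMON_WORDS):
    """Return the list of policy rules the candidate password breaks.

    The rules mirror the article's guidance for the access-point admin
    password. An empty list means the password is acceptable.
    """
    problems = []
    if len(password) <= 8:
        problems.append("must be longer than eight characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("needs at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("needs at least one symbol")
    # Dictionary check is case-insensitive; a deliberately misspelled word
    # (Beich instead of Beach) passes, which is what the article suggests.
    lowered = password.lower()
    for word in sorted(common_words):
        if word in lowered:
            problems.append(f"contains common word '{word}' spelled correctly")
    return problems


def is_acceptable(password, common_words=COMMON_WORDS):
    """True when the candidate password breaks none of the rules."""
    return not password_problems(password, common_words)


if __name__ == "__main__":
    for candidate in ("Beach21@!#", "Beich21@!#", "Ab1!"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

The check only covers the rules the article states; it cannot tell whether the password was reused from another device, so that rule still has to be enforced by habit.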
Disable the remote administration capability.
You should only use the remote administration feature if it lets you define a specific IP address, or limit the range of addresses, that is allowed to connect to your router. If you don’t, anyone, from anywhere, can locate and access your router. Remote administration is usually off by default, but make sure that it is.
Turn off SSID broadcast.
This will hide your access point from casual unauthorized users. If you don’t do this, your WLAN access points will continually broadcast your network’s name, or SSID (Service Set Identifier). This makes it easy for your users to find your WLAN, but it also makes it visible to any wireless device within range. Turn off SSID broadcast for added security.
Use WPA encryption, not WEP.
WEP (Wired Equivalent Privacy) encryption is relatively easy for a hacker to crack, giving them access to your wireless network. Use WPA (Wi-Fi Protected Access) instead. It provides more protection for your WLAN, and it’s also easier to sign into: with WEP the key must be entered as hexadecimal digits (0-9 and A-F only), while WPA accepts a passphrase. WPA support is built into all wireless hardware and operating systems used today. WPA2 is also supported by most hardware today and uses even stronger encryption than WPA.
If you have no choice, you can use WEP.
Some non-PC devices like media players and digital video recorders (DVRs) only support WEP encryption. In this case, you should use it. Don’t skip encryption because of this. WEP is better than nothing. Because it’s not as secure as WPA or WPA2, make sure you use an encryption passcode that’s very hard to guess.
Sometimes it’s hard to find a nearby power source for your access points. In this case, you can use Power over Ethernet (PoE). This allows you to get power from the unused wires in your Ethernet cable. PoE modules ensure your hardware isn’t exposed to the electricity in the cable.
Use MAC filtering for your access control.
A MAC (media access control) address identifies a specific network interface. Unlike an IP address, which the network assigns to a device, the MAC address belongs to the interface itself, so MAC filtering lets the access point accept connections only from the interfaces you have listed and thereby limit access to your own systems. To set it up, you must locate the MAC address of every system you want to connect to the network, which can be bothersome if you have a lot of wireless devices.
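The allowlist logic an access point applies when MAC filtering is enabled, written out as an added example (not code from the original post or from any access-point vendor). It assumes you maintain the inventory as a plain list of addresses; the addresses themselves are constructed. The normalization step matters in practice because the same address gets copied from devices in several formats (colons, dashes, dotted groups, mixed case), and an entry that fails to match because of formatting looks exactly like a device that was never authorized.

```python
import re


def normalize_mac(mac):
    """Canonicalize a MAC address to lower-case, colon-separated form.

    Accepts the forms users typically copy from devices:
    aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff.
    Raises ValueError for anything that is not twelve hex digits.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class MacAllowList:
    """The per-AP allowlist: only listed interfaces may associate."""

    def __init__(self, allowed):
        # Normalize once so lookups are format-independent.
        self._allowed = {normalize_mac(m) for m in allowed}

    def permits(self, client_mac):
        """True if the presented address is on the list; malformed -> deny."""
        try:
            return normalize_mac(client_mac) in self._allowed
        except ValueError:
            return False

    def decide(self, association_attempts):
        """Map each attempting address to an allow/deny decision."""
        return [(mac, "allow" if self.permits(mac) else "deny")
                for mac in association_attempts]


if __name__ == "__main__":
    # Constructed inventory of the three laptops that should connect.
    acl = MacAllowList(["00:11:22:AA:BB:CC", "00-11-22-dd-ee-ff", "0011.22aa.bb01"])
    for mac, verdict in acl.decide(["00:11:22:aa:bb:cc", "00:11:22:aa:bb:cd"]):
        print(mac, verdict)
```

Keep in mind that the filter only checks the address a client presents, so it is an access-control convenience on top of encryption, not a replacement for it.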
If possible, lower the power on your access point.
Some access points let you reduce the power of the WLAN transmitter and range of the signal. This way, you can confine the signal to your office or building and minimize the chance that unauthorized users outside your space can access your WLAN.
Treat all wireless connections as if they are insecure.
Don’t trust anyone. Treat your wireless networks the same way you would treat your Internet connection. Make your users authenticate via a VPN or another mechanism before giving them access to your APs and network.
Watch Out for Rogue Access Points
A rogue access point is any wireless AP that’s connected to your network’s wired infrastructure without your consent. Sometimes rogue access points are installed by employees who want wireless Internet access when they don’t have it; by installing your own wireless access points, you reduce the chance that your employees will install their own. More often, however, someone outside your organization uses a wireless device to pick up the beacons sent by your AP and then transmits identical beacons so that bad actors can gain access to your network. This is aptly called an “evil twin.” To find rogue access points, you can use a tool that detects wireless networks and compare what it reports against the access points you know you installed.
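What the comparison against your own access points looks like, as an added example (not code from the original post or from any scanning tool). It assumes your MSP gave you an inventory of the BSSIDs (the radio MAC addresses) behind each of your SSIDs, and it parses a constructed, comma-separated scan listing rather than the output of a specific scanner. It flags the evil-twin case described above (your SSID advertised from a radio that isn’t yours) and, going one step beyond the text, a lookalike SSID that differs from yours only in case or punctuation; a neighbour’s unrelated network is left alone, because a scan by itself cannot tell you whether an AP is plugged into your wiring.

```python
import re
from collections import namedtuple

ScanEntry = namedtuple("ScanEntry", "ssid bssid channel signal")

# Constructed inventory: each of our SSIDs and the BSSIDs of the APs we installed.
AUTHORIZED = {
    "AcmeCorp-WiFi": {"f0:9f:c2:00:00:01", "f0:9f:c2:00:00:02"},
    "AcmeCorp-Guest": {"f0:9f:c2:00:00:11", "f0:9f:c2:00:00:12"},
}

# Constructed scan listing (ssid,bssid,channel,signal_dbm), not real scanner output.
SAMPLE_SCAN = """
# ssid,bssid,channel,signal_dbm
AcmeCorp-WiFi,f0:9f:c2:00:00:01,6,-45
AcmeCorp-WiFi,f0:9f:c2:00:00:02,11,-60
AcmeCorp-Guest,f0:9f:c2:00:00:11,6,-47
AcmeCorp-WiFi,DE:AD:BE:EF:00:01,6,-40
AcmeCorp_WiFi,de:ad:be:ef:00:02,1,-52
CoffeeShop-Free,02:11:22:33:44:55,1,-75
"""


def parse_scan(text):
    """Parse the constructed listing into ScanEntry records (BSSID lower-cased)."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, signal = [f.strip() for f in line.split(",")]
        entries.append(ScanEntry(ssid, bssid.lower(), int(channel), int(signal)))
    return entries


def _norm_ssid(ssid):
    """Collapse case and punctuation so 'AcmeCorp_WiFi' matches 'AcmeCorp-WiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(entries, authorized=AUTHORIZED):
    """Return (bssid, ssid, reason) for every AP that imitates one of ours."""
    lookalike_index = {_norm_ssid(s): s for s in authorized}
    findings = []
    for e in entries:
        if e.ssid in authorized:
            if e.bssid not in authorized[e.ssid]:
                findings.append((e.bssid, e.ssid,
                                 "evil twin: our SSID from an unknown radio"))
        elif _norm_ssid(e.ssid) in lookalike_index:
            findings.append((e.bssid, e.ssid,
                             f"lookalike of {lookalike_index[_norm_ssid(e.ssid)]}"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN)):
        print(f"{bssid}  {ssid!r:20} {reason}")
```

Run it periodically from a laptop that walks the floor, and treat any finding as something to locate physically; the inventory must be updated whenever your MSP adds or replaces an AP, or your own new radio will show up as an evil twin.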
Always activate Internet Protocol Security (IPSec) encryption on your network. It uses cryptography to provide an extra layer of security: IPSec encrypts your data before it’s transmitted over the airwaves. You can create a group policy that requires all systems to use IPSec encryption. This will take up some of your bandwidth and may slow down your network traffic to some degree, but it’s worth doing to keep hackers from getting at your information through an insecure rogue AP.
IPSec uses two security services:
- AH (Authentication Header): This authenticates the sender and detects any changes to the data during transmission.
- ESP (Encapsulating Security Payload): This also authenticates the sender, and in addition it encrypts the data in transit.
IPSec uses two modes:
- Tunnel: This encapsulates the entire IP packet to set up secure communication between two devices or sites.
- Transport: This encapsulates only the IP payload (not the whole IP packet, as tunnel mode does) to set up a secure channel between the two communicating systems.
You can also use IPSec encryption to securely set up VPNs (Virtual Private Networks).
Connect all your access points to a UPS (uninterruptible power supply)
If the power fails and your APs aren’t connected to a UPS, your wireless users will be knocked off the network. This can be a minor or major inconvenience depending on how long the power is off. But even if it’s off for just a minute, everyone will be disconnected, and some may be locked out until they re-authenticate.
Don’t install your APs near any metal structures.
If you do, the metal can interfere with the radio signal. Locate them away from steel beams and metal roofs. If you don’t know what’s behind your walls or ceiling, you may want to ask your landlord or check the plans for your office building.
Don’t overlap Dynamic Host Configuration Protocol (DHCP) scopes.
DHCP servers manage the provisioning of IP addresses. Your access points should be able to detect conflicts on your network before assigning IP leases. But if they don’t, overlapping DHCP scopes (two servers handing out leases from the same range of addresses) can give two devices the same address and cause a lot of problems for your end users.
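The check that your access points should be doing can also be run by hand against the scopes you have configured. The following is an added example, not code from the original post or from any DHCP server; the scope names, subnets and lease ranges are constructed. It validates that each lease range actually lies inside its subnet and then reports every pair of scopes whose ranges overlap, together with the exact addresses that would be handed out twice.

```python
import ipaddress
from itertools import combinations


def parse_scope(name, subnet, start, end):
    """Validate one DHCP scope and return (name, first, last) as integers.

    Raises ValueError when the lease range falls outside the subnet or is
    reversed, which are the two configuration mistakes that usually hide an
    overlap.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo not in net or hi not in net:
        raise ValueError(f"{name}: lease range {start}-{end} lies outside {subnet}")
    if lo > hi:
        raise ValueError(f"{name}: range start {start} is after range end {end}")
    return (name, int(lo), int(hi))


def find_overlaps(scopes):
    """Return (scope_a, scope_b, 'first-last') for every overlapping pair.

    Two integer ranges overlap when each starts no later than the other ends.
    """
    conflicts = []
    for (n1, lo1, hi1), (n2, lo2, hi2) in combinations(scopes, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            first = ipaddress.ip_address(max(lo1, lo2))
            last = ipaddress.ip_address(min(hi1, hi2))
            conflicts.append((n1, n2, f"{first}-{last}"))
    return conflicts


# Constructed example: two APs on the office subnet were each given their own
# DHCP range and the ranges were not coordinated; the guest subnet is separate.
SAMPLE_SCOPES = [
    parse_scope("AP-Office", "192.168.10.0/24", "192.168.10.100", "192.168.10.200"),
    parse_scope("AP-Warehouse", "192.168.10.0/24", "192.168.10.150", "192.168.10.250"),
    parse_scope("AP-Guest", "192.168.20.0/24", "192.168.20.10", "192.168.20.100"),
]

if __name__ == "__main__":
    for a, b, addresses in find_overlaps(SAMPLE_SCOPES):
        print(f"{a} and {b} both lease {addresses}")
```

The fix is the one the heading states: give each DHCP server a disjoint range (or run a single server for the subnet), then re-run the check until it reports nothing.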
As you can see, using APs in a business setting isn’t as easy as just plugging in the device. Always defer to your IT MSP to ensure your network and data remains secure.