2.3 Compare and Contrast Wireless Security Protocols and Authentication methods
CompTIA wants administrators of small office, home office (SOHO) networks to be able to secure those networks in ways that protect the data stored on them. A wireless network is not, and never will be, 100% secure.
It's always best practice to use wired connections, but if you have to use wireless, then make sure it's as secure as it can be. Use these tips to improve wireless security:
Change the default SSID
All radio frequency signals can be intercepted. To intercept 802.11 wireless traffic, all you need is a PC with an appropriate 802.11 card installed.
Many networks will regularly broadcast their name (aka an SSID Broadcast) to announce their presence. Disable SSID broadcast immediately.
Readily available software on an attacker's PC can capture the broadcast link traffic and recover account and password information from it.
You should change the SSID to keep it from being a value that many outsiders come to know.
If you use the same SSID for years, the number of individuals who have left the company or otherwise learned its value only increases. Changing the SSID adds one more layer of security.
Disable SSID Broadcasts
One method of protecting the network that is often recommended is to turn off the SSID broadcast.
The access point will still be there and can be accessed by those who know of it, but it prevents people who are looking at a list of available networks from finding it.
This is a very weak form of security, but it does add another layer.
Disable DHCP or use Static IP addresses
A SOHO network is small enough that you can get by without using DHCP to automatically issue IP addresses to each host, so if you can disable DHCP, do it!
The advantage of using Static IP Addresses is that you can make certain which host is associated with which IP address and then utilize filtering to limit network access to only those hosts.
Use MAC address filtering
MAC filtering (also known as network lock) lets you allow or block known machines from accessing your network based on their physical (MAC) address.
Use IP filtering
Using static IP addresses is a form of IP filtering.
It should be used on SOHO networks to keep the network from automatically issuing addresses to hosts other than those you recognize and want on the network.
Use a pre-authentication system, such as RADIUS.
RADIUS (Remote Authentication Dial-In User Service) is a common centralized authentication system used for computer and network systems.
It's commonly used nowadays for authentication of virtual private networks (VPNs), wireless systems, and any network system that requires a common centralized authentication system.
RADIUS operates as a client-server protocol.
RADIUS Server controls authentication, authorization, and accounting (AAA).
RADIUS Client can be wireless access points, a VPN, or wired switches.
The RADIUS client will then communicate with the RADIUS server via UDP/1812 for authentication and UDP/1813 for accounting.
Turn down the signal strength to the bare minimum needed to support connectivity
Consider lowering the radio power levels, since the wireless access point has better transmitting power than most mobile devices.
From a security standpoint, power levels should be adjusted so that the signal does not travel past the interior of the organization's building. If it does, someone in the parking lot or an adjacent building could attempt to infiltrate the wireless network.
This is why you should use the access point's radio power level controls to reduce the amount of output it provides.
Use the strongest security available on the wireless access point
Wireless Security from weakest to strongest:
Open → WEP → WPA → WPA2
Protocols & Setting Encryption
It's important to remember that you should always enable encryption for any wireless network that you administer. You should always choose the strongest level of encryption you can work with.
Open
Open security is just that — open — with no passphrase or authentication protocol. Open security was originally how all wireless access points (WAPs) were shipped to the customer.
It's now used mostly for guest networks.
F-Grade
WEP (Wired Equivalent Privacy)
Shared passphrases are used with Wired Equivalent Privacy (WEP).
WEP provides 64- or 128-bit encryption via the shared passphrase.
This form of wireless security can be easily cracked with tools and is no longer considered secure.
D-Grade
WPA (Wi-fi Protected Access)
WPA was standardized by the Wi-Fi Alliance in ‘03 in direct response to the vulnerabilities in WEP (Wired Equivalent Privacy).
It's a direct upgrade to WEP (WEP → WPA).
WPA used 256-bit encryption, vs the 64-bit and 128-bit keys used in WEP.
WPA operates in two modes for security:
Pre-shared Key (PSK), also called Personal Mode.
PSK is the most common mode because it can be easily configured with a password/passphrase.
Enterprise Mode, also called WPA-802.1X
Requires a certificate server infrastructure
Uses the 802.1x protocol, RADIUS, and EAP
Extensible Authentication Protocol (EAP)—EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.
Used only in corporate environments
Encryption Standard
TKIP (Temporal Key Integrity Protocol) was the first encryption standard created for WPA.
No longer considered secure!
Uses WPS (Wi-Fi Protected Setup) to help consumers set up Wi-Fi with ease. This tool is exploitable.
C-grade
WPA-2 (Wi-Fi Protected Access 2)
Released in 2006; also known as 802.11i.
Currently the strongest Wi-Fi security there is.
Encryption standard
AES (Advanced Encryption Standard), which is more secure than TKIP.
WPS (Wi-Fi Protected Setup) is still exploitable and should be turned off.
Most Secure
Seriously consider removing wireless access from your LAN
Change the static security keys (passwords) every two to four weeks.
When new wireless protection schemes become available (and are reasonably priced), consider migrating to them.
Limit the user accounts that can use wireless connectivity.
Use remote access filters against client type, protocols used, time, date, user account, content, and so forth.
Use IPsec tunnels over the wireless links.
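As an added example (not part of the original notes or any vendor's code), the following Python script audits an access point configuration against the SOHO hardening tips above and the Open → WEP → WPA → WPA2 ladder: default SSID, SSID broadcast, MAC allowlist, encryption tier, TKIP vs AES (CCMP), WPS, and a RADIUS server for Enterprise mode. It assumes hostapd-style key=value settings (wpa, rsn_pairwise, wps_state, macaddr_acl, auth_server_addr, and so on); the two sample configurations and the list of default SSIDs are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample configurations (hostapd-style key=value lines); not real deployments.
WEAK_CONF = """\
# out-of-the-box consumer AP (constructed)
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=123456789A
wps_state=2
macaddr_acl=0
"""

HARDENED_CONF = """\
# WPA2-Enterprise with AES, hidden SSID, MAC allowlist, WPS off (constructed)
interface=wlan0
ssid=ACME-Corp-5G
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
wps_state=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
acct_server_addr=192.0.2.10
acct_server_port=1813
"""

# Vendor default SSIDs that outsiders are likely to know (illustrative, constructed list).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the tier from the notes' ladder (Open -> WEP -> WPA -> WPA2)
    plus a list of findings for the other hardening tips."""
    findings: List[str] = []
    wpa = conf.get("wpa", "0")
    uses_wep = any(k.startswith("wep_key") for k in conf)

    if wpa == "0" and not uses_wep:
        tier = "Open (F-grade)"
        findings.append("no encryption configured; anyone in range can associate")
    elif wpa == "0":
        tier = "WEP (D-grade)"
        findings.append("WEP is easily cracked; migrate to WPA2")
    elif wpa in ("1", "3"):  # 3 = WPA and WPA2 both accepted, so WPA is still reachable
        tier = "WPA (C-grade)"
        findings.append("WPA still accepted; set wpa=2")
    else:
        tier = "WPA2 (most secure)"

    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP cipher enabled; use CCMP (AES) only")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled; it is exploitable, turn it off")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("no MAC allowlist (network lock) in force")
    if "WPA-EAP" in conf.get("wpa_key_mgmt", "") and "auth_server_addr" not in conf:
        findings.append("Enterprise mode selected but no RADIUS server configured")
    return tier, findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        tier, findings = audit(parse_conf(text))
        print(f"{name}: {tier}")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the weak configuration graded as WEP with five findings and the hardened one graded as WPA2 with none; point parse_conf at your own AP's exported settings to audit it the same way.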
Authentication Methods
When setting up a wireless network, you are extending a wired network to a wireless one. Therefore, you must consider how users will authenticate to the wireless network. Below are the ways you can do just that.
Single-Factor
Single-factor authentication is a weak form of authentication. It's based on only one of the following factors:
Something you know
Something you have
Something you are
Something you do
Setting up a wireless network based on a pre-shared key or password limits you to a single authentication factor that is shared by everyone who accesses the Wi-Fi.
The Wi-Fi password must be shared because there is only one correct value for it. This creates a huge gaping hole in your wireless security.
Multifactor
MFA (Multifactor Authentication) is desirable for a higher level of wireless security.
MFA requires two or more single-factor authentication methods to be used to secure the wireless network.
A common multifactor authentication implementation is the Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) protocol.
EAP-TLS requires that a digital certificate be installed in the OS, along with a matching password for the computer, before a user can gain access to a wireless network.
Digital Certificate + The Correct Password → MFA
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a common centralized authentication system for users and computer network systems.
It's commonly used nowadays for authentication of virtual private networks (VPNs), wireless systems, and any network system that requires a common centralized authentication system.
RADIUS encrypts only the password in the Access-Request packet; the rest of the packet, such as the username, is sent in cleartext.
RADIUS operates as a client-server protocol.
RADIUS Server controls authentication, authorization, and accounting (AAA).
RADIUS Client can be wireless access points, a VPN, or wired switches.
The RADIUS client will then communicate with the RADIUS server via UDP/1812 for authentication and UDP/1813 for accounting.
With RADIUS and SSO configured, users on the network can provide their user credentials one time when they initially connect to the wireless access point or another RADIUS client and are then automatically authenticated to all of the network's resources.
TACACS
TACACS+ (Terminal Access Controller Access-Control System Plus)
Protocol developed by Cisco.
Mainly used for authentication of users on routers and switches to allow management access.
Primarily used for device administration.
Also used to authenticate users connecting to wireless access points against a centralized database.
Separates authentication and authorization
Encrypts the entire payload of the access-request packet
Declining in popularity and being replaced by RADIUS
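To make the contrast between "RADIUS encrypts only the password" and "TACACS+ encrypts the entire payload" concrete, here is an added Python example (not from the original notes and not any vendor's code). It implements the RFC 2865 User-Password hiding used in a RADIUS Access-Request on UDP/1812 and the RFC 8907 TACACS+ body obfuscation, then checks which credential fields are still readable in each packet's bytes. The shared secret, Request Authenticator, session ID, username, password and the TACACS+ body layout are constructed sample values.

```python
import hashlib
import struct
from typing import Dict

# Constructed sample value; a real deployment uses a long random shared secret.
SHARED_SECRET = b"example-shared-secret"


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with an MD5 keystream chained from the shared secret and Request Authenticator.
    Only this one attribute gets this treatment; everything else travels in the clear."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16          # an empty password still occupies one block
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                          # next block is keyed on the previous ciphertext block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body: bytes, session_id: int, key: bytes,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole packet body with the pseudo-pad; calling it again reverses it."""
    pad = tacacs_plus_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(username: bytes = b"alice", password: bytes = b"hunter2") -> Dict[str, bool]:
    """Which credential fields are readable in each protocol's packet bytes?"""
    authenticator = bytes(range(16))          # constructed, deterministic; real clients use random bytes
    radius_pkt = radius_access_request(7, username, password, SHARED_SECRET, authenticator)
    tacacs_body = b"user=" + username + b"\x00pass=" + password   # constructed stand-in for a body
    tacacs_pkt = tacacs_plus_obfuscate(tacacs_body, 0x1234ABCD, SHARED_SECRET)
    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tacacs_pkt,
        "tacacs_password_visible": password in tacacs_pkt,
    }


if __name__ == "__main__":
    for field, visible in compare_exposure().items():
        print(f"{field}: {visible}")
```

The RADIUS username is visible in the packet while the password is not; in the TACACS+ body neither is, which is the difference the notes describe. Both schemes depend entirely on the shared secret staying secret, which is why it should be long, random, and different per client.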