What do I have to do to secure a WiFi network? Are there any best practices?
I have been recommended to use WPA2 encryption on the router, is that enough? What can I do to improve the security even more? Is it recommended to only allow specific MAC-addresses, or isn’t that needed?
I have heard that if someone else set up a WiFi net with the same SSID and stronger signal strength, my computer will connect to that network instead of my own. What can I do to protect against that?
How to solve:
- I take it when you say WPA2 you mean WPA2-Personal. It is good enough in most cases at the moment as long as it's combined with a really good password. https://www.grc.com/passwords.htm is a good generator for them.
- Disable Wi-Fi Protected Setup (WPS). Otherwise, an attacker only needs to break an 8 digit PIN — and that is perfectly doable.
- Cloak your SSID. It won’t stop a determined attacker but will stop some of the script kiddie like attackers.
- Only allowing specific MAC addresses can be a good step to manage user access. But once again it won’t really slow down a determined attacker, as they can just see what MAC addresses are currently connected to wireless in plain text anyway.
- If possible a good tactic to reduce the chance of your WiFi being attacked is to position your wireless access point well so that the minimum amount of signal is broadcast outside of your building. That way the attacker needs to be closer to start the attack unless they have improved wireless antennas to grab from miles away.
Yes, people can broadcast a stronger signal to try and get you to connect to them instead of your actual desired access point using tools like Karma. I don’t know any specific ways to protect against this except not to allow any automatic associations; instead, each time you wish to connect to wireless, you should do it manually and verify you are connecting to the correct access point.
It depends on the network/environment. For SOHO wireless networks WPA 2 Personal with a strong pass-phrase used for the PSK should be sufficient.
For Enterprise networks or networks that deal with sensitive information the following controls should be used:
- WPA 2 Enterprise tied to IEEE 802.1X/EAP
- Wireless network segregated from internal network
- WIPS and log monitoring in place to detect/prevent local attacks
- Wireless clients that need internal access should have to connect via VPN
- Limit coverage to what is absolutely necessary through physical controls and/or manipulation of signal strength
I agree with all the points mentioned so far, and as both Mark Davidson and sdanelson have mentioned radio coverage I just wanted to slightly expand on this as there are a couple of areas:
Signal strength – generally you want to use the minimum signal strength possible in a particular area, so an attacker outside your site can’t gain access, but this can leave you open to an Evil Twin attack if a malicious access point copies your SSID and uses a much higher signal strength.
A solution is to think of your propagation paths – locating your access points around the outside of your site with antennae configured to be directional into your site will help a lot as you can increase the access point signal strength (so looking stronger to the clients) without propagating your signal so far outside the site.
A simpler, but more effective solution I have seen (which may be overkill for you – I have seen it used in a very sensitive establishment) is metal clad walls and ceiling with mesh in the windows – a wireless site survey of this site picked up zero RF leakage!
Security through Obscurity – in this case hiding SSID beacons – gives you a false sense of security. Your Access Point will still broadcast SSID, just not in the beacon frames. Many ordinary users will still be able to connect as drivers for many platforms will still identify the SSID, and all attackers will be able to find you as they normally would – try any of the tools on the Russix LiveCD and they will work quite happily with SSID broadcast disabled.
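The Evil Twin scenario above is what a WIPS looks for. As an added example (not part of the original answers), the Python below flags beacons that advertise a protected SSID from a BSSID, channel or security setting that is not in the site's inventory; the `Beacon` fields, the inventory and the scan records are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str    # as reported by the scanner, e.g. "WPA2-EAP" or "OPEN"
    signal_dbm: int

# Assumed inventory of our own access points: BSSID -> (SSID, channel, security).
KNOWN_APS = {
    "02:00:00:aa:00:01": ("corp-wifi", 1, "WPA2-EAP"),
    "02:00:00:aa:00:02": ("corp-wifi", 11, "WPA2-EAP"),
}
PROTECTED_SSIDS = {ssid for ssid, _, _ in KNOWN_APS.values()}

def find_rogues(scan):
    """Return (bssid, reason) for every beacon that imitates a protected SSID."""
    def legit(b):
        return KNOWN_APS.get(b.bssid.lower()) == (b.ssid, b.channel, b.security)
    # Strongest signal among beacons that match the inventory exactly.
    best_own = max((b.signal_dbm for b in scan if legit(b)), default=None)
    alerts = []
    for b in scan:
        if b.ssid not in PROTECTED_SSIDS or legit(b):
            continue
        known = KNOWN_APS.get(b.bssid.lower())
        if known is None:
            reason = "unknown BSSID advertising protected SSID"
            if best_own is not None and b.signal_dbm > best_own:
                reason += " (stronger than every known AP)"
        elif b.security != known[2]:
            reason = "known BSSID with different security settings"
        elif b.channel != known[1]:
            reason = "known BSSID on unexpected channel"
        else:
            reason = "known BSSID with unexpected SSID"
        alerts.append((b.bssid, reason))
    return alerts

# Constructed scan results for illustration.
SCAN = [
    Beacon("corp-wifi", "02:00:00:aa:00:01", 1, "WPA2-EAP", -62),
    Beacon("corp-wifi", "02:00:00:aa:00:02", 11, "WPA2-EAP", -70),
    Beacon("corp-wifi", "02:00:00:bb:00:99", 6, "OPEN", -40),
    Beacon("corp-wifi", "02:00:00:aa:00:02", 6, "WPA2-EAP", -48),
    Beacon("cafe-guest", "02:00:00:cc:00:10", 6, "OPEN", -55),
]

if __name__ == "__main__":
    for bssid, reason in find_rogues(SCAN):
        print(bssid, "->", reason)
```

A BSSID can be copied as easily as an SSID, which is why the check also compares channel and security settings rather than trusting the address alone.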
Just to throw this in here.
The single best “wireless” security model is to replace those wireless routers with regular CAT-5 wiring.
The next best item is to ensure all traffic between machines is secured using Kerberos in addition to the encryption provided by the wireless router. This can be done with group policy settings on Windows domains.
Whatever you do, don’t natively trust any machine that is able to authenticate against your router.
On the assumption that this is a Wireless Router for a Home or Small Business I would have to recommend the following:
As a general rule change anything that is default on the router including but not limited to the SSID, and the web interface.
You should use WPA2 with AES encryption only and a strong key with alphanumeric password containing more than 8 characters. You do not need a 63 character password to secure your home network.
Use Wireless MAC Filtering to only allow permitted wireless devices to connect to the network. This information is referred to as the physical address or the MAC address and can be found on a Windows machine by typing ipconfig /all from the command prompt.
If your wireless router supports it you should limit your range to within the confines of your property to reduce the area in which a hacker could position himself or herself.
Lastly hiding the SSID will do nothing in the way of protecting your network and will actually make it more susceptible to attacks. Furthermore anyone who is capable of cracking a strong WPA2 password is not going to be deterred by a hidden SSID. To learn more on this please take a look at the following article: http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/
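As an added example (not part of the original answers), the Python below shows how WPA2-Personal turns the passphrase into the 256-bit pairwise master key: PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt, which is why both a non-default SSID and a strong passphrase matter. The passphrases and SSIDs are constructed, and `max_entropy_bits` is a hypothetical helper that gives only an upper bound, assuming randomly chosen characters.

```python
import hashlib
import math
import string

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal pairwise master key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    # The SSID is the salt, so the same passphrase gives a different key per SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def max_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming each character was picked at random
    from the character classes that actually appear in the passphrase."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    phrase = "correct horse battery"          # constructed sample passphrase
    for ssid in ("linksys", "HomeNet-7f3a"):  # a common default vs. a unique SSID
        print(ssid, wpa2_pmk(phrase, ssid).hex())
    for candidate in ("abcdefgh", "aB3dE6gH9k", phrase):
        print(f"{candidate!r}: at most {max_entropy_bits(candidate):.1f} bits")
```

Because the salt is the SSID, key tables precomputed for common default SSIDs do not apply to a network with a unique name. Dictionary words and predictable patterns carry far less entropy than the bound suggests.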
Good defense is layered, so there won’t be one guide to rule them all. For wireless in particular, you might want to take a look at DISA’s implementation guides. You’ll want to include other technologies for endpoint authentication, etc., but this is a good start.
Or, you could just run a drop and eliminate a lot of these issues.
If you are willing to run your own AP software (which will most likely mean hostapd), you can set up password-based EAP.
You can then have one password per MAC you know about, and a default password you rotate frequently otherwise.
Personally, I think that’s a reasonable alternative to MAC filtering, but you could implement both.
It isn’t as strong as a properly layered approach, but for SOHO and the mildly concerned, reasonable (I used a Pi3 for this).
I would definitely recommend making a VPN mandatory for anything significant (i.e. anything more than browsing public websites) if that is a concern.