Using AuthAnvil with RADIUS
None of these things are not like the others. Each of them is an oxymoron.
So, you’re thinking of setting up a wireless network for your business? I could try to convince you that it’s not a good idea, but I’m sure it’s something you feel you need, so how about I provide you with some handy tips to help secure the process?
Why is running a wireless network for your business risky?
Think of it this way. If you wanted the information stored inside a well-fortified vault, and that vault happened to have a window, would you try to go through the wall to get the information, or would you just go through the window? Walls can be reinforced and shielded, while a window can only go so far to protect your information. Wireless in this case is the window and, unless you want to spend a lot of money Wi-Fi-proofing your workplace so no signal escapes, all the information transferred across your wireless network is just floating around for anyone to monitor.
But I don’t broadcast my SSID/Filter by MAC address/Have a Wi-Fi Password!
Whoa… one at a time.
Not broadcasting your SSID is completely ineffective as a means of security. Anyone with an understanding of how Wi-Fi communications work can easily sniff packets to find your “secret” SSID. Your wireless devices are literally broadcasting that information every few moments to make sure the server is still there. It can actually be riskier to not broadcast your SSID because, without mentioning a few of the troublesome technical reasons, it can mark you as someone with weak security practices who also wants their information to be secure.
Filtering by MAC address is also a weak method of securing your systems. Again, all messages sent from the computers to the source of the Wi-Fi effectively contain that information. The attacker just has to sniff the packets, copy the MAC address down, and emulate it to impersonate that computer and gain access.
Strong Wi-Fi passwords are a good thing, but they’re hardly adequate when it comes to securing the valuable information your company handles. All one has to do to get that password is capture the “handshake” between the router and a device that has the password. There are a lot of ways to do this; however, the easiest would be waiting for someone to start their computer for the day and monitoring the packets as the computer connects to the network. Again, I’m not going to go into the details, but if someone manages to intercept the full handshake… Let’s just say that the address may as well be public.
Really, there’s no such thing as secure wireless, but if you still want or need to set a wireless network up at your workplace, then here are a few rules of thumb that can, at the very least, mitigate the risk.
Rules of Thumb
- If it wouldn’t be okay to publicly mention the information, then don’t access it via Wi-Fi.
- If you only need the Wi-Fi for internet access, consider setting up the wireless connection on the outside of any internal security network.
- Wireless routers generally have a number of features you’ll never need. If you don’t need it, then it’s likely safer to just turn it off.
- Never trust the default settings. Change every setting you understand well enough to change. Give it a new SSID, password, admin username and password, disable “wireless web access” if at all possible… Just change as much as you can.
- Finally, if at all possible, use a RADIUS capable server. Bonus points if you integrate some sort of Multi-Factor Authentication as a login requirement.
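The points above can be checked mechanically. The following is an added example, not code from the article or from AuthAnvil: it audits an access point configuration for a default SSID, a hidden SSID, MAC filtering, and a shared passphrase used in place of RADIUS. It assumes hostapd-style `key=value` settings, which the article does not name; both sample configurations, the SSID list, and the address 192.0.2.10 are constructed.

```python
# Added example: audit hostapd-style settings against the rules of thumb above.
# Assumption: hostapd config keys. Both configs are constructed excerpts.
WEAK_CONF = """\
ssid=linksys
ignore_broadcast_ssid=1
macaddr_acl=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-sample-passphrase
"""
HARDENED_CONF = """\
ssid=corp-wlan-example
ignore_broadcast_ssid=0
macaddr_acl=0
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-SECRET
"""
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # illustrative, not exhaustive

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (rule_id, message) findings for settings the article warns about."""
    findings = []
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("default-ssid", "SSID looks like a vendor default; rename it"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("hidden-ssid", "hidden SSID is not a security control"))
    if conf.get("macaddr_acl", "0") != "0":
        findings.append(("mac-filter", "MAC filtering can be impersonated; do not rely on it"))
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt or "wpa_passphrase" in conf:
        findings.append(("psk", "shared passphrase in use; prefer WPA-EAP backed by RADIUS"))
    if "WPA-EAP" in key_mgmt and not conf.get("auth_server_addr"):
        findings.append(("no-radius", "WPA-EAP set but no RADIUS auth_server_addr"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"[{r}] {m}" for r, m in audit(parse_conf(WEAK_CONF))))
```

The hidden-SSID and MAC-filter findings are informational: they flag settings that should not be counted as protection, not settings that must be changed.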
In closing, let me just reiterate one recurring theme you will keep seeing in our articles. There’s no such thing as absolute security, and with wireless connections that’s just as, if not more, accurate. If you absolutely need a wireless connection in your workplace, then you should secure it as much as possible.