There’s a lot of information flying around your office via your wireless network. So, how can you make sure that you keep your network secure while maintaining the convenience of wireless access?
Security starts with where you put your hardware. You almost certainly will have a wireless access point, or router, in your office, which communicates with the computers using radio signals. Position this router so that the signal inside the office is optimal while radiation outside the building is minimal. This will prevent someone in the café across the road from sniffing your wireless signal.
One effective way to do this is to replace the antenna on your wireless router. Most routers have an omnidirectional antenna, which radiates signals all around. Instead, use a unidirectional antenna so you can confine the signal. Putting your router in a corner pointing across the office is a good way to maximize the signal all the way down the corridor while making it more difficult for Starbucks patrons to snoop.
Logical security is just as important, and this all happens from the administration page in your wireless router. This enables you to change your network settings, tweaking everything from performance to security on your wireless system.
Start by using your router’s admin page to encrypt your network communications, so that even if someone intercepts them, they won’t be understandable. If your router offers you “wired equivalent privacy” (WEP) encryption, ignore that option – its encryption has been broken successfully. Instead, look for “Wi-Fi protected access” (WPA or WPA2) encryption; WPA2 is better. If your router doesn’t support either of these formats, get one that does.
WPA and WPA2 encryption come with several modes. For small offices, you’ll probably use the WPA-PSK (personal) option, which lets everyone connect to the wireless network using the same password key. This is the most frequently used option for small networks used by fewer than 10 people.
For more employees or additional security, you can use the “enterprise” (EAP) option to stop the encryption password from being stored on employee devices when they access the network, requiring employees to sign in using their own usernames and passwords. This option is more complicated to set up, as it requires an additional computer to handle authentication.
– Protect the perimeter
There are plenty of other things you can do to protect your office’s network. A firewall is a must for solid network security. Many Wi-Fi routers feature basic firewall functionality, although you can buy relatively cheap dedicated firewalls with extra features. For true protection, explore the latter option.
Look for the ability to block multiple categories of objectionable web content (to prevent employees from visiting the wrong places online) and for advanced features, such as “stateful packet inspection,” which inspects all traffic travelling over your network in order to stop attackers trying to fool the computers on your network into giving up valuable information.
Some routers also will scan incoming and outgoing traffic for telltale signatures of an attack to block problems before they start. These routers can check for malware that can be downloaded inadvertently.
– Never the twain shall meet
If you get regular visitors to your office and want to give them Internet access, it’s best not to mix their Internet traffic with your own. Some wireless routers will allow you to configure two, separate wireless networks through the same router. One of these networks can be for guests, while the other can be purely for your office’s traffic. You may still want to protect the guest network with a password.
Protect your private network further by ensuring that only certain devices can connect. Each device that connects to your wireless network, whether it’s a laptop, tablet or smartphone, has a MAC address, which is a unique “name” that doesn’t change and identifies each device on your network. You can create a list of these names on the admin page for your router so that it will allow only certain devices to join the network.
That said, MAC addresses can be spoofed by hackers who know what they are doing. Add an extra layer of protection by configuring your “dynamic host configuration protocol” (DHCP). Although a MAC address identifies a device to your wireless router, the router then needs to give the device its own address on the network. DHCP is responsible for handing out these addresses.
Think of your wireless router as the train station and the DHCP as a train to the Internet. Whenever a computer wants to get to the Internet, DHCP gives that computer a seat on the train. Generally, DHCP just keeps assigning seats on request, whenever a device asks to be connected.
However, you can set DHCP to allow only a certain number of people on board – meaning that once the seats are full, no one else is allowed on. Set your DHCP to the number of employees in your office to make joining your network and snooping around even more difficult for an intruder.
Properly configuring DHCP prevents too many people from getting on the train, while an authorized list of MAC addresses means that the people who do board need to present their ID and have it match the list. Encrypting your wireless network means that devices also need a ticket to open the entry gate to the station platform. Even with all of these measures, a determined hacker could find a way onto the train – but would have to try an awful lot harder.
– Hiding in plain sight
Make accessing your network even more difficult by hiding the station. By default, most wireless routers will broadcast a “service set identifier” (SSID). This is the name of your network. You can turn off this broadcast, so that people can find your wireless network only by typing its name manually into a mobile device. For extra protection, choose an obscure name. Never use a default one – and don’t use obvious ones either, because they make it easier for hackers to try to crack your network passwords. (You can find a list of the most commonly used SSIDs at www.wigle.net/gps/gps/main/ssidstats.)
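Why a common network name weakens a WPA/WPA2 personal password, shown as an added example that is not part of the original article: in PSK mode the encryption key is derived from the passphrase with the SSID as the salt (PBKDF2-HMAC-SHA1, 4,096 rounds, 256-bit output), so tables precomputed for popular SSIDs are useless against a unique one. The passphrase, the network names and the short list of default names below are constructed for illustration.

```python
import hashlib

# Small constructed sample of factory-default network names (an assumption for
# this example; not taken from the article or from the wigle.net list).
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "home", "wireless"}


def derive_psk(passphrase, ssid):
    """WPA/WPA2-PSK key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def keys_for_ssids(passphrase, ssids):
    """Derive the key the same passphrase produces under each network name."""
    return {ssid: derive_psk(passphrase, ssid).hex() for ssid in ssids}


def ssid_findings(ssid):
    """Flag names that are shared with many other networks."""
    findings = []
    if ssid.strip().lower() in COMMON_SSIDS:
        findings.append(
            "'%s' is a common default name: keys precomputed for it by anyone "
            "apply to this network too" % ssid
        )
    return findings


if __name__ == "__main__":
    # Same constructed passphrase, three network names: three unrelated keys.
    for name, key in keys_for_ssids("correct horse battery", ["linksys", "default", "Q7-annex-41"]).items():
        print("%-12s %s  %s" % (name, key[:16] + "...", ssid_findings(name) or "ok"))
```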
– Other measures
Always upgrade your router’s firmware, which is the software that it runs on. Generally, the router will update itself over the Internet but usually will want your permission to do so. This requires you to log into the admin page periodically.
And, talking of the admin page, make sure that you always change the default username and password. Otherwise, it will be relatively easy for anyone to access your wireless network, log in as an administrator and change everything. Once you’ve done that, make sure that you disable “remote router configuration” so that no one can try to log into your admin page remotely via the Internet.
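The settings covered in this article can be checked together. The sketch below is an added example, not from the original article: it audits a weak and a hardened configuration against the recommendations above, including the DHCP pool size against office headcount. The setting names, addresses and MAC values are hypothetical and constructed; a real router exposes these options under its own labels.

```python
import ipaddress

# Constructed settings for illustration; the key names are hypothetical and do
# not match any particular router's export format.
WEAK = {
    "encryption": "WEP", "ssid_broadcast": True, "default_admin_login": True,
    "remote_admin": True, "guest_on_separate_network": False,
    "mac_allowlist": [], "firmware_update_pending": True,
    "dhcp_start": "192.168.1.2", "dhcp_end": "192.168.1.254",
}
HARDENED = {
    "encryption": "WPA2-PSK", "ssid_broadcast": False, "default_admin_login": False,
    "remote_admin": False, "guest_on_separate_network": True,
    "mac_allowlist": ["02:00:00:00:00:01", "02:00:00:00:00:02"],
    "firmware_update_pending": False,
    "dhcp_start": "192.168.1.10", "dhcp_end": "192.168.1.11",
}


def dhcp_pool_size(cfg):
    """Number of addresses the router will hand out (inclusive range)."""
    start = ipaddress.IPv4Address(cfg["dhcp_start"])
    end = ipaddress.IPv4Address(cfg["dhcp_end"])
    if end < start:
        raise ValueError("DHCP range end is below its start")
    return int(end) - int(start) + 1


def audit(cfg, headcount):
    """Return the article's recommendations that this configuration misses."""
    findings = []
    mode = cfg["encryption"].upper()
    if not mode.startswith("WPA"):
        findings.append("encryption: use WPA2 instead of " + cfg["encryption"])
    elif not mode.startswith("WPA2"):
        findings.append("encryption: WPA works, WPA2 is better")
    flags = [("default_admin_login", True, "admin page: change the default username and password"),
             ("remote_admin", True, "admin page: disable remote router configuration"),
             ("guest_on_separate_network", False, "guests: give visitors their own wireless network"),
             ("ssid_broadcast", True, "SSID: turn off the broadcast"),
             ("firmware_update_pending", True, "firmware: install the pending update")]
    findings += [msg for key, bad, msg in flags if cfg[key] is bad]
    if not cfg["mac_allowlist"]:
        findings.append("MAC filter: list the devices allowed to join")
    pool = dhcp_pool_size(cfg)
    if pool > headcount:
        findings.append("DHCP: pool of %d exceeds headcount of %d" % (pool, headcount))
    return findings
```

Calling `audit(WEAK, 2)` lists every missed recommendation, while `audit(HARDENED, 2)` returns an empty list.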
© 2013 Investment Executive. All rights reserved.