Dan Vassallo

By now, your institution is probably wireless in some capacity, or at least heading in that direction. Management wanted to work from anywhere with laptops, auditors wanted to access the Internet, or your board members wanted to access their meeting materials on tablets. Whichever the case, you’re there.

Now, you want to protect your wireless network, perhaps because you saw our presentation at BankWorld. You saw that someone can be sitting in your parking lot or down the street, trying to crack your encryption code, sniff your network traffic and hijack information from your network. You saw that free tools available for download (as long as you know where to find them) can help someone accomplish the task from beginning to end. While no network, wired or wireless, is completely impenetrable, here are five ways to help ensure that your wireless network is only accessible to the right people.

Use strong passwords. This may seem obvious, but it’s the primary line of defense between your network and the outside world. Since attackers may use dictionary and brute force attacks to find their way into your network, a complex, lengthy password serves as a good, preliminary deterrent. We recommend passwords of twenty (yes, 20) or more characters, including numbers and symbols. After all, your end-users only have to enter the password one time.

Don’t use WEP. Wired Equivalent Privacy (WEP) is an outdated, compromised security algorithm. Though the use of WEP has been discouraged since 2004, a large proportion of wireless networks still use it. While not completely bulletproof, WPA2 is currently considered the standard encryption algorithm. Luckily, most commercial-grade wireless routers will default to WPA2 encryption.

Disable unused services. Wireless routers and access points have many services, features and protocols that your institution may not necessarily need. If turned on, these features could represent additional attack vectors for hackers to exploit, which ultimately expose your institution to unnecessary risk. Where possible, we recommend disabling services such as broadcasting, ICMP (ping) requests, WAN management and universal plug and play (UPnP).

Implement a wireless intrusion detection system (WIDS). Depending on the sophistication of the tool you use, your WIDS should be able to detect all access points that allow a user to connect to your wireless network. Particularly in larger organizations, there is the possibility of an employee setting up a poorly configured access point or a rogue access point with substandard security settings. An effective WIDS can also detect and analyze packets being sent to your wireless access points and kick a user sending suspicious traffic off the network.

Test regularly. Periodically review the strength of the security controls you previously put in place. Use available security tools or a third party to put your security infrastructure to the test. Will your wireless access points be able to withstand a denial of service attack? Are there any hardware or software vulnerabilities that will allow someone to bypass your security architecture? Are the configurations in place consistent and appropriate? Testing will be able to answer these questions and assure you that your network is appropriately protected against wireless attacks.
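An added example (not part of the original article): a Python check that compares a wireless survey against an inventory of authorized access points and flags the issues described above, namely encryption other than WPA2, unused services left on, and access points missing from the inventory, plus a passphrase check against the 20-character recommendation. The data layout, service key names, SSIDs and BSSIDs are constructed assumptions.

```python
# Service names follow the article's list; the dictionary keys are assumptions.
RISKY_SERVICES = {"broadcasting", "icmp_ping", "wan_management", "upnp"}
MIN_PASSPHRASE_LEN = 20  # the article's recommended minimum

def passphrase_findings(candidate):
    """Check a candidate passphrase for length, numbers and symbols."""
    findings = []
    if len(candidate) < MIN_PASSPHRASE_LEN:
        findings.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    if not any(c.isdigit() for c in candidate):
        findings.append("no numbers")
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        findings.append("no symbols")
    return findings

def audit(observed_aps, authorized):
    """Return {bssid: [findings]} for each AP seen advertising one of our SSIDs."""
    our_ssids = {cfg["ssid"] for cfg in authorized.values()}
    report = {}
    for ap in observed_aps:
        if ap["ssid"] not in our_ssids:
            continue  # a neighbour's network, out of scope
        bssid = ap["bssid"].lower()
        findings = []
        cfg = authorized.get(bssid)
        if cfg is None:
            findings.append("not in the authorized inventory (possible rogue AP)")
        else:
            for svc in sorted(RISKY_SERVICES & set(cfg["services"])):
                findings.append(f"unused service enabled: {svc}")
        if ap["encryption"].upper() != "WPA2":  # WPA2 is the standard the article names
            findings.append(f"encryption is {ap['encryption']}, expected WPA2")
        if findings:
            report[bssid] = findings
    return report

# Constructed sample data, not taken from a real network.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "ExampleBank", "services": []},
    "00:11:22:33:44:02": {"ssid": "ExampleBank", "services": ["upnp", "wan_management"]},
}
OBSERVED = [
    {"ssid": "ExampleBank", "bssid": "00:11:22:33:44:01", "encryption": "WPA2"},
    {"ssid": "ExampleBank", "bssid": "00:11:22:33:44:02", "encryption": "WEP"},
    {"ssid": "ExampleBank", "bssid": "DE:AD:BE:EF:00:99", "encryption": "Open"},
    {"ssid": "CoffeeShop", "bssid": "AA:BB:CC:00:00:01", "encryption": "WEP"},
]
REPORT = audit(OBSERVED, AUTHORIZED)
```

Run against the sample data, the report flags the second authorized access point for WEP and two enabled services, and the unknown BSSID as a possible rogue; the neighbouring network is ignored.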

Every point of entry into your network represents a potential vulnerability, and wireless access points are no different. They allow enhanced opportunities to utilize your network and the data on it, but they also put the network at risk if the proper security measures are not in place. Taking these five steps is not a panacea, but it can go a long way toward making sure that your wireless network is only accessed by those who are authorized to do so.

Dan Vassallo is a senior associate at GraVoc Associates, a security and technology consulting firm in Peabody.

 

Five Steps To Protect Your Wireless Network

by Banker & Tradesman