Wireless Network Security: More Achievable Than You Might Think
WiFi has well and truly changed the world. It’s enabled the tech-focused, always connected world we live in – for better and for worse. WiFi is incredibly liberating – think how restricted you would be if you had to plug an Ethernet cable into your phone in order to idly check your emails. But any kind of connectivity comes with a security trade-off.
It’s the shadier elements that keep some organisations; especially in sensitive fields like finance and healthcare; from embracing wireless connectivity in all of its convenient glory. Yes, even in 2021, there are companies out there who are holding off on using WiFi due to security concerns.
As we’ve discussed on the blog before now, WiFi security worries are numerous and ever-present. But is kicking the WiFi can down the road really a future-focused solution for the 2020s and beyond?
We’d say “no”.
Especially given the WiFi security solutions that are currently available – and improving every day. But let’s start from the top.
Well-Founded WiFi Worries
Some businesses, especially those that handle sensitive data or those with strict regulatory concerns, are rightly worried about implementing WiFi within their premises.
It’s totally understandable. After all, it’s far easier to define and corral a purely wired network – to know who’s connected and how at all times. Don’t want a device on your network? Simple – don’t plug it in. Yet WiFi relies on indiscernible frequencies floating about within your airspace, so you’d think it would be much harder to control – never mind secure.
And to an extent, that’s true. However, great strides have been made in making WiFi networks just as secure as wired ones. But before we discuss how modern wireless network security tools work, let’s explore a few wireless woes that might keep highly regulated organisations up at night:
- Evil Twin/Rogue Access Points– These are nearby wireless access points (APs) that aren’t connected to your network but they’ve been configured to look like they are. This can be as simple as broadcasting the same wireless network ID (SSID) as one of your official, authorised APs, but MAC address (a hardware ID) spoofing is also possible. The criminals’ aim here is to confuse end users into connecting to the dupe AP and harvesting whatever sensitive data flows through. It’s sometimes called a “honeypot” attack – you may also see the related term “client misassociation”.
- Misconfigured Access Points – These are misconfigured wireless access points that are connected to your network. They may have been introduced innocently by a non-IT-savvy member of your team or maliciously to serve as a backdoor into your network. They might have even been left poorly configured by an overworked IT technician. Regardless of how the AP gets misconfigured, it still poses a threat.
- Neighbour Access Points – You don’t want to begrudge your neighbours their own wireless connectivity, but it becomes a problem when your authorised devices are connecting to their free or guest WiFi – perhaps in order to do something that isn’t permitted on your network. The neighbour’s network may not have the same defences as yours, so when the user connects back to your network, there may be nasties lying in wait on their device to infect your network.
- Denial of Service Attack – A DoS attack is when a cybercriminal floods a network, device, or resource with bogus requests, rendering it slow, sluggish and unusable until the requests cease. Even then, devices that have been particularly overworked can suffer permanent damage.
- Unauthorised & Rogue Clients – This is when an unauthorised client (user device) connects to your wireless network somehow. If your security is weak or your guest WiFi provisions aren’t properly ringfenced, the general public may be able to gain access.
- Ad Hoc Peer to Peer Connections – It’s possible to set up an ad-hoc WiFi network between devices to share files and resources. However, this can be dangerous – if a company machine connects to an unauthorised machine with file-sharing privileges activated, an untold amount of data could be lost or stolen.
We’ve already explored some of these threats over on a previous blog post about WiFi security threats, so head there if you want more of a deep-dive.
The Solution: Wireless Intrusion Prevention Systems
So now we know some of the potential concerns of implementing WiFi, let’s investigate those modern WiFi security controls mentioned above. A Wireless Intrusion Prevention System (WIPS to its friends) can detect and block a number of WiFi threats, and make light work of the vulnerabilities listed above.
WIPSs work by monitoring the radio airspace that your wireless network covers, which enables it to block out or shut down unauthorised or potentially dangerous activity. Depending on the particular solution in question, WIPSs can classify connected devices, catalogue their unique usage fingerprint, and automatically halt connection to or from unauthorised hardware.
Because WIPSs come under the umbrella of Intrusion Prevention Systems (IPSs), this means that the system can actively, intelligently take action against threats, not just raise an alert that can easily be missed or ignored. There are numerous ways to implement WIPSs, but for companies who are seriously concerned about WiFi security, the most watertight option is an “overlay” system. This is where you install wireless access points as normal to cover all areas where WiFi is needed, but you also install WIPS sensor hardware to cover the same area. As the regular access points do their thing, the WIPS sensors will monitor the airwaves for anything untoward.
Just Firewalls Case Study: One WatchGuard WIPS Win
One of our clients – a large, esteemed financial services organisation – had been putting off installing WiFi due to the perceived dangers; particularly the sorts of attacks described above. A cyber incident could wither public trust in their brand, leave them in hot water with GDPR, and affect their FCA compliance. All worthy worries for such an eminent company.
After much convincing, we showed them just how effective WatchGuard’s WIPS systems are – and they were hooked! We happily installed WatchGuard’s WIPS-enabled access points and they were chuffed to bits.
But the story doesn’t end there. Due to FCA regulations, after such a significant network change, they needed to get their network re-tested by a CREST-certified penetration tester. That CREST certification is an important factor – these folks operate in line with the highest technical and ethical standards out there.
So, they did. And their CREST pentester said that the WatchGuard wireless network setup we had provided was the most secure WiFi they had ever seen in their career! We could say that the high praise was “unbelievable”, but we know that WatchGuard’s WIPS systems and hardware are just that good. But we’ll happily take a bit of the credit!
We also offer Penetration Testing, contact us to find out more.
Just Firewalls’s Favourite WIPS Pick: Yes, It’s Still WatchGuard!
We’ve discussed wireless security a few times on this blog, and WatchGuard’s WIPS solutions always come out on top.
Even the cheapest WatchGuard wireless access point – the AP125 – features enviable WIPS functionality. Though it can be used as a normal WiFi access point, this nimble and affordable indoor unit can also serve as an overlay WIPS sensor to inspect all of your in-range wireless connectivity. Its powerful dual-band WIPS scanning hardware will keep you protected from wireless threats 24/7.
If you already use WiFi, you can still get the WIPS security benefits of the WatchGuard AP range without ripping and replacing the hardware you already use. They’ll work happily in sensor mode alongside hardware from other manufacturers, providing the same unparalleled security we’ve come to rely on from WatchGuard.
Opening a new satellite office doesn’t mean you have to shell out for a wireless AP and a WIPS sensor. Any of the AP range hardware can work in an “integrated” mode that both serves your WiFi connectivity and keeps your airwaves safe. Or maybe you need something with a little more heft? The AP225W can easily serve “a building full of demanding Wi-Fi users” – WatchGuard’s words, not ours!
Ready to get started? Choose your access point, and pair with the service bundle of your choice. Word to the wise: Secure Wi-Fi packages provide “just the WIPS” whereas Total Wi-Fi provides complete WIPS, analytics, and guest data reporting.
Not sure what to pick? Just give our friendly technicians a call on 0808 1644414 and we’ll help you discover the best bundle for your exact needs.