Lock down your Wi-Fi network: 8 tips for small businesses

By default, Wi-Fi is not secure. But these best practices will help you lock down and encrypt your company's wireless connections.

By Eric Geier, PC World | Security

Wi-Fi gives us freedom from wires, but it's not secure by default. Data is transmitted through the air, and anyone nearby can easily capture it with the right tools. As discussed below, whether you have your own Wi-Fi network or use someone else's, employing security measures is necessary to protect company files, online accounts, and user privacy.

Why Protect Your Wi-Fi Network?

By default, Wi-Fi routers and access points aren't secure when you purchase them. Unless you enable encryption, people nearby can easily connect to your network. At best, they just use the free wireless Internet for browsing and downloading, possibly slowing down your connections. However, if they wanted to, they could possibly access your PCs and files. They also could easily capture your passwords or hijack your accounts for websites and services that don't use SSL encryption, such as some Web-based email clients, Facebook, and Twitter.

If your Internet service provider (ISP) set up your Wi-Fi, it likely enabled encryption. This version of encryption, however, may be an older security option that's now easily breakable: Wired Equivalent Privacy (WEP).

Why protect your connections on other Wi-Fi networks? When you connect to outside networks, such as hotspots in coffee shops, airports, and other public places, the connection is almost always insecure. Eavesdroppers don't even have to connect to the Wi-Fi hotspot to capture your traffic. And as with using any other unencrypted Wi-Fi network, they could possibly get hold of your passwords or hijack your online accounts.

To check the security status of your Wi-Fi--and raise its security level as needed--follow these best practices.

1. Choose the Right Wi-Fi Security Options

You can use any of several separate protocols that provide different levels of security: WEP, WPA, and WPA2. You see these options when enabling or changing the wireless security on your wireless router or access points (APs). Depending upon your device, you may have to select WPA first to see the WPA2 option.

WEP is easily breakable and protects you only from casual Wi-Fi users. Wi-Fi Protected Access (WPA) has two versions: the first is simply WPA, for a reasonable level of protection, and the second is WPA2, which provides the best protection to date. To confuse you even more, you can implement both WPA and WPA2 in two very different modes: Personal, aka Pre-Shared Key (PSK), and Enterprise (802.1X, RADIUS, or EAP). Most wireless routers and APs support both modes, which you'll see listed in the wireless settings.

The Personal mode of WPA/WPA2 is easier to set up, but is subject to brute-force dictionary cracking. This means that someone could potentially come up with your encryption passphrase by running software that repeatedly tries to guess it from a dictionary of common words, passwords, and combinations. However, this isn't a big issue if you create a long and strong passphrase when setting up the encryption, using no words or phrases that might be in a dictionary.
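As an added illustration of the passphrase advice above (not code from the original article), this Python sketch audits a candidate WPA/WPA2-Personal passphrase and generates a random one that passes the same audit. The sample wordlist, the 20-character minimum, and the SSID `AcmeWiFi` are assumptions made for this example.

```python
import math
import secrets
import string

# Constructed sample wordlist; a real audit would load a large dictionary file.
COMMON_WORDS = {"password", "welcome", "coffee", "office", "wireless", "qwerty"}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type
MIN_POLICY_LEN = 20  # assumption for this example, not a figure from the article


def audit_passphrase(passphrase, ssid, words=COMMON_WORDS):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    # WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        findings.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("contains non-printable or non-ASCII characters")
    if len(passphrase) < MIN_POLICY_LEN:
        findings.append(f"shorter than {MIN_POLICY_LEN} characters")
    lowered = passphrase.lower()
    hits = sorted(w for w in words if w in lowered)
    if hits:
        findings.append("contains dictionary words: " + ", ".join(hits))
    if ssid and ssid.lower() in lowered:
        findings.append("contains the network name (SSID)")
    return findings


def generate_passphrase(ssid, length=24):
    """Draw random passphrases with a CSPRNG until one passes the audit."""
    if not MIN_POLICY_LEN <= length <= 63:
        raise ValueError(f"length must be {MIN_POLICY_LEN}-63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_passphrase(candidate, ssid):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy, in bits, of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("coffee2012", "AcmeWiFi-Welcome1", generate_passphrase("AcmeWiFi")):
        print(repr(pw), audit_passphrase(pw, ssid="AcmeWiFi"))
    print(f"24 random characters: about {entropy_bits(24):.0f} bits")
```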

The Personal mode, though, is not suitable if your organization has more than a couple of Wi-Fi users. In this mode, all computers and devices connecting to the network are set with the same encryption passphrase, which creates issues when employees leave the company or a device becomes lost. You'd want to change the passphrase when such occasions arise--but that means you must change it on all access points and every Wi-Fi device.

The Enterprise mode of WPA/WPA2 is much more complex to set up and requires a server, but it provides better security for organizations. Along with the security itself being stronger, this mode provides each Wi-Fi user with their own username and password for logging onto the Wi-Fi instead of a global passphrase. This means that if an employee leaves the company or their device is stolen, you just have to change their password on the server.

The Enterprise mode also prevents users on your network from snooping on each other's traffic, capturing passwords, or hijacking accounts, since the encryption keys (exchanged in the background) are unique to each user session.


Originally published on PC World.

Eric Geier is a freelance tech writer; become a Twitter follower to keep up with his writings. He's also the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with Enterprise (802.1X) security.
