Secure your Wi-Fi network at work and at home. Here’s how
Whether it’s just you, your router, and a PC at home, or a small business network, you must protect it, or you will be hacked.
Securing your Wi-Fi network, whether at home, in a business, or within a distributed workforce, is a non-negotiable aspect of modern IT operations. Neglecting wireless security exposes not just endpoints but the entire network fabric to compromise.
Take, for example, a small business network administrator who doesn’t take security seriously because he dismisses the likelihood of being targeted. When performance degrades, he runs a network traffic analysis with Wireshark, my preferred network traffic analyzer, and it reveals Internet Relay Chat (IRC) traffic that nobody had noticed. That is a classic sign of a botnet infection; in this case, it proved to be Phorpiex malware. Attack vectors such as phishing messages easily bypass lax security, which underscores the need for robust, layered defenses.
Now, you may say, isn’t that an anti-virus issue, not network security? Yes and no. True, top antivirus programs such as Norton Antivirus, Bitdefender, and Malwarebytes are great for removing malware from home, home office, or small businesses once it has infected your machines.
Bigger businesses, however, need more serious malware and network protections. Here I recommend high-end network security solutions such as Unified Threat Management (UTM) appliances and Next-Generation Firewalls (NGFW), among them Fortinet FortiGate, Palo Alto Networks NGFW, and Check Point Quantum Security Gateway, or Endpoint Detection and Response (EDR) programs like CrowdStrike Falcon. These can stop most common malware programs in their tracks.
Mea culpa, those are sophisticated and costly network security programs, but they’re still dirt cheap if they can keep your network free of ransomware. Don’t believe me? Just ask UnitedHealth, whose ransomware costs are north of two billion dollars.
For most of us, simply practicing network security basics will be enough to keep us safe from the usual Wi-Fi network concerns. Let’s begin, shall we?
Basic Network Security
Use Strong Encryption: Enable WPA3 Personal encryption on your network. It’s the safest protocol currently available. If WPA3 isn’t an option, use WPA2-PSK (AES) as a fallback.
If you want the maximum security from WPA3, you’ll need WPA3 Enterprise, which offers a 192-bit security mode. Since WPA3 Enterprise relies on the 802.1X authentication framework, you must run a RADIUS server to authenticate users and devices securely.
If your router doesn’t support those, but only older standards such as WEP and WPA, you must get a new router. Cracking either of those is trivial. Whatever you do, avoid running or using a network without encryption. If you do, all traffic is potentially open to eavesdropping.
Change Default Credentials: Immediately change your router’s default administrator username and password. It’s easy to look up their defaults. Why leave an obvious door open for a would-be attacker to get easy access to your network settings?
Use a Strong Wi-Fi Password: Create a unique, complex password for both your administrative account and your Wi-Fi network. I prefer to use a long passphrase with at least 16 characters. Don’t reuse this password elsewhere.
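As an added example (not from the article), here is a small Python audit of an access point configuration written in hostapd.conf syntax. It flags the weak settings the encryption and passphrase advice above warns about: WEP, WPA1, the TKIP cipher, WPA3 without protected management frames, and passphrases shorter than 16 characters. The hostapd key names are real; both sample configurations are constructed.

```python
"""Audit an access-point config in hostapd.conf syntax for weak Wi-Fi settings.
Added example, not from the article; hostapd key names (wpa, wpa_key_mgmt,
wpa_pairwise, rsn_pairwise, ieee80211w, wep_key0) are real, samples are made up."""

# Constructed sample: a legacy router left close to its defaults.
WEAK_CONF = """\
ssid=Linksys-Default
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password1
"""

# Constructed sample: WPA3-Personal (SAE) with protected management frames.
HARDENED_CONF = """\
ssid=kestrel-office
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=correct-horse-battery-staple-2024
"""

def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_wifi_conf(text: str) -> list:
    """Return findings as strings; an empty list means nothing weak was found."""
    c = parse_hostapd(text)
    wpa = c.get("wpa", "0")              # hostapd: 0=none, 1=WPA1, 2=WPA2/RSN, 3=both
    has_wep = any(k.startswith("wep_key") for k in c)
    ciphers = (c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split()
    mgmt = c.get("wpa_key_mgmt", "WPA-PSK").split()
    passphrase = c.get("sae_password") or c.get("wpa_passphrase") or ""
    checks = [
        (has_wep, "WEP key configured: WEP is trivially crackable"),
        (wpa == "0" and not has_wep, "no encryption: all traffic is open to eavesdropping"),
        (wpa in ("1", "3"), "WPA1 enabled: allow WPA2-PSK (AES) or WPA3 only"),
        ("TKIP" in ciphers, "TKIP allowed: restrict the pairwise cipher to CCMP (AES)"),
        ("SAE" not in mgmt, "WPA3 (SAE) not enabled: WPA2-PSK (AES) is only a fallback"),
        ("SAE" in mgmt and c.get("ieee80211w") != "2",
         "WPA3 without required management frame protection (ieee80211w=2)"),
        (len(passphrase) < 16, f"passphrase is {len(passphrase)} characters: use at least 16"),
    ]
    return [msg for failed, msg in checks if failed]
```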
Want to let friends and neighbors use your network? Set up a guest network for them with a different passphrase.
Rename Your SSID: Change the default network name, the Service Set Identifier (SSID), to a unique one that doesn’t reveal personal or business information or the router brand. Any of these gives a would-be hacker one more clue about how to break into your network. You can, if your router supports it, stop broadcasting the SSID altogether. However, this really doesn’t provide much additional security.
Wi-Fi sniffing and cracking tools such as Aircrack-ng and Kismet make it simple to find even hidden, “unnamed” access points. Once such a tool has found your network, breaking in is simple unless you’ve got strong encryption and a strong passphrase.
Keep Firmware Updated: Regularly check for and install firmware updates for your router to patch security vulnerabilities. I’m not fond of enabling automatic updates because some updates can go badly wrong. It’s rare, but I’ve seen routers bricked by bad firmware updates. Instead, I recommend setting your router to alert you when an upgrade is available and then wait to see how it went for other people before doing it myself. Let someone else be the guinea pig.
Enable your Router Firewall: Activate your router’s built-in firewall to block unwanted incoming traffic. If you’re concerned that this isn’t enough protection, consider using a separate firewall. Some entry-level firewalls to consider are the Fortinet FortiGate 40F, SonicWall TZ Series, and WatchGuard Firebox T20. If you’re an open-source fan, like I am, you can also run your own firewall software on a spare box with dual network cards. Here, I recommend pfSense, IPFire, and NG Firewall by Arista Networks.
Additionally, you should disable Universal Plug and Play (UPnP), and be aware that services like SSH can introduce security risks. Sure, I use SSH all the time, but then I’m using it to run my remote servers every day. Are you? No? If you’re not using a service, disable it and/or block it at the firewall.
Finally, stop using once-popular network protocols such as FTP, Telnet, and SNMPv1. They’re hopelessly insecure and out of date.
Disable Remote Management: Unless you have a contract with a remote network administrator, turn off remote administration features that allow access to your router’s settings from outside your local network.
Use Media Access Control (MAC) Address Filtering: Restrict network access to devices with specific MAC addresses. Don’t assume this is enough security. It’s not. MAC addresses can be spoofed.
Implement Two-Factor Authentication (2FA): If your router supports it, enable 2FA for administrative access to make it even harder for attackers to take control.
If you’re going to use 2FA, however, resist the temptation to rely on text messages. SMS hasn’t been safe for 2FA for some time now. Instead, use either a physical security key or an authenticator app such as Microsoft Authenticator or Google Authenticator. Either approach is much safer.
Deploy your own Virtual Private Network (VPN): If, like me, you’re out of your home/office a lot, you probably already use a VPN on your laptop and phone. But did you know many current routers support VPN hosting, so you can securely tunnel back into your home network? They do.
Interested? Look for routers that support VPN server mode. Unless you’re a networking pro, consider one of the Asus RT-AX58U, ExpressVPN Aircove, or Privacy Hero 2. These boast straightforward setup and management through built-in web interfaces.
Personally, my favorite VPN is NordVPN. Several routers, such as the Privacy Hero 2 and InvizBox 2, come ready to work with NordVPN.
Advanced Network Security
Deploy a Zero Trust Architecture (ZTA): With a ZTA, the name of the game is to “Never trust, always verify.” In short, with zero trust, all traffic is deemed hostile.
In practice, that means authenticating and authorizing every device, user, and network flow regardless of location. To do this, you’ll need to set identity and access management (IAM) policies, which are then enforced by a policy engine. You must also set up network segmentation.
Set Up Network Segmentation: With network segmentation, you divide your network into isolated zones to reduce the attack surface, limit lateral movement, and simplify policy enforcement. First, you must decide which virtual Local Area Network (VLAN), also known as a segment, each of your critical servers, sensitive data, user workstations, IoT devices, and guest networks should belong to.
That done, you’ll assign similar assets, say user computers, to logical zones. To implement this, you can use managed switches to define VLANs via 802.1Q tagging. You should also use routers or Layer 3 switches to route between VLANs and apply Access Control Lists (ACLs) to limit inter-zone communication. Finally, you should deploy firewalls between zones that are set to “deny by default,” blocking all traffic except that which is explicitly required.
For advanced environments, such as large campus networks, you’ll want to use microsegmentation tools, such as Cisco Secure Workload (formerly Cisco Tetration) or VMware NSX, which take the VLAN concept to the workload level.
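As an added example, not from the article, here is the deny-by-default inter-zone policy described above expressed as a small Python policy check: VLANs map to zones, a short explicit allow list covers the flows the business needs, and everything else, including lateral movement from the IoT or guest segments toward the servers, is denied. Zone names, VLAN IDs and rules are constructed and stand in for ACLs on a Layer 3 switch or zone firewall.

```python
"""Deny-by-default policy between VLAN zones, as in the segmentation advice
above. Added example, not from the article; VLAN IDs, zone names and rules
are constructed and stand in for ACLs on a Layer 3 switch or zone firewall."""
from dataclasses import dataclass

# Constructed 802.1Q VLAN ID -> zone map.
VLAN_ZONES = {10: "servers", 20: "workstations", 30: "iot", 40: "guest"}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    comment: str = ""

# Explicit allow list; every inter-zone flow not listed here is denied.
ALLOW_RULES = [
    Rule("workstations", "servers", "tcp", 443, "users reach internal web apps"),
    Rule("workstations", "servers", "tcp", 445, "users reach file shares"),
    Rule("iot", "servers", "udp", 123, "IoT devices may only sync time (NTP)"),
]

@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: int
    proto: str
    dst_port: int

def zone_of(vlan: int) -> str:
    """Unknown VLANs map to 'unknown', which matches no allow rule."""
    return VLAN_ZONES.get(vlan, "unknown")

def evaluate(flow: Flow) -> tuple:
    """Return ('allow' | 'deny', reason). Deny is the default outcome."""
    src, dst = zone_of(flow.src_vlan), zone_of(flow.dst_vlan)
    if src == dst != "unknown":
        return "allow", f"same zone ({src}); switched, never crosses the firewall"
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) == \
                (src, dst, flow.proto, flow.dst_port):
            return "allow", rule.comment
    return "deny", f"no rule for {src} -> {dst} {flow.proto}/{flow.dst_port}"

def denied_flows(flows: list) -> list:
    """Filter a batch of observed flows down to the ones the policy blocks."""
    return [f for f in flows if evaluate(f)[0] == "deny"]
```

The denied list is what you would feed to your SIEM: a denied flow from the IoT zone toward a server is exactly the lateral movement segmentation exists to expose.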
Implement AI-enabled Security Information and Event Management (SIEM): Using a SIEM to keep an eye on what’s happening in your network was always a good idea. Now, with threats coming both from inside and outside your network, having a SIEM that can learn what’s charging at you is more important than ever. Examples of such next-generation SIEMs are IBM QRadar SIEM, Microsoft Sentinel, and Exabeam.
Follow this up with AI-smart Security Orchestration, Automation, and Response (SOAR): These programs automate, just like the name says, security alert response and enforcement. For instance, if a computer is infected by malware, it can isolate the compromised endpoint immediately. Some SOAR programs worth considering include Palo Alto Networks’ Cortex XSOAR, Splunk SOAR, and Fortinet FortiSOAR.
Do all these things, and you have a much better chance of securing your network. Good luck!