How secure is your WiFi?

Do you have a shared password for the WiFi network? When was it last changed? Has anyone left the company since?

At first WiFi networks were unsecured. However, radio waves penetrate walls, so eavesdropping is very simple even from a distance, and encryption was required. The first method was Wired Equivalent Privacy, or WEP. WEP was weak from day one, but the breaking of WEP still caught the industry with its pants down. A new method was needed fast: WPA, or Wi-Fi Protected Access, was created, also known as TKIP after its encryption protocol. WPA was improved upon, and today WPA2 is the preferred choice. WPA2 is fast and presently a trusted method for securing WiFi traffic.

There are two flavors of WPA2: Personal and Enterprise. In Personal there is one shared password for the whole network. Anyone who knows the password can join the network and listen to the traffic. WPA2 Personal is good for personal and home use, and arguably for a small office as well. In business use, though, people come and go, and the password should be changed every time anyone leaves the company. Nobody should have access to the company network after leaving or being laid off. Still, WPA2 Personal is the most common way of securing WiFi networks.

WPA2 Enterprise requires that every user has a username and a password. This is already the case in Windows Active Directory (AD). You can install the Network Policy Server (NPS) role on a Windows Server to provide RADIUS service to the access points (APs). The APs verify each user’s name and password with the RADIUS server (e.g. NPS) before allowing the user onto the network. By removing or disabling a user account in AD you deny access to the WiFi network as well. There is no need for additional equipment or software. In practice all APs support WPA2 Enterprise, and the NPS role can be installed on AD Domain Controllers (DCs).
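An added example of the NPS setup described above (not from the original post), as a PowerShell script run in an elevated session on the domain-joined Windows Server that will host NPS: it installs the role, registers the server in AD, adds each access point as a RADIUS client with its own shared secret, and exports the configuration for a second NPS server. The access point names and addresses are made-up placeholders; the network policy that selects PEAP and the permitted AD group is still created in the NPS console.

```powershell
# Added example: provision NPS as the RADIUS server for WPA2 Enterprise access points.
# AP names and addresses below are constructed placeholders; replace them with your own.

# 1. Install the Network Policy and Access Services role (the feature name is NPAS).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory so it is allowed to read the dial-in
#    properties of user accounts during authentication.
netsh ras add registeredserver

# 3. Every AP gets its own long, random shared secret. A 64-symbol alphabet keeps
#    the byte-to-character mapping unbiased (256 is a multiple of 64).
function New-RadiusSecret {
    param([int]$Length = 32)
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Constructed inventory of access points (placeholder values).
$accessPoints = @(
    @{ Name = 'AP-Floor1'; Address = '192.0.2.11' },
    @{ Name = 'AP-Floor2'; Address = '192.0.2.12' }
)

# 4. Add each AP as a RADIUS client. The same secret must then be entered on that AP;
#    an AP with the wrong secret (or an unknown address) is ignored by NPS.
foreach ($ap in $accessPoints) {
    $secret = New-RadiusSecret
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret
    # Record the secret in your password vault; showing it here is only for the rollout.
    Write-Host "$($ap.Name) ($($ap.Address)): shared secret = $secret"
}

# 5. Export the configuration so the NPS on the second domain controller can import it
#    (Import-NpsConfiguration) and serve as the redundant RADIUS server the APs fall back to.
#    The export contains the shared secrets in clear text, so protect the file accordingly.
Export-NpsConfiguration -Path 'C:\nps-config.xml'
```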

WiFi – from a nice-to-have to a requirement

When was your WiFi network deployed? How many users did it have? How many users are there today?

Not so long ago wireless networks were advanced technology, a gimmick. It was deemed high tech to set up an access point for the sales guy, who had the only laptop in the company. Today everyone has a laptop, and people are expected to wander around the office and work here and there, but always with equal efficiency. Back then it was sufficient to access email and occasionally browse web pages. Today video conferencing and learning videos have bandwidth requirements on a completely different scale. Designing the wireless network has become important. Parts of the design process are the same as in wired networks, but the radio path does bring its own challenges.

Design

Capacity planning is familiar from wired networks. How many users? What kind of applications? What kind of latencies can be tolerated? How much bandwidth? User mobility does bring some uncertainty to these calculations. One day they all sit with their laptops in the same room, where there is only a single access point, and no one is happy. Still, all the access points have to be connected to the network, and these connections must provide enough bandwidth and preferably have redundant paths. In many offices a single hardware failure can stop all work.

The same security principles can be applied from wired to wireless networks. You can create a few wireless networks (different names, a.k.a. SSIDs) and connect these to different VLANs on the wired side. This way you can separate sales, management and R&D into their own virtual networks. A technically slightly more challenging way is to use a single network, authenticate users and forward their data to the proper VLAN on a per-user basis. WPA2 Enterprise provides for user-based authentication and personalized settings using 802.1X.

The most difficult aspect of WiFi design is the radio path, because you can't see it. How many access points do we need, and where? What kind of antennas? Do we have full coverage or are there holes? Is the capacity sufficient?

Hardware

In the early days access points were expensive, so usually only one was bought and placed in the middle of the office. This worked fine when there were just a few users with no specific requirements for bandwidth or latencies. Today user count is not the right metric, because every user has multiple devices: a laptop, a smartphone and often a tablet. Smartphone battery capacity is very limited, and so is their transmit power. You need to have an access point near every phone, so you need to have multiple access points. Multiple access points will interfere with each other unless you turn down their transmit power, typically to be on par with the lowest-powered smartphone (10-15mW). Do not leave all access points on full power, which is usually the factory default.

Managing multiple access points becomes a burden. Consumer-grade access points are managed individually, typically through a web interface. Keeping just five access points in sync regarding settings and updates is a chore. Look for some kind of centralized management solution when choosing access points. With a centralized controller you can change settings and apply updates to all access points with a single action.