“Can I connect to your Wi-Fi?” Some firms answer this question hundreds of times a week believing they have complete organisation-level Wi-Fi Security. That's not always the case. Can you say yes while keeping your network secure?
Wi-Fi is ubiquitous both at the office and at home, providing the freedom to work and play online any time, anywhere. Managing the conflicting requirements of maintaining Wi-Fi Security on your network whilst providing easy access to both employees and guests is something we often advise on.
By Emanuel Mandat, Sr. System NGneer®
May 17, 2017
If you have a guest at home, you normally wouldn’t give a second thought to Wi-Fi Security when handing over your Wi-Fi key. However, for a business, how you give guests and employees access to your wireless network needs more consideration to maintain Wi-Fi security.
The majority of office-based workers will use wired connections whilst working at their desk, but as businesses move to activity-based and agile working, the company Wi-Fi network has become ubiquitous. Laptops, BYOD tablets and netbooks, and employee mobile phones will all be connected to company Wi-Fi, and employees will expect the network to reach wherever they need to work.
Guests at a company office frequently ask for Wi-Fi access to check their email, fetch information from their office via a VPN, or simply to update their Facebook status with their location!
Wi-Fi security is a real challenge for many clients. Many will already have two networks in place – a secured internal network for employees, and a restricted guest network that provides only Internet access. But is that safe enough?
The first generation of Wi-Fi networks were secured with a single network password. Anyone wanting to join the network would select the network name from the list of available networks, and then enter a single, shared password. This gives rise to a couple of questions:
So let’s start with the best way to secure your internal network. This is where a good wireless controller is useful. The first step is to get rid of the shared password, instead having each user authenticate with their own username and password. This lets you control who has access, and when. It lets you set time ranges when users can connect and what they can connect to. It also allows you to revoke the credentials (the username and password) of someone you no longer want to have access without disrupting everyone else’s access.
The next step is to add device authentication. By using security certificates or other mechanisms, you can ensure that only authorised devices can connect to the network, blocking unknown devices even if a valid username and password are supplied. This can be extended further, blocking devices that don’t have up-to-date security or anti-virus.
A secure internal network is only the first step, and it is only as good as the password policy you have in place. Everyone should follow that policy to maintain the safety and integrity of the company.
For guests, we recommend setting up a single wireless network that has no access to the internal system, and only grants internet access. As this is the network that will have a constantly changing set of people using it, it’s important that access can be granted for a limited period of time, and that access cannot be regained after the guest has left without re-authorisation.
A typical guest network has no network password (which could be easily remembered or shared) and instead operates as an open network with no password needed to connect. However, as soon as a device connects, it cannot access the Internet, and is instead re-directed to a portal page – a website where the guest needs to enter more information before they can continue.
The information needed varies, but typically is a passcode or voucher code that has a short life span, perhaps two or four hours, after which it becomes useless. This allows you to hand out network access codes secure in the knowledge they can’t be reused in the future. You can also identify the guests connecting and track what they do on your network, apply limits to how much of the network they can use, limit the speed of the network, or anything else appropriate.
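The voucher scheme described above can be sketched as follows. This is an added example, not code from the article or from any particular wireless controller; the class, its method names and the choice to bind a code to the first device's MAC address are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class GuestVouchers:
    """In-memory voucher store for a guest portal (hypothetical design)."""

    def __init__(self, lifetime=4 * 3600, clock=time.time):
        self.lifetime = lifetime      # seconds a code stays valid after issue
        self.clock = clock            # injectable so expiry can be tested
        self._vouchers = {}           # sha256(code) -> voucher record

    @staticmethod
    def _digest(code):
        # Store only a hash, so a leaked voucher table does not reveal live codes.
        return hashlib.sha256(code.strip().upper().encode()).hexdigest()

    def issue(self, guest_name):
        """Reception desk: create a random code tied to a named guest."""
        code = secrets.token_hex(5).upper()   # 10 hex chars from the OS CSPRNG
        self._vouchers[self._digest(code)] = {
            "guest": guest_name,
            "expires": self.clock() + self.lifetime,
            "device": None,
        }
        return code

    def redeem(self, code, device_mac):
        """Portal page: bind an unexpired code to the first device that uses it."""
        entry = self._vouchers.get(self._digest(code))
        if entry is None or self.clock() >= entry["expires"]:
            return False
        mac = device_mac.lower()
        if entry["device"] not in (None, mac):
            return False                      # code was passed on to a second device
        entry["device"] = mac
        return True

    def is_allowed(self, device_mac):
        """Gateway: allow Internet traffic only while the device's voucher is live."""
        now, mac = self.clock(), device_mac.lower()
        return any(e["device"] == mac and now < e["expires"]
                   for e in self._vouchers.values())

    def purge_expired(self):
        """Housekeeping: drop dead vouchers and return how many were removed."""
        now = self.clock()
        dead = [k for k, e in self._vouchers.items() if now >= e["expires"]]
        for k in dead:
            del self._vouchers[k]
        return len(dead)
```

Binding to a MAC address only discourages casual sharing of a code, since a MAC address can be changed; the short lifetime is what stops a guest regaining access later.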
Once you’ve implemented secure Wi-Fi access, remember there’s more to do to secure your company, documents and financial information from hackers, fraud and theft. We work with clients to determine what is appropriate but this includes a secure password policy that includes:
Security is an extremely important part of our IT strategy, second only to back-ups being secure and available. As NGneers®, we often begin work at new clients to find very little protection or security protocols in place. This leaves data vulnerable to hacking and even being held to ransom! Hackers are more sophisticated than ever: being several steps ahead with tough Wi-Fi security protocols will ensure your firm runs smoothly and safely.