http://chrisvarnom.com/safety-7-practices-for-securing-customer-facing-wi-fi/
Safety: 7 Practices for Securing Customer-Facing Wi-Fi Author - Chris Varnom at chrisvarnom.com
OK, so your boss has just decided that it’s time to hang a “Free Wi-Fi” sign
on the door, and now it’s your job to make it happen. At first this might
seem like a simple task: you just buy a business-class router, negotiate a
contract with your Internet service provider (ISP) for adequate bandwidth,
and voilà, job done. What could possibly go wrong?
Well, as you’re about to find out, from an IT security perspective, quite a lot.
The problems can begin right at the setup stage. The default settings of Wi-
Fi routers straight out of the box aren’t secure. Unless you encrypt your
network, anyone in the vicinity of the router can get onto your network. If
you’re lucky, they will just use your free wireless Internet access for
browsing and downloading. But even this innocent use of your Wi-Fi can
pose a problem, as it can eat up your bandwidth allowance and have an
effect on your ability to connect to applications and websites. Worse still,
people with bad intentions could access your PCs and your file servers,
hijacking any accounts that don’t use SSL encryption or capturing your
passwords. These include your Facebook and Twitter accounts and
popular Web email clients.
And unfortunately, even protecting your Wi-Fi network with the ever-popular
Wi-Fi Protected Access (WPA) encryption, a former standard and one still
in widespread use today, doesn’t help to keep out people who intend to
break into your network. WPA was broken several years ago, and there are
numerous automated programs available from Internet sites that boast
“hack any Wi-Fi network.”
Unfortunately, this isn’t just about you; it’s also about protecting your
customers. The 2013 Identity Fraud Report conducted in the US found that
the number of identity fraud victims shot up to 12.6 million consumers in
2013; that’s one out of every 20 U.S. consumers. Cybercriminals are
busily “sniffing” for sensitive data over unsecured Wi-Fi
connections.
It can get even more complicated depending on the ISP you have. Some
big ISPs are automatically turning customers’ cable modems into public Wi-
Fi hotspots accessible to anyone with an account login from that ISP.
They’re not even asking permission. So if you see a hotspot appear in
range of your devices labeled “xfinityWi-Fi” or “attWi-Fi,” it might well be
originating from your own cable modem.
This is raising hackles as well as security concerns among customers. You
need to carefully evaluate whether, instead of being an endpoint on a
network, you would be okay with being a node on a public network. You
will be, unless you opt out, so it’s important that you think about it, make an
informed decision, and, if necessary, take action to inform your carrier of
your decision.
Here are seven tips on how to extend Wi-Fi to customers while keeping
yourself - and them - secure:
Tip No. 1: Use Enterprise WPA2 encryption. IEEE 802.11i, also known
as WPA2, uses IEEE 802.1X for mutual authentication between the client
and the network and Advanced Encryption Standard (AES) for data
encryption. WPA2 is the stronger big brother of WPA, and provides the
best Wi-Fi protection to date. But to confuse matters, you can deploy
WPA2 in either Personal or Enterprise mode. Most wireless routers support
both modes.
Although the Personal mode is easier to set up, it has recently been
cracked. However, to deploy WPA2 Enterprise mode, you need a RADIUS
server, which requires time and expertise to set up. Another option is to use
a hosted service that deploys WPA2 in enterprise mode. And always create
a long and strong passphrase when setting up the encryption, using no
words or phrases that might be in a dictionary.
Tip No. 2: Create a separate private Wi-Fi network just for guests. You
might be tempted, because it’s much easier, to simply allow your
customers to log onto the Wi-Fi network your employees use. Don’t do it.
Once onto your internal network, cyber criminals can easily hack into
supposedly protected files or applications, and steal data from your
company.
To protect your business, create a separate private wireless network (most
business-class routers will let you do this) and encrypt it, just as you
encrypted your internal Wi-Fi network. If your router has already been
configured to send out a second, public signal by your ISP, theoretically,
this shouldn’t interfere with your ability to set up a guest network yourself.
However, the jury appears to be out regarding whether it could adversely
impact your available bandwidth. Again, consider opting out if you are at all
concerned about this.
Tip No. 3: Create a “captive portal” for guests. You don’t want to make
it too difficult for your customers to get onto your network. But you should
have what’s called a “captive portal,” which requires Internet users to agree
to terms of service before proceeding to the Internet. Although the captive
portal’s primary purpose is authenticating users, it offers other benefits.
You can create a landing page tailored to your business, assign access
codes that collect information about users, and put into place traffic controls
to limit bandwidth.
Tip No. 4: Be aware of other hotspots that appear in the vicinity. “Evil
Twin” and “Ad Hoc” hotspots can try to mimic yours to trick your customers
into logging onto them. Once an Evil Twin gains access to a computer, it
can launch a “man in the middle” attack that can be devastating to an
individual or a business.
Again, your ISP might be complicating matters by using your router to
create a public hotspot for your area. Although, theoretically, this gives your
customers more Wi-Fi choices, it also increases the opportunity for
cybercriminals to confuse users with rogue networks. If this makes you at
all uncomfortable, you should opt out of your carrier being able to use your
router as a public hotspot. Again, if you don’t take any action, your
carrier will make you part of its plan to build a national network of
public hotspots.
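The check behind Tip No. 4, as an added example that is not part of the original article: it compares the results of a Wi-Fi scan against an inventory of your own access points and reports any network that reuses or imitates your SSID. The SSIDs, BSSIDs, the record layout and the function names are all constructed for illustration.

```python
# Added example: flag nearby access points that reuse or imitate our SSID.
# Every SSID, BSSID and scan record below is constructed sample data.
import re

# Inventory of our own access points: SSID -> (authorised BSSIDs, expected security).
KNOWN = {"Cafe-Guest": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2")}

# Digits commonly substituted for letters in look-alike network names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s"})

def normalize(ssid):
    """Fold case, digit look-alikes and punctuation: 'Cafe Gue5t' -> 'cafeguest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold().translate(LOOKALIKES))

def find_suspects(scan, known=KNOWN):
    """Return (bssid, ssid, reason) for each record that imitates a known SSID."""
    by_norm = {normalize(name): name for name in known}
    suspects = []
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        ours = by_norm.get(normalize(ssid))
        if ours is None:
            continue  # unrelated network, e.g. a neighbour's
        bssids, security = known[ours]
        if ssid != ours:
            reason = "lookalike-ssid"      # near-identical name, not ours
        elif bssid not in bssids:
            reason = "unknown-bssid"       # our exact name from unknown hardware
        elif ap["security"] != security:
            reason = "security-mismatch"   # known BSSID, wrong settings
        else:
            continue  # one of our own access points, configured as expected
        suspects.append((bssid, ssid, reason))
    return suspects

# Constructed scan results, as a site survey tool might report them.
SCAN = [
    {"ssid": "Cafe-Guest", "bssid": "AA:BB:CC:00:00:01", "security": "WPA2"},
    {"ssid": "Cafe-Guest", "bssid": "de:ad:be:ef:00:01", "security": "WPA2"},
    {"ssid": "Cafe-Guest", "bssid": "aa:bb:cc:00:00:02", "security": "Open"},
    {"ssid": "Cafe Gue5t", "bssid": "12:34:56:78:9a:bc", "security": "Open"},
    {"ssid": "NeighbourNet", "bssid": "00:11:22:33:44:55", "security": "WPA2"},
]

if __name__ == "__main__":
    for bssid, ssid, reason in find_suspects(SCAN):
        print(f"{reason:18} {bssid}  {ssid!r}")
```

A BSSID can be spoofed, so a clean result only means no imitation was visible in that scan; the "security-mismatch" case is the one that catches a copied BSSID advertising different settings.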
Tip No. 5: Use MAC authentication for your employee network. MAC
authentication locks down your employee network even more securely by
restricting network access to pre-registered devices only. Yes, setup is a bit
of a hassle, as you have to assign MAC addresses to specific wireless
cards, but it will stop unauthorized devices from accessing your secured
network.
Tip No. 6: Don’t let your customers access illegal or offensive
sites. You should always block sites with illegal or objectionable content on
both your employee and customer Wi-Fi connections to prevent possibly
illegal or dubious situations from arising on your premises.
Tip No. 7: Never underestimate your bandwidth needs. Make sure that
your equipment (or service provider) allows you to scale up as your users
demand more bandwidth. After all, nothing is more frustrating than slow
Wi-Fi for either your employees or your customers. ISPs claim that
piggybacking on customers’ routers to create public hotspots will not
impact customers’ bandwidth, but be on the lookout for degradations in
service levels and be prepared to contact your ISP to shout if you detect any.
By putting the right security measures in place, your business can reap all
the benefits of offering Wi-Fi to customers while protecting both your own
data and applications and those of customers.