Wireless networks are a trade-off between security and convenience. The obvious benefits of a wireless network connection—fast and easy access to the network from a portable computer or an isolated location—come at a cost. For most users, the convenience of wireless operation outweighs the possible security threats. But just as you lock the doors of your car when you park it on the street, you should take similar steps to protect your network and your data.
The simple truth is that someone who wants to devote enough time and effort to monitoring Wi-Fi signals can probably find a way to intercept and read the data they carry. If you send confidential information through a wireless link, an eavesdropper can copy it unless the website or other host is using an end-to-end encryption scheme such as SSL. Credit card numbers, account passwords, and other personal information are all vulnerable.
Encryption and other security methods can make data a little more difficult to steal, but they don't provide complete protection against a really dedicated snoop. An entire catalog of tools for cracking Wi-Fi encryption is easy to find on the Internet. As any police officer will tell you, locks are great for keeping out honest people, but serious thieves know how to get past them.
There are two different kinds of security threats to a wireless network. The first is the danger of an outsider connecting to your network without your knowledge or permission; the second is the possibility that a dedicated eavesdropper can steal or modify data as you send and receive it. Each represents a different potential problem, and each requires a different approach to prevention and protection. Although none of the encryption tools currently available can provide complete protection, they can make life more difficult for most casual intruders. And as long as the tools are out there, you might as well use them.
A few techniques can discourage intruders and crackers. First, you can accept the fact that wireless networks are not completely secure and use the built-in network security features to slow down would-be intruders; second, you can supplement your wireless router's built-in tools with a hardware or software firewall (or both) to isolate the wireless network (but remember that a cracker who can grab and decode encrypted network passwords can often grab firewall passwords too); and third, you can use additional encryption such as a VPN (virtual private network) to make the network more secure.
The security features of the early Wi-Fi protocols (WEP encryption) were not adequate to protect data. The WEP protocol was flawed in several ways. WEP should be treated more as a "Do Not Disturb" sign than as a real means of protection. The WPA (Wi-Fi Protected Access) and WPA2 standards attempt to fix the shortcomings of WEP, but they work only when all of the users of your network have modern cards and drivers.
Here are some specific security methods:
Don't use your access point's default SSID. Those defaults are well known to network crackers.
Change the SSID to something that doesn't identify your business or your location. An intruder who detects something called BigCorpNet and looks around to see BigCorp headquarters across the street will target that network. The same thing goes for a home network: Don't use your family name or the street address or anything else that makes it easy to figure out where the signal is coming from.
Don't use an SSID that makes your network sound as though it contains some kind of fascinating or valuable content—use a boring name like, say, network5, or even a string of gibberish, such as W24rnQ. If a would-be cracker sees a list of nearby networks, yours should appear to be the least interesting of the lot.
Change your access point's password. The factory default passwords for most access point configuration tools are easy to find (and they're often the same from one manufacturer to another—hint: don't use admin), so they're not even good enough to keep out your own users, let alone unknown intruders who want to use your network for their own benefit. An unauthorized person (who could be one of your own children) who gets into the access point's software could lock you out of your own network by changing the password and the encryption key.
If possible, place your indoor access point in the middle of the building rather than close to a window. This will reduce the distance that your network signals will extend beyond your own walls.
Use WPA encryption rather than WEP. WPA encryption is a lot more difficult to break, especially if it uses a complex encryption key.
Change your encryption keys often. It takes time to sniff encryption keys out of a data stream; every time the keys change, the miscreants trying to steal your data are forced to start again from scratch. Once or twice every month is not too often to change keys in a home network. An office LAN should change keys at least once a week.
Don't store your encryption keys in plain text on the network where they are used. This seems self-evident, but in a widespread network, it might be tempting to distribute the keys on a private web page or in a text file. Don't do it.
Don't use email to distribute encryption keys. Even if you're not sending emails in plain text, an intruder who has stolen account names and passwords will receive the messages with your new codes before your legitimate users get them.
If it's practical to do so on your network, turn on the access control feature in your access point. Access control restricts network connections to network clients with specified MAC addresses. The access point will refuse to associate with any network device whose address is not on the list. This might not be practical if you want to allow visitors to use your network, but it's a useful tool in a home or small business network where you know all of your potential users. MAC address filtering will not prevent a determined attacker from copying and spoofing the address of an authenticated user, but it could provide an additional layer of protection.
Turn on the security features, but treat the network as if it's completely open to public access. Make sure everybody using the network understands that they're using a nonsecure system.
Limit file shares to the files that you really want to share; don't share entire drives. Use password protection on every share.
Use the same firewall and other security tools that you would use on a wired network. At best, the wireless portion of your LAN is no more secure than the wired part, so you should take all the same precautions.
Consider using a virtual private network (VPN) for added security.
Use a firewall program on every computer connected to the network, including both wired and wireless nodes.
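Several items in this list can be checked mechanically against an access point's settings. The following is an added example, not part of the original text: a small Python audit over a settings dictionary whose field names, finding labels, and sample values are all assumptions made for illustration. The key-age limits follow the list above, weekly for an office and monthly for a home.

```python
from datetime import date

# Constructed sample of factory-default SSIDs (illustrative, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
# "admin" is the default the text names; the other entries are assumed examples.
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}
# Rotation limits from the list: weekly for an office, monthly for a home.
MAX_KEY_AGE_DAYS = {"office": 7, "home": 31}


def audit_access_point(cfg, today):
    """Return checklist findings for one access-point settings dict."""
    findings = []
    ssid = cfg["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("ssid-default")
    # owner_terms: business name, family name, street name, and so on.
    if any(term.lower() in ssid for term in cfg.get("owner_terms", [])):
        findings.append("ssid-identifies-owner")
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        findings.append("admin-password-default")
    encryption = cfg["encryption"].upper()
    if encryption in ("NONE", "OPEN"):
        findings.append("encryption-off")
    elif encryption == "WEP":
        findings.append("encryption-wep")
    if (today - cfg["key_changed"]).days > MAX_KEY_AGE_DAYS[cfg["site"]]:
        findings.append("key-stale")
    # MAC filtering is impractical when visitors need access, so skip it then.
    if not cfg.get("mac_filter") and not cfg.get("guests_expected"):
        findings.append("mac-filter-off")
    return findings


# Constructed sample settings, not taken from any real device.
TODAY = date(2024, 3, 15)
WEAK = {"ssid": "BigCorpNet", "owner_terms": ["BigCorp"], "site": "office",
        "admin_password": "admin", "encryption": "WEP",
        "key_changed": date(2024, 1, 1), "mac_filter": False}
HARDENED = {"ssid": "network5", "owner_terms": ["Smith", "Maple"],
            "site": "home", "admin_password": "t7#Lq9vX2p-constructed",
            "encryption": "WPA2", "key_changed": date(2024, 3, 1),
            "mac_filter": True}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_access_point(cfg, TODAY) or "no findings")
```

An empty result means only that these particular checks passed; placement of the access point, file shares, and firewalls still have to be reviewed by hand.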
It's important to take wireless network security seriously, but don't let the security issues discourage you from using Wi-Fi in your home or office unless you're moving very sensitive information through your network. If you protect your network with encryption and other security tools, you will probably keep all but the most determined hackers and crackers on the outside.
On the other hand, if your small business handles customer billing information, credit card data, sensitive client or patient records, personnel data (such as Social Security numbers), or any similar information that should remain confidential, adding Wi-Fi to your LAN creates an extremely attractive target. If you must add Wi-Fi access to your small business network, use the strongest firewall you can find between the Wi-Fi access point and the other computers on the network.