Sometimes the only way to make progress is to leave something behind.
Securing a wireless network isn’t rocket science, yet organizations continue to make fundamental mistakes that jeopardize their security. There are a few simple steps that IT managers should follow to ensure that users are being provided a secure wireless experience. By deploying encryption, security policies and guest access management, a district can build a secure, reliable wireless network.
The single most important way to secure a wireless network is to protect it with strong encryption. Encryption scrambles network traffic using mathematical algorithms that prevent eavesdroppers from understanding the content. Encryption is fairly straightforward to set up, but there are two important choices that must be made when using it to properly secure a network.
First, choose a good encryption method. Refrain from using the Wired Equivalent Privacy (WEP) encryption algorithm. This technology is outdated, and there are many known vulnerabilities that essentially render it useless. An attacker with a little knowledge and some free tools can defeat WEP encryption in a matter of seconds. Instead, choose Wi-Fi Protected Access (WPA or WPA2) encryption. Both versions employ strong encryption algorithms to protect traffic sent over a wireless network.
Second, choose whether to use a pre-shared encryption key or enterprise authentication technology. In a pre-shared key approach, a network has a single shared password that all users must key in to access the network. This is the approach commonly used on home networks, but it is only appropriate for the smallest school networks. It’s simply too difficult to control knowledge of the shared key without changing it every time someone leaves a district or a guest is given access to the key.
If using pre-shared key authentication, there are some potential vulnerabilities that might allow an attacker to crack a district’s encryption key if the district uses a common service set identifier (SSID) for its wireless network. The SSID is used as the salt when the passphrase is turned into the network key, so tables of precomputed keys exist for widely used SSIDs. Be sure to check the 1000 Most Common SSIDs from the Wireless Geographic Logging Engine and choose something that’s not on the list.
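To make the SSID point concrete, here is an added example (not code from the original article) that derives the WPA/WPA2 pre-shared key the way the standard does and checks an SSID against a short, constructed stand-in for the common-SSID list; the `COMMON_SSIDS` entries are illustrative, not WiGLE's actual list.

```python
import hashlib

# Constructed stand-in for the "1000 Most Common SSIDs" list; a real check would
# load WiGLE's list. These five names are illustrative only.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "xfinitywifi"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Pairwise Master Key from a passphrase as IEEE 802.11i
    specifies: PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds, 32 bytes.
    Because the SSID is the salt, a key table built for one SSID is worthless
    against a network with a different SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def ssid_is_common(ssid: str, common=COMMON_SSIDS) -> bool:
    """True if the SSID appears on the common-name list (case-insensitive)."""
    return ssid.lower() in {s.lower() for s in common}


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase under two SSIDs yields two different keys."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # "password"/"IEEE" is the published 802.11i test vector.
    print(wpa2_pmk("password", "IEEE").hex())
    for name in ("linksys", "dist-staff-7f3a"):
        print(name, "common" if ssid_is_common(name) else "not on list")
```

A unique SSID does not make a weak passphrase strong; it only removes the shortcut that precomputed tables provide.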
The alternative, enterprise encryption, leverages an existing authentication infrastructure to allow users to join the wireless network using the same username and password they provide to access their computers, e-mail and other enterprise resources. Using enterprise encryption makes dealing with employee terminations a breeze. When an enterprise account is deactivated, a user simultaneously loses access to the wireless network. No key changes are required.
Network administrators have always grappled with the challenges posed by those who want to bring outside devices onto district networks. In the past, the quick response to those requests was “No, the network is limited to district-owned devices.” Over the past few years, however, two emerging trends have rendered this position indefensible in many environments. First, many districts are instituting a “bring your own device” (BYOD) strategy that allows administrators, teachers, staff and even students to bring smartphones, tablets and notebook computers from home to campus, where they expect to have access to the district network.
At the same time, school guests are starting to have the same expectations for ubiquitous network access. While these guests certainly don’t need access to district data, guest network access has become a standard expectation, especially in facilities where cell phone signals might not penetrate to interior conference rooms. Districts need to develop clear policies around who may join external devices to the network, what access is afforded to those devices, and who may approve such requests.
One increasingly common approach to this problem is to create an open, unsecured wireless network that allows access to the Internet and nothing else. Visitors can then connect their personal devices to this network without affecting the security of district systems or data. It essentially recreates the coffee shop wireless experience within the facility while isolating the guest network from a district’s secure systems. Anyone on the guest network who attempts to access district resources would have the same experience as if they were working at home: They’d have to secure their connection using a VPN or other security technology.
Once a district builds a secure wireless network, there’s still one big issue to worry about — rogue wireless access points. It’s far too easy for a staff member, frustrated with security controls or coverage issues, to drop $60 on a wireless AP and connect it to a wired network. This creates a small “private” wireless network that may not be appropriately secured and limits IT staff’s visibility into the devices that connect to it.
In order to reduce this risk, conduct periodic scans for rogue APs. This may be as simple as having a technician walk around the building with a notebook running a tool such as NetStumbler to discover wireless networks. Another option is to invest in an automated wireless intrusion prevention system that continuously monitors an environment and automatically alerts IT staff to the presence of rogue wireless networks. These systems fingerprint the unique electronic characteristics of wireless devices to identify APs not on the approved list.
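The comparison against the approved list described above, as an added example that is not part of the original article: it parses a constructed CSV export from a walk-around scan, treats a district SSID broadcast by an unapproved radio as the most serious finding, and flags any other unapproved network heard strongly enough to be inside the building. The BSSIDs, SSIDs and the -70 dBm threshold are constructed assumptions.

```python
import csv
import io

# Constructed scan export (ssid,bssid,rssi_dbm); a technician's scanning tool
# would produce something similar. All values are made up for illustration.
SCAN_CSV = """ssid,bssid,rssi_dbm
district-staff,AA:BB:CC:00:00:01,-48
district-staff,AA:BB:CC:00:00:02,-61
district-staff,DE:AD:BE:EF:00:01,-40
district-guest,AA:BB:CC:00:00:03,-55
Room12-WiFi,01:23:45:67:89:AB,-45
NeighborNet,11:22:33:44:55:66,-84
"""
# Inventory of district-managed radios and the SSIDs they are allowed to serve.
APPROVED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}
DISTRICT_SSIDS = {"district-staff", "district-guest"}


def parse_scan(text):
    """Turn the CSV export into records with normalized (lower-case) BSSIDs."""
    return [{"ssid": row["ssid"],
             "bssid": row["bssid"].strip().lower(),
             "rssi": int(row["rssi_dbm"])}
            for row in csv.DictReader(io.StringIO(text))]


def find_rogues(records, approved, district_ssids, rssi_floor=-70):
    """Report unapproved radios. A district SSID from an unknown BSSID looks like
    the official network to users, so it is flagged first; any other unapproved AP
    heard above rssi_floor is probably on the premises rather than next door."""
    findings = []
    for r in records:
        if r["bssid"] in approved:
            continue
        if r["ssid"] in district_ssids:
            findings.append(("impersonates-district-ssid", r["ssid"], r["bssid"]))
        elif r["rssi"] >= rssi_floor:
            findings.append(("unapproved-ap-on-premises", r["ssid"], r["bssid"]))
    return findings


def report(text=SCAN_CSV):
    return find_rogues(parse_scan(text), APPROVED_BSSIDS, DISTRICT_SSIDS)


if __name__ == "__main__":
    for severity, ssid, bssid in report():
        print(f"{severity}: {ssid} ({bssid})")
```

Signal strength is only a rough locality test; a wireless IPS adds device fingerprinting and wired-side correlation to confirm whether a flagged AP is actually plugged into the district network.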
Wireless networking is changing the way staff interact with district resources. It’s increasingly common for staff to go days or weeks without ever connecting to a traditional wired network. It’s essential for the administrators running these networks to understand user behavior and develop secure, flexible options that balance security concerns with operational requirements. Developing solid wireless policies and backing them up with strong encryption technology and rogue AP detection capabilities can go a long way toward creating a secure wireless environment.