Secure Your Network

If you use a wired network in your home, someone would have to break into your house, plug into your Ethernet switch, and then crouch there in the dark to capture data passing over your network.

Wireless networks have no such protection: anyone with an antenna sensitive enough to pick up your radio signals can eavesdrop on traffic passing over your network. This could be a neighbor, someone in a parked car, or a nearby business. Many free, easy-to-use programs make this a simple task for only slightly sophisticated snoopers.

However, you’re not powerless to prevent such behavior. Depending on what you want to protect and whom you’re protecting against, you can close security holes with tools that range from a few settings up to industrial-grade protection that requires separate servers elsewhere on the internet.

I also suggest using a guest network account when you want to provide access to your network without giving out the password or providing access to devices and peripherals on it.

Simple Tricks That Don’t Work

You may have read suggestions for setting up basic security that advise you to hide your network’s name, or “close” the network, and make it hard to connect to. In practice, this doesn’t work.

An open network appears by name in devices’ Wi-Fi menus and in other places in a device’s interface that show the names of networks to which you can connect. A closed network does not. However, this is less helpful from a security standpoint than it seems.

An access point set for a closed network stops broadcasting its name, but it still broadcasts the other network details that devices which already know the name need in order to connect. Any device connecting has to be given the network’s name, and whenever those devices connect, they reveal that name openly.

An attacker can monitor the network for that connection, but they can also use free cracking tools to find an active connection between a device and the closed network and then force the name to be revealed. So closing your network isn’t a reliable way to get real security.

Use Built-In Encryption

For a real defense, you must use password-protected encryption. Wi-Fi has always offered some form of built-in encryption to secure the connection between a client computer or device and the access point; this connection is the most vulnerable part of a wireless network.

Encryption always requires a key. With Wi-Fi encryption, you don’t enter the key directly, but instead enter a password that the system uses to generate or retrieve a key. Sharing the password reduces security by allowing others to see the same network traffic.

Since 802.11b started appearing in hardware in 1999, three different encryption methods have been offered, each superseding the previous one. The earliest two, WEP and WPA, are effectively dead, as explained in the following sidebar and the next section.

WPA, WPA2, and WPA3 Background

The Wi-Fi Alliance released WPA (Wi-Fi Protected Access) in 2003. It was an interim measure because the IEEE’s work on the 802.11i security update for Wi-Fi was taking too long and it was known that WEP (see sidebar above) was insecure. WPA was considered to be quite strong and was designed to allow support from even the earliest Wi-Fi gear via firmware upgrades.

WPA2 was the final version of WPA security. It includes all the work done in the 802.11i committee. WPA2 replaces WEP’s weak encryption with a government-grade method of encryption favored by corporations. Any equipment released in 2003 or later can handle WPA2.

In 2018, the Wi-Fi Alliance announced the next flavor of security: WPA3. It upgrades the encryption algorithm to something even stronger and more modern. It also automatically creates an encrypted connection on an open network between each client and the gateway, preventing sniffing even if there’s no Wi-Fi network password! WPA3 is slowly making its way into gateways and clients, and it may be five years before it’s in wide use because of so many legacy devices in operation.

For the rest of this chapter, I’ll only talk about WPA2 and WPA3, as WPA is effectively no longer used on modern networks, because it carried over some of WEP’s weaknesses.

WPA2/WPA3 comes in two versions, typically referred to as Personal and Enterprise:

  • Personal: This version allows the use of passphrases or long sequences of text—minimum 8 characters, maximum 63 characters. Passphrases can include letters, numbers, spaces, and punctuation. These are converted into the source material for generating an encryption key.

    The option to create a long phrase gives a WPA2/WPA3 passphrase the potential to be memorable, but adding more characters in the phrase also adds entropy. In other words, it becomes increasingly difficult for someone to predict the key. A passphrase could look like my d000gs have lite_brite_hair! I kid you not.

  • Enterprise: The Enterprise flavor of WPA2/WPA3 requires a central server that handles account information and logins, and presents to a user something that looks like a server or desktop login. Some Wi-Fi gateways include the settings necessary to use one of these. It’s unlikely you’d want to run such a server yourself, but there are companies, such as NoWiresSecurity and IronWiFi, that offer this as an internet-based service.

    The advantage of using an Enterprise login is that you can provide unique logins to each user, each of which has an automatically generated unique encryption key. That prevents any user from sniffing another user’s traffic. You can also revoke access for individual users—such as contractors at the end of a project—without having to change a common passphrase everyone uses.
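To make concrete what “the system uses the password to generate a key” means for the Personal flavor, here is an added example (my code, not from the book): it derives the WPA2-Personal pre-shared key from a passphrase and the network name with PBKDF2-HMAC-SHA1 as IEEE 802.11i specifies, enforces the 8-to-63-character passphrase rule, and gives a rough entropy estimate so you can see why a longer phrase is harder to guess. The entropy estimate is a simplification I chose for illustration (it assumes every character is picked independently); the test vector in the comments is the one published in the standard.

```python
import hashlib
import math
import string

# WPA2-Personal (IEEE 802.11i) turns the passphrase and the SSID into a
# 256-bit pre-shared key with PBKDF2-HMAC-SHA1 and 4096 iterations. Both the
# gateway and every client compute the same key from the same two inputs.
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32


def validate_passphrase(passphrase: str) -> bool:
    """A Personal passphrase is 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the hex PSK the gateway and clients compute from the passphrase.

    Published test vector: passphrase "password", SSID "IEEE" gives
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.
    """
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    psk = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the SSID is the salt, so same passphrase + different name = different key
        PBKDF2_ITERATIONS,
        dklen=PSK_LENGTH_BYTES,
    )
    return psk.hex()


def estimate_entropy_bits(passphrase: str) -> float:
    """Rough guess at entropy: length x log2(size of the character classes used).

    Simplifying assumption: each character is chosen independently from the
    pool of classes present. Real phrases made of dictionary words score lower
    than this number suggests, so treat it as an upper bound.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c == " " or c in string.punctuation for c in passphrase):
        pool += 33  # 32 ASCII punctuation marks plus the space
    return len(passphrase) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    phrase = "my d000gs have lite_brite_hair!"   # the book's sample passphrase
    print("valid:", validate_passphrase(phrase))
    print("PSK for SSID 'HomeNet':", derive_psk(phrase, "HomeNet"))
    print("estimated entropy bits:", round(estimate_entropy_bits(phrase), 1))
```

Two things fall out of the derivation. First, because the SSID is the salt, two networks with different names and the same passphrase end up with different keys, which is why a gateway that names its 2.4 and 5 GHz networks identically can share one key between them. Second, WPA3-Personal does not derive the key this way: it uses the SAE handshake, in which the passphrase authenticates an exchange rather than being stretched directly into the key, so this function applies to WPA2 (and WPA2/WPA3 mixed mode clients that connect with WPA2).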

Turn on WPA2/WPA3 on Your Gateway

Most gateway interfaces have a section or tab titled Security, but this sometimes—as in TP-Link’s admin utility—refers to security protocols that can pass through it, especially for VPNs. If that’s the case for you, look in Wireless and Network settings until you find an option labeled WPA2 or WPA3.

Depending on the age of the gateway and other factors, you might be able to select WPA2, WPA2/WPA3, or WPA3. Until WPA3 is widespread, pick WPA2 or WPA2/WPA3.

Some gateways may require you to enter a passphrase separately for the 2.4 and 5 GHz networks that they create. If you’re naming your networks for both bands the same, set the passwords to be the same, too.

A passphrase for a Wi-Fi network should be easy to enter, remember, and hand off to someone else, but it shouldn’t be easy enough to guess. The best passphrase is two or three words. Even all in lowercase and with spaces or punctuation between them, that’s about 15 characters long.

You can hand this password out to other people who use the network, but there’s also a nifty way in Android and iOS to join a secured Wi-Fi network: using a QR Code. The site QRCode Monkey can generate a Wi-Fi QR Code that you print out or keep as an image on a device. Any recent Android phone or tablet, iPhone, or iPad can scan it and join (Figure 53).

Figure 53: A QR Code is a neat shortcut for letting people join your network. Using a smartphone, they can scan it with just a few taps.
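What a Wi-Fi QR Code actually contains is a short text payload in the “WIFI:” format that phone cameras recognize (the format originated in the ZXing barcode project). The following is an added example of my own, not code from the book or from QRCode Monkey: it builds that payload, escapes the characters the format reserves, and parses one back, so you can see exactly what you are printing out.

```python
# Wi-Fi QR payload format (ZXing convention, used by Android and iOS):
#   WIFI:T:<WPA|WEP|nopass>;S:<ssid>;P:<passphrase>;H:true;;
# Inside a field the characters \ ; , " : must be escaped with a backslash.
RESERVED = '\\;,":'
AUTH_TYPES = ("WPA", "WEP", "nopass")


def _escape(value: str) -> str:
    return "".join("\\" + c if c in RESERVED else c for c in value)


def build_wifi_qr_payload(ssid: str, passphrase: str = "",
                          auth: str = "WPA", hidden: bool = False) -> str:
    """Return the text a Wi-Fi QR Code encodes. 'WPA' covers WPA2 and WPA3 networks."""
    if auth not in AUTH_TYPES:
        raise ValueError(f"auth must be one of {AUTH_TYPES}")
    fields = [f"T:{auth}", f"S:{_escape(ssid)}"]
    if auth != "nopass":
        fields.append(f"P:{_escape(passphrase)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_qr_payload(payload: str) -> dict:
    """Decode a WIFI: payload into its fields, honoring backslash escapes."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):-1]   # keep one ';' as the last field terminator
    fields = {}
    i = 0
    while i < len(body):
        colon = body.index(":", i)
        key = body[i:colon]
        i = colon + 1
        value = []
        while i < len(body) and body[i] != ";":
            if body[i] == "\\":        # escaped reserved character
                i += 1
            value.append(body[i])
            i += 1
        if i >= len(body):
            raise ValueError("unterminated field")
        fields[key] = "".join(value)
        i += 1                          # skip the ';'
    return fields


if __name__ == "__main__":
    # Constructed sample network; the passphrase is the book's example.
    text = build_wifi_qr_payload("HomeNet", "my d000gs have lite_brite_hair!")
    print(text)
    print(parse_wifi_qr_payload(text))
```

The payload holds the passphrase in plain text, so the printed card or saved image is equivalent to the passphrase itself: keep it where you would keep the passphrase, and if you ever change the passphrase, replace the code. Generating the image locally (a QR library such as python-qrcode can take this string) avoids pasting your passphrase into a web form.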

Allow Guest Networking

If you want to preserve the security of your network while still allowing visitors and others to access it, you can take advantage of a feature available on many modern gateways: a guest network. This exceedingly nifty feature splits your Wi-Fi network into two separate networks (technically creating two virtual LANs) while using all the same actual hardware.

A guest network provides users with internet access, but doesn’t pass any traffic to or from the main network. People connecting to a guest network generally can’t access computers or devices on your main network, including printers, although some gateways offer a LAN access option that can be turned off and on. Some may let you set 2.4 and 5 GHz guest networks separately, while others only let you create settings that automatically work over both bands.

Another advantage of a guest network is that it has a different password from your main network password, which you may not want to share with guests, especially if you use that password in other places too. Or, if you don’t password-protect your guest network, guests can gain wireless internet access with no hassle, and you’ve not put other network resources at risk.

Depending on the gateway, you may also be able to:

  • Throttle inbound and outbound bandwidth usage.

  • Set a maximum amount of time a device can be connected.

  • Set day-of-week and time-of-day limitations.

These limitations let you ensure guests don’t overwhelm your main network, something more useful for small businesses and retail locations.
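To show what the guest network’s isolation rules amount to, here is an added example of my own (not a real gateway’s configuration): a small model of the packet-filter decisions a gateway makes for traffic coming from the guest VLAN, including the LAN access toggle some gateways expose. The address ranges, the gateway’s guest-side address, and the rule that guests may reach only the gateway’s DHCP and DNS services are assumptions I chose for the model.

```python
import ipaddress

# Constructed model of a gateway with two virtual LANs on the same hardware.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST_LAN = ipaddress.ip_network("192.168.2.0/24")
GUEST_GATEWAY = ipaddress.ip_address("192.168.2.1")   # gateway's address on the guest VLAN
GATEWAY_SERVICE_PORTS = {53, 67}                        # DNS and DHCP (assumed to be the only services guests need)


def guest_policy(src: str, dst: str, dst_port: int, allow_lan_access: bool = False) -> str:
    """Return 'allow' or 'deny' for a flow originating on the guest network.

    Rules, in order:
      1. Only guest-VLAN sources are governed here; anything else is denied.
      2. Guests may reach the gateway's own DHCP and DNS, nothing else on it
         (so the admin interface is not exposed to guests; my assumption).
      3. Traffic to the main LAN is denied unless the LAN access toggle is on.
      4. Everything else is the internet and is allowed.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in GUEST_LAN:
        return "deny"
    if dst_ip == GUEST_GATEWAY:
        return "allow" if dst_port in GATEWAY_SERVICE_PORTS else "deny"
    if dst_ip in MAIN_LAN:
        return "allow" if allow_lan_access else "deny"
    return "allow"


def evaluate_flows(flows, allow_lan_access: bool = False):
    """Apply the policy to a list of (src, dst, port) tuples; returns decisions in order."""
    return [guest_policy(s, d, p, allow_lan_access) for s, d, p in flows]


if __name__ == "__main__":
    # Constructed sample flows from a guest phone at 192.168.2.20.
    sample = [
        ("192.168.2.20", "203.0.113.10", 443),   # a website on the internet
        ("192.168.2.20", "192.168.1.50", 9100),  # a printer on the main LAN
        ("192.168.2.20", "192.168.2.1", 53),     # DNS on the gateway
        ("192.168.2.20", "192.168.2.1", 80),     # gateway admin page
    ]
    for flow, verdict in zip(sample, evaluate_flows(sample)):
        print(flow, "->", verdict)
```

Run as written, the printer on the main LAN is blocked and the admin page is unreachable, while the web site and DNS lookups go through; passing `allow_lan_access=True` opens the printer, which is the trade-off the LAN access option on some gateways represents. If your gateway offers the toggle, leave it off unless guests genuinely need a shared device.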
