Enterprise-Grade Security for Your Home WLAN
December 09, 2009
We've been over the basics time and time again. Here's how to up your Wi-Fi security to some of the same standards the big companies aim for.
The basics of Wi-Fi security are well known: WEP's a menace, you should cloak your SSID to avoid random passers-by, and you should always change default passwords and user names when possible. This article takes us beyond all that and digs into the kinds of security measures you normally see in the enterprise.
#1 Move to enterprise encryption
If you created a WPA or WPA2 encryption key of any type and must enter it when connecting to the wireless network, you are only using the Personal or Pre-shared key (PSK) mode of Wi-Fi Protected Access (WPA). Business networks--no matter how small or big--should be protected with the Enterprise mode, which adds 802.1X/EAP authentication to the wireless connection process. Instead of entering the encryption key on all the computers, users log in with a username and password. The encryption keys are derived securely in the background and are unique for each user and session.
This method provides central management and overall better Wi-Fi security.
The special ingredient of the Enterprise mode is a RADIUS/AAA server. The server communicates with the APs on the network and consults the user database. Consider using the Internet Authentication Service (IAS) of Windows Server 2003 or the Network Policy Server (NPS) of Windows Server 2008. If you want to go vendor-neutral, try the popular open source server, FreeRADIUS. If you find setting up an authentication server requires more money and/or expertise than you have, consider using an outsourced service.