Article ID: 5035
5 Tips to Fortify your Wireless Network
Objective
Although Wi-Fi networks are convenient for you and your employees, there may be
unwanted clients using up the bandwidth you pay for. In addition, security risks have
been an increasing concern for small business wireless networks. In order to protect
your small business wireless network from intruders, it is recommended that you:
1. Change all default user names and passwords
2. Turn on data encryption
3. Enable user authentication
4. Turn on built-in firewalls
5. Hide your Wi-Fi broadcast
The objective of this document is to show you how to configure the above tips in
order to improve your WLAN security on Cisco Small Business devices.
Note: The information in this document was gathered from Cisco Blogs. The original
post can be found here.
Applicable Devices
Cisco RV Series Wireless Routers
Cisco Wireless Access Points
Cisco Unified Communications
Note: Every device has a slightly different interface. The appearance of your web
configuration utility and other windows may vary. However, all applicable devices
here have similar tools and navigation.
1. Change all default user names and passwords
Change the name of your wireless network—also called the Service Set Identifier
(SSID)—on the router and each access point. The default SSID is often the name of
the device vendor, such as “ciscosb,” and the preset password is typically “password”
or no password at all. This information is common knowledge to hackers and leaves
your network highly vulnerable to attack. Besides changing the default SSID, make
sure to change preset passwords on guest or administrative accounts for all devices.
While having a default SSID isn’t necessarily a security risk, it does act as a beacon to
intruders, pointing the way to a WLAN with weak security. It is recommended to
change the SSID, account names, and passwords to obscure and random
combinations of 10 or more letters and numbers that aren’t tied to the name of your
company.
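The recommendation above (10 or more mixed letters and numbers, unrelated to the company name, never a vendor default) is easy to state and easy to get wrong by hand. The following added example, which is not part of the Cisco article and uses function names of my own choosing, generates such a passphrase from the operating system's CSPRNG and audits a proposed passphrase against those rules plus the WPA/WPA2 pre-shared-key constraint of 8 to 63 printable ASCII characters. The list of well-known defaults is a constructed sample, not a vendor list.

```python
import re
import secrets
import string

# Constructed sample of defaults the article warns about; extend it with the
# defaults documented for your own device models.
COMMON_DEFAULTS = {"", "password", "ciscosb", "admin", "cisco"}

# WPA/WPA2 pre-shared-key passphrases must be 8 to 63 printable ASCII characters.
WPA_MIN, WPA_MAX = 8, 63
RECOMMENDED_MIN = 10  # the article's "10 or more letters and numbers"


def generate_passphrase(length: int = 16) -> str:
    """Return a random passphrase of letters and digits drawn from the OS CSPRNG."""
    if not RECOMMENDED_MIN <= length <= WPA_MAX:
        raise ValueError(f"length must be between {RECOMMENDED_MIN} and {WPA_MAX}")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Re-draw in the rare case the sample contains no letter or no digit.
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


def check_passphrase(passphrase: str, company_names=()) -> list[str]:
    """Return the problems found with a proposed SSID password (empty list = acceptable)."""
    problems = []
    if passphrase.lower() in COMMON_DEFAULTS:
        problems.append("matches a well-known default")
    if not WPA_MIN <= len(passphrase) <= WPA_MAX:
        problems.append(f"WPA/WPA2 passphrases must be {WPA_MIN}-{WPA_MAX} characters")
    elif len(passphrase) < RECOMMENDED_MIN:
        problems.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    if not any(c.isalpha() for c in passphrase) or not any(c.isdigit() for c in passphrase):
        problems.append("should mix letters and digits")
    # Compare with spaces and punctuation stripped so "Acme-Widgets" still matches.
    compact_pass = re.sub(r"[^a-z0-9]", "", passphrase.lower())
    for name in company_names:
        compact_name = re.sub(r"[^a-z0-9]", "", name.lower())
        if compact_name and compact_name in compact_pass:
            problems.append(f"contains the company name {name!r}")
    return problems


if __name__ == "__main__":
    company = ["Acme Widgets"]  # constructed example company name
    new = generate_passphrase()
    print("generated:", new, "problems:", check_passphrase(new, company))
    print("'password':", check_passphrase("password", company))
    print("'AcmeWidgets2024':", check_passphrase("AcmeWidgets2024", company))
```

Use `check_passphrase` on whatever you intend to type into the Security Mode dialog in Step 5 below; a non-empty return value means the value fails at least one of the article's rules.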
How to change the device’s SSID and password
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the Wireless Settings section. Each device will be slightly different. It is
commonly labeled Wireless. If you don’t see this label or something similar, try
Networks or Port Settings and look for a Wireless subsection.
Step 3. Find the subsection that displays a table or list of SSIDs. As previously stated,
each device will be slightly different. Common labels for the subsection are Basic
Settings or Networks. Common labels for the table or list are Wireless Table or
Virtual Access Points (SSIDs).
Step 4. Edit the desired entry in the table or list of SSIDs to change the SSID Name.
Some devices may require you to check the checkbox next to an entry and click Edit
in order to enable editing.
Step 5. Edit the Security of an SSID entry to change or enable the Password. A
Security Mode, such as WEP, WPA or WPA2 must be enabled in order to use a
password. Some devices may require you to check the checkbox next to an entry and
click Edit Security Mode in order to select a mode and set the password. Other
devices may require you to select the mode from a drop-down list labeled Security
or Security Mode in order to set the password.
Note: The Password may be referred to as the Shared Secret, the Key, or the
Passphrase.
How to change the administrator account password
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the Administration section. Each device will be slightly different. It is
commonly labeled Administration or System Management.
Step 3. Find the subsection that displays the User Accounts. As previously stated,
each device will be slightly different. Common labels for the subsection are Users,
User Accounts, User Management or Administrator. If you don’t see this label or
something similar, try Management Interface and look for the Users subsection.
Step 4. Find the area or entry for the Administrator account and configure a new
password for the account.
Note: Some devices may not explicitly define a user as the Administrator and instead
label the Administrator as a user with Read/Write Access.
2. Turn on data encryption
All WLAN gear supports some form of encryption, such as the weak Wired Equivalent
Privacy (WEP) and the stronger Wi-Fi Protected Access (WPA) and WPA2 security
protocols. Whenever possible, use WPA or WPA2 as they use the Advanced
Encryption Standard (AES) that is intended to provide greater encryption. (If your
device gives you AES as an encryption option, always choose that.) Although WEP is
included in most WLAN networking devices, it is easily decrypted by hackers and
should not be relied on for securing your small business network. Note that each
WLAN networking device must be set to the same encryption protocol, so older
devices that aren’t compatible with WPA or WPA2 should be upgraded to support the
stronger protocols.
How to turn on data encryption
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the Wireless Settings section. Each device will be slightly different. It is
commonly labeled Wireless. If you don’t see this label or something similar, try
Networks or Port Settings and look for a Wireless subsection.
Step 3. Find the subsection that displays a table or list of SSIDs. As previously stated,
each device will be slightly different. Common labels for the subsection are Basic
Settings or Networks. Common labels for the table or list are Wireless Table or
Virtual Access Points (SSIDs).
Step 4. Edit the Security of an SSID entry to select a Security Mode such as WEP, WPA
or WPA2, which enables a form of encryption. Some devices may require you to check
the checkbox next to an entry and click Edit Security Mode in order to select a mode.
Other devices may require you to select the mode from a drop-down list labeled
Security or Security Mode.
3. Enable user authentication
With user authentication, your WLAN will only allow access to users who have been
approved to connect to the network. You can enable user authentication in different
ways, depending on the features of your wireless router and access points. If your
wireless networking devices support WPA2, you can provide user authentication
through 802.1X/EAP (Extensible Authentication Protocol). And if your wireless
equipment supports access control lists (ACLs), you can configure the ACLs to filter
the traffic that flows in and out of your wireless router and access points so that only
certain computers on the network are allowed access to the WLAN.
Another way to enable user authentication is through MAC address filtering. Each
wireless device, including laptops, has a unique MAC address, which is tracked by
your router and access points. With MAC address filtering, your WLAN gear will only
allow chosen MAC addresses to access your wireless network. Note, though, that
hackers can easily “spoof” a MAC address to gain access to your network. MAC
address spoofing can’t be entirely prevented, so you shouldn’t rely on MAC address
filtering alone for security.
Also, consider turning off Dynamic Host Configuration Protocol (DHCP) on your
router and access points and using fixed IP addresses instead of dynamic IP
addresses. A range of private IP addresses reserved for your WLAN will help prevent
intruders from using IP addresses in your DHCP pool to connect to your network.
How to authenticate users with Access Control Lists
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the section that contains an Access Rules subsection. For Routers, go to
the section labeled Firewall. If you don’t see this label or something similar, try
Security. For Wireless Access Point (WAP) devices, go to the section labeled Client
QoS. These sections should have an Access Rules subsection.
Step 3. Find the Access Rules subsection. Each device will be slightly different.
Common labels for the subsection are Access Rules, Access Control or ACL.
Step 4. Add an Access Rule. Common labels for the button are Add Rule, Add Row,
or Add ACL.
Step 5. Configure or edit the Access Rule to permit or deny traffic from specified IP
addresses so that only certain computers on the network are allowed access to the
WLAN. In the Source IP address field, enter the IP address to which you wish to
permit or deny access.
Note: If your device lets you choose the direction for the access rule, select Inbound,
which applies for traffic that comes from the public internet and goes into your local
network. Specify a Source IP address that you want to permit or deny into your
network.
Note: For WAPs, you can assign your ACL direction in the Client QoS Association
subsection. From the ACL Name Up drop-down list, choose the ACL that applies to
traffic entering the WAP in the inbound direction.
How to authenticate users through MAC address filtering
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the Wireless Settings section. It is commonly labeled Wireless.
Step 3. Find the subsection with the MAC Filtering page. For Routers, go to the
subsection labeled Basic Settings, which displays a table of SSIDs. Then check the
checkbox next to an SSID entry and click Edit MAC Filtering. For Wireless Access
Point (WAP) devices, go to the subsection labeled MAC Filtering to open the page.
Step 4. Choose whether you want to Block (Prevent) or Allow (Permit) the PCs listed
in the table or list of MAC addresses. By default, the table or list is empty. However,
you can add PCs (MAC addresses) to the table or list.
Step 5. Add the desired MAC Addresses to the table or list. The PCs with these MAC
addresses will either be prevented from accessing the network or permitted to access
the network, depending on your selection in Step 4.
Step 6. Save your changes.
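Both procedures above (Access Rules in the router Firewall or WAP Client QoS section, and the MAC Filtering page) reduce to the same kind of decision: match a connecting client against a list and permit or deny it. The following added example, which is not part of the Cisco article and uses function names and a sample policy of my own construction, shows how such a policy is evaluated: access rules are matched top-down with the first match winning and an unmatched source falling to a default action, and MAC addresses are normalised before comparison because devices and operating systems print them in different notations. As the article notes, the MAC check only verifies the address a client claims to have.

```python
import ipaddress
import re

# --- Access rules (router Firewall > Access Rules, or WAP Client QoS > ACL) ---
# Each rule is (action, source network). Rules are evaluated top-down; the first
# match wins and an unmatched source is handled by the default action. The
# first-match and default-deny behaviour here is an assumption for illustration.

def build_rules(rule_specs):
    """Turn [("permit", "192.0.2.0/24"), ...] into [(action, ip_network), ...]."""
    rules = []
    for action, source in rule_specs:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, ipaddress.ip_network(source, strict=False)))
    return rules


def evaluate_acl(rules, source_ip, default="deny"):
    """Return 'permit' or 'deny' for an inbound packet with the given source IP."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in rules:
        if addr.version == network.version and addr in network:
            return action
    return default


# --- MAC filtering (Wireless > MAC Filtering) ---
# aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff all name the same
# interface; compare them in one canonical form so a notation mismatch does
# not silently fail to match.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC address to lower-case, colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_filter_decision(mode, listed_macs, client_mac):
    """Apply the Allow/Block choice from Step 4 to a connecting client's MAC."""
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    listed = {normalize_mac(m) for m in listed_macs}
    in_list = normalize_mac(client_mac) in listed
    if mode == "allow":
        return "permit" if in_list else "deny"   # only listed PCs may connect
    return "deny" if in_list else "permit"       # listed PCs are kept off


if __name__ == "__main__":
    # Constructed sample policy: one blocked host inside a permitted workstation
    # subnet; every other source falls to the default deny.
    acl = build_rules([("deny", "192.0.2.99"), ("permit", "192.0.2.0/24")])
    for ip in ("192.0.2.10", "192.0.2.99", "198.51.100.7"):
        print(ip, "->", evaluate_acl(acl, ip))
    allowed = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d60"]  # constructed MAC list
    for client in ("00-1a-2b-3c-4d-5e", "00:1a:2b:3c:4d:61"):
        print(client, "->", mac_filter_decision("allow", allowed, client))
```

Rule order matters: placing the host-specific deny after the subnet permit would never block that host, which is the same mistake that is easy to make when adding rows in the device's Access Rules table.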
4. Turn on built-in firewalls
Many wireless routers, such as the Cisco RV130W Wireless-N VPN Firewall Router
have built-in firewalls. These should always be enabled to stop malicious and
dangerous traffic from infiltrating your network.
Note: Wireless Access Points (WAPs) do not have firewall functions.
How to enable the Router’s Firewall
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the Firewall section. It is commonly labeled Firewall. If you don’t see this
label or something similar, try Security and look for a Firewall subsection.
Step 3. Find the subsection that allows you to enable the Firewall or the Firewall’s
functions. Each device will be slightly different. Common labels for the subsection are
Basic Settings, Attack Prevention or Content Filtering.
Step 4. If your device has an option labeled Firewall, ensure the Enable check box
next to it is checked.
Note: Only some Routers (RV110, RV215 and RV315) allow you to disable and enable
the Firewall option. Other Routers don’t include this option, and instead let you
configure the specific Firewall functions you want to enable, such as DoS Protection, IP
Address Spoofing Protection, Respond to Ping on WAN(Internet), etc.
Step 5. Save your changes.
5. Hide your Wi-Fi broadcast
If you turn off the “broadcast” function of the SSID on your router and access points,
you make your WLAN more difficult for the general public to locate. WLAN
networking gear by default will regularly broadcast the SSID of your wireless
network over the air, which is helpful for users trying to log on to a free public
hotspot but not necessary for a private company WLAN.
If you don’t want to turn off the broadcast function, you can still make your WLAN
harder to find. Hide your access point devices so a casual observer can’t see them and
set the radio power of each network device to be just strong enough to cover your
facility so the wireless signal can’t be easily picked up outside your building.
How to disable your SSID Broadcast
Step 1. Log in to the web configuration utility of your device.
Step 2. Find the Wireless Settings section. Each device will be slightly different. It is
commonly labeled Wireless. If you don’t see this label or something similar, try
Networks or Port Settings and look for a Wireless subsection.
Step 3. Find the subsection that displays a table or list of SSIDs. As previously stated,
each device will be slightly different. Common labels for the subsection are Basic
Settings or Networks. Common labels for the table or list are Wireless Table or
Virtual Access Points (SSIDs).
Step 4. Edit the desired entry in the table or list of SSIDs to disable the SSID
Broadcast. Some devices may require you to check the checkbox next to an entry and
click Edit in order to enable editing. Uncheck the checkbox in the SSID Broadcast
field to hide your Wi-Fi broadcast.
Step 5. Save your changes.
© 2015 Cisco Systems, Inc. All rights reserved