Network security

15 Ways to Secure Your Business Wi-Fi

Nick Congleton
September 29, 2018 by
Nick Congleton

Top 15 Business Wi-Fi Tips

1. Change the SSID

This one might not sound like a big deal, but it can make it a lot harder for a would-be attacker to gain access to your network. The default SSID that comes with your router gives away what type of router you're using. A hacker can use that information to try specific exploits that target your router.

Change the name of your network to something that doesn't specifically identify your business or your router.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

2. Change the Admin Username and Password

Again, you need to distance yourself from the defaults. They make it too easy for an attacker to know what they're working with and carry out an attack. Change both the admin username and the admin password.

"Admin" is probably one of the most common usernames that hackers test passwords against because too many people don't change defaults. As always, be sure to use a secure passphrase when you do make the change.

3. Use WPA2 Enterprise With AES

WPA2 Enterprise provides the best possible Wi-Fi security, and AES is the strongest Wi-Fi encryption standard. They're both available on most routers. WPA2 Enterprise makes use of a RADIUS server for authentication. The RADIUS server stores user credentials, allowing each user has their own login and making it more difficult for the network to be compromised. Enterprise uses unique keys as well that can be revoked at any time.

If you think it's not worth setting up an enterprise configuration, WPA2 Personal can work too. In any case, you need to be using WPA2 with AES encryption. Do not use TKIP or a mix of TKIP with AES.

4. Secure Your Clients

If you opted for WPA2 Enterprise, you can go a step further in securing your network. “Evil twin” attacks are one of the only types of attacks that are effective against WPA2. They replicate your actual network in an attempt to get client computers to sign in and give away login information. With 802.1X on your client devices, you can have them verify that the network they're connecting to is in fact your real network before sending any information.

5. Better Passphrase Management

Whether you're using WPA2 Personal or Enterprise, you need to employ best practices with your passphrases. Passphrases should be at least 15 characters in length and should be made up of several words, including less commonly-used ones. Always add in numbers and special characters. Force your users to follow those guidelines or assign passphrases to them.

It's always a good idea to set an expiration date on passphrases too. Expiration dates automatically protect against the chance that a passphrase gets compromised.

6. Use a Firewall

Firewalls are important. They're so important that you should probably have two of them! First, enable the firewall that comes standard on your router. Many routers have the firewall enabled by default but check anyway. It's the first line of defense for your network.

Next, unless your router has a more advanced firewall, you should have a second firewall within your network that explicitly restricts access to certain ports and forwards to others. You can also use this firewall to restrict and manage access within your network.

7. Use a VPN

VPNs encrypt everything. That's a big advantage for a lot of reasons. Using a VPN for the traffic leaving your business will obscure the fact that the traffic is yours, which will make it harder for a potential attacker to track you or your employees. It will also encrypt all traffic coming from your business, hiding activity and data exchanged with sites that don't use SSL.

It's also a good idea to use a VPN within your business network. It will allow employees to securely access the network remotely and make it possible for multiple branches in different locations to share the same network.

8. Disable WPS

If your router uses WPS (Wi-Fi Protected Setup), disable it now. WPS was supposed to make Wi-Fi more secure and easier to connect to, but it's a gigantic failure. There are multiple vulnerabilities and plenty of exploits in the wild that can break WPS fast. Don't use it, ever.

9. Disable All Unnecessary Services

Routers tend to come with a multitude of services and features running. While some of them can be legitimately useful, others can be a major security risk. Some go as far as to have SSH, NFS, Samba or even Telnet enabled by default. Don't take any chances: Disable anything that you don't need.

10. Move Your Router to a Secure Location

People often forget that physical access to any computer is easily one of the biggest threats to security. Routers are no different. It's very easy for someone to do any number of things to your router when they can get their hands on it. That includes resetting it and erasing all of your security settings.

Keep your router out of reach. It might be a good idea to keep it in a locked room or office. You can even find locking cabinets, as long as they don't obstruct the signal.

11. Disable DHCP

This one isn't strictly necessary. It can be a real pain to run a network without DHCP but keeping static IP addresses makes things easier to manage. With static IPs, you know exactly which computer is at each IP address, making it easier to see if there's something strange. Without DHCP, it also makes it a bit harder for an intruder to get set up on our network.

12. Shut Down Rogue APs

All your work in securing our network means nothing if an employee spins up their own access point that's terribly insecure. There's no way to ensure that people on your network are configuring APs properly, so it's best to monitor your network for rogue APs and shut them down immediately.

13. Disable Admin Access Over Wi-Fi

It's really convenient to be able to manage your router wirelessly over your network. Unfortunately, that also opens you up to unauthorized access. If anyone within Wi-Fi range can potentially sign in to your router's admin interface, you're allowing a lot more people an opportunity to try to gain access than necessary.

Disable access to the admin interface over Wi-Fi, and only people connected with a wired connection to your router can access it and make changes.

14. Keep Your Firmware Updated

More often than not, people look at routers as appliances. They set them up and never maintain them. That doesn't really work, though: Routers are servers, and like any server, they require maintenance and regular updates. Router firmware updates contain critical security fixes. Make sure to check for updates regularly because it'd be awful to get hit with an exploit that's already been patched for your router.

15. Create a Separate Guest AP With Tighter Security

Not all businesses need to allow guests or customers to access their networks, but some do. If your business falls into this category, create a separate guest AP that you can wall off from the rest of your network.

You can create a second AP on your router and use a firewall to restrict access from that AP to select services that you want your guests to be able to reach.

Closing Thoughts

No security method is perfect but following these 15 steps can greatly improve your business’s Wi-Fi security and prevent a whole host of attacks. The idea here is to make it difficult for a would-be attacker to find out information about your network and eventually get in. Most don't want to go through the trouble and will move on to the next potential target when they see a well secured network.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Always remember that security is ever-evolving, and some of these points may change. Keep yourself informed from reputable sources on the latest trends in network security to find out about new exploits or better security methods as they arise.

Nick Congleton
Nick Congleton

Nick is a freelance tech blogger who specializes in topics of security and open source software. He has a passion for technology and looks to make tech more accessible for everyone.