Restricting Wi-Fi access

  • Question
  • Updated 4 years ago
How can we restrict Wi-Fi access from hackers?

Abu Aminah Conteh


Posted 4 years ago


Mike Kouri, Official Rep

The (probably useless) general answer is "use security". For most small organizations, having everyone use a single common Pre-Shared Key (PSK) is sufficient, until someone leaves the organization. When that happens, you should change the PSK and tell the remaining members of the organization about the new PSK.

Aerohive has a feature we call Private PSK (PPSK) which gives each user their own PSK. When/if one user leaves, you don't have to bother everyone else about changing their wireless configuration, just retire the PPSK associated with that user who left and let everyone else continue to use their own PPSKs.

Does this make sense to you?

Travis Kaufman, Champ

PPSK / RADIUS, VLANs, Access-Lists and Firewall rules... A good place to start.

Crowdie, Champ

Off the top of my head:

  • Only use WPA2 Enterprise authentication when creating your SSIDs.  The only exception to this rule can be the guest SSID where you use the Aerohive access point's DHCP server with external DNS servers to protect the network.
  • Deploy a RADIUS server (or Aruba's ClearPass/Cisco's Identity Services Engine)
  • Utilise the EAP-TLS or PEAP-TLS EAP types - this requires client certificates.
  • Implement Microsoft Certificate Auto-enrolment to push the client certificates to the domain devices and users (or manually deploy the certificates).
  • Utilise group policy to push the wireless profile(s) to users' laptops/desktop PCs and remove the users' ability to modify the wireless profile(s).  This stops users changing their settings, which can make them vulnerable to MITM attacks.
  • Implement VLANs to separate different security level data (corporate, guest, BYOD, etc.) from each other.
  • Utilise the layer seven firewalls in the Aerohive access points to restrict each user's access to only what they require.
  • Configure the WIPS in the Aerohive access points to protect wireless users from spoofed access points.
  • Change the default passwords on the HiveManager and access points.

If you are looking to protect a residential wireless network, I recommend the excellent BackTrack 5 Wireless Penetration Testing by Vivek Ramachandran.  It covers how people are going to attack your residential wireless network.

If you don't understand the terminology above, your first stop should be the CWSP Certified Wireless Security Professional Official Study Guide by David Coleman.  This book is exceptional and should be compulsory reading for all wireless engineers.
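
The checklist above asks for WPA2 Enterprise on every SSID and for wireless profiles that are pushed centrally so users cannot weaken them. As an added example that is not part of the thread, the following audits Windows wireless profiles exported with `netsh wlan export profile` against those two points. It assumes the element names of the Windows WLAN profile schema; the sample profiles, server name and CA thumbprint are constructed and simplified, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

WLAN = "http://www.microsoft.com/networking/WLAN/profile/v1"
NS = {"w": WLAN}

def audit_profile(xml_text):
    """Return (profile name, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="?", namespaces=NS)
    ae = root.find("w:MSM/w:security/w:authEncryption", NS)
    def field(tag):
        return (ae.findtext(f"w:{tag}", default="", namespaces=NS) if ae is not None else "").strip()
    findings = []
    # The post's rule: WPA2 with 802.1X (Enterprise), not a pre-shared key.
    enterprise = field("authentication") == "WPA2" and field("useOneX").lower() == "true"
    if not enterprise:
        findings.append("not WPA2-Enterprise: " + (field("authentication") or "unknown"))
    if field("encryption") != "AES":
        findings.append("cipher is not AES: " + (field("encryption") or "unknown"))
    if enterprise:
        # EAP settings sit in nested namespaces, so match on local element names.
        eap = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in root.iter()}
        if not eap.get("TrustedRootCA"):
            findings.append("no trusted root CA pinned for the RADIUS server")
        if not eap.get("ServerNames"):
            findings.append("no RADIUS server name pinned")
    return name, findings

def sample(name, auth, enc, onex, eap=""):
    """Constructed, simplified profile in the shape `netsh wlan export profile` writes."""
    return (f'<WLANProfile xmlns="{WLAN}"><name>{name}</name><MSM><security>'
            f'<authEncryption><authentication>{auth}</authentication>'
            f'<encryption>{enc}</encryption><useOneX>{onex}</useOneX></authEncryption>'
            f'<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">{eap}</OneX>'
            '</security></MSM></WLANProfile>')

# Constructed values: the server name and CA thumbprint are placeholders.
PINNED = ('<ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">'
          '<ServerNames>radius.example.test</ServerNames>'
          '<TrustedRootCA>00 11 22 33</TrustedRootCA></ServerValidation>')
SAMPLES = [sample("corp-psk", "WPA2PSK", "TKIP", "false"),
           sample("corp-1x-unpinned", "WPA2", "AES", "true"),
           sample("corp-1x", "WPA2", "AES", "true", PINNED)]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        name, findings = audit_profile(xml_text)
        print(name, "OK" if not findings else "; ".join(findings))
```

A profile that uses 802.1X but pins neither a root CA nor a server name will accept any RADIUS server, which is the MITM exposure the group-policy item is meant to close.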