
Objective

Although Wi-Fi networks are convenient for you and your employees, there may be unwanted clients using up the bandwidth you pay for. In addition, security risks have been an increasing concern for small business wireless networks. In order to protect your small business wireless network from intruders, it is recommended that you:

1. Change all default user names and passwords

2. Turn on data encryption

3. Enable user authentication

4. Turn on built-in firewalls

5. Hide your Wi-Fi broadcast

The objective of this document is to show you how to configure the above tips in order to improve your WLAN security on Cisco Small Business devices.

Note: The information in this document was gathered from Cisco Blogs. The original post can be found here.

Applicable Devices

  • Cisco RV Series Wireless Routers
  • Cisco Wireless Access Points
  • Cisco Unified Communications

Note: Every device has a slightly different interface. The appearance of your web configuration utility and other windows may vary. However, all applicable devices here have similar tools and navigation.

1. Change all default user names and passwords

Change the name of your wireless network - also called the Service Set Identifier (SSID) - on the router and each access point. The default SSID is often the name of the device vendor, such as "ciscosb," and the preset password is typically "password" or no password at all. This information is common knowledge to hackers and leaves your network highly vulnerable to attack. Besides changing the default SSID, make sure to change preset passwords on guest or administrative accounts for all devices.

While having a default SSID is not necessarily a security risk, it does act as a beacon to intruders, pointing the way to a WLAN with weak security. It is recommended to change the SSID, account names, and passwords to obscure and random combinations of 10 or more letters and numbers that are not tied to the name of your company.

How to change the device's SSID and password

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the Wireless Settings section. Each device will be slightly different. It is commonly labeled Wireless. If you don't see this label or something similar, try Networks or Port Settings and look for a Wireless subsection.

Step 3. Find the subsection that displays a table or list of SSIDs. As previously stated, each device will be slightly different. Common labels for the subsection are Basic Settings or Networks. Common labels for the table or list are Wireless Table or Virtual Access Points (SSIDs).

Step 4. Edit the desired entry in the table or list of SSIDs to change the SSID Name. Some devices may require you to check the check box next to an entry and click Edit in order to enable editing.

Step 5. Edit the Security of an SSID entry to change or enable the Password. A Security Mode, such as WEP, WPA or WPA2 must be enabled in order to use a password. Some devices may require you to check the check box next to an entry and click Edit Security Mode in order to select a mode and set the password. Other devices may require you to select the mode from a drop-down list labeled Security or Security Mode in order to set the password.

Note: The Password may be referred to as the Shared Secret, the Key, or the Passphrase.

How to change the administrator account password

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the Administration section. Each device will be slightly different. It is commonly labeled Administration or System Management.

Step 3. Find the subsection that displays the User Accounts. As previously stated, each device will be slightly different. Common labels for the subsection are Users, User Accounts, User Management or Administrator. If you don't see this label or something similar, try Management Interface and look for the Users subsection.

Step 4. Find the area or entry for the Administrator account and configure a new password for the account.

Note: Some devices may not explicitly define a user as the Administrator and instead label the Administrator as a user with Read/Write Access.

2. Turn on data encryption

All WLAN gear supports some form of encryption, such as the weak Wired Equivalent Privacy (WEP) and the stronger Wi-Fi Protected Access (WPA) and WPA2 security protocols. Whenever possible, use WPA or WPA2 as they use the Advanced Encryption Standard (AES) that is intended to provide greater encryption. (If your device gives you AES as an encryption option, always choose that.) Although WEP is included in most WLAN networking devices, it is easily decrypted by hackers and should not be relied on for securing your small business network. Note that each WLAN networking device must be set to the same encryption protocol, so older devices that are not compatible with WPA or WPA2 should be upgraded to support the stronger protocols.

How to turn on data encryption

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the Wireless Settings section. Each device will be slightly different. It is commonly labeled Wireless. If you don't see this label or something similar, try Networks or Port Settings and look for a Wireless subsection.

Step 3. Find the subsection that displays a table or list of SSIDs. As previously stated, each device will be slightly different. Common labels for the subsection are Basic Settings or Networks. Common labels for the table or list are Wireless Table or Virtual Access Points (SSIDs).

Step 4. Edit the Security of an SSID entry to select a Security Mode such as WEP, WPA or WPA2, which enables a form of encryption. Some devices may require you to check the check box next to an entry and click Edit Security Mode in order to select a mode. Other devices may require you to select the mode from a drop-down list labeled Security or Security Mode.

3. Enable user authentication

With user authentication, your WLAN will only allow access to users who have been approved to connect to the network. You can enable user authentication in different ways, depending on the features of your wireless router and access points. If your wireless networking devices support WPA2, you can provide user authentication through 802.1X/EAP (Extensible Authentication Protocol). And if your wireless equipment supports access control lists (ACLs), you can configure the ACLs to filter the traffic that flows in and out of your wireless router and access points so that only certain computers on the network are allowed access to the WLAN.

Another way to enable user authentication is through MAC address filtering. Each wireless device, including laptops, has a unique MAC address, which is tracked by your router and access points. With MAC address filtering, your WLAN gear will only allow chosen MAC addresses to access your wireless network. Note, though, that hackers can easily "spoof" a MAC address to gain access to your network. MAC address spoofing can't be entirely prevented, so you should not rely on MAC address filtering alone for security.

Also, consider turning off Dynamic Host Configuration Protocol (DHCP) on your router and access points and using fixed IP addresses instead of dynamic IP addresses. A range of private IP addresses associated with your WLAN will help prevent intruders from using IP addresses in your DHCP pool to connect to your network.

How to authenticate users with Access Control Lists

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the section that contains an Access Rules subsection. For Routers, go to the section labeled Firewall. If you don't see this label or something similar, try Security. For Wireless Access Point (WAP) devices, go to the section labeled Client QoS. These sections should have an Access Rules subsection.

Step 3. Find the Access Rules subsection. Each device will be slightly different. Common labels for the subsection are Access Rules, Access Control or ACL.

Step 4. Add an Access Rule. Common labels for the button are Add Rule, Add Row, or Add ACL.

Step 5. Configure/Edit the Access Rule to permit or deny traffic from specified IP addresses so that only certain computers on the network are allowed access to the WLAN. In the Source IP field, enter the IP address that you wish to permit or deny access.

Note: If your device lets you choose the direction for the access rule, select Inbound, which applies to traffic that comes from the public internet and goes into your local network. Specify a Source IP address that you want to permit or deny into your network.

Note: For WAPs, you can assign your ACL direction in the Client QoS Association subsection. From the ACL Name Up drop-down list, choose the ACL that applies to traffic entering the WAP in the inbound direction.

How to authenticate users through MAC address filtering

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the Wireless Settings section. It is commonly labeled Wireless.

Step 3. Find the subsection with the MAC Filtering page. For Routers, go to the subsection labeled Basic Settings, which displays a table of SSIDs. Then check the check box next to an SSID entry and click Edit MAC Filtering. For Wireless Access Point (WAP) devices, go to the subsection labeled MAC Filtering to open the page.

Step 4. Choose whether you want to Block (Prevent) or Allow (Permit) the PCs listed in the table or list of MAC addresses. By default, the table or list is empty. However, you can add PCs (MAC addresses) to the table or list.

Step 5. Add the desired MAC Addresses to the table or list. The PCs with these MAC addresses will either be prevented from accessing the network or permitted to access the network, depending on your selection in Step 4.

Step 6. Save your changes.

4. Turn on built-in firewalls

Many wireless routers, such as the Cisco RV130W Wireless-N VPN Firewall Router, have built-in firewalls. These should always be enabled to stop malicious and dangerous traffic from infiltrating your network.

Note: Wireless Access Points (WAPs) do not have firewall functions.

How to enable the Firewall on a Router

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the Firewall section. It is commonly labeled Firewall. If you don't see this label or something similar, try Security and look for a Firewall subsection.

Step 3. Find the subsection that allows you to enable the Firewall and its functions. Each device will be slightly different. Common labels for the subsection are Basic Settings, Attack Prevention or Content Filtering.

Step 4. If your device has an option labeled Firewall, ensure the Enable check box next to it is checked.

Note: Only some Routers (RV110, RV215 and RV315) allow you to disable and enable the Firewall option. Other Routers don't include this option, and instead let you configure the specific Firewall functions you want to enable such as DoS Protection, IP Address Spoofing Protection, Respond to Ping on WAN(Internet), etc.

Step 5. Save your changes.

5. Hide your Wi-Fi broadcast

If you turn off the "broadcast" function of the SSID on your router and access points, you make your WLAN more difficult for the general public to locate. WLAN networking gear by default will regularly broadcast the SSID of your wireless network over the air, which is helpful for users trying to log on to a free public hotspot but not necessary for a private company WLAN.

If you don't want to turn off the broadcast function, you can still make your WLAN harder to find. Hide your access point devices so a casual observer can't see them and set the radio power of each network device to be just strong enough to cover your facility so the wireless signal can't be easily picked up outside your building.

How to disable your SSID Broadcast

Step 1. Log in to the web configuration utility of your device.

Step 2. Find the Wireless Settings section. Each device will be slightly different. It is commonly labeled Wireless. If you don't see this label or something similar, try Networks or Port Settings and look for a Wireless subsection.

Step 3. Find the subsection that displays a table or list of SSIDs. As previously stated, each device will be slightly different. Common labels for the subsection are Basic Settings or Networks. Common labels for the table or list are Wireless Table or Virtual Access Points (SSIDs).

Step 4. Edit the desired entry in the table or list of SSIDs to disable the SSID Broadcast. Some devices may require you to check the check box next to an entry and click Edit in order to enable editing. Uncheck the check box in the SSID Broadcast field to hide your Wi-Fi broadcast.

Step 5. Save your changes.
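Once the five tips are configured, the settings can be re-checked from a hand-kept inventory. The script below is an added example, not Cisco code: the Ssid record, the finding names and the sample inventory are hypothetical, and the values are assumed to be copied by hand from each device's web configuration utility.

```python
from __future__ import annotations
from dataclasses import dataclass

# Defaults named in the article; extend with your own vendors' values.
DEFAULT_SSIDS = {"ciscosb"}
DEFAULT_PASSWORDS = {"", "password"}
MIN_LENGTH = 10          # article: "10 or more letters and numbers"
WEAK_MODES = {"", "NONE", "WEP"}

@dataclass
class Ssid:              # hypothetical record, one per SSID table entry
    name: str
    security_mode: str   # "None", "WEP", "WPA" or "WPA2"
    passphrase: str
    broadcast: bool
    mac_filtering: bool

def audit(ssid: Ssid, company: str, firewall_enabled: bool) -> list[str]:
    """Return the findings for one SSID, in the order of the article's tips."""
    findings = []
    name, mode = ssid.name.lower(), ssid.security_mode.upper()
    if name in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if company and company.lower() in name:
        findings.append("ssid-names-company")
    if ssid.passphrase.lower() in DEFAULT_PASSWORDS:
        findings.append("default-password")
    elif len(ssid.passphrase) < MIN_LENGTH:
        findings.append("short-password")
    if mode == "WEP":
        findings.append("wep-encryption")
    elif mode in WEAK_MODES:
        findings.append("no-encryption")
    if ssid.mac_filtering and mode in WEAK_MODES:
        findings.append("mac-filter-is-only-control")
    if not firewall_enabled:
        findings.append("firewall-off")
    if ssid.broadcast:
        findings.append("ssid-broadcast-on")
    return findings

# Constructed sample inventory (not from a real network).
INVENTORY = [
    Ssid("ciscosb", "WEP", "password", True, True),
    Ssid("Acme-Guest", "WPA2", "acme2024", False, False),
    Ssid("q7x2m9k4tz", "WPA2", "h3Tq8vZp2Lm5Rc", False, False),
]

if __name__ == "__main__":
    for entry in INVENTORY:
        print(entry.name, audit(entry, "Acme", firewall_enabled=True))
```

An empty list means the entry follows all five tips; for WAPs, which have no firewall function, pass firewall_enabled=True so that check is skipped.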
