Published Apr 25, 2013 by Alex Doolittle
If you have a wireless network, you may have asked yourself, “Is a wireless network secure enough for data sensitive work, like banking?” This is an excellent question to ask, and the answer is conditionally: “yes, if you’ve adequately secured your connection.” What, then, is adequately secured?
Without enabling any of the security features on your wireless access point, any traffic between your devices and the network is sent without modification. Anyone within range of your wireless network can listen to, or “sniff”, the signal that you’re using and record the data. Everything that you transmit is out in the open, and while some institutions such as banks protect the information you send, it is still undesirable to have this information accessible to anyone within receiving range. Additionally, there is nothing stopping an outsider from connecting to your network and having access to your connected technology resources such as printers and network file shares. Given the right set of tools and time, anything you transfer could be available to those with malicious intent. As a business, it may not only be your information that is vulnerable. Customer payment methods, contact information, and proprietary company data are just a few of the pieces of information that you want protected.
What is encryption?
Encryption is the process of taking some type of information such as text or computer data, and converting it into a different, unreadable form. The data is known as “plain text” until it changes form, and it becomes known as “ciphertext.” This ciphertext is not readable on its own, but requires conversion back to its original form. Conversion of the information is done with the use of a “key”, which is a special type of data that specifies how the information is to be transformed. As long as this key is only known to people who you want to have access to the information, it can be considered secure. Encrypting information makes it unreadable in transit, and helps to ensure only the intended recipient has access to it.
What are my wireless encryption options?
One of the early methods of encryption for wireless networks was known as Wired Equivalent Privacy, or WEP. The problem with WEP was that it didn’t live up to the name. There was a weakness in the way the encryption was implemented, and it wasn’t long before anyone with Google and a little techie know-how could connect to your network. Initially this process could take a long time, but through certain techniques this process has been reduced to minutes, making WEP ineffective at protecting wireless transmissions for the last decade.
Due to the weakness inherent in WEP, the trade association responsible for certifying WiFi products came up with a new standard known as Wireless Protected Access, or WPA. WPA was intended as an intermediate measure to secure wireless networks until the more secure WPA2 was finalized in 2004. While much more secure than WEP, WPA and WPA2 still suffer from vulnerability to “brute-force” attacks which rely on repeatedly guessing different passwords until a match is found. WPA/WPA2 do not have the weakness that existed with WEP, and as of today are still considered secure as long as certain best-practices are followed when implementing networks to mitigate the vulnerability to brute-force attacks.
With WPA/WPA2, there are two options for implementation. The first is known as “personal” mode, where all devices on the network share the exact same key. This would be like having a regular door lock to your office, with a single key and lots of copies for all your employees. The problem here is that if one key is stolen, you have to re-key the lock and give out new keys. This is okay as long as you only have a handful of the same key to replace, but if you have more devices it can become a hassle to change your entire network this way. The second method of implementation is known as “enterprise” mode, and requires an additional piece of equipment that stores credentials. Every device on the network is given its own key to connect instead of sharing a single key. This would be like having a keypad lock on your office, and each employee having their own combination. If one combination is compromised or an employee leaves the company, it is a much easier task to simply invalidate the combination and give the user a new one.
Our recommendation is to implement WPA2, and if you do not have a large quantity of wireless devices, to use it in “personal” mode. This represents a high level of security with lower cost than enterprise mode. If you find yourself having to reconfigure your network regularly due to theft of devices or employee turnover, however, then enterprise mode may be appropriate for you in order to simplify management of the network. In addition, using a strong 13 character or longer value for the key will ensure that brute-force attacks are unlikely, and reading your data would take thousands of man-years.
Remember that regardless of the encryption methods in place, given enough time and resources, your data can eventually be compromised. The intent of encryption, however, is to make the time and resources required unreasonably large. This is what was meant by “adequate” security. Does your attacker really have thousands of man-years to spend trying to crack open your encrypted data?