Security Step 3: Fortify Your Network

05/26/2016

Wi-Fi networks make it easy to connect the systems in your practice, both to each other and the outside world. However, they often make it easy for an intruder to gain access to those same systems, and the data therein. You can significantly reduce this risk by making a few important changes to your network configuration.

Secure Administrator Access
Start by setting a strong password for administrative access to your wireless router. Many networks are breached because the default password was never changed. You will need to log in to your router’s configuration website to reset this password and update the other security options discussed in this tip. For most wireless routers, you access this website by entering “192.168.1.1” or “192.168.0.1” into your browser address bar. (Make sure you are connected to your network first, either via an Ethernet cable or Wi-Fi).

securityseries3-routerlogin2

With administrator access locked down, you should now secure access to the network itself. Most wireless routers today support a primary Wi-Fi network, one or more guest networks, and wired, local network (LAN) ports to connect directly to the router. We recommend that you keep your office devices and staff on the primary Wi-Fi (your “private” Wi-Fi network) or LAN, and use a guest network for any clients or visitors who need internet access.

pullquote-securityblog3-3

Enforce Wi-Fi Authentication
Access to all of your Wi-Fi networks needs to be password protected. For small businesses, the predominant standard is referred to as WPA2-PSK or WPA2-Personal, or just WPA2 (WPA2-Enterprise can provide more flexible authentication options for larger practices with many users, but requires additional configuration which may require IT services). With WPA2-PSK, a shared password is used to access the network. Use your password manager to generate a different, strong password for both your private and guest Wi-Fi networks.

From your browser, you will need to find the wireless settings section of your router’s configuration. For each wireless network, you should:

greencheck-blog-20x20Set a network name, or SSID. This is what users will see when they choose from available wireless networks. Clearly differentiate your private and guest network names.
greencheck-blog-20x20Choose “WPA2-PSK” for the network authentication method and “AES” for the encryption method. Depending on your router, these may be grouped together or split into two separate options, and they may use different labels like “WPA2-Personal” or “WPA2”. Do not use “WEP”, “WPA” (without the “2”), or “TKIP” (without “AES” included) since these options are less secure and may be easily circumvented.
greencheck-blog-20x20Enter the password you generated for the network, also known as the pre-shared key.

securityseries3-wirelessrouter

Limit Guest Access
Your guest network is there to keep your clients and visitors separate from your private network — and out-of-reach of your confidential information. If you’re not careful, however, you may inadvertently allow your guests much greater access. When configuring your guest network, you may see an option to allow guests to access your LAN, local network, or intranet. Make sure you do not allow LAN access so that your guests cannot reach office systems that are wired directly to the router.

Physical Security
Keep in mind that wireless routers can typically be reset to their factory configuration with the push of a button or a straightened paperclip. And once reset, the default password is the only defense between an attacker and your network. If possible, keep your wireless router in a locked enclosure or cabinet with the reset mechanism inaccessible.

After completing these steps, you will have locked down access to your network configuration and created a secure way to connect your staff and clients to the network resources they need. Next week we will focus on steps you can take to secure the systems connected to this network.