Wireless networks are vulnerable to several high-impact cyber-attacks, including eavesdropping on confidential data, unauthorized network access, and denial of service. Enforcing best practices for wireless access point security minimizes these risks and helps ensure compliance with industry regulations.
Securing a wireless network occurs at multiple network layers and on different network nodes. This blog focuses on best practices for securing the wireless Access Point to which all wireless devices connect in the enterprise environment.
Access points control how wireless devices connect to the network and send data over the air, acting as a bridge between the wireless and wired network. Devices that combine Access Points with router functionality are called wireless routers, where the router routes data packets over the wired network. When implementing security measures, it is essential to distinguish between Access Points and routers.
This tech tip is focused on best practices for access point security.
Table of Contents
- Exploring the security benefits of autonomous and centrally controlled Access Points
- Enhancing security by minimizing Access Point misconfigurations
- Safeguarding security when supporting legacy equipment
- Maximizing Access Point security by leveraging diverse security types [3] for access control
- Maintaining Access Point security by scanning for nefarious behavior
- Optimizing Access Point security by reviewing default configuration settings
- What action should you take next?
Exploring the security benefits of autonomous and centrally controlled Access Points
The Access Point and router functions are typically combined in the same physical appliance. Other functions can also run on the same physical hardware as the Access Point, including:
- RADIUS AAA services.
- Configuration and management functions.
- Wireless intrusion detection and prevention capabilities.
- Firewall and data filtering.
Access Points that have these additional functions enabled are called autonomous, intelligent, or fat Access Points. Homes and small businesses typically deploy autonomous Access Points.
Access Points deployed without this additional functionality are thin, lightweight, or controlled Access Points.
- Best Practice for Wireless Access Point Security
Deploy lightweight Access Points with a central Wireless LAN Controller (WLC) [1]. It is easier to enforce wireless Access Point security policies and procedures consistently across a wireless LAN from a central location.
Enhancing security by minimizing Access Point misconfigurations
An Access Point can be configured directly by connecting a cable to a physical console, Ethernet port, or USB physical port. Alternatively, it can be configured via the network, where a Wireless LAN Controller (WLC) pushes the operational and security configuration to the Access Point.
Managing Access Point configurations with a central WLC simplifies deployment and minimizes the risk of configuration errors. It also allows any attempt by a hacker to change the configuration by directly connecting a cable to the Access Point to be detected and thwarted.
- Best Practice for Wireless Access Point Security
Push down Access Point configurations from a central controller. Network misconfigurations represent a significant security risk that sometimes goes undetected for years, leaving the network vulnerable to attack.
- Best practice for Wireless Access Point Security
Disable any unused physical ports on the Access Point. Hackers could connect to the Access Point via an open port and downgrade the security settings, allowing the hacker access to the wireless network.
Safeguarding security when supporting legacy equipment
Wi-Fi networks are designed to support legacy versions, such as 802.11a, b, g, and n. This backward compatibility allows organizations to deploy the latest Wi-Fi technology and advanced features while allowing older user devices to connect. Legacy equipment may not support the latest security mechanisms; for example, client devices might not support Protected Management Frames (PMF), which protect against client deauthentication and disassociation attacks.
Upgrading all legacy client devices may be cost-prohibitive. However, supporting the connectivity of legacy devices leaves the wireless network vulnerable to attack.
- Best practice for Wireless Access Point Security
New equipment purchases should support the latest Wi-Fi Alliance Wireless Protected Access (WPA3) standard. WPA3 includes several essential security enhancements, including mandating PMF and replacing Pre-Shared Key (PSK) authentication with the more secure Simultaneous Authentication of Equals (SAE) [2].
- Best practice for Wireless Access Point Security
Identify legacy equipment and the risks it represents. Once the risk is understood, take steps to mitigate any vulnerabilities. Mitigation steps may include mapping legacy device traffic to separate VLANs and restricting legacy devices from connecting to specific wireless networks (SSIDs).
Maximizing Access Point security by leveraging diverse security types [3] for access control
Administrators configure security policies for different types of users. For example, employees connecting to the employee wireless network must use 802.1X authentication, and visitors joining the guest wireless network must use password-based authentication.
- Best practice for Wireless Access Point Security
Use 802.1X port-based authentication when feasible. 802.1X authentication offers the most robust protection for network access. When using 802.1X for authentication, AAA and user directory services, such as RADIUS and Active Directory, are typically used to manage user accounts and passwords.
Many organizations provide free Wi-Fi access to the public. Managing guest passwords can be burdensome, so these organizations typically provide network access without requiring authentication.
- Best practice for Wireless Access Point Security
When using open authentication, redirect the user to a web server where they must accept the terms and conditions before using the network. This redirect protects the organization from liability should the user use the network for illegal activities.
- Best practice for Wireless Access Point Security
Turn on Opportunistic Wireless Encryption (OWE) in public Wi-Fi networks. OWE establishes an encryption key between the client and the Access Point to protect user traffic.
Maintaining Access Point security by scanning for nefarious behavior
Wi-Fi networks operate in license-exempt frequency bands, which means they are not protected from other devices transmitting close by. Interference from these transmitters can be highly disruptive to an organization’s wireless network.
Although not common, a hacker could execute a denial-of-service attack by intentionally introducing interference using a device such as a jammer. Directional antennae and high-power transmitters allow the hacker to perform this attack without being near the wireless network.
- Best practice for Wireless Access Point Security
Configure some Access Points to scan the unlicensed frequency bands and identify transmitting devices. If the wireless network becomes unavailable, it is important to be able to determine if it is under attack.
A more serious security concern is rogue Access Points. Rogue Access Points are connected to the enterprise’s wired network without permission. Although a hacker may connect rogue Access Points to the enterprise network, it is more common for employees to unknowingly connect their personal Access Points to the network without realizing the security implications. These Access Points can provide a hacker with a backdoor entrance to the enterprise network and access to the security credentials of clients that connect to these rogue Access Points.
Most enterprise Access Points can be configured to scan the radio frequency (RF) and identify unknown Access Points. Access Points can be configured to scan continually or periodically. Access Points that scan periodically perform normal Access Point operations between scans. Continuous scanning requires dedicated Access Points, which may be cost-prohibitive. Alternatively, a device like CyberScope® can conduct monthly or quarterly scans. How often a rogue Access Point scan is performed is based on the organization’s perceived security risk.
- Best practice for Wireless Access Point Security
Scan for unidentified Access Points and disconnect all rogue Access Points. Not all unidentified Access Points are rogue Access Points. For example, neighboring Access Points not connected to your network are not rogue. Rules should be configured to identify rogue Access Points and trigger the appropriate alarms.
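The rule-based triage described above, as an added example that is not part of the original post and not how CyberScope or any WLC implements rogue detection: it takes a list of scan results and classifies each Access Point as authorized (in the WLC inventory), rogue (unknown radio whose hardware also shows up on a wired switch port, i.e. attached to the enterprise LAN), suspect (unknown radio advertising one of the organization's own SSIDs) or neighbor (everything else). The inventory, the wired MAC table, the scan data and the "same vendor block, last octet differs" heuristic are all constructed assumptions.

```python
"""Review RF scan results and flag rogue Access Points.

Added example: not part of the original post and not a CyberScope or WLC
feature.  The inventory, the wired-switch MAC table and the scan results are
constructed sample data; both rules are assumptions that mirror the post's
definition (a rogue AP is an unknown AP attached to the enterprise wired network).
"""
from dataclasses import dataclass

# Constructed: BSSIDs of the Access Points the WLC manages.
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:c0": "AP-Floor1-01",
    "00:11:22:aa:bb:d0": "AP-Floor1-02",
}

# Constructed: SSIDs the organization itself broadcasts.
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}

# Constructed: MAC addresses learned on the wired switches (their CAM tables).
WIRED_MACS = {
    "00:11:22:aa:bb:c1",  # Ethernet side of AP-Floor1-01
    "00:11:22:aa:bb:d1",  # Ethernet side of AP-Floor1-02
    "3c:5a:b4:10:20:31",  # Ethernet side of a device nobody registered
    "a4:34:d9:55:66:77",  # an ordinary workstation
}


@dataclass
class ScanResult:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


@dataclass
class Verdict:
    bssid: str
    ssid: str
    classification: str  # "authorized", "rogue", "suspect" or "neighbor"
    reason: str


def _same_device(bssid: str, wired_mac: str) -> bool:
    """Heuristic (assumption): an AP's radio BSSID and its Ethernet MAC come from
    the same vendor block and differ only in the last octet, so a wired MAC that
    shares the first five octets with a BSSID belongs to the same box."""
    return bssid.split(":")[:5] == wired_mac.lower().split(":")[:5]


def classify(result: ScanResult) -> Verdict:
    bssid = result.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return Verdict(bssid, result.ssid, "authorized",
                       f"managed AP {AUTHORIZED_BSSIDS[bssid]}")
    # Rule 1: an unknown radio whose hardware also appears on a wired switch port
    # is, by the post's definition, a rogue AP: it bridges the air to the LAN.
    wired = sorted(m for m in WIRED_MACS if _same_device(bssid, m))
    if wired:
        return Verdict(bssid, result.ssid, "rogue",
                       f"wired MAC {wired[0]} seen on the LAN")
    # Rule 2: an unknown radio advertising a corporate SSID is not proven to be
    # on the LAN, but clients may hand it their credentials; raise it for review.
    if result.ssid in CORPORATE_SSIDS:
        return Verdict(bssid, result.ssid, "suspect",
                       "unknown AP advertising a corporate SSID")
    # Everything else is a neighbor: unrelated and not on the wired network.
    return Verdict(bssid, result.ssid, "neighbor",
                   "not in inventory, not on the wired network")


def review_scan(results):
    return [classify(r) for r in results]


def alarms(verdicts):
    """Verdicts that should trigger an alarm, rogue first, then suspect."""
    order = {"rogue": 0, "suspect": 1}
    return sorted((v for v in verdicts if v.classification in order),
                  key=lambda v: order[v.classification])


# Constructed sample scan, as an AP in periodic scan mode might report it.
SAMPLE_SCAN = [
    ScanResult("00:11:22:aa:bb:c0", "CorpWiFi", 36, -48),
    ScanResult("3C:5A:B4:10:20:30", "HomeNet", 6, -61),
    ScanResult("d8:0d:17:01:02:03", "CorpWiFi", 1, -70),
    ScanResult("5c:e3:0e:aa:bb:cc", "CoffeeShop", 11, -82),
]

if __name__ == "__main__":
    for v in review_scan(SAMPLE_SCAN):
        print(f"{v.bssid}  {v.ssid:<11} {v.classification:<10} {v.reason}")
```

Note that the first rule deliberately depends on data from the wired side (the switch MAC tables), not on the RF scan alone: the post's point is that a rogue AP is defined by its connection to the enterprise network, and the neighbor's AP across the hallway, however strong its signal, is not one.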
Optimizing Access Point security by reviewing default configuration settings
Wireless network design determines critical settings such as frequency bands, channel bandwidth, and power levels. Network administrators configure each logical network (SSID) and the associated security parameters. Many organizations leave less critical settings, such as QoS, SSID beacon broadcast, and legacy 802.11 support, with their default values.
- Best practice for Wireless Access Point Security
Disable Access Point features that are not being used. This minimizes the number of vulnerabilities that a hacker could exploit.
- Best practice for Wireless Access Point Security
Configure the SSID to be visible in the Beacon. Hiding the SSID does not offer a security advantage. Hackers can discover the SSID by listening to other messages, such as Probe Requests, that contain the SSID in clear text.
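A configuration review that turns the best practices on this page (unused ports disabled, unused services off, legacy 802.11b rates off, WPA3 with PMF required, OWE plus a terms-and-conditions redirect on the guest SSID, SSID broadcast on, and legacy devices confined to their own SSID and VLAN) into repeatable checks, as an added example that is not part of the original post and not a CyberScope or WLC feature. The configuration layout is an assumption, a flat dictionary such as a controller's JSON export might produce; the field names and the two sample configurations are constructed.

```python
"""Audit an Access Point's exported settings against the best practices in this post.

Added example: not part of the original post and not a feature of any vendor's
WLC or of CyberScope.  The configuration layout (a flat dictionary), its field
names and both sample configurations are constructed for illustration.
"""

WPA3_MODES = {"WPA3-SAE", "WPA3-Enterprise", "OWE"}


def check_physical_ports(cfg):
    """Ports that are enabled but unused give someone with physical access a way in."""
    return [f"disable unused physical port '{name}'"
            for name, port in cfg["physical_ports"].items()
            if port["enabled"] and not port["in_use"]]


def check_services(cfg):
    """Every enabled management service that nobody needs is attack surface."""
    return [f"disable unused service '{svc}'"
            for svc, enabled in cfg["services"].items()
            if enabled and svc not in cfg["required_services"]]


def check_radios(cfg):
    """Legacy 802.11b rates are usually left on by default and rarely needed."""
    return [f"disable 802.11b legacy rates on radio '{band}'"
            for band, radio in cfg["radios"].items()
            if radio.get("allow_80211b_rates")]


def check_ssids(cfg):
    findings = []
    for s in cfg["ssids"]:
        name = s["name"]
        if s["hidden"]:
            findings.append(f"SSID '{name}': broadcast the SSID; hiding it adds no security")
        if s["security"] == "open":
            findings.append(f"SSID '{name}': enable OWE so guest traffic is encrypted")
            if not s.get("captive_portal"):
                findings.append(f"SSID '{name}': redirect users to a terms-and-conditions page")
            continue
        if s.get("legacy_exception"):
            # Legacy devices are tolerated only when isolated on their own VLAN.
            if any(o["vlan"] == s["vlan"] for o in cfg["ssids"] if o is not s):
                findings.append(f"SSID '{name}': legacy SSID must use a dedicated VLAN")
            continue
        if s["security"] not in WPA3_MODES:
            findings.append(f"SSID '{name}': migrate from {s['security']} to WPA3")
        if s["pmf"] != "required":
            findings.append(f"SSID '{name}': set Protected Management Frames to required")
    return findings


def audit(cfg):
    """Run every check and return the list of findings (empty means compliant)."""
    findings = []
    for check in (check_physical_ports, check_services, check_radios, check_ssids):
        findings.extend(check(cfg))
    return findings


# Constructed: an AP left at typical default settings.
DEFAULT_AP_CONFIG = {
    "name": "AP-Floor1-01",
    "services": {"ssh": True, "telnet": True, "wps": True, "snmp_v2c": True},
    "required_services": {"ssh"},
    "physical_ports": {
        "console": {"enabled": True, "in_use": False},
        "eth0": {"enabled": True, "in_use": True},
        "usb0": {"enabled": True, "in_use": False},
    },
    "radios": {"2.4GHz": {"allow_80211b_rates": True}, "5GHz": {"allow_80211b_rates": False}},
    "ssids": [
        {"name": "CorpWiFi", "hidden": True, "security": "WPA2-PSK", "pmf": "optional", "vlan": 10},
        {"name": "CorpGuest", "hidden": False, "security": "open", "pmf": "disabled", "vlan": 20,
         "captive_portal": False},
    ],
}

# Constructed: the same AP after the best practices have been applied; the
# legacy SSID is the documented exception, kept on its own VLAN.
HARDENED_AP_CONFIG = {
    "name": "AP-Floor1-01",
    "services": {"ssh": True, "telnet": False, "wps": False, "snmp_v2c": False},
    "required_services": {"ssh"},
    "physical_ports": {
        "console": {"enabled": False, "in_use": False},
        "eth0": {"enabled": True, "in_use": True},
        "usb0": {"enabled": False, "in_use": False},
    },
    "radios": {"2.4GHz": {"allow_80211b_rates": False}, "5GHz": {"allow_80211b_rates": False}},
    "ssids": [
        {"name": "CorpWiFi", "hidden": False, "security": "WPA3-Enterprise", "pmf": "required", "vlan": 10},
        {"name": "CorpGuest", "hidden": False, "security": "OWE", "pmf": "required", "vlan": 20,
         "captive_portal": True},
        {"name": "CorpLegacy", "hidden": False, "security": "WPA2-PSK", "pmf": "optional", "vlan": 30,
         "legacy_exception": True},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Running it against the default configuration produces eleven findings and against the hardened one none; the checks are deliberately written as a list of small functions so that a team can add its own rules (for instance a minimum firmware version) without touching the rest, and the output doubles as the checklist the closing section of this post asks for.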
What action should you take next?
While best practices are industry-recognized methods, there are instances when they are not suitable for an organization. For example, a particular business need or a financial limitation may make a best practice irrelevant or impractical.
After reading this blog, you should:
- Create a checklist of wireless Access Point security best practices that should be implemented in your network.
- Expand the checklist to include general security best practices, such as using long, complex passwords and implementing security updates as soon as possible.
- Use your wireless Access Point security checklist as a benchmark to evaluate the protection effectiveness of your enterprise wireless network.
[1] Wireless LAN Controllers (WLCs) may be deployed as a physical appliance, a network card, or virtually in the cloud.
[2] For an explanation of the different Wi-Fi authentication methods, check out the blog “What is Wi-Fi security, wireless network, and security.”
[3] For a description of the different wireless security types, check out the blog “What wireless security types are there. CyberScope explains.”