You need to secure your home office or small business network so unauthorized people can’t connect and possibly access your files and/or spy on Internet traffic to capture or hijack your online accounts. These six tips can help you secure your small office network.
1. Encrypt Your Wi-Fi
Wireless routers and access points don’t come secured by default. If you don’t enable encryption, anyone can easily connect to your Wi-Fi network. To prevent this you need to use at least the Personal (Pre-shared Key or PSK) mode of WPA or WPA2 security–preferably WPA2 as it’s more secure.
This is the simplest method — you set an encryption password in the wireless router and/or access points and enter the same password on the computers or devices when connecting to the Wi-Fi. Use a strong encryption password: up to 63 characters, mixed upper and lower case, and add in special characters too.
If you have employees, you should use the Enterprise (EAP) mode of WPA or WPA2 security. This is so employees don’t see the encryption password, and so it’s not stored on the computers and devices in case they are lost/stolen.
Access to the Wi-Fi can be based upon usernames and passwords you create for each user, rather than the actual encryption password. Thus, if an employee leaves or a laptop or mobile device is lost or stolen, you can easily change or revoke access for that particular user instead of changing the encryption password on all the equipment.
The Enterprise mode uses 802.1X authentication, which requires a separate RADIUS authentication server. But some select access points include a built-in RADIUS server. There are also hosted services (such as AuthenticateMyWiFi) that make the whole process easy.
2. Physically Secure Equipment and Ports
Make sure all network equipment (routers, switches, access points, etc) are hidden and secured from the public or from visitors. If they’re accessible an intruder may, for example, be able to simply reset your wireless router or access point to remove the encryption and thus easily connect to your network via Wi-Fi.
Also make sure there aren’t any Ethernet wall ports accessible to the public or visitors. An intruder could just plug in and may be able to access your network. Wall ports should only be placed behind desks or in other locations that a visitor typically can’t access. Any unused ports or those open to the public should be disconnected from the network or removed.
3. Limit Access to Shared Folders
Any shared resources on the network (such as shared folders in Windows) should be secured by setting file and/or sharing permissions and defining exactly who has what type of access. For example, maybe the accountant manages the company’s books, but a secretary needs to lookup info for printing the paychecks.
You could give the accountant both Read and Change access and give the Secretary Read-only access so she can’t make any changes to files. You can give yourself Full Control so that no one else can change the File and/or Sharing Permissions.
4. Create a VLAN for Guests
Never let the public or guests onto your private network. Even if you secure shared resources with file and/or sharing permissions, they still may be able to eavesdrop on your Internet traffic to capture or hijack online accounts that you log into.
If you want to offer guest access, assign them to another virtual LAN and separate SSID if your network equipment supports VLANs and/or multiple SSIDs. Otherwise, you might even consider ordering a separate Internet connection and setting up a separate wireless router.
5. MAC Address Filtering
Though MAC address filtering can easily be circumvented by a hacker, it can help deter casual snoopers and make it a little more difficult and time-consuming for hackers to gain access. You determine the computers and devices you want to access the network, and you identify by their unique MAC address. Computers that are not listed won’t be allowed to access the network, but someone could possibly spoof their computer’s MAC address with one that’s on the list.
6. 802.1X Authentication for Wired and Wireless Networks
If you require a very secure network, you should consider using 802.1X authentication on both the wired and wireless portions of your network. As mentioned in the first tip, most businesses should be using the Enterprise mode of Wi-Fi security with 802.1X authentication, requiring a RADIUS server.
If your network switches support 802.1X authentication, you should also implement it on your wired network, too. This helps prevent unauthorized users from easily plugging into your network via an Ethernet wall port. They won’t be allowed onto the network until they enter a valid username and password that you’ve created.
Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security by offering a hosted RADIUS/802.1X service. He is also a freelance tech writer–become a Twitter follower or use the RSS Feed to keep up with his writings.