Your small business’s Wi-Fi security is crucial. When you leave your wireless router or access points (APs) completely unprotected, anyone within range of the signal can connect to your wireless Internet, capture your traffic, and possibly access your computers and other network resources. And if you’re using an older network security standard, the security could possibly be hacked, bypassed, and otherwise not provide adequate protection.
You may have been told not to use WEP security as it can be quickly cracked, and that you should instead use Wi-Fi Protected Access: the first version, WPA, or the latest, WPA2. However, you should also understand there are two very different modes, both of which can be used with WPA and WPA2.
1. Personal Mode or Pre-shared Key (PSK)
Personal mode is easiest to setup and requires that you create a simple password on your wireless router or APs then enter it into computers and wireless devices when connecting to the Wi-Fi. Though WPA2 provides strong encryption and security and is potentially uncrackable by hackers if you use a long and strong password, the Personal Mode doesn’t provide adequate protection for businesses with more than a couple of Wi-Fi users.
Since the Wi-Fi password is saved into the computers and devices, if they’re lost, stolen, or an employee leaves the company, anyone can come back to your business and connect to your Wi-Fi. To prevent this you would have to change the Wi-Fi password on all your wireless routers/APs and on each Wi-Fi computer and device.
Additionally, your Wi-Fi network could be susceptible to other vulnerabilities when using this mode, like network users eavesdropping on each other’s traffic and the Wi-Fi Protected Setup (WPS) PIN security hole.
2. Enterprise Mode, or 802.1X or RADIUS Mode
Enterprise mode provides adequate protection for businesses, however it is more complicated to setup, and it requires an external server called a RADIUS or AAA server. Instead of creating a global password on the Wi-Fi routers or APs, each user can receive unique login credentials. You can assign users their own username and password and/or a file (digital certificate) that they install on their computer or device.
Even though users can save these to their computers or devices, if the device is lost or stolen — or the employee leaves the company — you can easily revoke access or change the login credentials on your RADIUS server. Using this mode also prevents other types of attacks, like users eavesdropping on each other’s traffic and the Wi-Fi Protected Setup (WPS) PIN security hole.
Keep in mind that 802.1X authentication can also be implemented on the wired side of your network as well, so users plugging in via Ethernet must also provide login credentials before being granted access. However, wired 802.1X isn’t supported on consumer-level and even some small business-level routers. If you want to use 802.1X on the wired side, your switches must support it.
