Secure Wi-Fi best practices
Wireless networks are popular targets for cybersecurity attacks because they're more accessible and often less secure than a wired LAN. This guide shows you how a wireless network's settings affect its security, ways a threat actor can attack a wireless network, and what you can do to prevent these attacks.
SSID basic settings
A Service Set Identifier (SSID) is a unique identifier for a wireless network. Because access points broadcast SSIDs over a wide area, they're vulnerable to interception, duplication, and attack. When configuring SSIDs for your wireless network, each setting introduces another layer of security.
SSID
Before creating a wireless network, we recommend performing a site survey. This survey provides you with information about all of the neighboring SSIDs. You want to choose an SSID unique to your environment that won't be easily mistaken for a neighboring SSID. This reduces the risk of unauthorized users trying to connect to your network. We also recommend periodically performing post-deployment surveys to look for rogue access points trying to impersonate your SSID to capture user credentials.
Potential attack
Karma attack (Evil twin)
Threat
Wireless devices will attempt to connect to any known access points, so long as the wireless adapter is turned on and not connected to another network. This behavior causes the device to constantly broadcast an unencrypted list of known networks. Monitoring these broadcasts can indicate when users use unencrypted wireless access points in their homes and while traveling. A threat actor may be able to set up an access point that replicates one or more of these networks. If a wireless device connects to the threat actor's access point, the threat actor may be able to perform man-in-the-middle attacks against the device. The threat actor may also be able to attack the device directly.
Remediation
Use site surveys to identify possible rogue devices. See the following pages:
Use features such as MAC-based port security and 802.1X port-based Network Access Controls (NAC) to prevent the introduction of rogue devices onto the network. To reduce the risk of a threat actor creating a rogue access point, users should enable encryption on their home networks and connect only to trusted networks. Best practices for users include clearing the list of remembered access points from wireless devices and making sure that the wireless device doesn't automatically connect to configured networks, especially when those networks don't use strong encryption.
Encryption mode
The encryption mode protects the network and its data from unauthorized access. It makes sure that data on the network is unreadable if a threat actor intercepts network traffic. Always use the strongest encryption mode supported by the devices in your environment. If certain devices on the network don't support strong encryption, such as WPA3, you can create a separate network for these devices to minimize the number of devices using weaker encryption.
Potential attacks
Network uses Wired Equivalent Privacy (WEP) encryption
Threat
WEP is a legacy wireless network security function. Well-known attacks against WEP exploit how it uses RC4 ciphers and initialization vectors. This results in a passive attack that can recover the RC4 key quickly. Depending on the amount of network traffic and the number of packets available for inspection, a successful key recovery can take as little as a few minutes. This recovered key allows the attacker to authenticate to the wireless network and attack other connected systems and networks.
Remediation
Turn off WEP on all wireless networks. Use WPA2 or WPA3 with strong, rotating keys or enterprise encryption with RADIUS authentication. See the following pages:
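The site-survey and post-deployment checks recommended above, and the "turn off WEP" remediation here, can both be automated against a scanner export. The following Python is an added example, not code from the original page or from Sophos: it takes a constructed CSV survey (SSID, BSSID, security mode, channel, signal) and a constructed inventory of managed access points, then flags any BSSID that advertises one of your SSIDs without being in your inventory (an evil-twin candidate), any managed AP whose observed mode differs from what you configured, and any network still running WEP or open authentication. The inventory, BSSIDs and CSV layout are assumptions for the example.

```python
import csv
import io

# Constructed inventory of the access points we manage: BSSID -> (SSID, security mode).
# These values are illustrative and not taken from the original page.
MANAGED_APS = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", "WPA3-SAE"),
    "aa:bb:cc:00:00:02": ("CorpWiFi", "WPA3-SAE"),
    "aa:bb:cc:00:00:03": ("Guest", "WPA2-PSK"),
}

# Constructed site-survey export, one row per observed BSSID, in the shape many
# scanners can produce. Signal is in dBm.
SURVEY_CSV = """\
ssid,bssid,security,channel,signal
CorpWiFi,aa:bb:cc:00:00:01,WPA3-SAE,36,-41
CorpWiFi,aa:bb:cc:00:00:02,WPA3-SAE,44,-55
CorpWiFi,de:ad:be:ef:00:01,WPA2-PSK,6,-60
Guest,aa:bb:cc:00:00:03,WPA2-PSK,1,-48
Printer-Net,11:22:33:44:55:66,WEP,11,-70
CoffeeShop,66:55:44:33:22:11,OPEN,1,-80
"""

# Modes the page tells you to turn off or never rely on.
WEAK_MODES = {"WEP", "OPEN"}


def parse_survey(text):
    """Parse a survey export into dicts with normalised BSSIDs and numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ssid": row["ssid"],
            "bssid": row["bssid"].strip().lower(),
            "security": row["security"].strip().upper(),
            "channel": int(row["channel"]),
            "signal": int(row["signal"]),
        })
    return rows


def audit_survey(rows, managed=MANAGED_APS):
    """Return (kind, bssid, detail) findings for rogue SSIDs and weak encryption."""
    findings = []
    our_ssids = {ssid for ssid, _ in managed.values()}
    for r in rows:
        ssid, bssid, sec = r["ssid"], r["bssid"], r["security"]
        if ssid in our_ssids and bssid not in managed:
            # Our SSID advertised by a BSSID we do not own: evil-twin / rogue AP candidate.
            findings.append(("ROGUE_SSID", bssid,
                             f"{ssid} advertised by unmanaged BSSID on channel {r['channel']} ({sec})"))
        elif bssid in managed and managed[bssid][1].upper() != sec:
            # One of our APs is not running the mode we configured.
            findings.append(("MODE_MISMATCH", bssid,
                             f"{ssid} expected {managed[bssid][1]} but observed {sec}"))
        if sec in WEAK_MODES:
            kind = "WEAK_MODE_MANAGED" if bssid in managed else "WEAK_MODE_NEIGHBOR"
            findings.append((kind, bssid, f"{ssid} uses {sec}"))
    return findings


if __name__ == "__main__":
    for kind, bssid, detail in audit_survey(parse_survey(SURVEY_CSV)):
        print(f"{kind:20} {bssid}  {detail}")
```

Run it on a real export by replacing `SURVEY_CSV` with the scanner's output and `MANAGED_APS` with your controller's AP list; a `ROGUE_SSID` finding is the signal to locate the device physically, and a `WEAK_MODE_MANAGED` finding means one of your own SSIDs still needs its encryption mode raised.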
WPA2 Enterprise EAP-PEAP MSCHAPv2
Threat
If wireless clients use WPA2 Enterprise with EAP-PEAP MSCHAPv2 user authentication but aren't configured to validate the authentication server's certificate, or if users are allowed to accept a new server identity themselves, a threat actor in range of a wireless device may be able to impersonate the trusted authentication service and capture the user's credentials. The threat actor can use captured credentials to connect directly to the wireless infrastructure or access the organization's resources by other means, such as remote access VPN technologies.
Remediation
Configure all wireless devices of WPA2 Enterprise networks to validate the server certificate. Connect to only preconfigured authentication servers. Don't allow users to authorize new authentication servers or trusted certificate authorities. Consider upgrading to EAP-TLS.
WPA2 Enterprise PEAP/EAP-TLS certificate validation
Threat
Wireless clients use WPA2 Enterprise and PEAP/EAP-TLS user authentication, but they aren't configured to validate the authentication server's certificate, or they allow the user to accept the authentication server's identity. This configuration could allow a threat actor in range of the wireless device to impersonate a trusted authentication service to capture authentication credentials. The threat actor can use captured credentials to connect directly to the wireless infrastructure or access the organization's resources by other means, such as remote access VPN technologies.
Remediation
Configure all wireless devices of WPA2 Enterprise networks to validate the server certificate. Connect to only preconfigured authentication servers. Don't allow users to authorize new authentication servers or trusted certificate authorities. Consider not using WPA2 Enterprise on wireless networks where you can't manage device configuration.
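The two remediations above (validate the server certificate, connect only to preconfigured authentication servers) translate into two concrete settings in a client profile. The following Python is an added example, not code from the original page or from Sophos: it parses wpa_supplicant `network={...}` blocks and flags any WPA-EAP profile that lacks a pinned CA (`ca_cert`/`ca_path`) or a server-name constraint (`domain_match`, `domain_suffix_match` or `altsubject_match`). The sample configuration is constructed, with placeholder SSIDs, identities, paths and passwords; the parser is minimal and written for this example only.

```python
# Constructed wpa_supplicant profiles: the first two are the same SSID with a weak and a
# hardened EAP-PEAP configuration; the third is a WPA3-Personal network the rules do not
# apply to. SSIDs, paths, identities and passwords are placeholders, not values from the page.
SAMPLE_CONFIG = """\
# Weak: no CA pinned, no server-name constraint, so any RADIUS server is trusted
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# Hardened: CA pinned and the server name constrained to the preconfigured RADIUS host
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeNet"
    key_mgmt=SAE
    psk="REPLACE_ME"
}
"""

# Any one of these pins the expected server identity once the CA is pinned.
NAME_CONSTRAINTS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(text):
    """Minimal parser for wpa_supplicant network={...} blocks; returns a list of dicts."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def lint_network(net):
    """Return the server-validation problems of one profile (empty list = acceptable)."""
    issues = []
    if "EAP" not in net.get("key_mgmt", "").upper():
        return issues  # PSK/SAE networks: there is no server certificate to validate
    if not (net.get("ca_cert") or net.get("ca_path")):
        issues.append("NO_CA: no ca_cert/ca_path, so any server certificate is accepted")
    if not any(k in net for k in NAME_CONSTRAINTS):
        issues.append("NO_NAME_MATCH: no domain_match/domain_suffix_match/altsubject_match, "
                      "so any certificate issued by the pinned CA is accepted")
    return issues


def audit_config(text):
    """Lint every profile in a configuration; returns (ssid, issues) pairs in file order."""
    return [(n.get("ssid", "?"), lint_network(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONFIG):
        print(ssid, "OK" if not issues else "; ".join(issues))
```

Pinning the CA alone is not enough when that CA is a public one: any certificate it has issued would then pass, which is why the name constraint is checked separately. Managed Windows, macOS and mobile profiles expose the same two knobs under different names (trusted root CA plus server name), and the same lint logic applies to them.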
Encryption algorithm
The access point uses the encryption algorithm to scramble the data it transmits. The stronger the algorithm, the more difficult the data is to unscramble and read. Use the strongest encryption algorithm possible. AP6 access points only support AES-256.
Passphrase
A passphrase protects your wireless network from unauthorized use by making sure that only users with the correct credentials can access the network. Avoid dictionary-based words and commonly used passwords to reduce the chances of a brute-force or dictionary attack compromising your network. Sophos access points support passphrases from eight to 63 ASCII characters. Longer, more complex passphrases offer exponentially more security than shorter, easier-to-remember ones.
The following table shows how increasing password length and complexity makes it more difficult for a computer generating a billion guesses per second to guess a password.
| Password | Characters | Complexity | Time to guess |
|---|---|---|---|
| sophos | 6 | Lowercase only | less than a second |
| sophoswifi | 10 | Lowercase only | 58 minutes |
| $0ph0$AP | 8 | Upper and lowercase, numbers, and special characters | 8 hours |
| $0ph0$AP6 | 9 | Upper and lowercase, numbers, and special characters | 3 weeks |
| S0ph0SWiFi | 10 | Uppercase, lowercase, and numbers | 7 months |
| $0ph0$W!F! | 10 | Upper and lowercase, numbers, and special characters | 5 years |
| sophossecurewifi | 16 | Lowercase only | 34,000 years |
| SophoSSecureWiFi | 16 | Upper and lowercase | 2 billion years |
| S0ph0SS3cur3W1F1 | 16 | Uppercase, lowercase, and numbers | 7 billion years |
| $0ph0$S3cur3W!F! | 16 | Upper and lowercase, numbers, and special characters | 1 trillion years |
Potential attacks
Weak Pre-Shared Key (PSK)
Threat
The wireless network uses a weak PSK for authentication.
Remediation
Configure all wireless networks to use a PSK that doesn't use dictionary words or words contained in publicly available password lists. Use long strings that contain a mix of letters, numbers, and special characters. Consider using a randomly generated PSK value and changing it regularly. See the following pages:
Predictable credentials
Threat
A threat actor can gather user credentials by performing a password spraying attack using the most common passwords. These credentials can allow access to sensitive systems from the internet, including access to the internal network.
Remediation
Make use of technical controls to enforce the use of strong passwords. At a minimum, best practices for passwords are as follows:
- Must contain at least ten alphanumeric characters.
- Must not contain the user's name or ID.
- Must be different from the last four passwords created by the user.
Educate users to create strong passwords as part of an ongoing security awareness program. Consider checking password choices against a blocklist of known weak passwords. See List of the most common passwords.
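The passphrase guidance, the weak-PSK remediation and the user-password rules above all reduce to checks that can be enforced mechanically. The following Python is an added example, not code from the original page or from Sophos. It models the search space behind the table (character classes used, raised to the passphrase length, at a billion guesses per second), checks a PSK against the 8-to-63 ASCII range, a blocklist and a character-class mix, applies the three user-password rules (ten alphanumerics, no username, not one of the last four), and generates a random PSK with a CSPRNG. The blocklist is a constructed stand-in, and the 16-character recommended PSK minimum is an assumption of this example, not a figure from the page.

```python
import secrets
import string

# Constructed stand-in for a public list of common passwords; in practice load a real
# blocklist. None of these values come from the original page.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "welcome", "sophos", "sophoswifi"}

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}

# Policy thresholds: the 8..63 range follows the passphrase limits quoted in the text;
# 16 is an assumed recommended minimum for this example. User rules follow the page.
PSK_MIN, PSK_MAX, PSK_RECOMMENDED = 8, 63, 16
USER_MIN_ALNUM, HISTORY_DEPTH = 10, 4
SECONDS_PER_YEAR = 365 * 24 * 3600


def classes_used(pw):
    """Which character classes a passphrase draws from."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in pw)}


def guess_time_years(pw, guesses_per_second=1e9):
    """Worst-case exhaustive search over the classes the passphrase uses, in years."""
    alphabet = sum(len(CHAR_CLASSES[c]) for c in classes_used(pw))
    return alphabet ** len(pw) / guesses_per_second / SECONDS_PER_YEAR


def check_psk(pw):
    """Policy violations for a WPA2/WPA3-Personal passphrase (empty list = acceptable)."""
    issues = []
    if not PSK_MIN <= len(pw) <= PSK_MAX:
        issues.append("LENGTH")          # outside the 8..63 character range
    if any(not 32 <= ord(c) <= 126 for c in pw):
        issues.append("NON_ASCII")       # control or non-ASCII characters
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("COMMON")          # appears in the blocklist
    if len(classes_used(pw)) < 3:
        issues.append("CLASSES")         # wants letters, numbers and special characters
    if len(pw) < PSK_RECOMMENDED:
        issues.append("SHORT")           # below the assumed recommended minimum
    return issues


def check_user_password(pw, username, previous):
    """Apply the user-password rules: ten alphanumerics, no username, not one of the last four."""
    issues = []
    if sum(c.isalnum() for c in pw) < USER_MIN_ALNUM:
        issues.append("MIN_ALNUM")
    if username and username.lower() in pw.lower():
        issues.append("CONTAINS_USERNAME")
    if pw in previous[-HISTORY_DEPTH:]:
        issues.append("REUSED")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("COMMON")
    return issues


def generate_psk(length=24):
    """Generate a random PSK with a CSPRNG, retrying until it satisfies check_psk."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("sophos", "$0ph0$S3cur3W!F!", generate_psk()):
        print(f"{sample:28} {check_psk(sample) or 'OK':20} {guess_time_years(sample):.3g} years")
```

The model deliberately credits a passphrase only with the classes it actually uses, since that is what an attacker would try first; the absolute numbers therefore differ from the table, but the ordering is the same, and the jump from six lowercase characters to sixteen mixed characters spans more than twenty orders of magnitude.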
Frequency band
The frequency bands an SSID broadcasts on aren't often considered a security feature, but they can help reduce access to a network. Lower frequency bands have larger coverage areas, sometimes making your wireless network available outside the intended area. For example, if the 5 GHz frequency band covers your environment completely, there's no need to use the 2.4 GHz frequency band because its larger coverage would extend beyond your intended area. If you have devices that require the 2.4 GHz frequency band, you can reduce the transmit power of that band, limit its broadcast to access points that aren't on the perimeter of your environment, or use directional antennas to ensure it's only available within the intended coverage area.
Certain frequency bands are more secure because they require stronger encryption. In addition to having a much shorter range than the 2.4 and 5 GHz frequency bands, the 6 GHz frequency band requires WPA3 encryption. If you have access points capable of broadcasting this band and devices capable of connecting, it can improve your wireless network's performance and security.
SSID advanced settings
SSID advanced settings let you fine-tune your network's security settings. These settings give you granular control over your wireless network's security, with features such as hiding your network, isolating wireless devices from each other, and filtering the devices that are allowed to access the network.
Hidden SSID
Hiding the SSID prevents it from being seen on network scans. While this can make it more difficult for unauthorized users to access it, it can negatively impact the user experience because authorized users must enter the SSID name to connect. This setting only makes it more difficult to access the network. It doesn't provide any security. You must still configure security settings such as encryption mode and algorithm to secure your network.
Client isolation
Clients connected to the same SSID can communicate with each other, which can be a security risk on public networks, such as guest networks and hotspots. Turning on Client isolation prevents wireless devices from communicating with each other and only allows them access to the network or internet resources you specify.
Potential attack
Non-segmented guest wireless network
Threat
Clients connected to a guest wireless network can freely communicate with each other. This scenario allows various attack vectors, such as direct attacks on other systems and man-in-the-middle attacks like ARP or DNS Spoofing.
Remediation
Block intra-device communications by turning on Client isolation. See the following pages:
MAC filtering
MAC filtering lets you limit network access to specific devices based on their MAC address. You can do this by allowing only specified devices and blocking all others, or allowing all devices and blocking specific ones. This setting provides minimal security and isn't as convenient as other security methods. The lists require constant maintenance to stay up to date, and MAC addresses are easily spoofed. However, it can be useful for securing smaller networks or SSIDs dedicated to a limited number of persistent devices, such as wireless sensors.
If your wireless network is intended for mobile phones, you may be unable to use MAC filtering. Many phones support MAC address randomization to enhance user privacy. This feature randomizes a device's MAC address every time it connects to a network, making it impossible to allow these devices with MAC filtering.
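The reason MAC randomization defeats an allowlist is visible in the address itself: a randomized address has the locally administered (U/L) bit, the 0x02 bit of the first octet, set, whereas a vendor-assigned address has it clear. The following Python is an added example, not code from the original page or from Sophos: it checks that bit, evaluates a constructed list of observed clients against a constructed allowlist, and reports which allowlist entries are locally administered and therefore unlikely to match the same device tomorrow. All addresses are made up for the example.

```python
# Constructed allowlist and observed-client sample; no values come from the original page.
ALLOWLIST = {
    "3c:22:fb:12:34:56",   # vendor-assigned (OUI) address of a wireless sensor
    "da:1b:2c:3d:4e:5f",   # randomized address a phone used the day the list was built
}

OBSERVED_CLIENTS = [
    "3c:22:fb:12:34:56",   # the sensor, same address every day
    "d6:7e:8f:90:ab:cd",   # the phone again, with a fresh randomized address
    "02:00:00:aa:bb:cc",   # another locally administered address
    "00:1a:2b:3c:4d:5e",   # vendor-assigned but not on the list
]


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six octets."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set: randomized or software-assigned."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """True when the I/G bit (0x01 of the first octet) is set; never valid as a client address."""
    return bool(parse_mac(mac)[0] & 0x01)


def evaluate_clients(observed, allowlist):
    """Allow/block decision per observed client, plus whether the address looks randomized."""
    results = []
    for mac in observed:
        mac = mac.lower()
        results.append({
            "mac": mac,
            "allowed": mac in allowlist,
            "randomized": is_locally_administered(mac),
        })
    return results


def unstable_entries(allowlist):
    """Allowlist entries that are locally administered and therefore likely to change."""
    return sorted(m for m in allowlist if is_locally_administered(m))


if __name__ == "__main__":
    for r in evaluate_clients(OBSERVED_CLIENTS, ALLOWLIST):
        print(f"{r['mac']}  allowed={r['allowed']!s:5}  randomized={r['randomized']}")
    print("allowlist entries that will churn:", unstable_entries(ALLOWLIST))
```

Running `unstable_entries` over an existing allowlist is a quick way to see how much of it belongs to phones and laptops with randomization enabled; those entries are the ones that make the list drift out of date, which is the maintenance burden the text describes.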
Potential attack
Wireless network MAC address filtering bypass
Threat
A threat actor can attach a rogue device to an internal network and view internal resources when Network Access Controls (NAC) aren't used to prevent unauthorized devices from accessing the network.
Remediation
Use MAC filtering in allow mode, so that every device except those explicitly listed is blocked from the wireless network. See the following pages:
Use NAC to prevent rogue devices from accessing the network. If possible, use multiple controls, such as MAC-based port security and 802.1X port-based NAC, to prevent the introduction of rogue devices onto the network.
Client connection
When you have multiple networks or a need to separate network traffic, you can set the SSID's client connection to VLAN. This setting assigns all traffic on the SSID to a specific VLAN, separating it from traffic on the internal network. An advantage of VLANs is that you can control traffic between them and the internal network and select which resources are available and which devices can communicate with each other. We recommend using VLANs for guest networks to add a layer of separation between guest traffic and the internal network. See How to configure VLANs across Sophos Firewall, Switch, and AP6 access points.
Guest network
Use a guest network to provide a wireless network for users outside your organization. A guest network is a way to keep devices isolated from your internal network while allowing them internet access. Wireless devices connected to the guest network only have access to the gateway, internet, and DNS resources. They're also isolated from each other. A guest network lets you allow internet access to devices while keeping your internal resources secure. Never allow unauthorized devices to connect to your internal network.
Potential attack
Insecure guest network authentication
Threat
If a guest network uses open network authentication and a captive portal that authenticates against Active Directory, a threat actor can create a rogue access point with the same SSID and redirect users to a cloned captive portal. If users enter their credentials, the threat actor can capture them in plaintext and use them to attack your networks and resources.
Remediation
Implement wireless encryption for guest networks with a Pre-Shared Key (PSK) or stronger authentication. If encryption isn't an option, don't use Active Directory authentication for the guest network. See the following pages:
Captive Portal
A captive portal, or hotspot, forces users to authenticate before allowing internet access. Like guest networks, a hotspot isolates wireless devices from each other and only allows access to specific resources.
Potential attack
Captive portal authentication bypass
Threat
Captive portals can use insecure authentication types, such as vouchers. A voucher could be misplaced or acquired through social engineering. With this information, a threat actor may be able to access the network as an authenticated user.
Remediation
Implement stronger authentication types to prevent unauthorized users from accessing the wireless network. See the following pages:
Fast roaming
Fast roaming reduces the time wireless devices spend authenticating when roaming between access points. It allows wireless devices to pre-authenticate with access points within the network. This pre-authentication creates a security risk because the devices and access points cache network access credentials, and a threat actor can obtain them. While this can reduce the time a wireless device takes to authenticate, the time saving is negligible in a properly configured, modern network. Not all wireless devices support fast roaming, so we recommend only using it when your access points are in a secure area and all your wireless devices support it.
Potential attack
Pairwise Master Key (PMK) caching
Threat
Leveraging PMK caching, a threat actor can obtain a network's pre-shared key hash when Fast roaming is turned on. This attack makes it easier, and often faster, to capture PSKs than the slower method of waiting for a device to authenticate to an access point.
Remediation
Turn off Fast roaming on WPA2 networks or use WPA2 Enterprise authentication instead. Use strong passphrases for PSK networks. See the following pages: