Protecting Wireless Networks

Security professionals can secure wireless networks if they take care to deploy multiple layers of controls based on vulnerabilities present in their environments. In some ways, a wireless network can be secured like a wired network, but there are techniques specific to wireless networks that must be considered as well.

Default AP Security

Every AP ships with certain defaults already set. These should always be changed. Every manufacturer includes some guidance on what to configure on its APs. This advice should always be followed and mixed with a healthy dose of experience in what is best. Not changing the defaults on an AP can be a big detriment to security because the defaults are generally posted on the manufacturer’s website (and available to attackers at large).

Placement

Careless placement of a wireless AP can pose a potential security vulnerability. An AP should be placed to cover the areas it needs to and to cover as little additional area as possible. For example, an AP should not be located near a window if the people who will be connecting to it are deeper inside the building. Positioning an AP near a window gives the signal more distance to broadcast outside the building.

Of course, other issues with placement need to be addressed, in particular the issue of interference. Placement of APs near sources of electromagnetic interference (EMI) can lead to unusable or unavailable APs. EMI can lead to APs being available to clients, but with such poor performance that it makes the technology more difficult to use within the organization.

Dealing with Emanations

Not much can be done about emanations in a wireless network, but there is something that can be done to control their scope and range. In some cases, wireless directional antennas can be used to concentrate or focus the signal tightly into a certain area instead of letting it go everywhere. One type of antenna is the Yagi antenna, which can focus a signal into a narrow beam, making it difficult to pick up by others outside the select area.

Dealing with Rogue APs

Rogue APs are somewhat tough to stop, but they can be detected and deterred. The first issue to address with rogue APs is the installation of unauthorized ones by employees. In this case, education is the first line of defense. Let employees know that installation of rogue APs is not allowed and why. Additionally, perform site surveys using tools such as NetStumbler, inSSIDer, Kismet, or any number of commercial wireless site survey packages to detect rogue APs.

The second issue to deal with is individuals connecting to the wrong or to unauthorized APs. In these cases, education is the first line of defense. Let employees know the names of company-controlled APs, and make them aware of the dangers of connecting to unknown APs.
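A site survey is only useful if its results are compared against an inventory of company-controlled APs. The following is an added example, not part of the original text: the inventory, the CSV column layout, and the signal threshold are assumptions made for illustration and do not match any particular survey tool's export format.

```python
import csv
import io

# Constructed inventory of company-controlled APs (BSSID -> SSID); not from the original page.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
    "00:11:22:33:44:03": "CorpGuest",
}

# Constructed site-survey export; the column layout is an assumption, not a real tool's format.
SURVEY_CSV = """bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,CorpWiFi,1,-48
00:11:22:33:44:02,CorpWiFi,6,-61
66:77:88:99:AA:BB,CorpWiFi,6,-52
00:11:22:33:44:03,CorpGuest,11,-70
DE:AD:BE:EF:00:10,linksys,11,-44
12:34:56:78:9A:BC,CoffeeShop,1,-88
"""

STRONG_SIGNAL_DBM = -65  # assumed threshold: anything stronger is probably on the premises


def classify_survey(csv_text, authorized=AUTHORIZED_APS, strong=STRONG_SIGNAL_DBM):
    """Return (bssid, ssid, finding) tuples for every AP that needs follow-up."""
    company_ssids = set(authorized.values())
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        signal = int(row["signal_dbm"])
        if bssid in authorized:
            if authorized[bssid] != ssid:
                findings.append((bssid, ssid, "authorized AP advertising unexpected SSID"))
            continue
        if ssid in company_ssids:
            # Unknown radio using a company network name: users may connect to the wrong AP.
            findings.append((bssid, ssid, "unregistered AP using company SSID"))
        elif signal >= strong:
            # Unknown network with a strong signal: likely an employee-installed AP.
            findings.append((bssid, ssid, "unknown AP with strong signal on site"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, finding in classify_survey(SURVEY_CSV):
        print(f"{bssid}  {ssid:<10}  {finding}")
```

Weak, unknown networks such as a neighboring business are deliberately ignored so that the findings list stays short enough to investigate.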

Use Protection for Transmitted Data

By its very nature, wireless data is transmitted so that anyone who wants to listen in can do so. To protect wireless networks, an appropriate authentication technology should be used. The three that are currently in use are:

  • Wired Equivalent Privacy (WEP)—Not much used anymore because it is weak and only marginally better than no protection at all. WEP was available on all first-generation wireless networks but was replaced later with stronger technologies, such as WPA.

    In theory, WEP was supposed to provide protection—but in practice, poor implementation resulted in the use of weak keys. It was found that with enough weak keys, simple cryptanalysis could be performed. Now, a WEP passphrase can be broken in a few minutes (sometimes 30 seconds).

  • Wi-Fi Protected Access (WPA)—More robust than WEP, WPA was designed to replace WEP in new networks. WPA introduces stronger encryption and better key management that makes for a stronger system.

    WPA is supported on most wireless APs manufactured after 2003, and some APs manufactured prior to this can have their firmware upgraded. If an AP offers a choice between WEP and WPA, WPA should be used.

  • Wi-Fi Protected Access version 2 (WPA2)—WPA2 is an upgrade to WPA that introduces stronger encryption and eliminates a few of the remaining weaknesses in WPA.

Using the appropriate protection for a wireless network is important because doing so can protect the network from eavesdropping and other attacks in which an attacker can see network traffic. Of course, just having a good protection scheme does not make for a safe environment by itself. In the case of WPA and WPA2, the keys in use make a major difference in how effective the technology is. Using poorly chosen or short passwords (or keys) can weaken the protection and make it breakable by a knowledgeable attacker. When you choose a key, it should be random and of sufficient length, and it should adhere to the rules for complex passwords.
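One way to choose a key that is random and long enough, shown as an added example that is not part of the original text. It relies on the WPA/WPA2 personal-mode limit of 8 to 63 printable ASCII characters; the 128-bit target and the 62-character alphabet are assumptions.

```python
import math
import secrets
import string

# WPA/WPA2 personal mode accepts a passphrase of 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits  # assumed alphabet: 62 easy-to-type symbols


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Characters needed for a uniformly random passphrase to reach target_bits of entropy."""
    needed = math.ceil(target_bits / math.log2(len(alphabet)))
    if needed > MAX_LEN:
        raise ValueError("target exceeds what a 63-character passphrase can hold")
    return max(needed, MIN_LEN)


def generate_passphrase(target_bits=128, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG; never from random.random()."""
    length = length_for_bits(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_passphrase(passphrase):
    """Return the reasons an existing passphrase is not valid for WPA/WPA2 personal mode."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    return problems


if __name__ == "__main__":
    key = generate_passphrase()
    print(len(key), "characters:", key)
```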

And as of October 2017, relying on strong passwords alone cannot ensure WPA2 protects your connection. WPA2 was proven breakable by a method called “key reinstallation attack” (KRACK). The mitigating control to ensure a secure connection is to use a VPN while on a WPA2 encrypted wireless network.

MAC Filtering

Media Access Control (MAC) address filtering is a way to enforce access control on a wireless network by registering the MAC addresses of wireless clients with the AP. Because the MAC address is supposed to be unique, clients are limited to those systems that have their MAC preregistered. To set up MAC filtering, you need to record the MAC addresses of each client that will use your AP and register those clients on the AP.
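Recording client addresses is error-prone because operating systems display MACs in different formats. The following added example (not part of the original text; the client inventory is constructed) normalizes the addresses before registration, rejects malformed and duplicate entries, and flags locally administered addresses, which are not burned-in hardware addresses and may change if the client randomizes its MAC.

```python
import re


def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)


def build_allowlist(records):
    """records: iterable of (owner, raw_mac). Returns (allowlist, problems)."""
    allowlist, problems = {}, []
    for owner, raw in records:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            problems.append((owner, str(exc)))
            continue
        if mac in allowlist:
            problems.append((owner, f"{mac} already registered to {allowlist[mac]}"))
            continue
        if is_locally_administered(mac):
            # Typical of per-network MAC randomization: the entry may stop matching later.
            problems.append((owner, f"{mac} is locally administered, confirm it is stable"))
        allowlist[mac] = owner
    return allowlist, problems


# Constructed client inventory in the mixed formats different systems display.
CLIENTS = [
    ("laptop-01", "00-1A-2B-3C-4D-5E"),
    ("laptop-02", "001a.2b3c.4d5f"),
    ("phone-01", "DA:A1:19:00:00:01"),
    ("laptop-03", "00:1a:2b:3c:4d:5e"),
    ("printer-01", "00:1A:2B:3C:4D"),
]

if __name__ == "__main__":
    allowlist, problems = build_allowlist(CLIENTS)
    print(allowlist)
    print(problems)
```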

CHAPTER 8 ASSESSMENT

  1. Wireless refers to all the technologies that make up 802.11.

     A. True
     B. False

  2. ________ operates at 5 GHz.

     A. 802.11a
     B. 802.11b
     C. 802.11g
     D. 802.11n

  3. ________ is a short-range wireless technology.

  4. Which type of network requires an AP?

     A. Infrastructure
     B. Ad hoc
     C. Peer-to-peer
     D. Client/server

  5. ________ dictate(s) the performance of a wireless network.

     A. Clients
     B. Interference
     C. APs
     D. All of the above

  6. ________ blocks systems based on physical address.

     A. MAC filtering
     B. Authentication
     C. Association
     D. WEP

  7. An ad hoc network scales well in production environments.

     A. True
     B. False

  8. Which of the following is used to identify a wireless network?

     A. SSID
     B. IBSS
     C. Key
     D. Frequency

  9. Several APs grouped together form a(n) ________.

     A. BSS
     B. SSID
     C. EBSS
     D. EBS

  10. ________ uses trusted devices.

     A. 802.11
     B. Infrared
     C. Bluetooth
     D. CSMA
