5 Configuration Changes to Fortify Your WLAN Security

August 15, 2011 - 3 Comments

You can protect your small business wireless network from intruders with a few simple tweaks

A wireless network makes sense for small businesses.  It enables you to connect wired and wireless devices, allowing you to expand your network operations and keep employees productive.  Also, a wireless LAN (WLAN) is easier and less expensive to set up than a wired network, and gives employees and guest users quick, convenient access to the Internet from anywhere in your office.

Deploying a wireless network is easy in part because the networking equipment, including wireless routers and wireless access points, ships with important configuration settings preconfigured. However, these preset passwords, along with other improperly set configurations, can lead to catastrophic breaches in network security. To ensure your wireless network is secure, the devices must be configured to block intruders and protect users.

Here are five changes you can make to your WLAN configuration settings to lock down your wireless network and provide business-class security:

1. Change all default user names and passwords. This seems obvious, but a surprising number of people forget to change the name of their wireless network—also called the Service Set Identifier (SSID)—on the router and each access point. The default SSID is often the name of the device vendor, such as "Cisco," and the preset password is typically "password," a fact every hacker knows. Besides changing the default SSID, make sure to change preset passwords on any device accounts, such as the administrator account.

A default SSID isn't necessarily a security risk in itself, but it does act as a beacon to intruders, pointing the way to a WLAN with lax configurations. Security experts recommend changing the SSID, account names and passwords to obscure, random combinations of 10 or more letters and numbers that aren't tied to the name of your company.

2. Turn on data encryption. All WLAN gear supports some form of encryption, such as the weak Wired Equivalent Privacy (WEP) and the stronger Wi-Fi Protected Access (WPA) and WPA2 security protocols. Whenever possible, use WPA or WPA2, as they use the Advanced Encryption Standard (AES), which provides stronger encryption. (If your device gives you AES as an encryption option, always choose that.) Although WEP is included in most WLAN networking devices, it's easily hacked and should not be relied on for securing your small business network. Note that each WLAN networking device must be set to the same encryption protocol, so older devices that aren't compatible with WPA or WPA2 should be upgraded to support the stronger protocols.

3. Enable user authentication. With user authentication, your WLAN will only allow access to users who have been approved to connect to the network. You can enable user authentication in different ways, depending on the features of your wireless router and access points. If your wireless networking devices support WPA2, you can provide user authentication through 802.1X/EAP (Extensible Authentication Protocol). And if your wireless equipment supports access control lists (ACLs), you can configure the ACLs to filter the traffic that flows in and out of your wireless router and access points so that only certain computers on the network are allowed access to the WLAN.

Another way to enable user authentication is through Media Access Control (MAC) address filtering. Each wireless device, including laptops, has a unique MAC address, which is tracked by your router and access points. With MAC address filtering, your WLAN gear will only allow those MAC addresses that you've keyed in to access your wireless network. Note, though, that hackers can easily "spoof" a MAC address to gain access to your network. MAC address spoofing can't be entirely prevented, so you shouldn't rely on MAC address filtering alone for security.

Also, consider turning off Dynamic Host Configuration Protocol (DHCP) on your router and access points and use fixed IP addresses instead of dynamic IP addresses. A range of private IP addresses associated with your WLAN will help prevent intruders from using IP addresses in your DHCP pool to connect to your network.

Ideally, you want WLAN networking devices that let you configure each of these user authentication methods. The Cisco AP500 Series Wireless Access Points include WPA2 encryption, ACLs, and MAC address filtering, as well as rogue access point detection.

4. Turn on built-in firewalls. Many wireless routers, such as the Cisco RV220W Router, and wireless access points, including the Cisco RV110W Wireless-N VPN Firewall, have built-in firewalls. These should always be enabled to stop malicious and dangerous traffic from infiltrating your network.

5. Hide your Wi-Fi broadcast. If you turn off the "broadcast" function of the SSID on your router and access points, you make your WLAN more difficult for a hacker to find. WLAN networking gear regularly broadcasts the SSID of your wireless network over the air, which is helpful for users trying to log on to a free public hotspot but not necessary for your company's private WLAN.

If you don’t want to turn off the broadcast function, you can still make your WLAN harder to find. Hide your access points so a casual observer can’t see them and set the radio power of each network device to be just strong enough to cover your facility so the wireless signal can’t be easily picked up outside your building.
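As an added example (not code from the original post or from Cisco), the following Python script audits a small inventory of access point settings against the five changes above and generates a credential that meets the 10-plus random letters-and-numbers rule. The config dictionary schema, the default-name list, the sample inventory and the company name "Acme" are all constructed assumptions.

```python
import re
import secrets
import string

# Constructed vendor-default values for illustration; not an exhaustive list.
DEFAULT_NAMES = {"cisco", "linksys", "netgear", "default", "password", "admin", ""}

def credential_is_weak(value, company_name):
    """Post's rule: 10+ chars mixing letters and digits, no vendor default, no company name."""
    v = value.lower()
    if v in DEFAULT_NAMES or len(value) < 10 or company_name.lower() in v:
        return True
    return not (re.search(r"[A-Za-z]", value) and re.search(r"[0-9]", value))

def generate_credential(company_name, length=12):
    """Letters+digits from the OS CSPRNG; retry until the check passes."""
    alphabet = string.ascii_letters + string.digits
    while True:
        cand = "".join(secrets.choice(alphabet) for _ in range(length))
        if not credential_is_weak(cand, company_name):
            return cand

def audit_ap(ap, company_name):
    """Return the list of findings for one AP config (constructed dict schema)."""
    findings = []
    if credential_is_weak(ap["ssid"], company_name):
        findings.append("default or weak SSID")
    if credential_is_weak(ap["admin_password"], company_name):
        findings.append("default or weak admin password")
    if ap["encryption"] in ("none", "wep"):
        findings.append("encryption is %s; use WPA2" % ap["encryption"])
    elif ap.get("cipher") != "aes":
        findings.append("AES not selected as the cipher")
    if ap["auth"] == "open" and not ap["mac_filter"]:
        findings.append("no user authentication (802.1X/EAP, ACL or MAC filter)")
    if not ap["firewall_enabled"]:
        findings.append("built-in firewall disabled")
    return findings

# Constructed sample inventory: one factory-default unit and one hardened unit.
INVENTORY = {
    "lobby": {"ssid": "Cisco", "admin_password": "password", "encryption": "wep",
              "cipher": None, "auth": "open", "mac_filter": False, "firewall_enabled": False},
    "office": {"ssid": "k7Qp2xw9Lm4z", "admin_password": "Rt8vB3nQ1yHs",
               "encryption": "wpa2", "cipher": "aes", "auth": "802.1x",
               "mac_filter": True, "firewall_enabled": True},
}

def audit_inventory(inventory, company_name):
    # An empty findings list means the AP passes every check.
    return {name: audit_ap(ap, company_name) for name, ap in inventory.items()}
```

Running `audit_inventory(INVENTORY, "Acme")` flags every one of the five issues on the factory-default "lobby" unit and none on the "office" unit.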

Making these five configuration changes to your wireless router and access points is just the start of securing your wireless network. You might also consider installing additional security appliances, such as an intrusion prevention system (IPS) like the Cisco SA 500 Series Security Appliances, as well as a VPN (virtual private network) for connecting remote employees. Of course, keeping your anti-virus software current and updating the WLAN hardware with security patches is always critical to the safety of your network. Vigilance, as ever, is the key.

How are you protecting your wireless LAN?



  1. Thanks, nice sharing.

  2. I admire this blog and the information you have shared with us. I have been looking for such information for a long time. Hope to hear more from you. Great job!!!

  3. Informative. Thank you for the tips!