How to secure a WiFi network?

  • I take it when you say WPA2 you mean WPA2-Personal. It is good enough in most cases at the moment as long as its combined with a really good password. https://www.grc.com/passwords.htm is a good generator for them.
  • Disable Wi-Fi Protected Setup (WPS). Otherwise, an attacker only needs to break an 8 digit PIN -- and that is perfectly doable.
  • Cloak your SSID. It won't stop a determined attacker but will stop some of the script kiddie like attackers.
  • Only allowing specific MAC addresses can be a good step to manage user access. But once again won't really slow down a determined attacker, as they can just see what MAC addresses are currently connected to wireless in plain text anyway.
  • If possible a good tactic to reduce the chance of your WiFi being attacked is to position your wireless access point well so that the minimum amount of signal is broadcast outside of your building. That way the attacker needs to be closer to start the attack unless they have improved wireless antennas to grab from miles away.

Yes people can broadcast a stronger signal to try and get you to connect to them instead of your actual desired access point using tools like Karma. I don't know any specific ways to protect against this except not to allow any automatic associations instead each time you wish to connect to wireless, you should do it manually and verify you are connecting to the correct access point.


It depends on the network/environment. For SOHO wireless networks WPA 2 Personal with a strong pass-phrase used for the PSK should be sufficient.

For Enterprise networks or networks that deal with sensitive information the following controls should be used:

  • WPA 2 Enterprise tied to IEEE 802.1X/EAP
  • Wireless network segregated from internal network
  • WIPS and log monitoring in place to detect/prevent local attacks
  • Wireless clients that need internal access should have to connect via VPN
  • Limit coverage to what is absolutely necessary through physical controls and/or manipulation of signal strength

I agree with all the points mentioned so far, and as both Mark Davidson and sdanelson have mentioned radio coverage I just wanted to slightly expand on this as there are a couple of areas:

Signal strength - generally you want to use the minimum signal strength possible in a particular area, so an attacker outside your side can't gain access, but this can leave you open to an Evil Twin attack if a malicious access point copies your SSID and uses a much higher signal strength.

A solution is to think of your propagation paths - locating your access points around the outside of your site with antennae configured to be directional into your site will help a lot as you can increase the access point signal strength (so looking stronger to the clients) without propagating your signal so far outside the side.

A simpler, but more effective solution I have seen (which may be overkill for you - I have seen it used in a very sensitive establishment) is metal clad walls and ceiling with mesh in the windows - a wireless site survey of this site picked up zero RF leakage!

Security through Obscurity - in this case hiding SSID beacons - gives you a false sense of security. Your Access Point will still broadcast SSID, just not in the beacon frames. Many ordinary users will still be able to connect as drivers for many platforms will still identify the SSID, and all attackers will be able to find you as they normally would - try any of the tools on the Russix LiveCD and they will work quite happily with SSID broadcast disabled.