Thursday, May 24, 2007

Lock-Down Your Wireless Network

Well everyone, it's been some time since my last post here at DCTS. I've been racking my brains trying to come up with an interesting and useful post for everyone. Finally my girlfriend suggested writing about wireless network security.

Now the first thing to know is that no wireless router is impenetrable. Our main goal is to put enough layers of challenge in the way of logging on to your network that any potential attacker will move on to other targets.

Now make sure you get a router, not a hub or a switch. Routers have more advanced data flow control, giving everyone on the network faster access, and they also have better security features.

Once you've purchased your router of choice, it is normally configured through your web browser: you type the router's IP address where a web page address would go and surf to your router. Your router's manual will show you how to do this.

1) Change Your Default Router Password

One of the first things an intruder will do once on your network is lock you out of your own router. All routers have known default passwords, so the first thing you must do is change it to something that is not easy to guess and is at least 8 characters long, or longer if possible.

2) Enable WPA or WPA2 Encryption

Always enable WPA or WPA2 encryption. WPA stands for Wi-Fi Protected Access; it is an encryption mechanism, so if someone tries to snoop in on your data flow they won't be able to tell what is going through. WPA2 is an advanced, more secure form of WPA at the expense of compatibility with older wireless devices. Enable WPA2 initially, then downgrade to WPA if you can't connect. Never use WEP, an old encryption method that is no longer considered secure. Windows XP SP2, Vista, Mac OS X, and most current Linux distributions all support WPA and WPA2.

If the router does not support WPA encryption, don't buy it (or return it).

These options will usually appear as WPA-PSK or WPA2-PSK. PSK stands for Pre-Shared Key. Essentially you need a password to be given to you before you can log on to a WPA/WPA2 protected network. You can select passwords up to 64 characters. It is advisable to use all 64 characters.

I use this site for my passwords. The second set of characters, entitled "63 random printable ASCII characters", is the most secure. Copy this to a text file and save it in a secure location. You may want to edit the password and remove any question marks, spaces, O's and zeros, and lower case L's and capital I's (O's and zeros tend to look the same, as do lower case L's and capital I's).

Only wireless devices need the password to connect; computers using network cables do not.
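As an added example (not code from the original post), here is a small Python script that does what the passphrase advice above describes: it generates a 63-character random passphrase from printable ASCII with the look-alike characters the post lists removed, checks a candidate passphrase against the WPA/WPA2 rule that a passphrase is 8 to 63 printable ASCII characters, and shows what the "PSK" in WPA2-PSK actually is: the 256-bit key that both router and client derive from the passphrase and the SSID with PBKDF2-HMAC-SHA1. The SSID used in the demo is assumed; the `AMBIGUOUS` set is the post's own list.

```python
import hashlib
import secrets

# Characters the post recommends removing: '?', space, and the look-alike
# pairs O/0 and lower-case l/capital I.
AMBIGUOUS = set("? O0lI")

# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters (0x20-0x7E).
PASSPHRASE_LEN = 63


def unambiguous_alphabet() -> str:
    """Printable ASCII minus the look-alike characters."""
    printable = [chr(c) for c in range(0x20, 0x7F)]
    return "".join(ch for ch in printable if ch not in AMBIGUOUS)


def generate_passphrase(length: int = PASSPHRASE_LEN) -> str:
    """Cryptographically random passphrase drawn from the filtered alphabet."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    alphabet = unambiguous_alphabet()
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_passphrase(passphrase: str) -> list:
    """Return the problems with a candidate passphrase (empty list if it is fine)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    bad = sorted(set(passphrase) & AMBIGUOUS)
    if bad:
        problems.append("contains look-alike characters: " + repr("".join(bad)))
    return problems


def derive_psk(passphrase: str, ssid: str) -> str:
    """The pre-shared key a WPA2-PSK router and client both compute:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes), as hex.
    Because the SSID is the salt, changing the SSID changes the PSK too."""
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("ascii"), 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, check_passphrase(pw))
    # "Sticks and Stones" is the SSID suggested later in the post, used here as a demo value.
    print(derive_psk(pw, "Sticks and Stones"))
```

The `derive_psk` test vector in the accompanying check (passphrase "password", SSID "IEEE") is the published IEEE 802.11i Annex H example, so you can confirm the derivation matches what a real router computes.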

3) Change and Hide Your SSID

Your SSID (Service Set Identifier) is essentially the name you want to call your network. Make it something unique, but nothing that can identify you directly, otherwise an intruder will be able to move closer to your house to get a stronger signal. "Frank's Pad" is a poor choice, while "Sticks and Stones" is a better choice.

You can also "Disable SSID Broadcast" so that if a wireless device is scanning for available networks, yours won't show up on the list. Note, however, that there are devices that can see your network even if you turn off the SSID Broadcast, so this option alone will not protect you.

I have found in the past that I have to turn on SSID Broadcast when connecting a wireless device for the first time. Afterwards, that same device will still be able to connect after the broadcasting has been disabled again.

4) Enable MAC Address Filtering

All network devices have a MAC address; essentially this is the device's unique name. Desktops only have one unless they have more than one Ethernet port, while laptops with both Ethernet and wireless connectivity will have two MAC addresses. To find out what yours is, go to Start > All Programs > Accessories > Command Prompt. A black window will appear; type ipconfig /all and hit Enter. The item listed as your Physical Address is your MAC address (I don't know why they changed the name).

Your router can be set up to only allow specific MAC addresses to connect to the network. This option affects all devices connecting to your network, not just the wireless ones, but it is highly recommended.
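Collecting the Physical Address from every machine by eye is where typos creep in, so here is an added Python example (not from the original post) that parses the English-language `ipconfig /all` output described above, picks out each adapter's Physical Address, and normalises the addresses into the colon-separated upper-case form most router MAC filter pages expect. The sample output and its MAC addresses are constructed for the demo, not captured from a real machine; a laptop shows up with two adapters, as the post says.

```python
import re

# Constructed sample of "ipconfig /all" output (fictional host and MACs).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-LAPTOP

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5F
   DHCP Enabled. . . . . . . . . . . : Yes
"""


def normalize_mac(raw: str) -> str:
    """Accept 00-1a-2b-3c-4d-5e or 00:1A:... and return 00:1A:2B:3C:4D:5E.
    Raises ValueError for anything that is not six hex octets."""
    parts = re.split(r"[-:]", raw.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(p.upper() for p in parts)


def parse_ipconfig(text: str) -> dict:
    """Map adapter name -> normalised MAC from ipconfig /all output.
    Adapter headers are the unindented lines ending in ':'; the MAC is on the
    indented 'Physical Address' line that follows. Assumes English output."""
    adapters = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
        elif current and line.lstrip().startswith("Physical Address"):
            _, _, value = line.partition(":")
            adapters[current] = normalize_mac(value)
    return adapters


def filter_list(*adapter_maps: dict) -> list:
    """Merge the per-machine results into one de-duplicated, sorted allow list
    ready to be typed into the router's MAC filter page."""
    macs = set()
    for adapters in adapter_maps:
        macs.update(adapters.values())
    return sorted(macs)


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    for adapter, mac in found.items():
        print("%-45s %s" % (adapter, mac))
    print("Allow list:", filter_list(found))
```

On a real machine you would run `ipconfig /all > macs.txt` on each computer and feed the saved files to `parse_ipconfig`; the wired and wireless adapters of one laptop both need to be on the router's list if that laptop ever connects both ways.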

5) Limit the IP Range

Every computer on your network is given an IP address; that is how the router directs data to the different devices. Most routers will let you limit how many IP addresses can be assigned at once. Determine how many computers need to be connected to your network at one time and set it to that. In my house it is not unusual for all 5 computers to connect to the network, so my system only has a range of 5.

This has two-fold benefits. First, an intruder won't be able to get on if all the IP addresses are in use. Secondly, if someone in your house can't connect to the network while everyone else can, it's a warning sign that someone is on your network who shouldn't be.

6) Static IP Addresses

In what may be considered overkill, I assigned each MAC address its own unique IP address, so that even if all the other security layers are worked around, the system won't assign an unknown device an IP address, preventing it from communicating with the network. Not all routers offer this feature.
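Steps 5 and 6 together amount to a small piece of DHCP planning, so here is an added Python example (not the post's own code) that does the arithmetic: it sizes the DHCP pool to exactly the number of known devices, assigns each MAC its own fixed address out of that pool, and audits a router's lease table for the warning sign the post describes, a device holding an address that is not on the list. The network, router address, MAC addresses and lease table are all constructed for the demo.

```python
import ipaddress

# Constructed inventory of allowed devices (fictional MACs), as collected from
# ipconfig /all on each machine.
ALLOWED_DEVICES = {
    "00:1A:2B:3C:4D:5E": "desktop",
    "00:1A:2B:3C:4D:5F": "laptop (wireless)",
    "00:1A:2B:3C:4D:60": "laptop (wired)",
}


def plan_dhcp(network: str, router_ip: str, devices: dict) -> dict:
    """Size the DHCP pool to the device count and reserve one address per MAC.
    The pool starts at the first usable host address after the router."""
    net = ipaddress.ip_network(network)
    router = ipaddress.ip_address(router_ip)
    if router not in net:
        raise ValueError("router address is not inside the network")
    hosts = [h for h in net.hosts() if h != router]
    if len(devices) > len(hosts):
        raise ValueError("more devices than usable addresses")
    pool = hosts[:len(devices)]
    # Deterministic order so re-running gives the same reservations.
    reservations = {mac: str(ip) for mac, ip in zip(sorted(devices), pool)}
    return {
        "pool_start": str(pool[0]),
        "pool_end": str(pool[-1]),
        "pool_size": len(pool),
        "reservations": reservations,
    }


def audit_leases(leases: dict, reservations: dict) -> list:
    """Compare the router's current lease table (MAC -> IP) with the plan.
    Returns human-readable findings; an empty list means everything matches."""
    findings = []
    for mac, ip in sorted(leases.items()):
        expected = reservations.get(mac)
        if expected is None:
            findings.append("unknown device %s holds %s" % (mac, ip))
        elif expected != ip:
            findings.append("%s holds %s but is reserved %s" % (mac, ip, expected))
    return findings


if __name__ == "__main__":
    plan = plan_dhcp("192.168.1.0/24", "192.168.1.1", ALLOWED_DEVICES)
    print("DHCP pool %s - %s (%d addresses)" % (plan["pool_start"], plan["pool_end"], plan["pool_size"]))
    for mac, ip in plan["reservations"].items():
        print("  reserve %s -> %s (%s)" % (mac, ip, ALLOWED_DEVICES[mac]))
    # Constructed lease table: one known device plus one that is not on the list.
    leases = {"00:1A:2B:3C:4D:5E": "192.168.1.2", "00:1A:2B:3C:4D:99": "192.168.1.4"}
    for finding in audit_leases(leases, plan["reservations"]):
        print("WARNING:", finding)
```

Both controls are DHCP-side settings on the router, so they complement the WPA2 passphrase and MAC filter rather than replace them; the audit is the useful part, since a lease for a MAC you never entered is exactly the "someone is on your network who shouldn't be" signal from step 5.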

After all this work, remember to export your settings to a file. Save this file with the password from before. This way, if your router gets reset by a power outage or something, you won't have to spend the tedious time getting everything back to its iron-clad state. Believe me, nothing makes you question security like entering 10 MAC addresses in by hand 20 times! All you have to do is get the router to import the file you saved and BOOM, your router is back to secure.

Now yes, this will make it difficult to add new devices to your network, but that is the point. You don't want to make it easy for *ANYONE* to connect to the network. Convenience is sacrificed for security.

UPDATE (2007-06-11) - Regarding Magnum's question in the comments area about whether the multiple layers of security will affect connection speeds: excellent question. I do not believe that the security here will affect your connection speed. You see, the security is only invoked once you attempt to connect to the network. After your computer has been evaluated against all the security requirements, you will be assigned an IP address. Once you get an IP address, your hand has been stamped, so to speak. Until you disconnect, your connection should not be re-evaluated.

Remember, a secure network is like an onion, they both have layers. Now parfaits also have layers. Have you ever met a person, you say, "Let's get some parfait," they say, "Hell no, I don't like no parfait"? Parfaits are delicious. Sorry... slipped into the wrong movie.

So surf safe, and keep on having fun.

"bah weep graaagnah wheep ni ni bong"

3 comments:

EC said...

An excellent posting. So you know that the follow up posting SHOULD be how to crack someone's wi-fi access point for those of us that roll through neighbourhoods with laptops and wi-fi cards ready to use an open portal to the World Wide Web.

I'm waiting!

Anonymous said...

.....with their pants down.

Sal C. said...

Does wireless network traffic slow down as you add more layers of security to your connection?