[Geeks are Sexy] technology news





Thursday, January 12, 2006

Securing your Home Wireless Network: A simple security guide

A few years ago, home wireless access points were almost non-existent. Most people only had normal, wired broadband routers, so they didn't really have to care about getting their internet connection hijacked by malicious wardrivers (villains wandering the streets in search of an unsecured wireless signal). It is an entirely different story in 2006. I'm living in a suburb, and 4 of my neighbors emit wireless signals, 2 of which are completely unsecured. Just imagine how many you could pick up if you were living in a big city. People think that wireless connectivity is a dream come true, but most of them ignore the downside of the technology. The problem is that most APs (access points) come preconfigured with their security features turned off. A couple of steps have to be taken if you want to enable them. This simple security guide will show you how to do it.

When we're talking about security, the more the better. We'll be enabling as many security features as possible on that AP. We want to put the maximum number of locks in front of an attacker, so that if he tries to get in, he'll have to punch through all the doors first. That is what we call the layered security principle in the industry.

-Change the default administrator password.

Most routers or APs require a default password to get in. Be sure to change it to something else, and it had better not be your dog's name. Be warned that most APs' default passwords are well known to villains and can easily be found on the internet. Just try searching Google for "linksys router default password" and you'll see what I mean.

-Turn off remote management features

Some routers give you the ability to administer them via a wireless connection. Turn that off! You do not want your neighbors to be able to get into your AP's management console, do you? The only downside is that you will need at least 1 wired computer in your environment.

-Turn off SSID broadcasting

First of all, what the heck is an SSID? The SSID (Service Set Identifier) is a sequence of up to 32 letters or numbers that represents the ID of your wireless network. The SSID is broadcast from your AP to all wireless devices within range to let them know that it is available and ready to receive connections. If you shut off SSID broadcasting, clients will have to know the ID of the network if they want to be able to connect to it. Here is my opinion on SSID broadcasting; read it before proceeding with the rest of the article.



-Enable MAC filtering

As you probably know, computers can be identified by many kinds of addresses. One of them, the MAC address, is a unique ID tagged to your network card. It can be entered in a list on the AP so that devices that aren't on the list are prevented from connecting to the network. MAC addresses can be spoofed, so this measure is not a guarantee of security, but it adds another door to your layered security architecture. To get your MAC address, click on Start->Run and type cmd. When you are at the DOS prompt, type: ipconfig /all. This will display the current configuration of your network card. The MAC address is what ipconfig displays as Physical Address. It consists of six pairs of numbers or letters, as in A6-33-F3-86-BE-04. When you are finished, type exit and you will get back to Windows.
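
With several computers, copying addresses by hand gets error-prone. The following is an added example, not part of the original article: it pulls the Physical Address of each adapter out of saved `ipconfig /all` output. The sample output is constructed, and the colon-separated output form is an assumption about what the AP's filter page expects.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless-G Adapter
        Physical Address. . . . . . . . . : a6-33-f3-86-be-04
        Dhcp Enabled. . . . . . . . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Section headers start in column 0; settings lines are indented.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
MAC_RE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2})*)\s*$")

def mac_allow_list(ipconfig_text):
    """Return {adapter name: MAC} for adapters with a 6-byte hardware address."""
    result = {}
    adapter = None
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            adapter = header.group(1)
            continue
        found = MAC_RE.search(line)
        if found and adapter:
            octets = found.group(1).upper().split("-")
            # Tunnel pseudo-interfaces report 8 bytes; they are not Wi-Fi or
            # Ethernet cards and do not belong in the AP's list.
            if len(octets) == 6:
                result[adapter] = ":".join(octets)
    return result
```
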

-Turn on WEP, WPA, or WPA2 encryption


Depending on the age of your router, these encryption methods may or may not all be available to you. The weakest one, WEP, has been widely criticized recently for how easy it is to crack. If WEP is the only method available to you, I would consider replacing your AP with a more recent model. You can get a brand new Linksys WRT54G at Amazon for less than $50. That shouldn't break your budget! Sometimes, a firmware update can also add the missing functionality. Please consult your manufacturer's website to check whether any upgrades are available.

For encryption to work, you will first need to enable it on the client's wireless NIC and on the AP. After this, a shared key (a password) must be specified on both sides. The key must be identical if you want your devices to communicate.
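
Why the key has to match exactly, shown for WPA/WPA2 in passphrase mode, where each side turns the passphrase and the SSID into a 256-bit key with PBKDF2-HMAC-SHA1 (4096 iterations). This is an added example, not part of the original article; the SSIDs and passphrases are constructed, and `keys_match` is a simplified stand-in for the connection handshake.

```python
import hashlib
import hmac

def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA/WPA2-Personal pre-shared key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID acts as the salt, so the same passphrase on a differently
    # named network produces a different key.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)

def keys_match(ap_key, client_key):
    """Simplified stand-in for the handshake: it only succeeds when both
    sides hold the same derived key."""
    return hmac.compare_digest(ap_key, client_key)

# Constructed values for the demonstration.
AP_SSID = "example-home-net"
AP_PASSPHRASE = "correct horse battery staple"

def demo():
    ap_key = wpa_psk(AP_PASSPHRASE, AP_SSID)
    return {
        "same passphrase": keys_match(
            ap_key, wpa_psk(AP_PASSPHRASE, AP_SSID)),
        "one character off": keys_match(
            ap_key, wpa_psk("correct horse battery stapl3", AP_SSID)),
        "same passphrase, other SSID": keys_match(
            ap_key, wpa_psk(AP_PASSPHRASE, "other-net")),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'connects' if ok else 'rejected'}")
```
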

-Disable DHCP and assign your IP addresses manually.

DHCP (Dynamic Host Configuration Protocol) is a service that distributes IP addresses automatically to clients who request them. The problem with DHCP is that it will provide IP addresses to anyone who asks for them, even evildoers. While making your network easier to administer, it's also helping out the bad guys. If you have a small network, providing static IPs to your computers is an easy and quick job. Consult this link for instructions.



So, are you up to the work of securing your network now? You could be the next target of those wardrivers. Never think that these things always happen to others. Who knows, someone might already be using YOUR network.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.




6 Comments:

  • Whenever someone says wireless security, everyone always thinks it's just about not letting people share your internet connection, which, for me anyway, isn't always the case. It's more a privacy issue: a "wardriver" with a good wireless sniffer can see what you're doing on most internet sites if you're not using some sort of encryption.

    By Anonymous Anonymous, at 3:14 AM  

  • Can you refine your subnet mask further to maybe 2 nodes?

    By Anonymous Anonymous, at 9:06 AM  

  • That is a VERY interesting solution also. By limiting the number of possible hosts on your WLAN to the total number of hosts you have on your network, you actually force hostile hosts out of your LAN.

    If you have a C class network of 192.168.1.0 and you use 255.255.255.254 (/31) as a subnet, you're limiting your current subnet to 2 nodes.

    255.255.255.252 (/30) for 4 nodes. Unfortunately, you cannot have one for 3 :(

    I don't think wireless routers actually route the traffic between subnets automatically.. never tried it myself.

    By Blogger Kiltak, at 11:47 AM  

  • With
    "255.255.255.252 (/30) for 4 nodes."
    you have 2 nodes (bits 01 and 10 for host bits) + network address (00 in the host bits) + broadcast address (11 in the host bits).
    So you need a network mask 255.255.255.248 (i.e. 29 bits for network address and 3 for host: 6 possible nodes, network (000) and broadcast)
    But it's your private network so you can choose this address and you can try 10.121.212.120, 192.168.99.136,... (or any other network address you get by computing ip & mask)
    Hope this helps :)

    By Anonymous Anonymous, at 5:01 AM  
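
The "ip & mask" arithmetic from the comment above, as an added example that is not part of the original thread. It follows that comment's counting, in which the all-zero and all-one host patterns are the network and broadcast addresses; the function names and the sample host addresses in the usage lines are made up for illustration.

```python
def to_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(value):
    """32-bit integer back to a dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet(ip, mask):
    """Network, broadcast and usable host count for an IP and subnet mask."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    host_bits = ~mask_i & 0xFFFFFFFF      # the bits the mask leaves free
    if host_bits & (host_bits + 1):       # must look like 0...0111
        raise ValueError("mask bits are not contiguous")
    network = ip_i & mask_i               # host bits all zero
    broadcast = network | host_bits       # host bits all one
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "prefix": bin(mask_i).count("1"),
        # Every host-bit pattern except all-zero and all-one.
        "usable_hosts": max(host_bits - 1, 0),
    }

if __name__ == "__main__":
    # Constructed host addresses inside the networks named in the comment.
    for ip, mask in [("192.168.1.10", "255.255.255.252"),
                     ("10.121.212.123", "255.255.255.248"),
                     ("192.168.99.140", "255.255.255.248")]:
        print(ip, mask, subnet(ip, mask))
```
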

  • Excellent! Thanks for posting this!

    By Blogger NV Mojo, at 1:14 AM  

  • I have a wireless setup for 32 PCs. I have a VLAN for each dept. Can I still improve my security...

    By Blogger porty, at 6:39 AM  
