Wireless Network Security
From OCAU Wiki
- The Wired Equivalent Privacy (WEP) protocol is the original and most widely used security protocol for wireless devices.
- Wi-Fi Protected Access (WPA) addresses most of the shortcomings of WEP, and includes rapid key updates, stronger encryption algorithms, and stronger authentication.
- WPA-PSK is WPA with a "pre-shared key": every user is given the same passphrase. It is found mostly in entry-level WAPs.
- A VPN can be used to carry your data through a secure, encrypted tunnel.
- An intrusion detection system monitors and analyses traffic. It can be used to watch for rogue connections, detect known attacks, and identify abnormal patterns in network traffic.
- MAC filtering can be used to restrict access to specified MAC addresses only.
Wireless Security Best Practices
The following is a list of steps you should undertake to secure your home wireless network. These tips are suitable for home networks only, as enterprise deployments have their own, considerably more complex, methods. (These steps have been taken from this forum thread.)
Enable WPA or WPA2
WPA (Wi-Fi Protected Access) greatly increases WLAN security. It introduces several new enhancements, including TKIP (Temporal Key Integrity Protocol), which mitigates so-called AirSnort and wardriving attacks, and MIC (Message Integrity Check), which protects against man-in-the-middle attacks. It also increases the WEP Initialization Vector from 24 bits to 48 bits, which is a huge improvement, as this makes the statistical likelihood of a weak IV being captured much lower. Finally, WPA introduces a dynamic key management feature, which allows for regular and automatic regeneration of WEP keys.
WPA for most home wireless kit will run in WPA-PSK mode. The PSK stands for Pre Shared Key. This is effectively a password that you enter in your Access Point and your client that is used to independently generate new WEP keys on a regular basis. Ensure your passphrase is at least 20 characters long!
Not all Access Points support WPA. This is unfortunate, but is not the end of the world. However...
"What happens if my Access Point doesn't support WPA?!"
Well, you can still follow the steps below. And you should manually set up a WEP key on your Access Point and your client devices. This is a pain, but ABSOLUTELY NECESSARY. You should also change this regularly; at least once every few months.
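The WPA-PSK mode described above derives a 256-bit Pairwise Master Key from the passphrase and the SSID with PBKDF2-HMAC-SHA1. The following is an added example, not code from the original page, that performs that derivation with Python's standard library and checks a passphrase against the page's 20-character advice; the sample passphrase and SSIDs are constructed values.

```python
import hashlib

# WPA-PSK turns the passphrase and the SSID into a 256-bit Pairwise Master Key
# with PBKDF2-HMAC-SHA1 over 4096 iterations (IEEE 802.11i); the per-session
# keys are then derived from that PMK during the 4-way handshake.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def passphrase_problems(passphrase: str, min_len: int = 20) -> list:
    """Return the reasons a passphrase is unacceptable (empty list = fine).

    WPA-PSK allows 8 to 63 printable ASCII characters; min_len defaults to the
    20 characters this page recommends rather than the standard's minimum of 8.
    """
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(passphrase) > 63:
        problems.append("longer than 63 characters, which WPA-PSK does not allow")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK the way both a WPA-PSK access point and its client do."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def main() -> None:
    # Constructed sample values, not real credentials.
    passphrase = "correct horse battery staple 2024"
    # The SSID is the PBKDF2 salt, so the same passphrase gives a different PMK
    # on every network name; a table precomputed for a default SSID is useless
    # once the SSID has been changed, which is one more reason to change it.
    for ssid in ("linksys", "MyHomeNet"):
        print(ssid, derive_pmk(passphrase, ssid).hex())
    print("problems with 'short':", passphrase_problems("short"))


if __name__ == "__main__":
    main()
```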
Change Default SSID
SSID (Service Set Identifier) can be considered analogous to a network name. All Access Points come "out of the box" with a default SSID. Every hacker worth his salt will know the most common SSIDs. Common examples are "Linksys" (for Linksys units), "Netgear" (for Netgear units), "Tsunami" (for Cisco units) etc.
Change the SSID to something more appropriate to you. Your name, favourite band, pet... whatever. Just don't use the default.
Drawbacks: none. There is no reason this should not be done.
Disable SSID Broadcast
SSID (Service Set Identifier) can be considered analogous to a network name. Most Access Points "broadcast" this by default. That is, they advertise the SSID to any listening client devices. This is fine for enterprise networks or "hotspots", but there is no reason to advertise your network to your neighbours. You will know the SSID anyway (see above), so you don't need to broadcast it.
Different for all manufacturers, but it should be pretty obvious. Just look for something like "SSID broadcast" and disable it.
This should not be considered a security improvement, as it's still possible to ascertain the SSID of a network that is not broadcasting, but it IS best practice. Just do it.
Change the Default Admin Password
All Access Points come with an admin account and password. You would be surprised at how many people leave these as the default ("Admin" and "Admin" for Linksys units, for example). You should change the password to something only you know as soon as you can.
There shouldn't be any problem doing this. Just look for the Admin or Account Management section on your configuration page.
Drawbacks: none; just make sure you note down what you change the Admin password to!
Enable MAC filtering
All Ethernet devices, including WLAN interfaces, have a MAC address. This is a 6-byte address, usually written in hexadecimal, that a manufacturer assigns to the Ethernet controller for a port. MAC addresses are "lower level" than IP addresses and are used at the data link layer. You can set up your Access Point to only allow certain MAC addresses (i.e., certain devices) to use your WLAN. In other words, you configure it to only allow your computer(s) to associate to the WLAN. This will prevent unwanted visitors from hitching a free ride.
Search for MAC Filter in your Access Point config guide. You will have to go to each computer you will use on your WLAN and note down their MAC address. Make sure you note down the WIRELESS adaptor, and not the wired network card! It's a bit tedious (as a MAC address is a long string of hex), but it's worth it.
Not entirely foolproof, as experienced hackers can spoof MAC addresses, but it certainly adds greatly to security.
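An added example (not from the original page) of the allow-list check an access point performs when MAC filtering is enabled. It normalises the different ways operating systems print the 6-byte address, and, as a nod to the spoofing caveat above, flags allowed addresses whose locally-administered bit is set, since a burned-in manufacturer address never has it. All sample addresses are constructed.

```python
import re


def normalize_mac(mac: str) -> str:
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or 001a.2b3c.4d5e and return
    lowercase colon notation. Raises ValueError unless exactly 6 hex bytes are present."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set. Manufacturer-assigned addresses
    have it clear; spoofed or OS-randomised addresses almost always set it."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacFilter:
    """Allow-list filter of the kind an AP applies to association requests."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def decide(self, mac: str) -> str:
        m = normalize_mac(mac)
        if m not in self.allowed:
            return "deny"
        # On the list, but not a burned-in address: worth a look unless you know
        # the device randomises its own MAC.
        return "allow-flag" if is_locally_administered(m) else "allow"


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network.
    flt = MacFilter(["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f", "02:aa:bb:cc:dd:ee"])
    for attempt in ["00:1a:2b:3c:4d:5e", "02:aa:bb:cc:dd:ee", "00:1a:2b:3c:4d:60"]:
        print(attempt, "->", flt.decide(attempt))
```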
Change Default IP Address
Most access points come with the default RFC 1918 IP address of 192.168.1.1. Most hackers know this. Bad combination. Try changing the IP address to 192.168.x.1, where x is a random number between 2 and 254.
Different for every manufacturer. You should be able to do this from the Admin webpage for your Access Point quite easily.
Remember that when you change the IP address of the router, you will have to remember the new one when you access it again via a web browser! Of course, that's the whole point, but just don't forget it (perhaps write it down somewhere, or bookmark it). Chances are, once you make the change, the current web session will no longer work and you'll have to start another session; after all, you just changed the address of the AP.
Turn down Transmit Power
Most Access Points can transmit at up to 100mW; some even more. Why bother covering more area than you need? There's no point in offering temptation to the people across the street, so you should turn down your transmit power to the lowest level that sufficiently covers your house or apartment.
Different for every manufacturer. Some wireless gear doesn't let you do this with the default firmware. Check your user guide to see if it is possible with the default firmware.
You may need some tweaking to get it right. If you do, then congratulations. You just carried out what is called a "Site Survey" in the industry. Soon, you'll be doing this for a living!
Change Signal Polarization
All electromagnetic waves are polarized to some degree or another. Polarization is the alignment of the wave and is always perpendicular to the direction it is travelling. An antenna will emit a signal that is polarized in a certain direction. You need an antenna that is polarized in the same direction to get the best reception.
This is the simple bit. All you need to do is change the polarity of your devices' antennae. With most devices having omni-directional antennae, this is as simple as changing the antenna from being vertical (pointing straight up or down) to being horizontal (parallel with the ground). This will change your signal from vertical to horizontal polarization and greatly reduce the signal that people will receive unless they have a similarly polarized antenna. Please note this must be done with ALL DEVICES on the network for it to work properly. In some situations this may actually improve your reception.
This is not possible with all devices, laptops and PDAs being the two that immediately spring to mind. While they may still work, they will most likely get a greatly reduced signal strength.
Reduce DHCP Pool Size
DHCP (Dynamic Host Configuration Protocol) is a system that dynamically provides your clients (i.e., computers) with an IP address every time they join a network. In simple terms, your computer gets an IP address from your access point, and you don't have to worry about messing around with esoteric network settings. IP addresses are assigned from a "pool" of available addresses. The AP has to ensure it doesn't give the same address to two computers, or there would be problems. This "pool" of addresses often has up to 254 addresses available. Most home networks have only a handful of computers. By reducing the number of addresses in the DHCP pool to exactly the number of computers you have, you reduce the likelihood of a hacker gaining access to your network. They simply won't get an IP address in the first place. 99.99% of "attacks" on WLANs are opportunistic in nature. If the attacker encounters some or all of these hardening steps, most of them will just pass by and concentrate on another WLAN which is wide open.
Again, this is different for every manufacturer. It is usually in a "Network" or "DHCP" section on your AP configuration webpage.
Drawbacks: none really. Just make sure you have enough IP addresses left in your pool for your computers. Remember that reducing the pool to the exact number of computers you have means that your friends, as well as hackers and freeloaders, won't be automatically assigned an address on your network either. If you often have visitors that come to your home to use the network, this may not be suitable.
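An added example, not from the original page, that ties the "Change Default IP Address" and "Reduce DHCP Pool Size" steps together: it picks a 192.168.x.0/24 network with the AP at .1, builds a DHCP pool sized exactly to the number of computers, and uses a minimal lease allocator (a constructed stand-in for the AP's DHCP server) to show that an unknown client gets no address once the pool is spent. The sample MAC addresses are constructed.

```python
import ipaddress
import random
from typing import Optional


def choose_ap_address(third_octet: Optional[int] = None) -> tuple:
    """Return (network, AP address) for 192.168.x.0/24 with x random in 2..254,
    following this page's advice to move off the default 192.168.1.1."""
    x = random.randint(2, 254) if third_octet is None else third_octet
    if not 2 <= x <= 254:
        raise ValueError("third octet must be between 2 and 254")
    net = ipaddress.ip_network(f"192.168.{x}.0/24")
    return net, net[1]  # .1 is the access point itself


def dhcp_pool(net, ap_addr, host_count: int, first_offset: int = 100) -> list:
    """A pool sized exactly to host_count, starting at .first_offset and never
    overlapping the AP address or the subnet's broadcast address."""
    if host_count < 1:
        raise ValueError("pool must hold at least one address")
    pool = [net[first_offset + i] for i in range(host_count)]
    if ap_addr in pool or pool[-1] >= net.broadcast_address:
        raise ValueError("pool overlaps the AP or runs past the subnet")
    return pool


class TinyDhcp:
    """Just enough of a DHCP server to show what an exhausted pool means."""

    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}

    def request(self, client_mac: str):
        if client_mac in self.leases:  # renewing client keeps its address
            return self.leases[client_mac]
        if not self.free:  # pool exhausted: the newcomer gets no address at all
            return None
        self.leases[client_mac] = self.free.pop(0)
        return self.leases[client_mac]


if __name__ == "__main__":
    net, ap = choose_ap_address(42)  # fixed octet so the demo is repeatable
    server = TinyDhcp(dhcp_pool(net, ap, 3))  # exactly three computers at home
    known = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    for mac in known + ["aa:bb:cc:dd:ee:ff"]:  # the last one is a stranger
        print(mac, "->", server.request(mac))
```

As the drawback above notes, the same exhaustion applies to a visiting friend's laptop, so size the pool for the guests you expect.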
The above tips should greatly help most computer users. If playing around with networking equipment is your kind of thing, you can also consider using a firewall to restrict unauthorised traffic or installing a Virtual Private Network.