How to Secure your Wireless Network

Posted by Martin in Security  Tags: , ,

14

Dec



A friend of mine moved to a new house and had to change his internet provider as well. The room with the computer and the one with the phone line were not close to each other and he decided to buy a wireless lan router and use it to connect to the internet.

We had to do a scan of the surroundings of course and found lots of unsecured wireless lan networks. I don´t know why people keep these unsecured, maybe its laziness, maybe they simply don´t know the risks involved. Its like leaving your doors open when you leave your house. Lots of things can happen..

Others could use your internet connection to surf the web, to spam, download copyrighted files or hack other servers, and do even worse stuff. All using your connection. Guess on whose door the police will be knocking ?

Router / Access Point

This is your main configuration unit. If someone gets access to it he will be able to change lots of preferences like passwords, encryption and mac address. Most routers have default passwords and SSID´s which have to be changed by their owner to make the entire system more secure.

1. Default Login

Your first task is to change the default user login to something else. Routers normally have default usernames and passwords like admin / 0000 or similar. You normally configure your wlan router using a web browser and the routers ip. Those are the username and password you enter when you want to change the configuration.

2. Updates

Visit the manufactures website and look for updates for your router / access point. Often those updates include security updates as well, recommended to to every once in a while.

3. Infrastructure / Ad-Hoc

With infrastructure mode enabled all deviced connected to the wireless lan communicate through the access point / router while the Ad-Hoc mode allows for direct communication. Disable Ad-Hoc mode if available.

4. SSID

The SSID, Service Set Identifier, identifies your router. Companies use default ones like wireless or wlan which are easy to guess. Choose a more secure password, best is a combination of letters and numbers.

Disable the SSID Broadcasting, which transmits its name to everyone in range.Wireless stations searching for a network connection can ‘discover’ it automatically, not needed if you know the SSID and configure your computers the way. It does not make sense to change the name but leave broadcasting on.

Note its still possible to sniff the SSID, its still send in clear text when a client associates with the router / access point.

5. Pings

Turn of Broadcast pings on the access point / router this makes it invisible to 802.11b analysis tools.

6. Mac Address Filtering

Every network device has in theory a unique MAC address. You can configure your access point / router the way that it only accepts connections from the mac address(es) you specify. Its possible to sniff your mac addresses and fake them, don´t rely on this alone.

On windows open the command prompt and enter ipconfig /all

The Physical Address is your MAC address, make sure you selected the right device, a wlan pci card for example.

If you are not using windows go to this website, it explains how you find it on your operating system.

7. Remote Management

Disable if not needed.

8. WPA, WPA2 or WEP

If your access point offers WPA2 encryption use it. WPA2 uses AES encryption. If you have an older access point use WPA and as last resort use WEP. Make sure you chose passwords that are more or less immune against dictionary attacks and chose the highest available encryption option (232 ->104 -> 40)

9. Wlan Coverage

It does not make sense most of the time to provide wlan coverage for a wider area than your own appartment. You can experiment with lowering the transmit level and the use of directional antennas to reduce the area your wlan covers.

Its a good idea to change the encryption keys and the SSID every now and then. The best protection is of course to turn your wireless network off if you don´t need it.

[tags]wifi, wlan, wireless lan, secure, network, wireless network, ssid, broadcast, wep, wpa, wpa2, router, access point[/tags]


Like such posts? Get updates via RSS NEWS FEED. Love Ghacks? Find out how you can help!

6 Users Commented In This Post

Subscribe To This Post Comment Rss Or TrackBack URL
brad.clarkston says:

Nice post.

I work at a small rural ISP that provides wireless broadband coverage using AirSpan WiMax and 99% of those customers have installed a Linksys WiFi router (that’s what we push) as well so I know the pain of having 200+ unsecured wireless customers in a 50 miles radius.

At least I always have a connection around my area .

Otto says:

Few things:

>It does not make sense to change the name but leave broadcasting on.

Yes, it does. The SSID identifies the network, and leaving broadcasting on lets it show up on a list of networks, like in the XP wireless network list. This makes it easy for people to connect to your network. Since you’re using WEP/WPA, they still need the password.

>Note its still possible to sniff the SSID, its still send in clear text when a client associates with the router / access point.

The SSID is not sent in just the association packets. The SSID is sent in the clear in *ALL* packets. So it’s not just possible to sniff the SSID, it’s trivial.

Disabling SSID broadcast adds no security to your network. None. Zero. At best, it will keep the little old lady next door from seeing it in the list of networks on her computer.

>Its possible to sniff your mac addresses and fake them, don´t rely on this alone.

It’s not just possible, it’s trivial. It’s *one command* on a Linux box. A slight bit trickier on a Windows box, I grant you. MAC filtering adds no real security either.

And the worst thing about both of these is that they make your wireless network *much* harder to administer, for no real security benefit. With SSID Broadcast on and MAC filtering off, you can walk up and hand somebody the password for the network, and they’ll be able to connect. No issues. You don’t have to touch a computer. But if you enable both of these, then suddenly you have to log into the router from another machine and get the guy’s MAC address and add it and tell him the SSID as well as the password.. It’s a lot more complex.

Simplify. All you need for wireless security is encryption turned on. WPA is enough. If you’re using encryption, then they have to break it to get into the network. That takes real time. Bypassing SSID and MAC Filtering takes mere seconds, and makes the network more difficult to work with. In other words, don’t bother disabling SSID braodcast, don’t bother with MAC Filtering. These are *not* security measures and should not be treated as such.

Creation Robot » How to Secure your Wireless Network says:

[...] How to Secure your Wireless Network [...]

teknokool.net » links for 2005-12-15 says:

[...] gHacks » How to Secure your Wireless Network (tags: wireless networking wifi security) [...]

otro blog más » Unos cuantos de seguridad says:

[...] Sobre todo, la cosa va de WiFi, con un ‘proof of concept’ de cracking WPA, este Essential Wireless Hacking Tools, una guía para asegurar una red inalámbrica y el artículo Cracking WPA (y su segunda parte). [...]

pinanti is pinanti » Blog Archive » links for 2005-12-16 says:

[...] gHacks » How to Secure your Wireless Network (tags: wireless sysadmin security howto wifi network) [...]

Leave Your Comments Below
Hello, please leave your thought below

Please Note: Each comment will be manually approved by an admin. There is no guarantee that a comment will be posted. Please do not submit the comment multiple times.