How to Secure your Wireless Network

Martin Brinkmann
Dec 14, 2005
Updated • Apr 30, 2013
Security

A friend of mine moved to a new house and had to change his internet provider as well. The room with the computer and the one with the phone line were not close to each other, and he decided to buy a wireless LAN router and use it to connect to the internet instead of using a cable connection.

We had to do a scan of the surroundings of course and discovered many insecure wireless LAN networks. I don't know why people keep these insecure; maybe it's laziness, maybe they simply don't know the risks involved. It's like leaving your doors open when you leave your house. Lots of things can happen.

Others could use your internet connection to surf the web, to spam, download copyrighted files or hack other servers, and do even worse stuff. All using your connection. Guess on whose door the police will be knocking?

Router / Access Point

This is your main configuration unit. If someone gets access to it, they will be able to change lots of settings such as passwords, encryption and MAC address. Most routers ship with default passwords and SSIDs, which their owner has to change to make the entire system more secure. Changing the SSID does not really help in terms of security, but I still prefer to do it, if only to recognize my own router/modem more easily.

1. Default Login

Your first task is to change the default user login to something else. Routers normally ship with default usernames and passwords like admin / 0000 or similar. These are the username and password you enter when you want to change the configuration, which you normally do with a web browser pointed at the router's IP. The IP and user account are often displayed on the back of the router or in the manual.

2. Updates

Visit the manufacturer's website and look for updates for your router / access point. These updates often include security updates as well, so it is recommended to check every once in a while to be on the safe side of things.

3. Infrastructure / Ad-Hoc

With infrastructure mode enabled, all devices connected to the wireless LAN communicate through the access point / router, while Ad-Hoc mode allows direct communication between devices. Disable Ad-Hoc mode if available.

4. SSID

The SSID, Service Set Identifier, identifies your router. Companies use default ones like wireless or wlan which are easy to guess. Choose a more secure SSID, best is a combination of letters and numbers.

Disable SSID broadcasting, which transmits the network name to everyone in range. Wireless stations searching for a network connection can 'discover' it automatically; this is not needed if you know the SSID and configure your computers that way. It does not make sense to change the name but leave broadcasting on. Note that it is still possible to sniff the SSID: it is still sent in clear text when a client associates with the router / access point.

5. Pings

Turn off broadcast pings on the access point / router; this makes it invisible to 802.11b analysis tools.

6. Mac Address Filtering

Every network device has, in theory, a unique MAC address. You can configure your access point / router so that it only accepts connections from the MAC address(es) you specify. It is possible to sniff your MAC addresses and fake them, so don't rely on this alone.

On Windows, open the command prompt and enter ipconfig /all

The Physical Address is your MAC address. Make sure you select the right device, a WLAN PCI card for example.

If you are not using Windows go to, it explains how you find it on your operating system. [Update: the website is no longer available]

7. Remote Management

Disable if not needed.

8. WPA, WPA2 or WEP

If your access point offers WPA2 encryption, use it. WPA2 uses AES encryption. If you have an older access point, use WPA, and as a last resort use WEP. Make sure you choose passwords that are more or less immune to dictionary attacks, and choose the highest available encryption option (232 -> 104 -> 40).

Note that both WEP and WPA protections can be easily hacked. If your router does not support those, try a firmware upgrade, and if that does not add it, get a new router. Yes, it is that important.

9. Wlan Coverage

Most of the time it does not make sense to provide WLAN coverage for a wider area than your own apartment. You can experiment with lowering the transmit level and using directional antennas to reduce the area your WLAN covers.

It's a good idea to change the encryption keys and the SSID every now and then. The best protection is of course to turn your wireless network off if you don't need it.


Comments

  1. Medical Supply Guru said on April 18, 2010 at 8:56 pm

    Networking Macs is a hassle. I wish I had read this article before I set up my Mac network.

  2. roman@wlan said on March 6, 2010 at 3:09 pm

    Does my MAC address change if I upgrade my computer with some other hardware? For example, if I change the graphics card?

  3. Grey's Anatomy said on May 26, 2009 at 8:04 pm

    It’s always good to find like-minded people. Thanks, and I’m going to add you to my RSS feed.

  4. gunshotglitter said on December 15, 2008 at 1:06 am

    I'm struggling to secure my network and I am looking for help. Anyone think they might be able to?

  5. Otto said on December 14, 2005 at 7:17 pm

    Few things:

    >It does not make sense to change the name but leave broadcasting on.

    Yes, it does. The SSID identifies the network, and leaving broadcasting on lets it show up on a list of networks, like in the XP wireless network list. This makes it easy for people to connect to your network. Since you’re using WEP/WPA, they still need the password.

    >Note it's still possible to sniff the SSID, it's still sent in clear text when a client associates with the router / access point.

    The SSID is not sent in just the association packets. The SSID is sent in the clear in *ALL* packets. So it’s not just possible to sniff the SSID, it’s trivial.

    Disabling SSID broadcast adds no security to your network. None. Zero. At best, it will keep the little old lady next door from seeing it in the list of networks on her computer.

    >It's possible to sniff your MAC addresses and fake them, don't rely on this alone.

    It’s not just possible, it’s trivial. It’s *one command* on a Linux box. A slight bit trickier on a Windows box, I grant you. MAC filtering adds no real security either.

    And the worst thing about both of these is that they make your wireless network *much* harder to administer, for no real security benefit. With SSID Broadcast on and MAC filtering off, you can walk up and hand somebody the password for the network, and they’ll be able to connect. No issues. You don’t have to touch a computer. But if you enable both of these, then suddenly you have to log into the router from another machine and get the guy’s MAC address and add it and tell him the SSID as well as the password. It’s a lot more complex.

    Simplify. All you need for wireless security is encryption turned on. WPA is enough. If you’re using encryption, then they have to break it to get into the network. That takes real time. Bypassing SSID and MAC Filtering takes mere seconds, and makes the network more difficult to work with. In other words, don’t bother disabling SSID broadcast, don’t bother with MAC Filtering. These are *not* security measures and should not be treated as such.

  6. brad.clarkston said on December 14, 2005 at 5:14 pm

    Nice post.

    I work at a small rural ISP that provides wireless broadband coverage using AirSpan WiMax, and 99% of those customers have installed a Linksys WiFi router (that’s what we push) as well, so I know the pain of having 200+ unsecured wireless customers in a 50-mile radius.

    At least I always have a connection around my area.
