|November 23, 2003
Wireless networking via
802.11 b, g, or a has become extremely popular over the past few years.
Chances are if you have a laptop, you probably have an add-in wireless
card or even a mini-PCI wireless card built right in. While wireless
computing is extremely convenient, there are many security issues.
In order to make wireless networking as simple as possible, most wireless
routers and access points are setup by default to work out of the box.
In order to do this, most, if not all of the security features disabled.
There is a trade off between security and ease of use. As you become
more familiar with your wireless network and have all your wireless computers
working correctly, then you can slowly increase the security of your wireless
Wireless network security
is especially important if the wireless link is connected to your home
network. If somebody manages to connect to your wireless network,
they could potentially access all the computers on your network, including
your webserver or file server. In a home network, the wireless segment
is the most vulnerable connection and you must pay special attention to
secure it as best you can.
While wireless security is
not foolproof, it will put up a substantial barrier for the casual hacker
or war driver (somebody who drives around with a laptop looking for a free
wireless connection). Below I point out several security measures
that are built into most wireless routers and access points. While
your hardware may not support all of these features or your network situation
may preclude certain configurations, you should enable as many of these
features as you can. Some of the items may make using your network
less convenient, but once again, it is a trade off between ease of use
and security. Pick the balance that makes you happy.
the username and password of the configuration page of the wireless access
Each wireless router
or access point has a built-in configuration page, usually in the form
of an internal webpage accessed from your web browser. Typically,
the password is either blank or "admin". You definitely have to change
the username and password immediately. You might be surprised that
most people do not change either one! You don't want somebody else
configuring your access point or router so make sure this info is changed.
the default SSID of your wireless router or access point.
Your wireless access
point or router comes from the manufacturer with a default SSID that typically
is something like "linksys", "netgear", or "dlink". Change the SSID
to something that does not describe the manufacturer or model of the unit.
Specific units may have known weaknesses or configuration loopholes so
don't give the hacker a hint on which unit you have. An additional
reason to change the SSID is that if a neighbor has the same model as you,
and both models are set at their default configurations, the two units
might interfere with each other.
broadcasting of your SSID.
Most wireless access
points and routers broadcast their SSID to everyone. This makes it
easy to connect to the network, however, it announces the SSID to everyone
saying "A wireless network is here, come find me". If possible, disable
the broadcasting of the SSID. This makes your wireless access point
or router invisible to most people. You'll have to manually input
the SSID into your wireless client computer since it won't show up automatically
as an available wireless network. This isn't much of a problem if
your client connection software allows you to create a profile that saves
the wireless connection settings. If people don't know you are using
wireless, the more secure you are.
the channel number from default.
Pick any channel
number that is different from the default channel number. This prevents
people from simply going with the default channel and also prevents interference
if other people own the same model as you do.
the default IP number of the wireless access point or router.
Most wireless routers
and access points are configured by pointing a web browser to the IP address
of the unit and then using an internal web page to set the configuration.
Change the default IP number to something different so hackers cannot easily
find the configuration menu.
wireless configuration of the wireless access point or router.
menu for most wireless routers and access points can be accessed by either
a wired or wireless connection. If your unit can has the option to
do so, disable wireless configuration of the access point or router.
This makes it so that you can configure the unit if you are physically
attached to the network (wired) but not if you're connected wirelessly.
It is not likely that someone is going to physically splice into your wired
MAC address filtering.
MAC address filtering
only allows computers with MAC addresses you specify to connect to the
wireless network. You manually input the MAC address of each wireless
network card into the configuration of your wireless access point or router,
and then only these MAC address are allowed to connect. The rest
are not. This is a great security feature and should definitely be
enabled if possible. For the most part, this feature is not very
intrusive. All you have to do is the update the permitted MAC address
list each time you add a new wireless computer to the network. For
home use, this probably isn't that often. With MAC address filtering,
the content of the data being sent wirelessly is not encrypted and still
can be intercepted using various snooping tools, but it is an effective
way to prevent people from connecting to your wireless network.
WEP or WPA encryption.
With WEP or WPA
enabled, a user has to have a correct encryption key to connect to the
wireless network. Also, once they connect to the wireless network,
data sent wirelessly is encrypted so that if somebody is snooping wirelessly,
the information cannot be deciphered. WEP comes with different encryption
levels such as 64 or 128 bit encryption. The higher the level, the
more difficult it is to break the encryption code. Even though that
data may be encrypted, it is not 100% secure, but it is fairly safe against
all but the most determined wireless network snooper/hacker. Some
wireless access point/routers/network cards runs slower with the encryption
enabled. The drop in transmission speed can be up to 40%. However,
most new wireless hardware do not suffer a speed loss when encryption is
enabled. Another thing to be wary of is that some manufacturers use
encryption keys in hexadecimal and some use binary and others use a passphrase.
If you mix hardware from different manufacturers, make sure to find out
if they use the same type of keys. You may have to convert a hexadecimal
key to a binary key or vice versa. I found this out the hard way
when I initially couldn't get encryption to work between hardware from
DHCP dynamic IP assignment.
Most home wireless
routers have a DHCP server that automatically assigns each computer a dynamic
IP address. This is very convenient for you but also very convenient
for an uninvited guest to get an IP address if they manage to connect to
your wireless network. Assuming that somebody manages to connect
to your wireless network, they still don't have full access to your network
if they don't know the correct IP address and network information.
You can prevent them from getting this information by turning off the DHCP
server on the wireless router. With the DHCP server turned off, you
will have to manually enter static IP numbers, subnet, gateway, and DNS
information for each of your wireless clients. If your home network
doesn't change much, this isn't really that much of a hassle.
signal bleeding outside your facilities.
Try to place your
wireless router or access point close to the center of your home or office.
This is a good practice for two reasons. 1. The signal will be strong
throughout most of the desired area. 2. Less wireless signal will
be outside your facility to attract attention. If you put the wireless
device close to the wall or window of your house/office, then the other
side of the building won't get as strong signal strength and you'll waste
a lot of the wireless signal outside your facilities. The more wireless
signal outside of your facilities, the more inviting it is for people to
try to hack into your wireless network.
your wireless router or access point from the rest of your network.
If you use your
wireless network to surf the Internet and really don't need it to connect
to other computers on your home network, consider isolating the wireless
access point by putting it on a different segment of the network which
isn't able to connect to your main wired network. You can do this
by daisy chaining 2 routers together so that your home wired network is
behind a firewall relative to the wireless access point or router.
The wired segment of your network would be safe from the wireless segment.
However, other wireless computers connected to the same wireless network
would still be vulnerable so other security measures should still be implemented
to lock down your wireless network.
your home network.
Your home network
should be secured whether or not you have a wireless network, but especially
if you do have one. This includes disabling all guest accounts on
the network, using strong passwords to access shared network folders, printers,
and drives. By default, most home network share data using the TCP/IP
network protocol. Hackers know this. You can change this so
that your network uses some other protocol such as NetBEUI or IPX for the
local network and use TCP/IP for Internet only.
Each of these suggestions helps
make a wireless network more secure. You will probably not use all of the
items, but the more you use, the safer you and your data will be.