Wireless Security
It's no secret that wireless networking is becoming more popular in homes and small offices. The convenience of connecting two or more systems without stringing cables, the relatively low cost and easy installation of a small wireless router or gateway, and the fact that the new 802.11g standard with its 54 Mbps throughput is backwards compatible with the widespread 11 Mbps WiFi, have all led to an explosion in SOHO (Small Office Home Office) wireless networks.
This in turn has led to an explosion in the activity known as war
driving. War driving involves cruising the streets with a wireless
laptop equipped with a directional antenna and network sniffer software,
looking for exposed wireless networks that can be hacked into for
free Internet access or for more sinister purposes. Once a vulnerable
network is found, its location may be marked in chalk with symbols
to inform other hackers. This practice of marking the sweet
spots is called war chalking, and for several reasons you
definitely do not want your home or office to get chalked.
Part of the problem is that far too many wireless installations are installed right out of the box, using the manufacturer's default security values. Because the vast majority of SOHO networking equipment comes from just a couple of manufacturers, these default values are well known in the hacker community. The truth is that wireless will never be as secure as a cabled network with comparable security measures, but there are things you can do that will greatly improve the odds. Following is a list of ten tips to improve the security of your wireless network.
1. Change Admin Password - As simple and obvious as this might seem, it's surprising how many users forget. Almost all manufacturers use a default of ADMIN for both the user name and the password. If you are still using the defaults, change them today.
2. Disable or modify your SSID - The SSID, or Service Set Identifier, is a code that a wireless device sends out to identify itself to other devices, and the default is normally the manufacturer of the device. The problem is that if you are broadcasting the type of wireless access point you are using, it gives a hacker an edge to get into your system. You can change the SSID to something else, but don't use your name or any other pattern that could identify you to war drivers. The SSID is actually only needed when devices are first coordinating with each other, so your best bet is to disable the SSID broadcast once your network connection is established.
3. Use 128-bit WEP - Wired Equivalent Privacy (WEP) is the security standard provided with any new 802.11 router. WEP offers the option of either 64- or 128-bit encryption. It also includes something called the Initialization Vector (IV), which is a series of random bits added in front of a message before it is encrypted. If every packet starts with the same data, such as a header, this makes it easier to crack the encryption key. The IV makes it harder, but only if you turn on WEP encryption in the first place. This is in your Security settings, and you can set it either to assign an encryption key automatically or to use a passphrase to generate the key for you. This is the same key you will need to configure on all your wireless network stations. According to sources at the May 2003 Wireless Security Conference, in 2002 slightly over 70% of all wireless networks had not enabled WEP. In 2003, the number was up to 82.7%. Simply amazing. Having a wireless network without WEP enabled is roughly equivalent to running a network cable out to the sidewalk and inviting all passersby to plug in!
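The following Python script is an added illustration, not code from the Tech Tip. It uses real RC4 framed the way WEP frames it: a 3-byte IV is prepended to the key to seed RC4 and is sent in the clear in front of the ciphertext (WEP's IV is 24 bits in both the 64-bit and the 128-bit mode; the "128-bit" figure counts 104 key bits plus the 24-bit IV). It shows why the IV matters: two packets that begin with the same header encrypt to identical bytes when the IV is reused, and differ when it is not. It also gives the birthday-bound estimate of how many packets a random 24-bit IV survives before repeating. The key, IVs and packets are constructed; the 8-byte LLC/SNAP header is the real prefix every IP-carrying 802.11 data frame has, which is exactly the "same data, such as a header" case above.

```python
# Added example (not from the original Tech Tip): per-packet IVs with a stream
# cipher, using RC4 in WEP-style framing. All keys, IVs and packets are constructed.
import math


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_style_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing: seed = IV || key; the IV travels in the clear in front of the
    ciphertext. The integrity check value is left out for brevity."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes on which a and b agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


# Constructed packets. Every 802.11 data frame carrying IP starts with this same
# 8-byte LLC/SNAP header, so two packets always share at least this much plaintext.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
PACKET_1 = LLC_SNAP_IP + b"GET /index.html HTTP/1.0"
PACKET_2 = LLC_SNAP_IP + b"POST /login HTTP/1.0"
KEY_128 = bytes.fromhex("0123456789abcdef0123456789")  # 13-byte (104-bit) key part of "128-bit" WEP


def ciphertext_prefix_match(key: bytes, iv1: bytes, iv2: bytes,
                            packet1: bytes, packet2: bytes) -> int:
    """Encrypt two packets and count how many leading ciphertext bytes (IV excluded)
    are identical. With a reused IV the shared header encrypts to identical bytes,
    which is the pattern the tip says makes the key easier to crack."""
    c1 = wep_style_encrypt(key, iv1, packet1)[3:]
    c2 = wep_style_encrypt(key, iv2, packet2)[3:]
    return common_prefix_len(c1, c2)


def packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday-bound estimate of the packets sent before a randomly chosen IV is
    reused: about sqrt(pi/2 * 2**iv_bits). For 24 bits this is only a few thousand."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    reused = ciphertext_prefix_match(KEY_128, b"\x00\x00\x00", b"\x00\x00\x00", PACKET_1, PACKET_2)
    fresh = ciphertext_prefix_match(KEY_128, b"\x00\x00\x01", b"\x5a\xa5\xc3", PACKET_1, PACKET_2)
    print(f"identical ciphertext bytes with a reused IV:  {reused} (the whole {len(LLC_SNAP_IP)}-byte header)")
    print(f"identical ciphertext bytes with distinct IVs: {fresh}")
    print(f"packets before a random 24-bit IV is expected to repeat: {packets_until_iv_repeat():.0f}")
```

The birthday estimate is the reason the IV size, not just the key size, matters: a busy access point sends a few thousand frames in minutes, so even with WEP enabled the IV space is small, which is what the firmware fixes for "weak IVs" in item 8 are about.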
4. Plan your broadcast area - The signal strength of a wireless transmitter is somewhat attenuated by walls and also falls off sharply as distance increases. If you can, avoid setting up your access point near a front window where it will provide the maximum signal out to the street. An interior room is best, and second would be one at the rear, away from the street. In practice, the position of the access point is often dictated by where your DSL or cable modem is located. To determine if you have a potential problem, use the software that came with your wireless laptop or PDA and roam around the property to see where the broadcast is strong or weak.
5. Limit the number of wireless users - The DHCP software that dynamically assigns IP addresses can be easily configured to supply only as many addresses as the number of devices that will be using your access point. If they are all in use, a hacker can't get in. And if you yourself can't log in because a hacker beat you to it, at least you will have an obvious indicator that something is wrong.
6. Enable MAC address filtering - The MAC address is a unique identifier for every NIC (network interface card). It is usually printed on the PCI or PCMCIA wireless card and can also be found by running IPCONFIG /ALL. Enable MAC filtering to accept only the MAC addresses of your own equipment.
7. Control access rights - This is a further refinement of #6. Quite often not every system will have a wireless connection. Once you have determined which machines are going to need wireless access, only allow these authorized MAC addresses to pass.
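As an added example for items 6 and 7 (not code from the Tech Tip), the Python script below pulls the "Physical Address" of each adapter out of IPCONFIG /ALL output, normalizes the address formats you meet on card labels (dashes, colons, Cisco-style dots, bare hex), keeps only the adapters that actually need wireless access, and shows the accept/reject decision a MAC filter in allow-only mode makes for an association request. The ipconfig text, adapter names and addresses are all constructed. Keep in mind that MAC filtering is a convenience barrier rather than authentication; it keeps casual neighbours off, and the other items in this list do the real work.

```python
# Added example (not part of the Micro 2000 Tech Tip): build a MAC allow list from
# "ipconfig /all" output and evaluate association requests against it.
import re

# Constructed "ipconfig /all" output (Windows XP era), trimmed to the lines that
# matter. Real output has more adapters and settings.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : office-laptop

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g PC Card
        Physical Address. . . . . . . . . : 00-0C-29-3A-1B-2C
        Dhcp Enabled. . . . . . . . . . . : Yes

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-50-56-AB-CD-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
"""

_MAC_FORMATS = re.compile(
    r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$"  # 00-0C-29-3A-1B-2C or 00:0c:29:3a:1b:2c
    r"|^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$"            # 000c.293a.1b2c (Cisco style)
    r"|^[0-9A-Fa-f]{12}$"                                           # bare hex, as printed on some labels
)


def normalize_mac(raw: str) -> str:
    """Reduce any of the common written forms to lower-case colon-separated form,
    or raise ValueError for anything that is not a MAC address."""
    raw = raw.strip()
    if not _MAC_FORMATS.match(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ipconfig_adapters(text: str) -> dict:
    """Return {adapter name: normalized MAC} from ipconfig /all output."""
    adapters = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^\S.*adapter (.+):\s*$", line)
        if header:
            current = header.group(1)
            continue
        addr = re.search(r"Physical Address[ .]*:\s*(\S+)", line)
        if addr and current:
            adapters[current] = normalize_mac(addr.group(1))
    return adapters


def wireless_allow_list(adapters: dict, label_macs=()) -> set:
    """Item 7: only the adapters that need wireless access go on the list. Adapters
    whose ipconfig name contains 'Wireless' are taken; addresses read off the labels
    of other devices (a second laptop, a PDA) are passed in as strings in any format."""
    allow = {mac for name, mac in adapters.items() if "wireless" in name.lower()}
    allow.update(normalize_mac(m) for m in label_macs)
    return allow


def filter_decision(allow_list: set, client_mac: str) -> str:
    """What a MAC filter in allow-only mode does with one association request."""
    try:
        mac = normalize_mac(client_mac)
    except ValueError:
        return "reject (malformed)"
    return "accept" if mac in allow_list else "reject (not on list)"


if __name__ == "__main__":
    adapters = parse_ipconfig_adapters(SAMPLE_IPCONFIG)
    allow = wireless_allow_list(adapters, label_macs=["000c.2944.5566"])  # a PDA's label, constructed
    print("allow list:", sorted(allow))
    for mac in ("00:0C:29:3A:1B:2C", "00-50-56-AB-CD-EF", "00:11:22:33:44:55", "not-a-mac"):
        print(f"{mac:20} -> {filter_decision(allow, mac)}")
```

Note that the wired adapter's address is parsed but deliberately left off the list: that machine reaches the network by cable and has no business associating wirelessly, which is the point of item 7.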
8. Update your firmware - Wireless manufacturers are continually updating their security features, including strengthening the IV algorithms. Older weak IVs reduce the time it takes to crack your WEP, and the newer ones are much stronger. However, the equipment you buy off the shelf might be a year old or even more. Check the manufacturer's website for updated firmware that you can download, which will have the latest fixes and corrections to any weak IVs.
9. Authenticate users - Install a firewall that supports VPN (Virtual Private Networking) and configure it so that wireless users are required to log in as if they were dialling in remotely to their ISP. Allow only those basic permissions that the wireless users will actually need.
10. Monitor your network - There are numerous freeware or shareware programs you can find to watch your network traffic. These are also known as intrusion detection software. I have found a free program called AirSnare that can be downloaded from http://home.comcast.net/~jay.deboer/airsnare/. This monitors wired as well as wireless traffic, reporting both the MAC address and where your users are surfing. You can also send a message directly to your authorized users that they are being monitored, or a nasty note to those unwelcome freeloaders before you kick them out.
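The monitoring that items 5 and 10 describe can be done with a few lines of your own when the gateway's logs are available. The Python script below is an added example, not AirSnare or code from the Tech Tip: it reads DHCP log lines, checks each lease against the allow list of your own equipment, and raises the two alarms the tips talk about, a lease handed to a MAC address that is not yours and a lease pool that is full (which, when one of your own devices is the one refused, is the "obvious indicator that something is wrong" of item 5). The log lines are constructed in ISC dhcpd style; the allow list, the pool size of three and the addresses are assumptions, and the regexes need adapting to whatever your own router writes.

```python
# Added example (not part of the Micro 2000 Tech Tip): a small DHCP log monitor that
# flags leases to unknown MAC addresses and an exhausted lease pool.
import re

# Your own equipment, in the same lower-case colon form the log uses (constructed).
ALLOWED = {"00:0c:29:3a:1b:2c", "00:0c:29:44:55:66"}
POOL_SIZE = 3  # assumed: the DHCP range was left one larger than the two devices

# Constructed log sample in ISC dhcpd style.
SAMPLE_LOG = """\
Jun 14 21:02:11 gateway dhcpd: DHCPACK on 192.168.1.10 to 00:0c:29:3a:1b:2c (office-laptop) via wlan0
Jun 14 21:05:40 gateway dhcpd: DHCPACK on 192.168.1.11 to 00:0c:29:44:55:66 (pda) via wlan0
Jun 14 21:07:03 gateway dhcpd: DHCPACK on 192.168.1.12 to 00:11:22:33:44:55 via wlan0
Jun 14 21:09:15 gateway dhcpd: DHCPDISCOVER from 00:0c:29:3a:1b:2c via wlan0: network 192.168.1.0/24: no free leases
"""

ACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})")
NOLEASE_RE = re.compile(r"DHCPDISCOVER from ([0-9a-f:]{17}) .*no free leases")


def parse_dhcp_log(text: str) -> list:
    """Turn log lines into (kind, mac, ip) tuples; lines we don't recognise are skipped."""
    events = []
    for line in text.splitlines():
        ack = ACK_RE.search(line)
        if ack:
            events.append(("lease", ack.group(2), ack.group(1)))
            continue
        refused = NOLEASE_RE.search(line)
        if refused:
            events.append(("refused", refused.group(1), None))
    return events


def check_wireless(events: list, allowed: set, pool_size: int) -> list:
    """Apply the allow list and the pool size to the event stream; return alert strings
    in the order the evidence appears in the log."""
    alerts = []
    leases = {}  # ip -> mac, so a device renewing the same address is not counted twice
    for kind, mac, ip in events:
        if kind == "lease":
            leases[ip] = mac
            if mac not in allowed:
                alerts.append(f"lease {ip} given to unknown MAC {mac} ({len(leases)} of {pool_size} in use)")
        elif kind == "refused":
            who = "your own device" if mac in allowed else "unknown MAC"
            alerts.append(f"pool exhausted ({len(leases)} of {pool_size} in use): "
                          f"{who} {mac} was refused a lease")
    return alerts


if __name__ == "__main__":
    for alert in check_wireless(parse_dhcp_log(SAMPLE_LOG), ALLOWED, POOL_SIZE):
        print("ALERT:", alert)
```

Run against the sample, the first alert points at the stranger who took the spare lease, and the second shows the office laptop being turned away because that lease is gone, which is the sequence item 5 predicts. If the pool had been sized at exactly two, the first alert would never have had a lease to report.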
Disclaimer - The Micro 2000 Tech Tip is a free service providing
information only. While we use reasonable care to see that this
information is correct, we do not guarantee it for accuracy, completeness
or fitness for a particular purpose. Micro 2000, Inc. shall not
be liable for damages of any kind in connection with the use or
misuse of this information.