Wireless network security basics

January 1, 2010

in All Articles, Wi-Fi

This intro to wireless networking setup and security is written with the assumption that the reader has a basic understanding of wired networks, because in terms of protocol, wireless works almost the same way. The difference is in the wireless component and associated hardware configuration.

Equipment
To create a home network, you need a single wireless access point (WAP). You’ll also need a wireless adapter for every PC you want to participate on the wireless network. The PC adapters will connect to the WAP, and the WAP will connect to the Internet.

I personally prefer Linksys products, and these can be found in your local computer store or online. Because technology is always changing, I don’t want to recommend a specific model, but here are links to wireless access points and wireless adapters.

Protocol
Wireless hardware comes in different “languages”. Stick to 802.11g, also called “Wireless G”. Note that this might interfere with cordless phones in the 2.4GHz band. The easy way to identify this problem is that your PC’s Internet connection will die every time someone makes a phone call. If you have a cordless phone at home and are experiencing connection drops with your wireless equipment, try changing the wireless “channel” on your WAP. Hopefully you can find a channel for your computers that your phone isn’t using. If you can’t, and your computer drops connections no matter what channel your WAP uses, then there are two other solutions:

1) Purchase a new phone, one that doesn’t use the 2.4GHz band.

2) Instead of 802.11g equipment, use 802.11a equipment. 802.11a uses the 5GHz band. For more detail on the different types of wireless protocols, go here.

Wireless Security Setup
After you install your hardware and have all PCs operating happily on the network (the hardware manuals provide good instructions for doing this, though most equipment will work with no configuration – just plug everything in and things will hopefully work immediately), secure it by making these changes.

1) Change your WAP password. By default, all WAPs of the same model have the same password, and these passwords are widely known. Change your default password to prevent unauthorized people from changing your WAP configuration.

2) Enable WPA2 encryption (also called 802.11i). In the WAP’s configuration, turn on WPA2 “Pre-Shared Key” encryption and create a long, difficult (thus secure) password there. Each PC that wants to connect to the WAP will have to enter that password once to be authorized on the network. Use WPA2 for the authentication type and AES for the encryption method. (The WPA2 and AES combo will give you the best protection.)

If you have problems setting up WPA2, be aware that older hardware and operating systems require updates before they’ll work. If WPA2 is giving you problems or isn’t available in Windows XP, try this before you set up WPA and WPA2:

a) Install the latest Windows Service Pack. WPA encryption functionality is included as of Windows XP Service Pack 2. In addition, if setting up WPA2, your Windows PCs may need the patch at this link. It enables the WPA2 standard on Windows.

b) Apply the latest firmware drivers for your WAP.

c) Apply the latest drivers for your wireless adapters. If you have older adapters, they may not even support WPA. If this is the case (the support section of the adapter manufacturer’s website should state this), upgrade to a model that does.

Yes, there have been times where I needed to do all three of these things in order to get WPA working properly. If you still have no luck, verify your hardware (wireless access point and PC wireless adapter) supports WPA. Some older hardware does not. The hardware manufacturer’s website should clarify this.

3) Change SSID. Your WAP has an identifier name called the SSID, which is set to a default name by the hardware manufacturer. Change this name to something else. This will not actually improve security. Do it to indicate to others that your network was set up by someone who knows better than to take the defaults, and therefore may not be worth attempting to hack.

4) Firewall. If your WAP also routes your Internet traffic, and has a built-in firewall, make sure it’s turned on. If you have an option for “Block anonymous internet requests”, enable it.

5) Appliance timers. If you’re really paranoid, get an appliance timer and hook it up to your WAP. Set it to turn the device off when you know you’re not using it (like overnight, while you’re at work, etc.) Sometimes the most effective security is to use the OFF switch!
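To show why step 2 asks for a long passphrase, here is an added illustration that is not part of the original post: WPA2-PSK derives the actual 256-bit key from your passphrase with PBKDF2-HMAC-SHA1 at a fixed 4096 iterations, using the SSID as the salt, so the passphrase is the only thing standing between a guesser and the key. The entropy estimate below is a rough character-class heuristic of my own, not part of the standard; the sample passphrases are constructed, and "password"/"IEEE" is the IEEE 802.11i Annex H test vector.

```python
import hashlib
import math

# WPA2-PSK ("Personal") turns the passphrase you type into the WAP into a
# 256-bit key with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096
# times (IEEE 802.11i). The iteration count is fixed by the standard, so the
# only thing that makes the key hard to guess is the passphrase itself.
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i allows 8 to 63 printable ASCII characters (0x20..0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK that the WAP and every PC compute from the passphrase."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PSK_LENGTH_BYTES,
    )


def passphrase_bits(passphrase: str) -> float:
    """Crude upper bound on passphrase entropy (my heuristic): length * log2(alphabet used)."""
    if not passphrase:
        return 0.0
    classes = [
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: not c.isalnum(), 33),  # space and punctuation
    ]
    alphabet = sum(size for test, size in classes if any(test(c) for c in passphrase))
    return len(passphrase) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passphrases; the short one is the 802.11i test vector.
    for pw in ("password", "correct horse battery staple 2010!"):
        psk = derive_psk(pw, "IEEE")
        print(f"{pw!r}: ~{passphrase_bits(pw):.0f} bits, PSK {psk.hex()[:16]}...")
```

A WAP-to-WAP comparison of PSKs is not needed in practice; the point is that the 8-character all-lowercase passphrase scores under 40 bits while a 30-plus character mixed phrase scores over 100, and WPA2 itself adds no work factor beyond the fixed 4096 rounds.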

You may have heard other recommendations for setting up security on a wireless network, things like disabling SSID broadcasting, using WEP encryption, turning off DHCP, MAC address filtering, restricting the transmitter power or placing the WAP in certain locations in the house. Do not do any of these. Here’s why:

Don’t disable SSID broadcast: This attempts to hide the existence of your network. It doesn’t. If a computer is talking to an access point, that traffic is visible, regardless of SSID settings.

Don’t use WEP encryption: It was nice while it lasted, but WEP encryption has been broken. With the proper (free) tools, your WEP-protected network can be hacked in minutes.

Don’t disable DHCP: All computers on a network must have a unique address. DHCP allocates this address automatically. Turning off DHCP will do nothing to stop anyone slightly familiar with networking, since the address can also be set manually.

Don’t use MAC address filtering: Like a computer’s fingerprint, all networked computers have a unique identifier called a MAC address. But unlike fingerprints, a MAC address can be manually changed. It’s not difficult for someone using sniffer software to 1) figure out what MACs are allowed on your network and 2) change their PC’s MAC address to an allowed value.

Don’t try to restrict the wireless signal: Radio waves travel farther than you might realize, and are almost impossible to limit or restrict. Don’t restrict the signal – it’s more effective and easier to have the signal be as powerful as possible, but encrypt the data on it. If I can walk outside your house and detect your wireless signal, no big deal: I’m still prevented from using it if you’ve enabled the encryption methods specified above.

After you think you’ve gotten all PCs connected, reboot them and make sure they reconnect automatically. Verify you can still connect to the network and/or Internet. This will ensure that all changes are applied correctly and that those security changes will “stick”.
