How To Secure Your Wireless Network
The age of wireless computing has brought unprecedented freedom and mobility to computer users in a variety of settings. At home, a wireless network lets each family member reach the internet and get work done without being tied to the one room set aside for the computer, or competing for a single connection. The kids can do their homework, mom and dad their web surfing, email or work, all with complete freedom of movement thanks to the wireless LAN set up in the home.
However, going totally wireless at home brings with it some possible problems as any new technology will do. Not the least of those concerns is security.
Going wireless means, by definition, that access to your computing resources and the internet happens without wires, through the air. Radio does not stop at your walls: just as every computer in the house can receive those signals, so can anyone within range outside it, including people who have no business on your network.
Therefore, when planning your wireless network at home, take some precautions and preventive measures to ensure that the network is as secure in wireless mode as it was when you used cables and physical connections.
The purpose of this article is to help you understand the terminology of wireless security in the home setting and to give you a checklist of the key security steps to take when setting up and using your network.
Some New Terminology
The wireless world has its own language and set of acronyms. So it’s appropriate before beginning our discussion of security to define some of the terms we need to understand to be effective at securing your home wireless network.
SSID (Service Set Identifier) – The name of your network, a string of up to 32 bytes. All devices on the wireless network must use the same SSID to communicate with each other. It is carried unencrypted in management frames, so it is a label, not a secret.
WEP (Wired Equivalent Privacy) – The encryption scheme defined in the original IEEE 802.11 standard (1997). It is optional, not mandatory: on most equipment it is simply turned “on” or “off”. Its goal was to give a wireless link roughly the privacy of a cable, hence the name. It uses the RC4 stream cipher with a short, fixed shared key and a 24-bit per-packet initialization vector, a design that has since been thoroughly broken; it is defined here because you will still meet it on older equipment.
WPA (Wi-Fi Protected Access) – A security protocol from the Wi-Fi Alliance, released in 2003 to patch the weaknesses of WEP while remaining compatible with existing hardware. It has since been superseded by WPA2 (2004, based on the finished IEEE 802.11i standard and AES-CCMP encryption) and WPA3 (2018).
TKIP (Temporal Key Integrity Protocol) – The encryption protocol used by the original WPA. It still runs RC4 underneath so that WEP-era hardware could be upgraded by a firmware update, but it adds per-packet key mixing, a longer 48-bit IV and a message integrity check. It is considerably stronger than WEP, though it too is now deprecated in favour of AES-CCMP (WPA2) and the WPA3 cipher suites.
MAC address (Media Access Control) – The hardware or physical address of a network adapter, a 48-bit number usually written as 12 hexadecimal digits (for example 00:11:22:aa:bb:cc). Unlike an IP address it belongs to the adapter rather than to the network, and it appears unencrypted in every frame the adapter sends.
DHCP (Dynamic Host Configuration Protocol) – Otherwise known as dynamic IP addressing. DHCP lets a device join a network without a preset IP address: a DHCP server (on a home network, usually the wireless router) hands the device an IP address, netmask, gateway and DNS server for a limited lease period, and the address returns to the pool when the lease expires or the device leaves. A device addressed this way has no fixed, “static” IP address. Home wireless routers run a DHCP server by default to make setting up and using the network more convenient.
Assessing the Threat
There are two common ways a hacker, or anyone else who wants to steal from or misuse your home wireless network, can go about it. The first is “eavesdropping”; the second is what is called a DoS attack.
Eavesdropping, as the name implies, means using packet-capture and listening tools, which existed long before wireless networking, to record the traffic passing through the air in your home wireless network. If the data in those packets is not encrypted, a wealth of information about you can be captured, including login names, passwords and credit card numbers.
Encryption, together with the other built-in security measures described in this paper, is the primary defense against eavesdropping.
The second most prevalent attack is a Denial of Service, or DoS, attack. In a wireless DoS the attacker, from outside, either floods the channel with noise or interference so that devices cannot communicate, or sends forged management frames (such as deauthentication requests) that kick devices off the network.
By itself a DoS attack is a nuisance rather than a break-in, but it is often a first step. Forcing your devices to disconnect and reconnect lets an attacker record the reconnection exchange, and the unencrypted management frames that accompany it reveal your SSID and the MAC addresses of your router and devices, all of which can be used to prepare a more intrusive attack later.
You and Your SSID
In a wireless network implementation there are three ways the SSID can be set: (1) manually, (2) left at the default your hardware vendor programmed before shipping, or (3) generated automatically by the device.
Wireless routers and other access point devices provide a way, usually in the administration web page, to change the SSID.
Devices usually ship with a default SSID that is easy to guess, such as the company name or “default”, and that tells anyone nearby which make and model of router you own. So the first step in securing your network is to change the default SSID that came with your wireless access point.
When choosing a new SSID, remember that it is visible to everyone within radio range, so do not pick something that identifies you: not your last name, your street address or the name of your pet. An SSID is a label, not a password. Making it obscure buys you little, and hiding it from broadcast even less, because your own devices announce the name every time they look for the network. Choose something neutral and save your effort for the encryption settings.
Encryption – WEP and WPA
As we discussed under definitions, WEP is the encryption option built into every 802.11 product, and WPA or better is available on anything recent. However, encryption is not necessarily turned on out of the box. If you leave the defaults so that encryption is not used, everything moving through the air between your wireless devices, including user names, passwords, credit card numbers and other sensitive information about your home, is exposed.
Through “eavesdropping” a network hacker or spy can collect volumes of information about your family from your network. Therefore make it a priority to turn on encryption as soon as you set up your wireless network, using the strongest setting your equipment supports.
WEP, the “plain vanilla” encryption available on every product, is not merely imperfect; it is broken. Its 24-bit initialization vector guarantees that keystream is reused on a busy network, and weaknesses in the way RC4 is keyed let freely available tools recover the shared key from a modest amount of captured traffic. Treat WEP as a weak lock that stops only casual passers-by, never as real protection.
WPA with TKIP was the first fix, designed to run on WEP-era hardware, and WPA2 with AES-CCMP (and now WPA3) replaced it with a proper cipher. Use WPA2 or WPA3 on every access point and device that supports them, with a long random passphrase, and replace equipment that cannot; it is worth your time to research how to go about it.
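The keystream-reuse problem described above, as an added example that is not part of the original article. It implements RC4 and the WEP framing (24-bit IV in the clear, per-packet key = IV || shared key) in plain Python and shows what a listener who does not know the key can still do once two packets share an IV. The key, IV and packet contents are made-up test data; the CRC-32 integrity value and key-id byte of real WEP are omitted.

```python
# Added example (not from the original article): why WEP's design leaks data.
# WEP XORs each packet with an RC4 keystream derived from a 24-bit IV (sent in
# the clear) concatenated with the shared key. Only 2**24 IVs exist, so a busy
# network repeats IVs, and two packets under the same IV share a keystream.
# Key, IV and packet contents below are constructed demo data.


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || shared key; the IV is sent unencrypted."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(shared_key: bytes, packet: bytes) -> bytes:
    """Legitimate receiver: rebuild the keystream from the IV and the key."""
    iv, body = packet[:3], packet[3:]
    return xor_bytes(body, rc4(iv + shared_key, len(body)))


# --- what a passive listener can do WITHOUT the key -------------------------

def plaintext_xor_from_iv_collision(pkt1: bytes, pkt2: bytes) -> bytes:
    """Same IV => same keystream, so c1 XOR c2 == p1 XOR p2 (no key needed)."""
    if pkt1[:3] != pkt2[:3]:
        raise ValueError("IVs differ; the keystreams are different")
    return xor_bytes(pkt1[3:], pkt2[3:])


def recover_with_known_plaintext(known_pkt: bytes, known_plain: bytes,
                                 target_pkt: bytes) -> bytes:
    """If one packet's plaintext is known (the attacker sent it to the victim
    from the internet, say), its keystream falls out and decrypts any other
    packet that reused the IV. Even 8 known bytes of LLC/SNAP header recover
    8 keystream bytes per IV, which is the foothold real WEP attacks use."""
    if known_pkt[:3] != target_pkt[:3]:
        raise ValueError("IVs differ; the keystreams are different")
    keystream = xor_bytes(known_pkt[3:], known_plain)
    return xor_bytes(target_pkt[3:], keystream)


# Constructed demo data (not real keys or traffic).
KEY = bytes.fromhex("0102030405")                  # a 40-bit WEP key
IV = b"\x00\x00\x2a"                               # one of the 2**24 IVs
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")    # fixed prefix of IPv4 over 802.11
P1 = LLC_SNAP_IP + b"attacker-sent probe"          # plaintext the attacker knows
P2 = LLC_SNAP_IP + b"password=hunter2"             # victim's packet, same IV


def demo():
    """Return (p1 XOR p2 as seen by the listener, victim plaintext recovered)."""
    c1 = wep_encrypt(KEY, IV, P1)
    c2 = wep_encrypt(KEY, IV, P2)
    leak = plaintext_xor_from_iv_collision(c1, c2)
    recovered = recover_with_known_plaintext(c1, P1, c2)
    return leak, recovered


if __name__ == "__main__":
    leak, recovered = demo()
    print("p1 XOR p2 :", leak.hex())
    print("recovered :", recovered)
```

The point is structural, not a bug in RC4 itself: a stream cipher must never reuse a (key, IV) pair, and a 24-bit IV space makes reuse certain within hours on a busy network. WPA2 and WPA3 avoid this with per-session keys and 48-bit packet numbers that are never allowed to repeat.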
MAC Addressing and Filtering
As we discussed under definitions, the MAC address is a hexadecimal number that represents the physical address of your network adapter, operating one layer below the IP address.
Unlike a password, the MAC address is not a secret code and cannot be kept one: it is transmitted in the clear in every frame, encrypted network or not, so anyone listening nearby can read it. What access points offer instead is MAC filtering: you manually enter the MAC address of each of your network cards into the access point, and it refuses to let any adapter not on the list join.
Because the address is never authenticated, an intruder can set their own adapter to a MAC address copied off the air in seconds, so filtering is a speed bump for a casual intruder, not a barrier. It costs a little more work each time you add a device; include it in your checklist if you like, but do not count it as a substitute for encryption.
The MAC address of your network card is usually printed on a label on the device itself; you can also read it from the operating system (ipconfig /all on Windows, ip link on Linux, ifconfig on macOS).
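What a listener actually sees in the SSID and MAC address sections above, as an added example that is not part of the original article. It builds and parses bare 802.11 management frames (24-byte MAC header plus tag/length/value information elements; radiotap header and FCS omitted) for a beacon with SSID broadcast disabled and a probe request from a client looking for that network, then shows a MAC allowlist accepting a frame whose source address was simply copied from the air. The SSID, MAC addresses and frames are all constructed for the demo.

```python
# Added example (not from the original article): management frames are sent
# unencrypted, so SSIDs and MAC addresses are readable by anyone in range,
# and a MAC filter compares nothing more than an unauthenticated address.
# All addresses, the SSID and the frames below are constructed demo data.
import struct

FTYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0                                  # element id of the SSID

BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("001122aabbcc")       # made-up router address
CLIENT_MAC = bytes.fromhex("66778899aabb")   # made-up laptop address
SSID = b"HomeNet"                            # made-up network name


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, fixed_fields, ies):
    """Frame control (version 0, type 0, subtype), duration, addr1..3,
    sequence control, then fixed fields and information elements."""
    frame_control = (FTYPE_MGMT << 2) | (subtype << 4)
    header = struct.pack("<HH", frame_control, 0) + da + sa + bssid + struct.pack("<H", 0)
    body = fixed_fields + b"".join(struct.pack("BB", tag, len(val)) + val
                                   for tag, val in ies)
    return header + body


def parse_ies(body: bytes) -> dict:
    """Walk tag/length/value elements; last occurrence of a tag wins."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        ies[tag] = body[off + 2:off + 2 + ln]
        off += 2 + ln
    return ies


def parse_mgmt_frame(frame: bytes) -> dict:
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype = (frame_control >> 2) & 0x3
    subtype = (frame_control >> 4) & 0xF
    if ftype != FTYPE_MGMT:
        raise ValueError("only management frames are parsed here")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]        # skip timestamp(8), beacon interval(2), capability(2)
    ssid = parse_ies(body).get(IE_SSID, b"")
    return {
        "subtype": subtype,
        "dst": mac_str(addr1), "src": mac_str(addr2), "bssid": mac_str(addr3),
        "ssid": ssid.decode("utf-8", errors="replace"),
        # "hidden" SSID beacons carry an empty or all-zero SSID element
        "ssid_hidden": subtype == SUBTYPE_BEACON and ssid.strip(b"\x00") == b"",
    }


def hidden_ssid_beacon() -> bytes:
    """Router with 'SSID broadcast' disabled: beacon still goes out, name blanked."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)    # timestamp, interval, ESS|Privacy
    return build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_MAC, AP_MAC, fixed,
                            [(IE_SSID, b"")])


def client_probe_request(src: bytes = CLIENT_MAC) -> bytes:
    """A client that knows a hidden network must name it to find it."""
    return build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, src, BROADCAST, b"",
                            [(IE_SSID, SSID)])


def passive_observer(frames):
    """Everything here is unencrypted management traffic; no key is needed."""
    ssids, client_macs = set(), set()
    for f in frames:
        p = parse_mgmt_frame(f)
        if p["ssid"]:
            ssids.add(p["ssid"])
        if p["subtype"] == SUBTYPE_PROBE_REQ:
            client_macs.add(p["src"])
    return ssids, client_macs


def mac_filter_allows(frame: bytes, allowlist: set) -> bool:
    """All a MAC filter can check: the unauthenticated source address."""
    return parse_mgmt_frame(frame)["src"] in allowlist


def demo() -> dict:
    seen_ssids, seen_clients = passive_observer([hidden_ssid_beacon(), client_probe_request()])
    allowlist = {mac_str(CLIENT_MAC)}               # what the owner typed into the router
    stolen = next(iter(seen_clients))               # address copied off the air
    spoofed = client_probe_request(bytes.fromhex(stolen.replace(":", "")))
    own = client_probe_request(bytes.fromhex("deadbeef0001"))   # attacker's real (made-up) adapter
    return {"ssids": seen_ssids, "clients": seen_clients,
            "attacker_own_mac_allowed": mac_filter_allows(own, allowlist),
            "attacker_spoofed_allowed": mac_filter_allows(spoofed, allowlist)}


if __name__ == "__main__":
    print(demo())
```

On a real capture the frames would arrive through a monitor-mode interface with a radiotap header in front of the 802.11 header, but the fields parsed here are the same ones a sniffer displays. Hiding the SSID and filtering MACs therefore add a minute of work for an intruder at most; encryption with a strong passphrase is what actually keeps them out.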
Dump the Defaults
So far we have seen that in every case the default names, addresses and passwords that come with a network device are a point of security concern. Defaults are provided to make it easy to set up and look after your network. Resist the instinct to “do it the easy way”. Put in the extra effort to change every default that could give an outsider access, above all the preset administrator user names and passwords, on each device you buy, whether to set up your network initially or to expand it later.
Each time you add a new network access device, treat the following two steps as being as important as opening the box and taking the shrink wrap off:
Walk through the wireless network security checklist at the end of this article.
Change the default administrator user name and password for your new wireless access point.
Another often-overlooked default is your router’s IP subnet. Routers typically ship with a management address such as 192.168.1.1 on the 192.168.1.0/24 network. This is not a secret you can keep (anyone who joins the network learns the subnet immediately), but moving to a non-default range does defeat attacks that blindly assume the factory address, and it avoids conflicts with other networks you connect to, so it is a cheap change worth making.
DHCP is one more convenience that network designers added to make your entry into the wireless world worry-free and to reduce the “work” of setting up and maintaining your network. With DHCP, each device’s internal IP address is issued by the router whenever the device joins the network. This matters on a large network, where hand-assigned “static” IP addresses (ones that do not change) lead to address conflicts and connectivity problems.
If your home network has only a handful of devices, you can turn off DHCP and assign each one a static IP address. Be clear about what this does and does not buy you: IP addresses are not secret (they are visible in the traffic to anyone who has already got onto the network, and an intruder can simply configure a static address of their own), so this is at most one more small frustration for an intruder, and it is optional. What it cannot do is keep an unauthorized device off the network; only encryption does that.
The firewall is a critical part of desktop security and of the corporate and “wired” network environment, and it has a place in the wireless setting too: between the wireless network and other external networks, and between the wireless network and the internet. Our discussion so far has focused on attackers who try to hijack or eavesdrop on the network directly “through the air”, but each node on your network also talks to the internet, and that traffic is a security concern of its own. Each desktop should have all the standard protections, including a quality firewall, spyware and virus detection and current software updates; these are for the health of the node.
As the “network administrator”, research the best option for a network firewall that stands between the internet and everything on your wireless network. Nearly every home router includes one; make sure it is on, that no inbound ports are opened without a reason, and that remote (internet-side) administration is turned off. Is it overkill to have a firewall there as well as on each computer? No. When it comes to security, as long as the protection does not hurt productivity, no precaution is overkill.
To assist you with ongoing maintenance and review of your security, we have provided a checklist at the end of this article that you can take out and use every time your network is changed or expanded.
If your network does not change often, set a regular time, perhaps once every three months, to take out this checklist and review how your network security is doing. While you are at it, install any firmware update the router vendor has released; many of the flaws found in home routers are fixed only that way.
Such check-ups not only give you a chance to see whether your security has been tampered with, they give you the peace of mind of knowing you have done all you can to make your network secure.
Here’s the check list:
- Change the default SSID for each wireless access point, to a name that does not identify you or your router model.
- Disable automatic SSID broadcast if you wish, knowing that it hides the name only from casual browsing, not from a sniffer.
- Turn on encryption: WPA2 (AES-CCMP) or WPA3 with a long, random passphrase. Use WPA/TKIP only on equipment that can do no better, and WEP only as a last resort while you replace the hardware.
- Filter the MAC addresses of your network cards if you wish, knowing that the addresses are visible over the air and easily copied.
- Change all default user names and passwords for new network access devices.
- Change the default IP subnet that your wireless router is preset to (for example 192.168.1.0/24).
- Optionally disable DHCP and use static addresses on a small network; this is a convenience choice and adds little security.
- Implement firewall protection between the wireless network and other networks and between the wireless network and the internet, and turn off remote administration.
- Keep the router’s firmware up to date.
Jerry Malcolm is an I.T. professional with 30 years of experience at all levels of IT project development, design, management and documentation. Since 2003 Mr. Malcolm has been the owner/principal of Malcolm Systems Services, an IT services consulting firm specializing in project management consultation, technical writing, development of technical white papers and web page content, and I.T. project problem resolution.