Securing Wireless Networks

I was a few minutes early picking up my daughter, so I parked my car on the street in the residential neighborhood and pulled out the eeePC. There were four wireless access points in range, only one of which was secure. It would have been easy to connect to the unsecured networks. If file sharing were enabled on any of the computers in the house, it probably wouldn’t have been difficult to access data on those computers. I could certainly anonymously download anything I wanted from the Internet, because any kind of tracking or logging would point back to the house with the open wireless network.

(Photo: thanks to Jem on Flickr)

There’s actually a debate about whether you should secure your wireless network. Security expert Bruce Schneier runs an open wireless network at his house. He contends that it’s just common courtesy for guests to his home. He also lets them use his heat, water, and electricity. Most people disagree, citing these points:

  • An open wireless network allows anyone to use your Internet connection without your approval or supervision. So people can use it to pirate music and videos, send spam, or access child porn. When the feds come, guess who they’re going to want to talk to?
  • An open wireless network opens your computers up to potential attack. If you’re using your wifi network to share files between computers in your house, people using your wireless network may be able to access those files. Plus, passwords that you send over the wireless network could be intercepted if there’s no security.
  • An open wireless network violates your Internet provider’s terms of service. If your neighbor had a high speed Internet connection, and you could connect to it for free from your house, why would you sign up for your own connection? While enforcement is rare, the ISP could terminate your service and pursue legal action against you.

Regardless of where you fall in this debate, the one thing you shouldn’t do is leave your wireless network open simply because you don’t know any better. That’s what this post is about.

How do you make your wireless network secure? The first thing you need to do is log in to your wireless router. In most cases, you can do this through a web browser by typing in the IP address. My router’s address is 192.168.1.1, so I’d just type “http://192.168.1.1” in the address bar of my browser, and it connects to my router. If you don’t know your router’s address, you can check this list to find out what the default should be. Your router should request a username and password. If you have never changed it, check the same list to find the default and use it to log in.

I can’t give you step-by-step instructions here, because all routers are different. This is all menu-driven software, though, and if you poke around a little you should be able to find everything. I can tell you what to look for:

Router Password
The first thing you want to do is change the password for your router. If you leave it as the default, anybody can just find a list of passwords on the Internet and log in to your router. You definitely don’t want people doing that.

Encryption
You want to encrypt the data that is moving between your wireless router and your wireless computers. Remember, these things are sent over radio waves. Anyone can “listen” to them and intercept the data. You want to make sure that the data is encoded in a way that only allows the right device to understand it. Your options here will probably be WEP or WPA. If possible, you want to use WPA, because it’s the most secure. A network protected by WEP can now be hacked in less than sixty seconds, and a network without either doesn’t need to be hacked, because the traffic is already accessible.

WPA works like this: you define a “key” that is used to encrypt the data. The same key must be installed on the wireless router and all devices that are going to connect to your wireless network. The password on my network is a random string of characters from Steve Gibson’s Perfect Passwords page. We keep it in a text file on a thumb drive, and copy and paste it whenever we need to configure a new computer to use the network.

Basically, you need to put the same key in the configurations on both the wireless router and the computer. Don’t forget that once you change the configuration on the router, you won’t be able to connect to it until you set up the computer. So make sure you do it in the right order 🙂 On the computer, you want to find the settings for your wireless network connection. The location of this control panel is going to be different depending on your operating system and version.
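The key setup described above, as an added example that is not part of the original post: it generates a random passphrase locally and shows the WPA-Personal derivation (PBKDF2-HMAC-SHA1 over the passphrase, salted with the network name) that the router and each computer both perform. The SSID `HomeNet-Example` is a constructed sample value.

```python
import hashlib
import secrets
import string

# A WPA passphrase is 8 to 63 printable ASCII characters; spaces are left out
# here so the string survives copy and paste into every configuration screen.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_passphrase(length: int = 63) -> str:
    """Random passphrase drawn from the operating system's CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key that router and client each compute on their own."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    ssid = "HomeNet-Example"          # constructed sample network name
    passphrase = new_passphrase()     # store this on the thumb drive
    print("passphrase:", passphrase)
    print("router PSK:", derive_psk(passphrase, ssid).hex())
    # A single mistyped character on the computer yields an unrelated key,
    # which is why copy and paste beats retyping a 63-character string.
    typo = passphrase[:-1] + ("a" if passphrase[-1] != "a" else "b")
    print("typo PSK:  ", derive_psk(typo, ssid).hex())
```

Because the network name is the salt, the same passphrase produces a different key under a different SSID.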

SSID
Your SSID (Service Set IDentifier) is the “name” of your router. This name is broadcast by the router, which is basically saying, “Hey, my name is Linksys and I’m over here. Come connect to me!” When your computer searches for wireless networks, it’s the SSID that shows up identifying your network. Changing the name makes it harder for people to identify what kind of router you have. You can also hide the SSID, which means you’ll have to type it in on the computer to connect to your network. Most experts agree that this offers little protection, though, because there are other ways to find your SSID.

Universal Plug & Play
One of the benefits of having a router is that it protects your computers from the Internet. Because it uses network address translation (NAT), computers scanning the Internet for security vulnerabilities can only see your router, not the computers that are connected to it.

In some cases, you may want people on the Internet to be able to traverse your router and access some resource on your internal network. In my house, for example, I run a web server. So my router is configured to forward web traffic to that server. I deliberately set up this configuration to allow people access to that resource.

Universal Plug and Play makes it easier to set up these kinds of connections by opening ports on your router as needed by applications running on your network. While UPnP may have some uses on an internal network if there aren’t any security holes in its implementation, you probably don’t want it automatically setting up connections between computers on your internal network and other devices out on the Internet. Find the setting on your router, and disable it.

MAC Address Filtering
Another thing you can do to protect your wireless network is to use MAC address filtering. A MAC address is a unique identifier built into your network card. Theoretically, every network device has its own MAC address. Your router probably has a configuration setting that allows you to restrict which MAC addresses can connect to your network. You could enter the addresses from your wireless devices, and then those would be the only devices your router will talk to.

While this is a good idea in theory, it’s actually trivial to change the MAC address for a network card. So all an attacker would need to do is to capture some traffic, find the MAC address of an allowed device, and then configure his computer to use that address. While MAC address filtering would add another layer of security, the minimal protection provided probably isn’t worth the trouble of setting it up.

Remember to restart your router after setting all of these things, to ensure that the changes take effect. You will probably need to reconnect to your network after that. Then, you can rest easy knowing that those people sitting in the car across the street are using your neighbor’s wireless network.

Author: John Schinker

What else do you want to know?