Tuesday, April 15, 2008

How to Secure Your Wireless Home Network

This article describes a few steps a user can take to help secure an 802.11b/g home wireless network, at least enough to keep honest people honest.

Steps
Enable Encryption on your Access Point. Using 128-bit encryption or higher makes your Wireless Network more secure. WEP and WPA are entirely different encryption schemes. WEP has been proven insecure. Using WPA is recommended because it's more than trivially secure, but it is sometimes a bit harder to set up correctly than WEP. If you want your network to really be secure, WPA is the way to go.
Set the 'Administrator' password on the router. Anybody who gains access can use the 'default' password to lock you out, or grant themselves more privileges (e.g. disable MAC address filtering, or add one more MAC address to the MAC address filtering list so they don't always need to 'clone' your MAC address to get in). If you forget the password, most routers have a hardware reset that will restore all of the settings to factory defaults.
Don't use easily guessed Keys, such as "ABC123", "Password", or a string of numbers in order. Use something hard to guess that contains both letters and numbers. Special characters such as !@#$% are not supported by most routers. The longer the key, the better. Using the Passwords Page on GRC.com is recommended.
Change your SSID (Wireless Network Name) from the default to something unique. Don't use your phone number, address, or anything that may identify you. If you leave it as 'linksys' (or whatever the default is), your Windows notebook will automatically connect to every other network it encounters with the same name, and not every wireless network is a good and secure thing to connect to.
Do not disable the 'SSID Broadcast' feature of your Access Point or Router. This may seem counterintuitive, since people casually browsing for open networks will be less likely to notice your network. However, anyone with any hacking experience can easily get that information with special "packet-sniffing" programs, so disabling SSID Broadcast won't really improve security. Also, with SSID Broadcast disabled, your computer will actively advertise the name of your network whenever it tries to connect, and a hacker can set their laptop to pretend to be your router and gain access to your computer. It's also just plain inconvenient to disable SSID Broadcast; connecting computers and wireless printers will become harder and certain connection-enhancing features will be unavailable.
Use MAC Address filtering on your Access Point or router. This registers the hardware address (MAC Address) of your networked devices, and prevents unknown devices from joining or accessing the network (unless they 'clone' or spoof one of your 'allowed' MAC addresses).

Tips
You need to set the same WPA settings on your wireless computer as on the access point, and you may need to add the settings manually on the computer.
Use the 'Shared Key' method of encryption, so that all data passed between clients is encrypted properly.
Check your Access Point's or Router's documentation on how to enable or disable these features.
Disable remote admin, or set up a strong password for the router configuration page.
For more information on wireless encryption, visit http://www.grc.com/securitynow
A good article on wireless security that also explains the reasons for the counterintuitive advice to not disable SSID Broadcast is http://blogs.techrepublic.com.com/wireless/?p=205
You may need to upgrade the firmware of your Access Point or Router if it doesn't have any of these features.

Warnings
A WEP network is easily cracked in a minute. See http://www.wi-fiplanet.com/news/article.php/3670601 for more info.
If you use a weak key then even WPA can be easily cracked within a day using a combination of special precomputed tables and 'dictionary attacks'. The best way to generate a secure key is to use an offline random number generator or write the entire alphabet in uppercase and lowercase and numbers 0-9 on separate pieces of paper, mix the paper up and randomly pick up pieces and return them, mixing them up again each time; each character you pull out becomes a character in your key.
Be sure to register all devices on your network, including computers, laptops, media players, and networked storage if you are using MAC filtering.
Windows doesn't have individual wireless settings for different wireless domains. This means that the settings that 'share' files at home with your LAN will 'share' files with anybody else's wireless network, even a wireless network masquerading as one you trust.
Disable 'File and Printer Sharing' in the wireless 'Connection Properties' for your portable computer. Only use the 'Client for Microsoft Networks' half of Microsoft's file sharing. This means that your portable must connect to a machine that shares file/folders in order to access things, and that OTHER computers can't ask to connect to your portable to access files on your machine. At least not through Microsoft's 'File Sharing'. Other running services and backdoors may exist.
A user with a 'cantenna' can access your wireless network from a very long way off. Just because your notebook doesn't get a signal on the porch doesn't mean someone else can't access or monitor your network from a mile away.
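
As an added example (not part of the original article), the Python code below automates the paper-slip method from the warning about weak keys and checks candidate keys against the key advice in the Steps section. The function names and the COMMON list are constructed for illustration, and the 8 to 63 character bounds are the WPA passphrase limits, which the article does not state.

```python
import math
import secrets
import string

# Alphabet from the article: uppercase, lowercase and digits (62 symbols).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
# WPA passphrase limits (not stated in the article): 8 to 63 characters.
MIN_LEN, MAX_LEN = 8, 63
# Constructed sample of guessable keys, seeded with the article's examples.
COMMON = {"abc123", "password", "linksys", "qwerty", "letmein"}

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a key drawn uniformly at random: length * log2(symbols)."""
    return length * math.log2(alphabet_size)

def is_run(s):
    """True for a consecutive ascending or descending run, e.g. 12345678."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})

def audit_key(key):
    """Return the reasons a candidate key fails the article's advice."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append("length outside 8..63")
    if any(c not in ALPHABET for c in key):
        problems.append("character outside A-Z, a-z, 0-9")
    if key.lower() in COMMON:
        problems.append("common password")
    if is_run(key):
        problems.append("sequential run")
    if key.isdigit() or key.isalpha():
        problems.append("needs both letters and numbers")
    return problems

def generate_key(length=MAX_LEN):
    """Draw each character from the OS CSPRNG, with replacement, like the
    paper slips; redraw the whole key in the rare case it fails the audit."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA passphrase length must be 8..63")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_key(key):
            return key

if __name__ == "__main__":
    key = generate_key()
    print(key, f"~{entropy_bits(len(key)):.0f} bits")
    for weak in ("ABC123", "Password", "12345678"):  # constructed inputs
        print(weak, audit_key(weak))
```

Run it on a machine that is offline, as the warning suggests, and copy the printed key to both the router and each client.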
