- Joined
- Mar 2, 2004
- Location
- Irvine, CA
Types of Security:
There are 2 main types of security covered in this guide. Each will be defined here.
Encryption:Encryption basically scrambles the data so that it can not be read by outside sources.
Authentication:Authentication is a security measure that is employed to make sure that only accepted users are "allowed" to use or see the network so that outsiders can not gain access.
Change your router's default settings (Authentication)
(More information on changing default SSIDs)
Service Set Identifier Hiding (SSID Hiding) (Authentication)
(More information on SSIDs)
Media Access Control Address Filtering (MAC Address Filtering) (Authentication)
(More information on MAC addresses)
Wired Equivalent Privacy (WEP) (Encryption)
(More information on WEP)
Wi-Fi Protected Access Preshared Key (WPA-PSK) (Encryption)
(More information on WPA )
Wi-Fi Protected Access Enterprise (WPA2) (Encryption)
So what should I do?:
If you want good security that takes little work you should:
Additional Non-Wireless Security:
How To Setup:
Additional Information:
Credits:
Much of this data was covered on Security Now a podcast with Leo Laporte and Steve Gibson. Episodes 11 and 13 were used for information in this guide.
I would also like to thank Kilian for giving me permission to use pictures from his Guide to Wireless Network Security in my guide as they are a great addition and learning tool
Other information for this guide was obtained at Wikipedia
There are 2 main types of security covered in this guide. Each will be defined here.
Encryption:Encryption basically scrambles the data so that it can not be read by outside sources.
Authentication:Authentication is a security measure that is employed to make sure that only accepted users are "allowed" to use or see the network so that outsiders can not gain access.
The most that basic WEP and SSID hiding tell to an intruder is 'back off, we like our privacy'. They do little more to a determined intruder other than establishing a clear legal line in the sand, as breaking WEP and SSID hiding clearly constitutes attempted breaking and entering.
Change your router's default settings (Authentication)
(More information on changing default SSIDs)
- What it does: Routers come with default settings that they are all shipped with. The two main settings we are concerned with are the default password and the router's SSID. Generally wireless routers come with a default SSID (Name of the wireless network) but the problem with this is the default SSID for many router's is the manufacturers name. This means depending on your brand of router your SSID will most likely be something like "Linksys" "Netgear" or whatever brand you happen to own. The other default concern is changing the default password that you use to login to your router.
- Why change it: Firstly you want to change the default SSID from "Linksys" or whatever it is because having a default SSID is a big sign to people who want to get into your network that you are a easy target because more than likely you have a less secure network than someone who has changed it. The other thing you REALLY want to change is your default password. Router's all come with default passwords that are very easy to look up and find. This means if someone is able to get onto your wireless network and you haven't changed your router's password they can get onto your router and essentially lock you out of your own network thereby taking over.
Service Set Identifier Hiding (SSID Hiding) (Authentication)
(More information on SSIDs)
- What it does: A SSID is essentially the name of the wireless network. To communicate on a wireless network all devices must share a SSID. A wireless AP or Router will broadcast it's SSID by default and allow users with wireless devices to connect to it. By hiding your SSID your network will not be visible to things such as the windows wireless networking wizard. By doing this you must manually enter the network ID into each device that you want to connect to your network. This feature is also known sometimes as disabling SSID broadcast
- Why use it: While a weak form of security it is useful for preventing casual misuse. It will not keep out a determined attacker but will keep out the casual leecher. For example my cousin owns a laptop but knows little about computers but simply catches Internet off a nearby open wireless connection. If the owner of the connection were to enable SSID hiding the network would no longer be visible to my cousin.
- Weaknesses: Various free programs downloadable from the Internet can overcome this and is able to locate all access points in a area. These programs are able to overcome SSID hiding and display the SSID of the network to the user wishing to gain access.
Media Access Control Address Filtering (MAC Address Filtering) (Authentication)
(More information on MAC addresses)
- What it does: A MAC address is a physical address that is a 48 bit address assigned to each network interface card. MAC address filtering is a authentication method used by a AP/Router contains a list of approved MAC addresses. If your MAC address is not listed on the AP you should not (theoretically) be able to connect to the network.
- Why use it: Similar to the SSID hiding it protects against casual leechers such as the neighbor next door who accidentally connects to your AP because it has a stronger signal. This can and should be used but not as the only level of security, it should also be combined with WPA.
- Weaknesses: A MAC address is contained in any data packet. A packet sniffer can capture packets going over the air and then spoof this legitimate MAC address to gain access to the network.
Wired Equivalent Privacy (WEP) (Encryption)
(More information on WEP)
- What it does: WEP is a outdated form of encryption that uses a preset password (often times in hex format). It is a weak form of encryption that has been cracked before.
- Why use it: While crackable and considered "weak" users may want to use this if they own outdated hardware that does not support more advanced forms of encryption such as WPA (although many pieces of hardware can have their firmware updated to support WPA). Furthermore WEP can deter casual leechers and is better than no security as all.
- Weaknesses: Easily crackable. Many programs are available for free on the internet that are able to crack WEP encryption.
Wi-Fi Protected Access Preshared Key (WPA-PSK) (Encryption)
(More information on WPA )
- What it does: Wi-Fi Protected Access Preshared Key (WPA-PSK) was created in response to the weakness found in WEP encryption. It is a more advanced form of encryption that when created was created with the help of many security experts. WPA-PSK involves a user entering a password or pass phrase on the wireless router/access point. After this the same password will have to be entered on all devices that want to connect to it.
- Why use it: WPA-PSK is the most secure form of data encryption available to most home users and can safely protect data and outsiders from accessing your network.
- Weaknesses: While the encryption itself is virtually uncrackable the pass key a user selects can be prone to dictionary attacks. Attackers could possibly capture packets with a packet sniffer and use brute force and dictionary attacks. To overcome use "strong" passwords consisting of random letters, numbers, and characters as well as long as possible (63 charchters maximum). Use cut and paste to put passwords into devices. Do not use phrases as this is easier to crack through brute force than random characters.
Wi-Fi Protected Access Enterprise (WPA2) (Encryption)
- What it does: WPA2 is similar to WPA-PSK but is intended for corporate environments. WPA2 uses a server to authenticate each user so that each user has a individual WPA key.
- Why use it: Not needed for most home users. A business would want to use this for two main reasons. Firstly if a business was using WPA every end user would have the same password and key and could then spy on other users on the network. Secondly ex-employees who knew the key could gain access to the network with standard WPA-PSK. With WPA2 you can simply remove the ex-employee from the authentication server.
So what should I do?:
If you want good security that takes little work you should:
- Change your routers default password
- Enable WPA or WPA2 at the highest level of bit key encryption (128 bit, 256 bit, ect.) supported by your hardware with a strong password
- Change your routers default password and SSID
- Turn off SSID broadcast or hide your SSID
- Enable WPA or WPA2 at the highest level of bit key encryption (128 bit, 256 bit, ect.) supported by your hardware with a strong password
- Change your routers default password and SSID
- Turn off SSID broadcast or hide your SSID
- Filter MAC addresses for all devices on your network
- Enable WPA or WPA2 at the highest level of bit key encryption (128 bit, 256 bit, ect.) supported by your hardware with a strong password
- Configure your router's signal strength to cover just enough area as your farthest wireless device to prevent it from reaching others
- Disable administration from wireless clients
Additional Non-Wireless Security:
- Disable remote administration
- Disable UPnP
- Disable DHCP Server and assign static IP addresses
How To Setup:
- Note This is a example of how to setup some of these features on a Linksys WRK54G Series Router. Different brands may very slightly on how you setup these security measures but the principle will be the same in each case.
- Changing the default password:
- Configure DHCP Server to only assign as many IP's as devices:
- Disable SSID Broadcast:
- Setting Up MAC Address Filtering:
- Enable WPA Encryption:
- Configuring PC's for Wireless:
Additional Information:
- A Beginner's Guide To Securing a Wireless Network: A guide written by our own macklin01 while slightly out of date (written Sept. 03) it contains many useful bits of information as well as many tips for actually implementing the security methods discussed in this guide
- Kilian's Guide for Wireless Network Security in Windows XP A great guide for secure wireless networking.
- Wi-Fi Security: A guide from http://www.wi-fi.org that covers many of the security tools discussed above.
- WPA Password Generator: A password generator from Steve Gibson at www.grc.com that creates WPA passwords that will be immune to dictionary and brute force attacks. Just copy and paste the random key into a text document and repaste it into all of your wireless devices.
Credits:
Much of this data was covered on Security Now a podcast with Leo Laporte and Steve Gibson. Episodes 11 and 13 were used for information in this guide.
I would also like to thank Kilian for giving me permission to use pictures from his Guide to Wireless Network Security in my guide as they are a great addition and learning tool
Other information for this guide was obtained at Wikipedia
Last edited: