[TalRW]

Types of Security:

There are 2 main types of security covered in this guide. Each will be defined here.
Encryption:Encryption basically scrambles the data so that it can not be read by outside sources.
Authentication:Authentication is a security measure that is employed to make sure that only accepted users are "allowed" to use or see the network so that outsiders can not gain access.

Quote:

The most that basic WEP and SSID hiding tell to an intruder is 'back off, we like our privacy'. They do little more to a determined intruder other than establishing a clear legal line in the sand, as breaking WEP and SSID hiding clearly constitutes attempted breaking and entering.

Change your router's default settings (Authentication)
(More information on changing default SSIDs)

• What it does: Routers come with default settings that they are all shipped with. The two main settings we are concerned with are the default password and the router's SSID. Generally wireless routers come with a default SSID (Name of the wireless network) but the problem with this is the default SSID for many router's is the manufacturers name. This means depending on your brand of router your SSID will most likely be something like "Linksys" "Netgear" or whatever brand you happen to own. The other default concern is changing the default password that you use to login to your router.
• Why change it: Firstly you want to change the default SSID from "Linksys" or whatever it is because having a default SSID is a big sign to people who want to get into your network that you are a easy target because more than likely you have a less secure network than someone who has changed it. The other thing you REALLY want to change is your default password. Router's all come with default passwords that are very easy to look up and find. This means if someone is able to get onto your wireless network and you haven't changed your router's password they can get onto your router and essentially lock you out of your own network thereby taking over.

Service Set Identifier Hiding (SSID Hiding) (Authentication)
(More information on SSIDs)

• What it does: A SSID is essentially the name of the wireless network. To communicate on a wireless network all devices must share a SSID. A wireless AP or Router will broadcast it's SSID by default and allow users with wireless devices to connect to it. By hiding your SSID your network will not be visible to things such as the windows wireless networking wizard. By doing this you must manually enter the network ID into each device that you want to connect to your network. This feature is also known sometimes as disabling SSID broadcast
• Why use it: While a weak form of security it is useful for preventing casual misuse. It will not keep out a determined attacker but will keep out the casual leecher. For example my cousin owns a laptop but knows little about computers but simply catches Internet off a nearby open wireless connection. If the owner of the connection were to enable SSID hiding the network would no longer be visible to my cousin.
• Weaknesses: Various free programs downloadable from the Internet can overcome this and is able to locate all access points in a area. These programs are able to overcome SSID hiding and display the SSID of the network to the user wishing to gain access.

Media Access Control Address Filtering (MAC Address Filtering) (Authentication)
(More information on MAC addresses)

• What it does: A MAC address is a physical address that is a 48 bit address assigned to each network interface card. MAC address filtering is a authentication method used by a AP/Router contains a list of approved MAC addresses. If your MAC address is not listed on the AP you should not (theoretically) be able to connect to the network.
• Why use it: Similar to the SSID hiding it protects against casual leechers such as the neighbor next door who accidentally connects to your AP because it has a stronger signal. This can and should be used but not as the only level of security, it should also be combined with WPA.
• Weaknesses: A MAC address is contained in any data packet. A packet sniffer can capture packets going over the air and then spoof this legitimate MAC address to gain access to the network.

Wired Equivalent Privacy (WEP) (Encryption)
(More information on WEP)

• What it does: WEP is a outdated form of encryption that uses a preset password (often times in hex format). It is a weak form of encryption that has been cracked before.
• Why use it: While crackable and considered "weak" users may want to use this if they own outdated hardware that does not support more advanced forms of encryption such as WPA (although many pieces of hardware can have their firmware updated to support WPA). Furthermore WEP can deter casual leechers and is better than no security as all.
• Weaknesses: Easily crackable. Many programs are available for free on the internet that are able to crack WEP encryption.

Wi-Fi Protected Access Preshared Key (WPA-PSK) (Encryption)
(More information on WPA )

• What it does: Wi-Fi Protected Access Preshared Key (WPA-PSK) was created in response to the weakness found in WEP encryption. It is a more advanced form of encryption that when created was created with the help of many security experts. WPA-PSK involves a user entering a password or pass phrase on the wireless router/access point. After this the same password will have to be entered on all devices that want to connect to it.
• Why use it: WPA-PSK is the most secure form of data encryption available to most home users and can safely protect data and outsiders from accessing your network.
• Weaknesses: While the encryption itself is virtually uncrackable the pass key a user selects can be prone to dictionary attacks. Attackers could possibly capture packets with a packet sniffer and use brute force and dictionary attacks. To overcome use "strong" passwords consisting of random letters, numbers, and characters as well as long as possible (63 charchters maximum). Use cut and paste to put passwords into devices. Do not use phrases as this is easier to crack through brute force than random characters.

Wi-Fi Protected Access Enterprise (WPA2) (Encryption)

• What it does: WPA2 is similar to WPA-PSK but is intended for corporate environments. WPA2 uses a server to authenticate each user so that each user has a individual WPA key.
• Why use it: Not needed for most home users. A business would want to use this for two main reasons. Firstly if a business was using WPA every end user would have the same password and key and could then spy on other users on the network. Secondly ex-employees who knew the key could gain access to the network with standard WPA-PSK. With WPA2 you can simply remove the ex-employee from the authentication server.

So what should I do?:
If you want good security that takes little work you should:

• Change your routers default password
• Enable WPA or WPA2 at the highest level of bit key encryption (128 bit, 256 bit, ect.) supported by your hardware with a strong password

If you want heavy security that takes a medium amount of work you should:

• Change your routers default password and SSID
• Turn off SSID broadcast or hide your SSID
• Enable WPA or WPA2 at the highest level of bit key encryption (128 bit, 256 bit, ect.) supported by your hardware with a strong password

If you want extremely heavy security that takes quite a bit of work you should:

• Change your routers default password and SSID
• Turn off SSID broadcast or hide your SSID
• Filter MAC addresses for all devices on your network
• Enable WPA or WPA2 at the highest level of bit key encryption (128 bit, 256 bit, ect.) supported by your hardware with a strong password
• Configure your router's signal strength to cover just enough area as your farthest wireless device to prevent it from reaching others
• Disable administration from wireless clients

Additional Non-Wireless Security:

• Disable remote administration
• Disable UPnP
• Disable DHCP Server and assign static IP addresses

How To Setup:

• Note This is a example of how to setup some of these features on a Linksys WRK54G Series Router. Different brands may very slightly on how you setup these security measures but the principle will be the same in each case.
• Changing the default password:
  
• Configure DHCP Server to only assign as many IP's as devices:
  
• Disable SSID Broadcast:
  
• Setting Up MAC Address Filtering:
  
• Enable WPA Encryption:
  
• Configuring PC's for Wireless:
  

Additional Information:

• A Beginner's Guide To Securing a Wireless Network: A guide written by our own macklin01 while slightly out of date (written Sept. 03) it contains many useful bits of information as well as many tips for actually implementing the security methods discussed in this guide
• Kilian's Guide for Wireless Network Security in Windows XP A great guide for secure wireless networking.
• Wi-Fi Security: A guide from http://www.wi-fi.org that covers many of the security tools discussed above.
• WPA Password Generator: A password generator from Steve Gibson at www.grc.com that creates WPA passwords that will be immune to dictionary and brute force attacks. Just copy and paste the random key into a text document and repaste it into all of your wireless devices.

Credits:
Much of this data was covered on Security Now a podcast with Leo Laporte and Steve Gibson. Episodes 11 and 13 were used for information in this guide.

I would also like to thank Kilian for giving me permission to use pictures from his Guide to Wireless Network Security in my guide as they are a great addition and learning tool

Other information for this guide was obtained at Wikipedia

[TalRW]

Introduction:
So you are sitting in a coffee shop and just checking your e-mail and checking your stock portfolio. Little do you know someone else in the shop is sitting there also with a laptop and watching everything you are doing. He can see everything including passwords and financial information. This guide is designed to help you stay safe when using a public access point.

Staying Safe:
Tip 1: Always “Air (pun intended) on the side of caution”
It is best in terms of security to always assume the worst. While more than likely everyone else at that coffee shop is just minding their own business it is always best from a security standpoint to assume that everyone is watching you. This is important because if you assume everyone is out to get you (and most likely they aren't) and someone is actually trying to steal your data you will always be safe. As Steve Gibson from “Security Now” puts it “if you are using an open access point you really need to think of it in terms of everyone in the coffee shop for example, is clustered around behind you looking at your screen.” For this very reason if you don't have to check your stock or bank information... don't! Any data that you wouldn't want anyone else seeing just simply don't look at because people can see that information and if you don't absolutely have to look at that information at that time it's much safer to not even access that data.

Tip 2: Use a software firewall
A software firewall is important on a public network because everyone is essentially on the same network as you. While on a standard home network with a device like a home router or smoothwall box these devices provide security from hackers on the Internet. The problem is, on a open wireless access point everyone is inside the same network as you and the attack will be coming from the same network therefore you need a local personal firewall on your own machine to protect yourself against attacks.

Tip 3: VPNs or Proxy Services
Virtual Private Networks (VPNs) are a way to extend a LAN over the Internet and makes it just like your computer is on your home/corporate network even though you are at a coffee shop or airport. VPN connections are very strong and encrypt the data sent to protect it. For those of you who do not have access to VPN connections there are other services available that will be posted in the links section that allow you to form secure tunnels onto the Internet by encrypting your connection. They do this by connecting with a proxy service on the Internet over a secure connection and encrypting the data between you and the proxy so that any information you look up is transferred over this secure connection.

Links:

• Proxy and VPN services:
  Anonymous Surfing
  Hotspot VPN
  Public VPN
  
• Free Personal Firewalls
  Zone Alarm
  Sygate Personal Firewall
  Kerio Personal Firewall (Note: Product is being discontinued on Dec. 31, 2005)

Credits:
Much of this data was covered on Security Now a podcast with Leo Laporte and Steve Gibson. Episode 10 was used for this guide.

[Benvanz]

added to stickys

[four4875]

looks like a good breakdown ot start with, now how to set them up?

[TalRW]

Edit: Plan to add how to set these methods up this weekend when I get some free time

[Alchemy1]

Quote:

Originally Posted by four4875

looks like a good breakdown ot start with, now how to set them up?

I agree, but I think it is a great start to a sticky though.

[TalRW]

Ok I'll try to set up a guide on how to set it up sometime this weekend.

[Captain Newbie]

It's a good start but needs more beef

[Scott9027]

I think if you explain how to set everything up it would be sticky material.

[four4875]

unfortunately... exact methods on setup vary sooooo much by what hardware from what manufacturer you might have. example... my senao is a bit different than a linksys. sure, they're both web admin, but thats about it.

btw, did you mention changinf default username / passwords to the equipment? would be annoying if someone DID get in and changed your stuffs to keep you out.

[stasi_agent]

Quote:

Wi-Fi Protected Access Enterprise (WPA2) (Encryption)
What it does: WPA2 is similar to WPA-PSK but is intended for corporate environments. WPA2 uses a server to authenticate each user so that each user has a individual WPA key.
Why use it: Not needed for most home users. A business would want to use this for two main reasons. Firstly if a business was using WPA every end user would have the same password and key and could then spy on other users on the network. Secondly ex-employees who knew the key could gain access to the network with standard WPA-PSK. With WPA2 you can simply remove the ex-employee from the authentication server.

I am pretty sure that EAP was in the original WPA specs. The only thing that WPA2 added was the AES cipher that replaced TKIP.

[macklin01]

This is moving along nicely.

I agree that it would be too difficult to cover the broad assortment of hardware out there, as regards configuration.

I did notice a typo:
Tip 1: Always “Air on the side of caution” should read Tip 1: Always “Err on the side of caution”. (Although if intentional, it was a cute pun, since the data is going out over the airwaves. )

Also, you might add a few more tips, like "setting your admin password," and doing more regular spyware and virus scans if you commonly use your computer in the wild.

You might also consider giving links to some recommended firewalls, etc. (e.g., ZoneAlarm, which my current top pick).

I'd be curious if there are any connection management software packages (besides Windows XP's built-in Zero Config) that aren't tied to a specific wireless card or laptop brand. For instance, IBM has a fantastic utility (Access Connections) that manages both the wired and wireless connections and doesn't tend to lose the connection as often as WinXP's built-in utility. It would be interesting if there were such a utility available (perhaps even open source).

Lastly, I might recommend you add a final section to the first post. Call it "Current Recommend Setup," or something like that. Assuming fairly modern hardware, what would you recommend most home setups use? WPA/WPA2 with AES? MAC filtering on or off? SSID on or off? Remote router admin on or off? DHCP on or off? Router admin via wireless clients on or off? Any changes to antenna transmit power? How often should the wireless key be changed if you're using WPA-TKIP or WPA-AES? Basically, what's the "current best practice" configuration?

I'm continuing to keep my eye on this, because I think it's very well-written and is progressing nicely! -- Paul

[macklin01]

Quote:

Originally Posted by four4875

unfortunately... exact methods on setup vary sooooo much by what hardware from what manufacturer you might have. example... my senao is a bit different than a linksys. sure, they're both web admin, but thats about it.

btw, did you mention changinf default username / passwords to the equipment? would be annoying if someone DID get in and changed your stuffs to keep you out.

Definitely a good point. The very first thing that should be done is to change the default SSID, username, and admin password?

The easiest target among a list of SSID's is generally going to be "linksys" or "DLink", "netgear," etc. This article has some interesting points on that regard. -- Paul

[I.M.O.G.]

You could also round out the field a bit more... What about EAP?

I would also recommend leaving out the part about implementation... Interfaces vary and there are other sites out there, many including screenshots which show specific configuration. Best to consult manufacturer documentation on this often times.

[TalRW]

ok I made some updates this weekend, if anyone can think of something else to add I will, also I'm not too sure on EAP because I don't know much about what that is, I'll have to look it up. I also decided I'm not gonna provide guides for each router because there are so many brands and I simply don't have access to them all and going through how to set up the same thing on 7 different routers would be way beyond my access because I don' t know where I would even get these routers to get screen shots and what not with.

[SinsFeelNatural]

This is going in my bookmarks until it gets a sticky. Good work so far!
Maybe stick in links for the major router manufacturers if the user needs more specific information.

http://www.ivisit.com/help/reference/routers-urls.html

[macklin01]

I'm going to go ahead and make this sticky. In the future, we may roll this into an existing sticky, but I think it does a good job to explain some of the basic ideas of wireless security setup and what options should be done.

One recommendation: Show how to do these things on one piece of hardware. It may be enough to make this more concrete, and it may be enough of to give a hint of what to look for even if readers don't have the same hardware. Since linksys routers are in major use, that would be a good candidate. -- macklin01

[JimmyG]

Quote:

Originally Posted by TalRW

Edit: Plan to add how to set these methods up this weekend when I get some free time

The setup based upon the Linksys router is great, but it would be good if someone posted the setup screens for a Netgear router.

[Captain Newbie]

Having recently read Wi-Foo, I'd like to see a disclaimer either prepended or appended to this, something like the following:

Quote:

The most that basic WEP and SSID hiding tell to an intruder is 'back off, we like our privacy'. They do little more to a determined intruder other than establishing a clear legal line in the sand, as breaking WEP and SSID hiding clearly constitutes attempted breaking and entering.

Granted, none of us should be broadcasting state secrets through our 802.11s...but thanks to chatty protocols and such, it's actually not that difficult to break WEP if you have enough packets flying around.

[macklin01]

That's a great point. Also, this sticky has really improved since the last time I checked on it. Very good. -- Paul

[cornbread]

Great sticky, found this info very useful, thhanks.

[Wiggles]

Another good tip to router security is to change the router's IP. It might not keep all out, but at least it'll keep out those who know the famous 192.168.1.1 address that will bring up the login prompt for the admin password. Since most routers give out 100+ to users, change it to something like 2-99.

I do the above, have my SSID changed and admin password changed, and filter by mac address. I'm not worried about encryption due to the area I live in.

[Alpha_One]

Quote:

Originally Posted by TalRW

Wi-Fi Protected Access Preshared Key (WPA-PSK) (Encryption)
...

Weaknesses: While the encryption itself is virtually uncrackable the pass key a user selects can be prone to dictionary attacks. Attackers could possibly capture packets with a packet sniffer and use brute force and dictionary attacks. To overcome use "strong" passwords consisting of random letters, numbers, and characters as well as long as possible (63 charchters maximum). Use cut and paste to put passwords into devices. Do not use phrases as this is easier to crack through brute force than random characters. [/list]

Another weakness, is that your generally trusted, laptop-wielding brother/sister/cousin/mother/friend/roommate/etc. can - ignorantly or maliciously - give away the PSK. Or someone can look in his/her computer (or yours, for that matter) for it. Not that it's a huge issue anyway with MAC filtering and some paranoia, but I thought it would be worth mentioning.

[macklin01]

Quote:

Originally Posted by Alpha_One

Another weakness, is that your generally trusted, laptop-wielding brother/sister/cousin/mother/friend/roommate/etc. can - ignorantly or maliciously - give away the PSK. Or someone can look in his/her computer (or yours, for that matter) for it. Not that it's a huge issue anyway with MAC filtering and some paranoia, but I thought it would be worth mentioning.

Physical access can defeat just about any security, so it's not the most valid criticism, although it is a very important point.

MAC filtering is a very weak security vs good encryption, so actually, that is a big deal. (Breaking the encryption brings you within one easy step of getting in. Breaking MAC filtering still leaves you with encryption.)

As far as I understand it, though, it would still take some great effort to extract the key from physical access to the computer, as they generally aren't stored in plain text. But again, once somebody has physical access, most security goes in the toilet.

A good way to store a key might be steganographically, where the information is hidden inside other data. -- Paul

[e6600]

Will something like WPA2 slow down your connection at all?
Ive just set up my wireless and i notice that pages take a little longer to load and i have about 10ping lower in some games, even when all of my other computers are turned off.

[soulrider4ever]

Quote:

Originally Posted by SinsFeelNatural

This is going in my bookmarks until it gets a sticky. Good work so far!
Maybe stick in links for the major router manufacturers if the user needs more specific information.

http://www.ivisit.com/help/reference/routers-urls.html

[Incesticide]

Quote:

Wi-Fi Protected Access Enterprise (WPA2) (Encryption)
What it does: WPA2 is similar to WPA-PSK but is intended for corporate environments. WPA2 uses a server to authenticate each user so that each user has a individual WPA key.
Why use it: Not needed for most home users. A business would want to use this for two main reasons. Firstly if a business was using WPA every end user would have the same password and key and could then spy on other users on the network. Secondly ex-employees who knew the key could gain access to the network with standard WPA-PSK. With WPA2 you can simply remove the ex-employee from the authentication server.

WPA2 is WPA with AES encryption instead of TKIP (read: RC4 based) encryption. WPA-TKIP encryption is vulnerable to the same attacks that WEP is vulnerable to (weak initialization vectors), and adding AES fixed that. And actually on alot of equipment AES provides better performance than WEP or WPA-TKIP due to hardware encryption. So there is no reason not to use it.

I think steve gibson (or wherever you got your information from) got 802.11x and 802.11i mixed up, as 802.11x does what he is talking about, and WPA2 is a full implementation of 802.11i, whereas WPA is a partial implementation of the security standard.

See here: http://en.wikipedia.org/wiki/IEEE_802.11i

[JCLW]

Note: If you want to use WPA2 then you're going to want this MS update: http://support.microsoft.com/kb/917021

Here's the screens for a WRT54G. I'm running third party firmware (highly recommended: http://www.thibor.co.uk/) so might screens might look a little different.


- Wireless Network Name (SSID): Use something original
- Wireless SSID Broadcast: "Disable"


- Security Mode: I'd recommend "WPA2 Personal"
- WPA Algorithms: I use "TKIP+AES", which allows legacy WPA-TKIP connections if the client doesn't support WPA2-AES.
- WPA Shared Key: Use something original, with both letters and numbers, and really long


Here you can allow/block PCs according to their MAC addresses.


The only thing worth mentioning here is the transmit power - if you're using your laptop right beside you router (or access point) you could turn the power down to prevent others from picking up the signal.


Always make sure that both remote access and wireless access is turned off for the router (unless you really need it).

--------

Other:

Two kinds of WAP2:
WPA2-Personal uses AES
WPA2-Enterprise uses a RADIUS server

[JCLW]

Here's the screens for setting up an intel wireless card:

Start off by adding a profile, which brings you to:

Profile Name: Can be anything, make it descriptive (Home network, etc...)
SSID: Whatever you put in your router


Choose "Personal Security", unless you're running a RADUIS server.
Security Settings: Choose whatever you picked in your router. Because I picked TKIP+AES in the router setup I could use either but WPA2-AES is more secure
Password: Your (hopefully) big long complicated password you put in the router

And that's it.

After it connects the details page should show you:

We've connected using WPA2-Personal / AES-CCMP mode.

[Silversinksam]

I'll add a couple noteworthy tidbits of info:

Here's the Default Router Password Database

http://www.routerpasswords.com/


Second, with drive-by-pharming being possible, changing your router password is just one of those things that is on your must do list.