A Beginner's Guide To Securing a Wireless Network


Simple changes you can make to your wireless network to improve security – Paul Macklin

Disclaimer:

I am by no means an expert at networking or network security. I am writing this article as an overview of the techniques I have learned that a relative novice at wireless networking can easily implement to improve wireless networking security with minimal confusion. It should be understood as a starting point on the quest for greater wireless networking security, not the complete solution.

Rather than help with the actual setup of your network, this guide instead focuses on the configuration of the various security options that may be available to you.

Introduction

I recently set up a wireless home network for my apartment. In my previous apartment, I had strung up a simple 10/100 hub and nailed some cable-holders along the perimeter of the walls to hold the cables. However, I didn’t think the apartment owners in Orange County, CA, would appreciate this sort of option, so I decided to go wireless. It has been a tremendous improvement for aesthetics and simplicity, but security is an issue.

Consider, for example, the recent campaign by the RIAA to sue internet users who illegally share copyrighted music. If you examine these cases a little more closely, you’ll notice that they don’t even determine which computer did the sharing, but rather which IP address was responsible.

Suppose you have a broadband connection and a wireless router/firewall. If somebody bootlegs your connection and participates in KaZaa, it’s going to be your IP address that appears on the subpoena. Granted, this is probably one of those very few cases that could stand a chance in court, but why get there in the first place?

Of course, it goes without saying that you want to safeguard your data and privacy. You’ll also want to reserve your bandwidth for your own surfing, rather than bozo’s pr0n downloads, so these are some other good reasons to invest some time in security. So, let’s get started on improving security.

In this guide, I’ll go through the simplest changes you can make to your wireless network to improve security. At the end of the day, no wireless network is completely secure, but hopefully you can at least create a deterrence/inconvenience. There ought to be less-secure networks nearby that are more tempting targets. The overall approach I’d like to convey is “lock the door and try to hide it.”

Equipment Used

For my network, I use D-Link’s DI-614+ wireless router/firewall. It’s an 802.11b router with a proprietary method of doubling the data rate to 22 Mbps. It also allows for 256-bit WEP passwords. (So long as it’s used with other D-Link networking hardware, such as the DWL-650+.) Best of all, while giving pretty good performance, they’re also pretty cheap. At the time of this writing, the DI-614+ cost $39 at Newegg.com with rebates, $66 without rebates.

If you use different hardware, the terminology and/or techniques will likely differ, but the general approach should still apply.

General Hardware Setup

My internet connection is through my cable modem, which is, in turn, connected to my firewall/router by an Ethernet cable. I have three computers on my network. Computer 1 is attached to the router with a standard 10/100 Ethernet cable; computers 2 and 3 are connected via PCI wireless cards.

Router Security

For security, it is best to only use a “wired” computer (Computer 1 in my network) to administer the firewall/router. Thus, your setup should include at least one wired computer. This typically isn’t a big deal, because you’ll probably have a computer next to your router and cable modem anyway.

Also, firmware updates to your router should only be done through a wired computer. This reduces the risk that data corruption in your network could corrupt the firmware on your router.

You should immediately add a password to your admin account on your router. On my D-Link router, this and all settings can be changed by going to in any web browser. For the D-Link router, look at the “Admin” section of the “Tools” tab.

SSID Security

Your SSID, or service set identifier, is basically the unique name of your local area network (LAN). By default, the SSID is “default” for my D-Link hardware. You should change this name. Don’t use the name of your company or family, though. (This makes it too easy for outsiders to figure out whose network it is and if the data might be interesting.) Instead, choose a random or pseudo-random name, like “lalaMyNet823”. You might also want to change the channel from the default.

By default, most of these wireless routers broadcast the SSID – this makes it easier for other computers to detect and connect to the network. While this is great from an initial setup point of view, it’s something you’ll want to avoid for your network. (A network is more secure if it’s harder to know it’s there at all.) You’ll therefore want to disable this feature. On my D-Link router, you can change this by going to the “Advanced Tab”, then “Performance”, and changing the “SSID Broadcast” feature to “Disabled.”

Notice that once this is done, you’ll have to manually configure each wireless device on your network to the SSID you chose.

Encryption

All 802.11b wireless routers have some sort of WEP (wireless equivalent protocol) encryption built in. All the routers can do 64-bit WEP encryption, and most can do 128-bit encryption; some can also do 256-bit encryption. (My D-Link router is one such example.) Enabling this encryption provides some security for the data as it is transmitted between the router and the wireless clients. It also helps prevent unauthorized computers from accessing your network.

Recently, however, it has been shown that this encryption has some security flaws. From what I’ve read thus far, a 128-bit key can be broken in roughly one week solely from data interceptions and pattern analysis. A 64-bit key can be broken in a matter of hours.

Some maintain that these flaws are great enough that WEP shouldn’t even be bothered with, and using it only produces a false sense of security. I remember seeing a similar argument used at rifle ranges:

“Gun safety mechanisms are mechanical devices that are subject to failure, so relying on them is false security. Therefore, don’t use them, and teach discipline instead.”

Well, even the best-trained marksman can trip while carrying a firearm, and a fallback mechanism is nice. Likewise, I would maintain that weak encryption is better than no encryption, especially when used in conjunction with other protective measures.

Therefore, I would recommend using the highest-level protection that your network can allow. On my D-Link, I use the full 256-bit protection. On the D-Link, you can enable the WEP and set the key in the “Wireless” section of the “Home” tab. I generally choose to enter a hex string rather than an ASCII string because you can fit more hex characters (4 bits each) than ASCII characters (8 bits each) into a string of a fixed number of bits; this results in a more-random key.

When choosing your WEP key, choose something random. Whatever you do, don’t stick with the default “000000000…..” key! In the “Downloadable Tools” section of this write-up, I have provided a random hex key generator to make this a little easier.
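
An added example (not the author's downloadable tool) of such a generator in Python. It assumes the usual WEP convention that the advertised key size includes a 24-bit initialization vector, so a 64/128/256-bit setting takes 10/26/58 hex digits, and it also puts numbers on the hex-versus-ASCII comparison above; the function names are this example's own.

```python
"""Random WEP hex key generator (added example, not the article's tool)."""
import math
import secrets
import string

IV_BITS = 24  # assumption stated in the lead-in: nominal sizes include a 24-bit IV


def secret_bits(nominal_bits: int) -> int:
    """Bits of key material you actually type in: nominal size minus the IV."""
    if nominal_bits not in (64, 128, 256):
        raise ValueError("expected a nominal WEP size of 64, 128 or 256 bits")
    return nominal_bits - IV_BITS


def is_weak(hex_key: str) -> bool:
    """Flag keys such as the all-zero default or a short repeating pattern."""
    k = hex_key.lower()
    if len(set(k)) <= 2:          # e.g. 0000000000 or 0101010101
        return True
    for period in (2, 4):         # e.g. 1234123412
        if k == (k[:period] * len(k))[:len(k)]:
            return True
    return False


def generate_hex_key(nominal_bits: int) -> str:
    """Draw the key from the operating system's CSPRNG, as upper-case hex."""
    n_bytes = secret_bits(nominal_bits) // 8
    while True:
        key = secrets.token_hex(n_bytes).upper()
        if not is_weak(key):
            return key


def keyspace_bits(nominal_bits: int) -> dict:
    """Compare a key entered as hex with one entered as printable ASCII."""
    bits = secret_bits(nominal_bits)
    ascii_chars = bits // 8       # one typed character fills 8 bits of key
    printable = len(string.ascii_letters + string.digits + string.punctuation)
    return {
        "hex_digits": bits // 4,  # one hex digit fills 4 bits of key
        "hex_bits": float(bits),
        "ascii_chars": ascii_chars,
        "ascii_bits": round(ascii_chars * math.log2(printable), 1),
    }


if __name__ == "__main__":
    for size in (64, 128, 256):
        info = keyspace_bits(size)
        print(f"{size}-bit WEP: {info['hex_digits']} hex digits "
              f"({info['hex_bits']:.0f} bits) vs {info['ascii_chars']} "
              f"ASCII chars (~{info['ascii_bits']} bits)")
        print("  key:", generate_hex_key(size))
```
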

Some routers (such as my D-Link) allow you to choose an “open” or “shared” WEP Authentication. I would select “shared”. If you were to choose “open”, only those computers with MAC addresses and the correct WEP key would be able to connect to your network, but the wireless access point would be visible to all. Changing the option to “shared” fixes that. For the D-Link router, you can change these Open/Shared options under “Performance” in the “Advanced” tab.

You’ll need to manually enter your WEP key into every wireless device on your network.

I would recommend changing your WEP key every week or less. This way, if somebody is monitoring your network, your key will likely have been changed before they will have broken it.

DHCP Security

By default, the D-Link router (like most wireless routers) has the DHCP (Dynamic Host Control Protocol) server enabled. This is helpful for setting up a network, because it assigns an IP address to each device as it boots up and tries to connect to the network. From a security standpoint, however, it makes it much easier for any computer, authorized or not, to connect to your network (including passers-by who may notice your network). You can get around this with a small amount of effort.

Each piece of networking hardware has a unique MAC (Media Access Control) address. You can configure your router to only accept networking commands/requests from a specified list of hardware by specifying the MAC addresses.

First, go to each computer on your network, open a command prompt, and type:

        ipconfig /all

if you’re in WinXP or Win2k, or type

        winipcfg

in Win9x or WinME. The MAC address may sometimes be referred to as the adapter address. In Linux, use the “ifconfig -a” command. A typical address is

        00-A0-C9-05-5A-E8

Then, for each computer, write down its MAC address and choose a unique IP address, such as 192.168.0.x, where x > 1.

Then, go to your router and assign these static IP addresses to each MAC address. For the D-Link router, you do this at the “DHCP” section of the “Home” tab, under “Static DHCP”.

Once you have added each MAC address and associated IP address to the Static DHCP Client List, you should disable the DHCP server on your router. On the D-Link router, this is done by selecting “DHCP server Disabled” in the “DHCP” section of the “Home” tab.

However, this isn’t quite the last step on the router configuration. Right now, you’re preventing other pieces of hardware from getting assigned IP addresses, and you’re manually assigning IP addresses to the hardware on your network. You also want your router to deny traffic to all devices you haven’t recognized and manually assigned addresses to.

You do this by enabling MAC filtering on your firewall. On the D-Link router, this is done in the “Filters” section of the “Advanced” tab. Choose “MAC Filters”, choose “Only allow computers with MAC address listed below to access the network”, and enter the first MAC address on your list. List all the devices that way.

Once this is all done, you will have to manually set the IP address, Default Subnet, Default Gateway, and DNS server on each computer (Both wired and wireless). The IP address is set as you chose it. The Default Gateway and DNS server are both the IP address of your router. (In most cases, this is 192.168.0.1.) The default subnet is usually 255.255.255.0.
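
The bookkeeping in these steps, as an added Python example that is not part of the original article: it pulls adapter addresses out of `ipconfig /all` or `ifconfig -a` style text, assigns each a fixed 192.168.0.x address above the router's, and lists any address the router reports that is not in the plan. The sample listings, host names and function names are constructed for illustration.

```python
"""Static-IP and MAC-filter plan from adapter listings (added example)."""
import ipaddress
import re

# Constructed sample listings. Apart from the article's 00-A0-C9-05-5A-E8,
# every address here is made up for this example.
LISTINGS = {
    "computer1": "Physical Address. . . . . . . . . : 00-A0-C9-05-5A-E8\n",
    "computer2": "wlan0  Link encap:Ethernet  HWaddr 00:0d:88:aa:bb:01\n",
    "computer3": "Adapter Address . . . : 00-0D-88-AA-BB-02\n",
}

MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}(?![0-9A-Fa-f])")


def normalize_mac(raw: str) -> str:
    """Return AA-BB-CC-DD-EE-FF whatever the separator or letter case."""
    digits = re.sub(r"[-:]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_macs(listing: str) -> list:
    """Pull every adapter address out of the text, skipping empty adapters."""
    found = [normalize_mac(m) for m in MAC_RE.findall(listing)]
    return [m for m in found if m != "00-00-00-00-00-00"]


def build_plan(listings: dict, router_ip: str = "192.168.0.1",
               netmask: str = "255.255.255.0") -> list:
    """Give each adapter a fixed address above the router's (x > 1)."""
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    free = (h for h in net.hosts() if h > router)
    plan, seen = [], set()
    for host, text in sorted(listings.items()):
        for mac in extract_macs(text):
            if mac in seen:
                raise ValueError(f"{mac} listed twice; check your notes")
            seen.add(mac)
            plan.append({"host": host, "mac": mac, "ip": str(next(free)),
                         "netmask": netmask, "gateway": router_ip,
                         "dns": router_ip})
    return plan


def unknown_clients(observed: list, plan: list) -> list:
    """Addresses seen by the router that are not on the MAC filter list."""
    allowed = {row["mac"] for row in plan}
    return sorted({normalize_mac(m) for m in observed} - allowed)


if __name__ == "__main__":
    plan = build_plan(LISTINGS)
    for row in plan:
        print(f"{row['host']:<10} {row['mac']}  {row['ip']}  "
              f"mask {row['netmask']}  gw/dns {row['gateway']}")
    # Constructed client list, as if copied from the router's status page.
    seen_on_router = ["00:0d:88:aa:bb:01", "00-11-22-33-44-55"]
    print("not in plan:", unknown_clients(seen_on_router, plan))
```
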

Notice that once you have MAC filtering enabled, you technically don’t have to turn off the DHCP server. Even if some unauthorized piece of hardware gets assigned an IP address, the MAC filter should prevent it from interacting with your network. However, disabling the DHCP server should make it that much more inconvenient for unauthorized users to gain a foothold in your network, and I still recommend disabling it.

One last thing I might recommend regarding IP addresses is changing the address of your router (typically 192.168.0.1) and other devices to other addresses. Because 192.168.x.y is so commonly used by default on most wireless (and wired) home and small networks, it is a common starting point for hacking attempts. Generating some random addresses should add some additional obstacles to hacking your network.

Further Hiding Your Network

A hidden locked door is more secure than a locked door. It is therefore a good approach to try to hide your wireless network from the outside world. I have found that my router broadcasts data with much more power than is necessary. Fortunately, there is a way to adjust this power. On my D-Link router in the “Performance” section of the “Advanced” tab, I can choose 100%, 50%, 25%, or 12.5% antenna transmit power.

After experimentation, I found that I could reduce the power to 12.5% and still get >90% signal strength and quality on all my networked devices. If you can adjust the antenna strength on your router, you should try to find the minimal strength necessary for maintaining quality connections.

Another thing you can do to hide your network (and not just your wireless network) from the outside world is to disable the WAN (wide-area network) ping. This ping is often the first step in probing your computer from the internet-side for attacks. It could also be used to detect your wireless network. On my D-Link router, you can disable this ping by selecting “Discard PING from WAN side” in the “Misc” section of the “Tools” tab.

Security-Minded Living

Here are some additional tips for everyday computing that will help improve the security of your network.

  1. For transactions including your social security number, financial data, credit cards, etc., you should only use a wired computer.
  2. Never distribute your WEP keys or other security data by shared data files or emails. If you must use a file to convey the keys, then do so manually with a floppy disk.
  3. Change your WEP key frequently. Once every week or so is generally acceptable for a 128-bit or higher key.
  4. Check your firewall/router logs. If you notice unusual activity or a new machine connected to it, change your WEP key and static IP address immediately!
  5. Don’t post screenshots of your configuration, etc.
  6. Security is never finished. Keep up-to-date on developments in wireless security, and keep your firmware and drivers up-to-date as well.

Additional Security

This is a good baseline security setup. A good next step from here is setting up VPN’s (virtual private networks). These use a secured tunneling protocol to connect members of a network across public telecommunications. They can be applied above and beyond the WEP encryption and other means described in this article. (But they are beyond the scope of this article for beginning security.)

Another possible method that has been brought to my attention is NoCatAuth. They use their own authentication process that could be handy in restricting web usage through your home network, although I haven’t had a chance to review its applicability beyond the standard NoCat network.

Downloadable Tools

  1. Random hex WEP key generator (117 KB):

    Temp1

    I wrote a small command-line random key generator. You tell it how many bits your key is (e.g., 64, 128, 256 bits), and it will automatically generate a random key of appropriate length. It will both display this key on a screen and save it to a file for you.

  2. NetStumbler: You can use this tool to test out your new security settings. Note that on some machines, if you’re logged onto your wireless network while you use NetStumbler, it will mistakenly identify the SSID. (i.e., even if you aren’t broadcasting the SSID, it will find it.)

Future Directions

With sufficient demand (and if I can get the time to learn it), I might add information on VPN’s and new/improved downloadable tools to this guide.

Additional Web Resources

  1. SearchNetworking.com Glossary

    This site has a great, indexed glossary of the many terms you’ll see in wired and wireless networking.

  2. NoCat and NoCatAuth

    This site has information on the NoCat network and NoCatAuth that they developed.

  3. O’Reilly Article on Vulnerability of WEP and Wireless Networks

    A spooky write-up on what a really knowledgeable person can do with a little luck (although they only used some relatively older hardware and 64-bit keys).

  4. Net-Security.org

    A good site for online security know-how.

  5. Overclockers Forum Discussion

    Where the original discussions on the contents of this write-up occurred.

Acknowledgements

I would like to thank Steve (larva), Tebore, trey_w, orion25, and XWRed1 for their contributions in the aforementioned forums discussion. They helped me to develop a better understanding of security and the available resources.

Contact

For help or comments, please use

pmacklin@math.NOSPAM.uci.edu

(Please remove the “NOSPAM” to email.) I am particularly interested in further tips for security-minded living.


Important Updates – Commentary from the Field:

I received some email feedback with additional tips and comments from the field. Because security is important, I want to provide you with the most accurate information I possibly can. So, I’ll share some with you here. Anything you read here supersedes what was written above! The most important change is in encryption.

Regarding Router Security

If possible, it’s also best to disable administration of the router from wireless clients. Not all firewall/routers will be able to do this, but if you can, you should.

SSID Security

Hiding SSID does little to help security, as there are circumstances where the wireless access point will respond to queries about its name. Furthermore, the wireless clients probe for the SSID in plaintext somewhat frequently, too.

However, I still feel that even a small obstacle is a positive measure to take. It certainly won’t prevent a dedicated hacker from hacking security, but it might keep casual passers-by from bothering to connect to it. Furthermore, little measures like this can help keep honest outsiders honest. (Sometimes curiosity can get the better of anybody, but if it’s not immediately clear how to get in, the honest will move on.) It will also help prevent outsiders from accidentally trying to connect to your network.

Encryption

It has come to my attention from multiple independent sources that due to additional flaws in WEP, using shared authentication can make your WEP key much easier to determine, no matter its length. Therefore, you should use open authentication, not shared authentication.

In the present and near-future, a new encryption called WPA (Wi-Fi Protected Access) will be available that fixes the known holes in WEP (it will replace WEP). Much existing hardware will get WPA by firmware upgrades, and future products likely will already have it.

If you’re in the market to buy hardware today or soon, I’d recommend waiting until you can get something with WPA. If you have heard that a hardware maker will be updating current hardware to WPA via a firmware update, you should contact them directly to get a better estimate. I emailed D-Link and mentioned this article, but they did not respond. They promised WPA updates for Q2 or Q3 of 2003, and they still aren’t there. I’d take that as an example for any companies promising WPA support through future updates.

DHCP Security

It has been pointed out that if the WEP has been cracked, then the DHCP steps I outlined are largely pointless and only an inconvenience to the user. I would still recommend disabling the DHCP server as a means of withholding information about your network to the outside world in every way possible to you, but it isn’t as critical as good, frequently-updated encryption.

VPN’s

I have learned that VPN’s are still vulnerable due to the security problems at the IP layer, and tools exist to thwart it in the wireless context. Furthermore, they are largely aimed at business users and may not be appropriate or easy to set up for home users on their networks. It therefore seems that doing your best with WEP and keeping the keys updated is more important to keeping the network as secure as possible, and there would be little to be gained from the time investment of VPN’s.

Further Hiding your Network

Note that mobile users do have some pretty sophisticated antennas (directional antennas, etc.) that can overcome the lower transmission powers I recommended. However, any reduction in signal strength will help combat the detection of and connection to your network and is worthwhile.

Turning off the WAN (WLAN) ping doesn’t help with the wireless security.


Discussion
  1. I just recently set up a wireless network for my parents. In order to get even a trace of a signal you have to be standing at least 10-20 feet inside the yard, and on 1 side you have to be inside the house. With a setup like this how important is securing the network? I have it running 128bit security already (highest my router would go).
    That's a good question.
    I think it's still moderately important because there are a lot of tools out there to overcome weak signals. People who do "war driving" often have directional, amplified antennas that can pick up surprisingly weak signals. So, just because your computer can't connect well outside of 10-20 feet doesn't mean that somebody else with the proper equipment can't from farther. But it's definitely a help, because the percentage of people with this "proper equipment" is much lower; your odds of being detected at all are now much lower. :)
    That said, the 128bit encryption should help quite a lot. Otherwise, I wouldn't worry too much, but you should check in on the security from time to time. (And I still personally recommend changing the key regularly, since it's a weak encryption.)
    I hope this helps! Thanks for your interest in my article!! :) -- Paul
    Originally posted by UnseenMenace
    1) Do you have a wireless network? - Are you currently considering it?

    Yes. :)
    2) Have the security concerns regarding wireless networks affected your decision to buy wireless networking products?

    It has, and that's why I made sure what I bought had at least 128bit security. If I had known then what I do now, I might have waited a bit longer or chosen something with WPA instead, such as the more expensive 802.11g products out there.
    3) Does the price of wireless networking products affect your decision to buy wireless networking products? - If this is the case how much cheaper do they need to get?

    Yes indeed. Up until recently, this equipment was very pricy. Now, with rebates, you can get the router I use (which has a doubled transmission rate and doubled WEP key) for under $40 on newegg, which is quite affordable.
    4) What are your current thoughts, experiences concerning wireless networking ?

    It's a great advance for home users in terms of convenience, but the security is definitely an issue. It's too bad that the majority of these products have all the security turned off by default. Most home users never even turn it on, and I've had many friends who accidentally connected to their neighbor's networks. (And not intentionally. Windows will generally try to choose the strongest network it can find, so long as it can connect and log in.)
    I think the situation will improve on the security end. The manufacturers are getting a lot of interest, and they don't want the continued bad press like WEP is starting to generate. WPA should be a lot better, and I'd assume they'll be more careful in future selection of standards.
    I guess this is a lot like anything else in life: there's a trade-off between security / privacy and convenience. The U.S. liked relatively porous borders because it made commerce cheaper and faster. 9/11 happened, and now we have to trade some of that convenience for (presumably) better national security. Cordless phones are nice and convenient, but many of us (especially in the 900MHz days and before) have experienced picking up the phone to hear unexpected voices!
    It's finding a livable balance between safety and convenience that's key, I think.
    5) What do you think of this article and the advice it gives ? - Do you have any more ?

    Still looking for helpful comments! :) Thanks! -- Paul
    Agreed. At least not for very long.
    Then again, all locks (physical or in software) can be picked or broken with sufficient effort, so in a sense, there is no such thing as "secure." There are only various shades of relative security. Like most things in life, it's about choosing how much effort needs to be put into security to ensure a reasonable expectation of privacy for the intended purpose of the system and the value of that which you are safeguarding.
    VPN's aren't secure, either. (I had some interesting discussions with a wireless researcher in Australia about wireless security, VPN's, and readily-available tools to crack VPN's, on a wireless or not.)
    If the intended use of the network is mission-critical (e.g., financial operations or accounting or anything else with vital private or sensitive information), wireless is not the right networking form. Only wired networks should be used for sensitive transactions.
    For casual file sharing, internet connection sharing, etc., (i.e., standard home use), wireless is fine so long as reasonable protections are used. WEP is a flawed encryption, but it still takes time to break. Which means that if the key is changed sufficiently regularly and proper precautions are taken, it should do alright for the typical home user.
    It'll certainly be better than the setup of most home users: default settings on, no security enabled at all, and oblivious to whether or not somebody else is connected.
    But I agree with at least a good portion of your statement: under WEP, you shouldn't be completely oblivious to the fact that you're still vulnerable. Just as wearing a bike helmet shouldn't encourage one to bike recklessly, the limited protections of WEP shouldn't encourage one to be needlessly risky. On the other hand, life is safer with a helmet than without.
    So, at the end of the day, it isn't about making a network completely secure, but rather making security better than it was before.
    Thanks!! -- Paul
    This article could not have come at a better time for me. I have actually been considering a wireless network for my home. I was considering wireless simply because it's easier than pulling cable.
    I am not overly concerned about security. Where I live, I know all of my neighbors for over 100 yards in any direction. This is a dead end gravel road 3 miles from town.
    So, just how far away should I really be worried about? The nearest public road is 100+ yards away, is seldom traveled and used only by people who live in this neck of the woods so to speak.
    The cost of wireless networking devices has fallen so far that cost is nearly a non-issue. At least for a small system with a lower need for security (I hope).
    Cuda, thanks for the interest!
    You sound like you're in a pretty fortunate position, since you're quite isolated. Again, amplified antennas can pick up quite faint signals and connect to those networks, but since you're so isolated, the probability is much lower.
    I think if you at the least used WEP with regular key changes, did MAC filtering, and reduced your antenna's range if possible, you'd probably be in good enough shape. It never hurts to be security-minded, though, particularly on financial transactions.
    If possible, I'd try to spend the extra $ on a system that has WPA if it's affordable for you. Otherwise, you'll probably be reasonably safe with the 802.11b systems with >= 128bit WEP, with the standard provisos. :)
    Good luck, and have fun! :) -- Paul
    Just another note: Look at the two networks that popped up today:

    WEP isn't great, but it sure beats out at least some of these alternative encryption methods. ;)
    The people on Channel 1 changed away from what's the typical channel of 6 and managed to turn off SSID. Perhaps they're using VPN or some other security, which is good.
    As for the channel 6er's ...
    -- Paul