Simple changes you can make to your wireless network to improve security – Paul Macklin
Disclaimer:
I am by no means an expert at networking or network security. I am writing this article as an overview of the techniques I have learned that a relative novice at wireless networking can easily implement to improve wireless networking security with minimal confusion. It should be understood as a starting point on the quest for greater wireless networking security, not the complete solution.
Rather than help with the actual setup of your network, this guide instead focuses on the configuration of the various security options that may be available to you.
I recently set up a wireless home network for my apartment. In my previous apartment, I had strung up a simple 10/100 hub and nailed some cable-holders along the perimeter of the walls to hold the cables. However, I didn’t think the apartment owners in Orange County, CA, would appreciate this sort of option, so I decided to go wireless. It has been a tremendous improvement for aesthetics and simplicity, but security is an issue.
Consider, for example, the recent campaign by the RIAA to sue internet users who illegally share copyrighted music. If you examine these cases a little more closely, you’ll notice that they don’t even determine which computer did the sharing, but rather which IP address was responsible.
Suppose you have a broadband connection and a wireless router/firewall. If somebody bootlegs your connection and participates in KaZaa, it’s going to be your IP address that appears on the subpoena. Granted, this is probably one of those very few cases that could stand a chance in court, but why get there in the first place?
Of course, it goes without saying that you want to safeguard your data and privacy. You’ll also want to reserve your bandwidth for your own surfing, rather than bozo’s pr0n downloads, so these are some other good reasons to invest some time in security. So, let’s get started on improving security.
In this guide, I’ll go through the simplest changes you can make to your wireless network to improve security. At the end of the day, no wireless network is completely secure, but hopefully you can at least create a deterrence/inconvenience. There ought to be less-secure networks nearby that make more tempting targets. The overall approach I’d like to convey is “lock the door and try to hide it.”
For my network, I use D-Link’s DI-614+ wireless router/firewall. It’s an 802.11b router with a proprietary method of doubling the data rate to 22 Mbps. It also allows for 256-bit WEP passwords. (So long as it’s used with other D-Link networking hardware, such as the DWL-650+.) Best of all, while giving pretty good performance, they’re also pretty cheap. At the time of this writing, the DI-614+ cost $39 at Newegg.com with rebates, $66 without rebates.
If you use different hardware, the terminology and/or techniques will likely differ, but the general approach should still apply.
My internet connection is through my cable modem, which is, in turn, connected to my firewall/router by an Ethernet cable. I have three computers on my network. Computer 1 is attached to the router with a standard 10/100 Ethernet cable; computers 2 and 3 are connected via PCI wireless cards.
For security, it is best to only use a “wired” computer (Computer 1 in my network) to administer the firewall/router. Thus, your setup should include at least one wired computer. This typically isn’t a big deal, because you’ll probably have a computer next to your router and cable modem anyway.
Also, firmware updates to your router should only be done through a wired computer. This reduces the risk that data corruption in your network could corrupt the firmware on your router.
You should immediately add a password to your admin account on your router. On my D-Link router, this and all settings can be changed by going to in any web browser. For the D-Link router, look at the “Admin” section of the “Tools” tab.
Your SSID, or service set identifier, is basically the unique name of your local area network (LAN). By default, the SSID is “default” for my D-Link hardware. You should change this name. Don’t use the name of your company or family, though. (This makes it too easy for outsiders to figure out whose network it is and if the data might be interesting.) Instead, choose a random or pseudo-random name, like “lalaMyNet823”. You might also want to change the channel from the default.
By default, most of these wireless routers broadcast the SSID – this makes it easier for other computers to detect and connect to the network. While this is great from an initial setup point of view, it’s something you’ll want to avoid for your network. (A network is more secure if it’s harder to know it’s there at all.) You’ll therefore want to disable this feature. On my D-Link router, you can change this by going to the “Advanced Tab”, then “Performance”, and changing the “SSID Broadcast” feature to “Disabled.”
Notice that once this is done, you’ll have to manually configure each wireless device on your network to the SSID you chose.
All 802.11b wireless routers have some sort of WEP (Wired Equivalent Privacy) encryption built in. All the routers can do 64-bit WEP encryption, and most can do 128-bit encryption; some can also do 256-bit encryption. (My D-Link router is one such example.) Enabling this encryption provides some security for the data as it is transmitted between the router and the wireless clients. It also helps prevent unauthorized computers from accessing your network.
Recently, however, it has been shown that this encryption has some security flaws. From what I’ve read thus far, a 128-bit key can be broken in roughly one week solely from data interceptions and pattern analysis. A 64-bit key can be broken in a matter of hours.
Some maintain that these flaws are great enough that WEP shouldn’t even be bothered with, and using it only produces a false sense of security. I remember seeing a similar argument used at rifle ranges:
“Gun safety mechanisms are mechanical devices that are subject to failure, so relying on them is false security. Therefore, don’t use them, and teach discipline instead.”
Well, even the best-trained marksman can trip while carrying a firearm, and a fallback mechanism is nice. Likewise, I would maintain that weak encryption is better than no encryption, especially when used in conjunction with other protective measures.
Therefore, I would recommend using the highest-level protection that your network can allow. On my D-Link, I use the full 256-bit protection. On the D-Link, you can enable WEP and set the key in the “Wireless” section of the “Home” tab. I generally choose to enter a hex string rather than an ASCII string: every hex digit contributes 4 fully random bits, whereas each 8-bit ASCII character is restricted to the small set of characters you can type, so for a key of a fixed number of bits the hex string covers the whole key space and results in a more random key.
When choosing your WEP key, choose something random. Whatever you do, don’t stick with the default “000000000…..” key! In the “Downloadable Tools” section of this write-up, I have provided a random hex key generator to make this a little easier.
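The following is an added example (not the author’s downloadable tool): a hex WEP key generator for the 64/128/256-bit router labels, a check that rejects the all-zero default key, and the hex-versus-ASCII entropy comparison made above. It assumes the usual convention that the router’s label includes the 24-bit IV, so you enter 40, 104 or 232 secret bits.

```python
import math
import secrets
import string

# Router label (total RC4 key including the 24-bit IV) -> secret bits you type in.
# Assumption: the D-Link 64/128/256-bit labels follow this common convention.
WEP_SECRET_BITS = {64: 40, 128: 104, 256: 232}

# Characters you can realistically type into an ASCII key field.
PRINTABLE_ASCII = 95


def generate_hex_key(label_bits: int) -> str:
    """Return a random hex WEP key for a router labelled 64/128/256-bit.

    Uses the secrets module (a CSPRNG), not random, so the key is unpredictable.
    """
    secret_bits = WEP_SECRET_BITS[label_bits]
    return secrets.token_hex(secret_bits // 8).upper()


def is_valid_hex_key(key: str, label_bits: int) -> bool:
    """Check length and alphabet, and reject the all-zero default key."""
    expected_len = WEP_SECRET_BITS[label_bits] // 4  # 4 bits per hex digit
    if len(key) != expected_len:
        return False
    if any(c not in string.hexdigits for c in key):
        return False
    return set(key) != {"0"}


def key_entropy_bits(label_bits: int, ascii_key: bool) -> float:
    """Entropy of a uniformly random key of the given type.

    A hex key covers the whole secret: 4 bits per digit, so 104 bits for a
    "128-bit" key. An ASCII key spends 8 bits per character but only draws
    from 95 printable characters, so each byte carries log2(95) ~ 6.57 bits.
    """
    secret_bits = WEP_SECRET_BITS[label_bits]
    if not ascii_key:
        return float(secret_bits)
    return (secret_bits // 8) * math.log2(PRINTABLE_ASCII)


if __name__ == "__main__":
    for label in (64, 128, 256):
        key = generate_hex_key(label)
        print(f"{label}-bit label: {key} ({len(key)} hex digits, "
              f"hex {key_entropy_bits(label, False):.0f} bits vs "
              f"ASCII {key_entropy_bits(label, True):.1f} bits)")
```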
Some routers (such as my D-Link) allow you to choose an “open” or “shared” WEP Authentication. I would select “shared”. If you were to choose “open”, only those computers with listed MAC addresses and the correct WEP key would be able to connect to your network, but the wireless access point would be visible to all. Changing the option to “shared” fixes that. For the D-Link router, you can change these Open/Shared options under “Performance” in the “Advanced” tab.
You’ll need to manually enter your WEP key into every wireless device on your network.
I would recommend changing your WEP key every week or less. This way, if somebody is monitoring your network, your key will likely have been changed before they will have broken it.
By default, the D-Link router (and most wireless routers) have the DHCP (Dynamic Host Configuration Protocol) server enabled. This is helpful for setting up a network, because it assigns an IP address to all devices as they boot up and try to connect to the network. From a security standpoint, however, it makes it much easier for any computer to connect to your network (including passers-by who may notice your network), authorized or not. You can get around this with a small amount of effort.
Each piece of networking hardware has a unique MAC (Media Access Control) address. You can configure your router to only accept networking commands/requests from a specified list of hardware by specifying the MAC addresses.
First, go to each computer on your network, open a command prompt, and type:
ipconfig /all
if you’re in WinXP or Win2k, or type
winipcfg
in Win9x or WinME. The MAC address may sometimes be referred to as the adapter address. In Linux, use the “ifconfig -a” command. A typical address is
00-A0-C9-05-5A-E8
Then, for each computer, write down its MAC address and choose a unique IP address, such as 192.168.0.x, where x > 1.
Then, go to your router and assign these static IP addresses to each MAC address. For the D-Link router, you do this at the “DHCP” section of the “Home” tab, under “Static DHCP”.
Once you have added each MAC address and associated IP address to the Static DHCP Client List, you should disable the DHCP server on your router. On the D-Link router, this is done by selecting “DHCP server Disabled” in the “DHCP” section of the “Home” tab.
However, this isn’t quite the last step on the router configuration. Right now, you’re preventing other pieces of hardware from getting assigned IP addresses, and you’re manually assigning IP addresses to the hardware on your network. You also want your router to deny traffic to all devices you haven’t recognized and manually assigned addresses to.
You do this by enabling MAC filtering on your firewall. On the D-Link router, this is done in the “Filters” section of the “Advanced” tab. Choose “MAC Filters”, choose “Only allow computers with MAC address listed below to access the network”, and enter the first MAC address on your list. List all the devices that way.
Once this is all done, you will have to manually set the IP address, subnet mask, default gateway, and DNS server on each computer (both wired and wireless). The IP address is set as you chose it. The default gateway and DNS server are both the IP address of your router. (In most cases, this is 192.168.0.1.) The subnet mask is usually 255.255.255.0.
Notice that once you have MAC filtering enabled, you technically don’t have to turn off the DHCP server. Even if some unauthorized piece of hardware gets assigned an IP address, the MAC filter should prevent it from interacting with your network. However, disabling the DHCP server should make it that much more inconvenient for unauthorized users to gain a foothold in your network, and I still recommend disabling it.
One last thing I might recommend regarding IP addresses is changing the address of your router (typically 192.168.0.1) and other devices to other addresses. Because 192.168.x.y is so commonly used by default on most wireless (and wired) home and small networks, it is a common starting point for hacking attempts. Generating some random addresses should add some additional obstacles to hacking your network.
A hidden locked door is more secure than a locked door. It is therefore a good approach to try to hide your wireless network from the outside world. I have found that my router broadcasts data with much more power than is necessary. Fortunately, there is a way to adjust this power. On my D-Link router in the “Performance” section of the “Advanced” tab, I can choose 100%, 50%, 25%, or 12.5% antenna transmit power.
After experimentation, I found that I could reduce the power to 12.5% and still get >90% signal strength and quality on all my networked devices. If you can adjust the antenna strength on your router, you should try to find the minimal strength necessary for maintaining quality connections.
Another thing you can do to hide your network (and not just your wireless network) from the outside world is to disable the WAN (wide-area network) ping. This ping is often the first step in probing your computer from the internet-side for attacks. It could also be used to detect your wireless network. On my D-Link router, you can disable this ping by selecting “Discard PING from WAN side” in the “Misc” section of the “Tools” tab.
Here are some additional tips for everyday computing that will help improve the security of your network.
- For transactions including your social security number, financial data, credit cards, etc., you should only use a wired computer.
- Never distribute your WEP keys or other security data by shared data files or emails. If you must use a file to convey the keys, then do so manually with a floppy disk.
- Change your WEP key frequently. Once every week or so is generally acceptable for a 128-bit or higher key.
- Check your firewall/router logs. If you notice unusual activity or a new machine connected to it, change your WEP key and static IP address immediately!
- Don’t post screenshots of your configuration, etc.
- Security is never finished. Keep up-to-date on developments in wireless security, and keep your firmware and drivers up-to-date as well.
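As an added example (not from the original write-up), here is a small script covering the static DHCP / MAC filter procedure and the “check your router logs for a new machine” tip: it pulls MAC addresses out of `ipconfig /all` and `ifconfig -a` output, assigns each one a fixed 192.168.0.x address with x > 1, and flags any MAC in a router client list that is not on your list. All sample output below is constructed, and the router log format is an assumption (the DI-614+ layout is not shown in the article).

```python
import ipaddress
import re

# Constructed samples in the formats the article tells you to inspect:
# Windows `ipconfig /all` (dash-separated) and Linux `ifconfig -a` (colon-separated).
IPCONFIG_SAMPLE = """
Ethernet adapter Local Area Connection:
        Description . . . . . . . . : 3Com EtherLink XL 10/100
        Physical Address. . . . . . : 00-A0-C9-05-5A-E8
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . : D-Link AirPlus DWL-520+
        Physical Address. . . . . . : 00-05-5D-11-22-33
"""
IFCONFIG_SAMPLE = """
eth0      Link encap:Ethernet  HWaddr 00:0d:88:aa:bb:cc
          inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
"""
# Constructed router client-list excerpt (format assumed) with one stranger in it.
ROUTER_LOG_SAMPLE = """
192.168.0.2  00-A0-C9-05-5A-E8  lease: static
192.168.0.3  00-05-5D-11-22-33  lease: static
192.168.0.7  00-1B-2F-99-88-77  lease: dynamic
"""

# Six hex pairs separated by '-' or ':' covers both the Windows and Linux styles.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Canonical form for comparison: upper-case, dash-separated like the router UI."""
    return mac.upper().replace(":", "-")


def extract_macs(text: str) -> list:
    """MAC addresses found in command output, in order, without duplicates."""
    found = []
    for raw in MAC_RE.findall(text):
        mac = normalize_mac(raw)
        if mac not in found:
            found.append(mac)
    return found


def build_static_table(macs, subnet="192.168.0.0/24", router_host=1) -> dict:
    """Assign each MAC a fixed address above the router's (x > 1 in the article)."""
    net = ipaddress.ip_network(subnet)
    table, next_host = {}, router_host + 1
    for mac in macs:
        if next_host >= net.num_addresses - 1:  # leave the broadcast address alone
            raise ValueError("subnet exhausted")
        table[normalize_mac(mac)] = str(net.network_address + next_host)
        next_host += 1
    return table


def unknown_clients(log_text: str, allow_list) -> list:
    """The log check from the tips: MACs seen by the router that are not yours."""
    allowed = {normalize_mac(m) for m in allow_list}
    return [m for m in extract_macs(log_text) if m not in allowed]
```

Run `unknown_clients(ROUTER_LOG_SAMPLE, build_static_table(extract_macs(IPCONFIG_SAMPLE)))` and the one dynamic lease comes back as the address to investigate.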
This is a good baseline security setup. A good step from here is setting up VPNs (virtual private networks). These use a secured tunneling protocol to connect members of a network across public telecommunications. They can be applied above and beyond the WEP encryption and other means described in this article. (But they are beyond the scope of this article for beginning security.)
Another possible method that has been brought to my attention is NoCatAuth. They use their own authentication process that could be handy in restricting web usage through your home network, although I haven’t had a chance to review its applicability beyond the standard NoCat network.
- Random hex WEP key generator (117 KB):
I wrote a small command-line random key generator. You tell it how many bits your key is (e.g., 64, 128, 256 bits), and it will automatically generate a random key of appropriate length. It will both display this key on a screen and save it to a file for you.
- NetStumbler: You can use this tool to test out your new security settings. Note that on some machines, if you’re logged onto your wireless network while you use NetStumbler, it will mistakenly identify the SSID. (i.e., even if you aren’t broadcasting the SSID, it will find it.)
With sufficient demand (and if I can get the time to learn it), I might add information on VPNs and new/improved downloadable tools to this guide.
- SearchNetworking.com Glossary
This site has a great, indexed glossary of the many terms you’ll see in wired and wireless networking.
- NoCat and NoCatAuth
This site has information on the NoCat network and NoCatAuth that they developed.
- Oreilly Article on Vulnerability of WEP and Wireless Networks
A spooky write-up on what a really knowledgeable person can do with a little luck (although they only used some relatively older hardware and 64-bit keys).
- Net-Security.org
A good site for online security know-how.
- Overclockers Forum Discussion
Where the original discussions on the contents of this write-up occurred.
I would like to thank Steve (larva), Tebore, trey_w, orion25, and XWRed1 for their contributions in the aforementioned forums discussion. They helped me to develop a better understanding of security and the available resources.
For help or comments, please use
(Please remove the “NOSPAM” to email.) I am particularly interested in further tips for security-minded living.
Important Updates – Commentary from the Field:
I received some email feedback with additional tips and comments from the field. Because security is important, I want to provide you with the most accurate information I possibly can. So, I’ll share some with you here. Anything you read here supersedes what was written above! The most important change is in encryption.
If possible, it’s also best to disable administration of the router from wireless clients. Not all firewall/routers will be able to do this, but if you can, you should.
Hiding SSID does little to help security, as there are circumstances where the wireless access point will respond to queries about its name. Furthermore, the wireless clients probe for the SSID in plaintext somewhat frequently, too.
However, I still feel that even a small obstacle is a positive measure to take. It certainly won’t prevent a dedicated hacker from getting in, but it might keep casual passers-by from bothering to connect to it. Furthermore, little measures like this can help keep honest outsiders honest. (Sometimes curiosity can get the better of anybody, but if it’s not immediately clear how to get in, the honest will move on.) It will also help prevent outsiders from accidentally trying to connect to your network.
It has come to my attention from multiple independent sources that due to additional flaws in WEP, using shared authentication can make your WEP key much easier to determine, no matter its length. Therefore, you should use open authentication, not shared authentication.
In the present and near-future, a new encryption called WPA (Wi-Fi Protected Access) will be available that fixes the known holes in WEP (it will replace WEP). Much existing hardware will get WPA by firmware upgrades, and future products likely will already have it.
If you’re in the market to buy hardware today or soon, I’d recommend waiting until you can get something with WPA. If you have heard that a hardware maker will be updating current hardware to WPA via a firmware update, you should contact them directly to get a better estimate. I emailed D-Link and mentioned this article, but they did not respond. They promised WPA updates for Q2 or Q3 of 2003, and they still aren’t there. I’d take that as an example for any companies promising WPA support through future updates.
It has been pointed out that if the WEP has been cracked, then the DHCP steps I outlined are largely pointless and only an inconvenience to the user. I would still recommend disabling the DHCP server as a means of withholding information about your network to the outside world in every way possible to you, but it isn’t as critical as good, frequently-updated encryption.
I have learned that VPNs are still vulnerable due to the security problems at the IP layer, and tools exist to thwart them in the wireless context. Furthermore, they are largely aimed at business users and may not be appropriate or easy to set up for home users on their networks. It therefore seems that doing your best with WEP and keeping the keys updated is more important to keeping the network as secure as possible, and there would be little to be gained from the time investment of VPNs.
Note that mobile users do have some pretty sophisticated antennas (directional antennas, etc.) that can overcome the lower transmission powers I recommended. However, any reduction in signal strength will help combat the detection of and connection to your network and is worthwhile.
Turning off the WAN (WLAN) ping doesn’t help with wireless security.