(Oh No – You Mean My
Wireless Home Network is At Risk?)
Part of what we teach
as part of the NRA's "Refuse to Be a Victim" program is online security to keep
you safe while on the Internet. The most common type of home network these
days is a wireless network. Wireless networking allows for much easier
setup without all that cable installation that we had to do to set up our home
networks back in the day. But wireless networking brings with it
some added security concerns that you may want to consider. From where I
sit in my office on the second floor of my house, for example, I can detect
at least five wireless networks from here. And not all of them are secured
networks. Practically anyone can join an unsecured wireless network and surf to
their heart's content. This article is intended to give you some ideas on
how you can make your wireless network a little more secure.
WARNING: There is a lot of "geek-speak" in this article. If it doesn't make sense, just email me and I will explain it to you.
So now that your wireless network is all set up, no worries, right? I mean so what if someone in the ‘hood' steals a little of your signal, connects to your network and surfs for
themselves. The cable company won’t know and the bandwidth they steal probably
won’t affect you! Well – here’s the deal with that: If anyone can get on your
network and surf the web, then that means that they can also get to the files on
your computer(s) if they are smart enough – and these days it doesn’t take much
to hack into an unprotected system. They are completely bypassing your firewall
and they are now on the inside. Inside and free to get to all of your personal
information, tax records, personal letters, email files, you name it.
But so what if they
aren’t after your stuff, but rather just want an Internet connection so that
they can surf for free – or worse, like doing illegal things – gambling, porn,
child exploitation, download some copyrighted movies…. And it isn’t just your neighbors – it’s those nasty little
WAR drivers, driving around with laptops and programs like
Net Stumbler or
AirSnort, scoping you out so they can
come back later and steal your signal or hack your systems. Then they can make maps of where all the wireless networks are
located and share with their buddies.
Small business
owners, you should really listen up here – there are liability issues:
Guess who get’s tagged when someone decides to crack down on illegal Internet
activities through your service provider’s records or other means. You do!
Current legislation limits the ISP's liability for illegal activities, and the
account owner
becomes the responsible party since your name is on the account. There may
be no evidence on your computer, because you weren’t doing anything wrong.
But all they know from their investigations it that the suspicious traffic came
to and from the connection into your network. And after you get your
computer back (after months of forensic investigation) you will be in the clear.
But can you do without your computer for that long? Worse yet, can you do
without your data for that long? Stealing your signal for free
Internet access is one thing. Using your network for illegal purposes is another – and since
you have
no idea what the attacker’s real intentions are, you really should be just keeping
unauthorized users off in the first place. So, let’s just nip this little
problem in the bud and protect ourselves by using some of the built in features
of the wireless equipment and our own common sense.
Your
New Router/Wireless Access Point:
You have just
purchased that new combo router/access point and pulled it out of the box. They
are all configured the same, meaning that they all have the same default
settings for administrative passwords, router name, IP address ranges, and
network broadcast names (more on SSIDs in a bit). Immediately change those
factory settings. Every bad guy in the world knows that the default password for
a Linksys router is “Admin” and the default SSID – the network name that it
broadcasts is “Linksys.” These settings change slightly depending on
manufacturer, but they are similar, and more importantly, they are all well
known. In other words, if you have a router/access point right out of the box
and you don’t change anything before placing it in service in your network, all
the little WAR drivers will know it, and they already know the information they
need to log in to your router and change its settings to accommodate their
needs.
At a minimum:
-
Change the default password
-
Restrict which addresses can access your network
-
Encrypt to make your network a secured network
-
Change the default wireless network SSID
-
Disable wireless router management
-
Give your router a name
If they can’t get an address,
they can’t surf:
Two addresses are
important: The MAC address (physical address), and the IP address (logical
address). The easiest of the two addresses to restrict on your wireless
address is the MAC address, by the way. The MAC (Media Access
Control) address is an address that is hard coded into the network card on your
computer. This is often referred to as the physical address. You can configure your wireless access point so that only the MAC
addresses in your approved list will be able to connect to your network. MAC addresses
can be very easily spoofed, however, but the attackers have to know the exact
MAC address(es) listed in your access point authorized list in order to spoof the right one.
This isn’t fool proof by any means, but at least it will give you something a
bit more secure than no restrictions at all.
The IP (Internet Protocol)
address is the "192.168.1.6" type address that computers use to communicate -
often referred to as the "logical" address. All computers on a
network have an IP address if they want to communicate, especially if they want
to communicate with your router to get to the Internet. The IP address can be given to
you automatically by what is known as a DHCP server (dynamic), or it can be hard coded (static)
address. If you use a router, by default your router is using its DHCP
feature to configure these addresses on your computer for you. If you are letting your router dish out addresses
to your computers, then that means that they are likely to be available to
anyone with a computer who can see your wireless network and “ask” for one.
This is simple – just don’t make any available! Hard code all of your IP
addresses into your computers, and tell your router not to make DHCP addresses
available. I set all of the addresses on my computers statically.
But one of the reasons this is a more complicated address to restrict is because
using this method requires you to know something about IP addressing, subnet
masks, DNS services, and default gateways. Because of this complexity,
many people do not use this method, but I'm a geek, so.....
If you do this also, you can go one
step further and make the subnet mask for your network non-standard. For
example, many people at home use the private IP address range of 192.168.1.x.
The default subnet mask for this range is 255.255.255.0. If you only have a few
computers in your network, you can change your subnet mask to something like
255.255.255.240. That mask will allow you enough address space for fourteen
computers. If you want more addresses, or need fewer addresses, you can adjust
the mask you are using. The added benefit is that even if the attacker hard
codes in their own address to fit the range you are using, they have to guess
the right mask or they won’t connect.
Encrypt your wireless traffic:
One way that eavesdroppers can find
out things like passwords and other things that you would like to keep private
is that they can “sniff” the traffic on your network and see it in plain text.
There are a variety of free tools out there, such as Ethereal, that allow
people to see network traffic and get information right out of the very packets
traveling across the network. If you encrypt the traffic, however, it comes
across as gibberish and they can’t see this information. There are a couple of
popular encryption schemes built in to home and small business wireless devices
– WEP, WPA, and WPA2. WEP,
which stands for Wireless Encryption Privacy, is a slightly older and somewhat
unsophisticated encryption scheme. It is static, which means it never changes
its encryption keys. You would have to periodically define new keys or
pass-phrases. WEP is minimal security at best, but again it is better than
nothing. A newer wireless encryption for home users, WPA and WPA2 (Wi-Fi Protected Access) is a more
dynamic encryption scheme, and is more secure than WEP. The keys are
dynamically changed during system operation, making it more difficult for
someone to sniff your traffic and find out the pass-phrase used. Not knowing
the correct WEP or WPA keys and pass-phrases to enter into their computers makes
even connecting to your network more difficult for the attackers as well.
The other thing that needs to be
encrypted is your traffic between you and your router/access point management
console. In most home and small business routers, you simply use a web browser
to log into and manage your router’s configuration. The Linksys models (and
most others) include the ability to select HTTPS (port 443) traffic between you
and your router using an SSL certificate. This will provide security in that
eaves-droppers cannot see your router administrative password in plain text if
they are using a program like
Wireshark to
“sniff” your traffic from afar. Don’t confuse encryption with blocking access,
however. Anyone who types in the correct address for your router will be
offered an SSL certificate, and they can choose to install it. If they know the
password, they can still get in. What keeps them out is that they don’t have
the correct password, and you don’t want to make it easy for them to obtain it.
This type of encryption keeps that password from being sniffed, and makes it
more difficult to obtain.
Turn off the SSID broadcast:
The SSID is the network identifier
that gets broadcasts by a wireless network access point. As I mentioned
earlier, a default setting for a Linksys access point SSID out of the box is “Linsys.”
You don’t need the SSID broadcast to connect because you can simply type in the
SSID when you configure your computer(s). If configuration gives you a problem,
turn on SSID broadcasts, configure your computers, then turn the broadcasts back
off. The exception to this is earlier versions of Windows, such as Windows 98
and Windows XP without Service Pack 2. Actually, there was a patch awhile back
to ensure that Windows XP SP1 would connect without the SSID broadcast, but SP1
is about to become a non-supported product. You really need SP2 and above (SP3 is the current Windows XP Service Pack Level) to take
advantage of the Windows XP security features anyway. But Windows XP is
about to go end-of-life for security support (obsolete), so upgrade if possible. Get Windows Vista or Windows 7 and
you can really take advantage of much better security features.
Disable Wireless Management:
Disabling the ability
to manage your router from a wireless connection will help ensure that people
sitting out in the street stealing your wireless connection can’t get into your
router and change settings. You will want to have at least one computer that
has a wired connection so you can connect to your router and perform
configuration changes. If you only have one computer, and it is a laptop, use
the wired connection to connect directly to the router to do maintenance, and
the wireless connection to provide your mobility and your normal day-to-day
connections.
Additionally, you can
ensure that “Remote Access” is turned off. With remote access, you can come
into your router from anywhere else that has an Internet connection. I have
mine turned on because I travel, and sometimes need to come in and make a change
while I’m gone, in case the spouse or kids can’t get connected all of a sudden.
But if you don’t need it, the rule of thumb is to just turn it off.
Other Security Measures:
Securing your
wireless access points does not relieve you of the need to use other basic
security precautions. Just because you have a firewall doesn’t mean that a
personal firewall program on each computer won’t do you any good. I have my
router locked down pretty well, but my personal firewall still alerts on, and
blocks several inbound connection attempts. Antivirus software, anti-malware
software, and keeping your computer up to date with the latest patches are still
important requirements.
You play an important
part in security too – if your personal firewall alerts you to something don’t
just blindly say “Yes” to the event and move on, hoping for the best. Question
everything! Just say NO! You can look at your router’s logs to find suspicious
activity so that you will know what further steps to take. Look at the firewall
logs for your personal firewall software also to find out who is trying to
attack you, and what methods they are trying to use.
Wrapping it All Up:
Wireless networking provides an easy
and extremely flexible medium for setting up your home or small office network.
But remember: your network traffic is now traveling through free space, there
for the taking for the little WAR drivers and other eaves-droppers. All kinds
of things like passwords, personal data, and even access to the files stored on
your computer is at risk. Even the inexpensive router/access points give you a
number of security measures you can implement to help keep you safe. Nothing is
fool-proof.
This article mentioned some simple
measures you can take to increase your chances of being safe and protecting your
network. Be sure to look into the specific configurations that your
router/access point allows, and know what you can do with it. Given enough time
and effort, there is nothing that a hacker can’t break into. But by securing
your system you will more likely than not discourage a would-be hacker, and they
will just move on to the other six networks on your block. Don’t be a target –
protect your computers, your network, and your data.
- NIST
Special Publication SP800-48: Wireless Network Security
- WindowsSecurity.Com:
Wireless Network Security for the Home
- PC Magazine:
Ten
Steps to a Secure Wireless Network
- Microsoft: How to Set Up Your Home Wireless Network
