Wednesday, May 25, 2005

Security Briefing #2

Wireless Security Part 2

If you have a home wireless network, you should take the time to set it up securely. Make sure you have a personal firewall installed on all computers on your home network, as well as up-to-date anti-virus software. If you have Windows computers, make sure you install Windows updates.

Home Wireless Networks Best Practices

You will need to view the documentation that came with your wireless WAP/router in order to do many of the following tasks. You can also go to the manufacturer's website or Google 'home wireless security' for more info.

WAP: Wireless Access Point. The hardware that broadcasts your Internet connection via radio waves.
WEP: Wired Equivalent Privacy. The earliest attempt at wireless security systems, flawed at best.
WPA: WiFi Protected Access. The current, more secure wireless security system.
VPN: Virtual Private Network. The ability to create a 'private' network over the Internet. On a wireless network, it can give you the same privacy you would have had your computers been connected by cable, in the same building.
MAC: Media Access Code. Unique identifier hardcoded onto all Internet-connected hardware, including network cards, WAPs, routers.

  1. Buy the most recent, most secure wireless hardware you can afford.
    You can buy Wireless Access Points for under $50 which will allow you to set up a wireless network very quickly and easily. But setting up a WAP to be secure can be difficult. Although they are pricier, if you can afford the price tag (roughly $200?) you should really consider getting a Wireless Access Point that can also act as a router, or getting both a Wireless Access Point and a router. A router can set up a firewall and provide some built-in security.
    Things to look for in a Wireless Access Point:
    --Router capabilities
    --Built-in Firewall
    --WPA security
    --802.11g standard
    --VPN (Virtual Private Network) capabilities.
  2. Restrict broadcast of your SSID. The SSID is the name of your wireless network. If you don't publish or broadcast this, it's harder for outsiders to find your network. (Not impossible, though). See your documentation on how to NOT publish this. By default, most wireless routers will broadcast the SSID, advertising your network's presence to the world.
  3. Change the name of your SSID to something other than the default name. Even if you don't broadcast the name, it's possible for people to 'see' your network. If you've kept the default name, all they have to do is go through a list of common default names and they've found you. You want to avoid the default names like 'linksys' or 'apple' and avoid generic things like 'wireless.' You also want to avoid easily guessable things like EllisNetwork (people can always get your name off your mailbox on the curb). Change this SSID on a regular basis.
  4. Change the default password provided by the manufacturer on the access point or wireless router. If you don't, anybody can break in after taking a quick visit to the manufacturer's website and going to the Support area. Most manufacturers publish their default passwords.
  5. Place the access point or router in the center of your home and not near a window or exterior wall. Check the range with a wireless laptop: can you reach the network from your front yard or from down the street? If so, you need to be extremely vigilant about safeguarding your network.
  6. Restrict MAC addresses. Your WAP/router will allow you to restrict which computers can connect to your network by identifying their MAC IDs. This is not Apple related; it stands for Media Access Code. Every network card that connects to the Internet has a unique identifier -- the MAC -- which is hardcoded onto that card. By limiting access to only computers you 'know,' you will be providing a small amount of security. But don't get smug -- it's very easy for somebody who's already attached to your network to 'impersonate' an allowed user by taking on (spoofing) their MAC address. The intruders would, however, need to know what your MAC addresses are already. If they've already been on your wireless network, this is extremely easy to get and to impersonate.
  7. If you have an older (802.11 a or b) router and net cards, set up WEP. Most people don't do this because it's a pain to get right. And there's the added bonus that it's easily crackable. You should try, though. See your router documentation for details. WEP requires the WAP and each network card that attaches to the wireless network to exchange 'passwords.' Once set up, it will protect your data from packet sniffers (software that can eavesdrop on Internet traffic). But it's extremely easy to crack.
  8. If you have a newer (802.11 g) WAP/router, use WPA. This is a bit more difficult to set up but is more secure. Again, it relies on a 'passwords' scheme between the WAP and network cards to access data, but the encryption is more secure. See your WAP/router documentation for details.
  9. Once you buy your equipment, be aware that it, just like your software, will need to be updated occasionally. Example: Netgear sells a WAP/Router with VPN capabilities for which a recent exploit was found. The exploit allows hackers to very easily get your router's administrative password (meaning they can turn off the firewall, add themselves to the network, shut you out...). If you were using this particular router and hadn't upgraded to the latest firmware, you'd be at risk. Go to the manufacturer's website for more details about your own hardware.
  10. Turn off shared resources. Don't have Windows share printers, files or folders without any password protection.
  11. Turn off unused services. Don't run FTP or Telnet services.
  12. Set up a Virtual Private Network. Unless this ability is built into your WAP/router, this can be a daunting task, even for system administrators. There are some Open Source tools that will allow you to do this on your own (even with older equipment).
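
Step 6 notes that an allowed MAC address can be copied, so the filter is worth backing up with a periodic look at who actually received an address from the router. The following is an added example, not part of the original post: it audits a lease log against an allowlist, and the log format, MAC addresses and hostnames are all constructed for illustration (real routers each use their own log format).

```python
import re

# Constructed allowlist: MAC address -> hostname that device normally presents.
ALLOWED = {
    "00:11:22:33:44:55": "family-laptop",
    "00:11:22:33:44:66": "kitchen-pc",
}

# Constructed lease log in a hypothetical "time mac ip hostname" format.
SAMPLE_LOG = """\
2005-05-25T08:01:10 00:11:22:33:44:55 192.168.1.10 family-laptop
2005-05-25T08:03:42 00:11:22:33:44:66 192.168.1.11 kitchen-pc
2005-05-25T21:17:05 00:AA:BB:CC:DD:01 192.168.1.12 unknown-host
2005-05-25T23:40:31 00-11-22-33-44-55 192.168.1.13 visitor-nb
"""


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_leases(log_text, allowed):
    """Return (line_number, finding, detail) tuples for leases worth a look."""
    known = {normalize_mac(m): host for m, host in allowed.items()}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        mac = normalize_mac(parts[1]) if len(parts) == 4 else None
        if mac is None:
            findings.append((lineno, "malformed", line))
        elif mac not in known:
            # A device that is not on the allowlist obtained a lease.
            findings.append((lineno, "unknown-mac", mac))
        elif parts[3] != known[mac]:
            # Allowlisted MAC, unexpected hostname: the address may be copied.
            findings.append((lineno, "possible-spoof", mac))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LOG, ALLOWED):
        print(finding)
```

The hostname is supplied by the client, so a mismatch is a hint to investigate rather than proof, and a matching hostname does not prove the device is yours.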

