cancel
Showing results for 
Search instead for 
Did you mean: 

General: Wireless Network Security

lowry
Grafter
Posts: 478
Registered: 08-04-2007

General: Wireless Network Security

Tutorial: General: Wireless Network Security

The topic of internet security is one that has appeared in various publications and in the media over the last 12 months. Internet users are frequently being told to make sure their computer is secure by using a NAT router for connecting to their ADSL connection (this acts as a hardware firewall), using Anti-Virus software and a software firewall. However, with the advents of wireless networking, security is becoming even more crucial. Broadband is becoming ever more popular, and so wireless networking is now increasing in popularity.

Since computers in wireless networks communicate with each other via signals in the air, the data is easier to intercept than the data in traditional wired networks. One threat to wireless networks is the practice of ‘War Driving’. This is where people drive around in search of an insecure wireless network with the aim of accessing it and most likely, causing some harm.

Wireless networks are now relatively safe enough for use in homes and businesses but it is worth taking some steps to prevent something untoward gaining control of the network.


  • Change default password on wireless ADSL router and if applicable, wireless access points.
    At the centre of a wireless home network will be a wireless ADSL router and possibly some wireless access points to improve the coverage of the network around the house. However, it is important that after purchasing this equipment that the default username and password for the router and wireless hardware is changed immediately as the default username and password could easily be found out by someone wishing to cause some mischief on the network.

  • Change the System ID - Wireless networking devices come with a default system ID called the SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier). It is easy for a hacker to find out what the default identifier is for each manufacturer of wireless equipment and so it is necessary for this to be changed to something unique. It is important that the SSID is not changed to something that could be easily guessed by a prospective hacker. Many ADSL routers will allow you to hide the SSID.

  • Use Encryption – There are two common types of wireless encryption methods in use today. WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) encrypt your data so that only the intended recipient is supposed to be able to read it. Unfortunately, WEP is known to have some holes in it and it can be cracked by a determined hacker. However, it is unlikely that a hacker will go to great lengths to crack it just to gain access to a residential ADSL connection. If possible, WPA encryption should be used (most older equipment can be upgraded to be WPA compatible). WPA fixes the security flaws in WEP but it is still subject to DOS (denial-of-service) attacks.

  • Use the firewall feature (if available) on your wireless router – Any wireless ADSL router worth its salt should have a firewall feature built in. If the one in your network does, make sure this is switched on as this adds an important layer of security to your network, and should stop any rogue data entering your network.

  • Enable MAC Address Filtering – Each piece of wireless hardware on the network has a unique identifier called a MAC Address. Wireless access points and routers keep track of the MAC addresses of all devices connected to them. MAC address filtering is when wireless routers and access points are set up to only allow access to the network from certain MAC addresses. However, it is possible for a hacker to fake a MAC address and gain access to the network. Software like AirSnare can also be used to only allow certain MAC addresses on the network.

  • Keep each computer on the network up-to-date – It is also important that each computer on the network is kept up to date with Windows security patches from Windows Update, and that each computer on the network has access to up-to-date software virus protection.


Useful Links



I hope this helps somewhat. If you have any questions or queries on any of the information featured here then please PM me or one of the other tutorial members.

By Lowry
5 REPLIES
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Re: General: Wireless Network Security

Quote
One threat to wireless networks is the practice of ‘War Driving’. This is where people drive around in search of an insecure wireless network with the aim of accessing it and most likely, causing some harm.


Can I just correct your comment about `War Drivers`, true War Drivers have no interest in connecting to your wireless network or cracking into to it. They are simply interested to detecting its presence, and recording it in a sad train spotting way, and moving on to increase their count of networks found. A less emotive name that some prefer is Net Stumblers.

That is not to say that there are not crackers (Note I have chosen to leave the term `Hackers` for programmers). Those are interested in cracking your network for personal gain, such as stealing your files or bandwidth. And with bandwidth costing about £1.50 a Gigabyte for Pay as You go accounts, they could push up your monthly charges.

Great tutorial, we need to encourage all users of wireless networks to secure them.

Chilly
N/A

General: Wireless Network Security

Something you missed from your tutorial:

2 rules:
1.Always seperate the wireless network into a seperate subnet
2.Always enforce appropiate trust relationships

To explain further:
1.
Most wireless DSL routers will stick the wireless hosts and the wired hosts into the same subnet. This means if someone cracks your wifi security then they have full access to your wired hosts and it is impossible to seperate them.

2.
Most networks are designed with the assumption that all internal hosts can be trusted and all external hosts should be untrusted by default. In most situations this is adequate, but wireless networks introduce the new risk that a stranger could connect to your internal network.

Suppose your network currently uses 192.168.1.x IP addresses. When adding wireless, first put a router between your current network and what will become the new wireless network:

[internet]-------[ADSL router/modem]----[ethernet switch/hub]-----[ethernet router]-----[ethernet switch/hub]

The other side of this router will be given the IP of 192.168.1.250 on the current network and 192.168.2.1 on the new network.
Now plug a wireless acess point into the switch/hub. The router should have access control lists / packet filtering to prevent the 2 subnets talking to each other. You now need a DHCP server on the same subnet as the wireless access point to hand out 192.168.2.x addresses. Tell this DHCP server the MACs of all your wireless hosts and get it to assign IP addresses, DNS server addresses and the gateway address (192.168.2.1). Get the router to only let these IP addresses through and set static ARP entrys on it. Cisco IOS or any linux distro makes this very easy. Set a route for 192.168.2.0 pointing to 192.168.1.250 as a gateway. Now if anyone connects to your wireless network they will only be able to see your DHCP server, the wireless access point and any wireless hosts. They will not be able to steal your bandwidth or compromise hosts on the other side of the router.
N/A

General: Wireless Network Security

aspiesforfreedom,

While I don't disagree with that you've stated, and far be it from me to comment on Matt's (lowry's) behalf.

I think some of the items mentioned within your posting might not be suitable for audience the tutorial was written with in mind. Not everyone understands the concepts etc. behind subnets for example.

However the material you've posted is perfectly valid, and maybe could be included in a more advanced version or suplementary version to the tutorial.

Finally, this is only my point of view, and I feel it would obviously be upto to Matt to comment with his feelings on the matter.
N/A

General: Wireless Network Security

Perhaps this level of security isn't needed for home users, but it is very important for business users who may be specifically targeted. The basic wi-fi encryption acts as a deterrent to the opportunist wardriver wanting to use your bandwidth. What it doesn't do is protect against a targeted attack.
lowry
Grafter
Posts: 478
Registered: 08-04-2007

General: Wireless Network Security

apiesforfreedom,
Thanks for your feedback. I appreciate any help with the tutorial. I would tend to agree with Aaron though that maybe the topics that you have mentioned (although perfectly valid and very useful) are possibly not appropriate for the intended audience that I had in mind for this tutorial.

It really serves as a basic wireless network security guide for the many newbies to wireless networking that will undoubtedly be present on these forums. I could add a small bit about those topics to the tutorial, and I'll certainly think about it. However, I'll see what the other tutorial team members think about this first.

Thanks again for your assistance and feedback,
matt Wink