A guide to securing a wireless network
There has been a lot of talk about securing wireless networks recently, and with some governments passing laws that make such practice obligatory, a lot of Mac switchers and Windows users alike are left a bit in the cold by the incomprehensibility of wireless gear manuals. Don’t get me wrong, it’s always a good thing to read one (especially when you are new to it), but they don’t always explain what exactly you should do and, most importantly, why you should do it.
Now, I don’t pretend to have the best article about wireless network security out there, but I will try to make it as comprehensive as possible, outlining and describing the best practices one can adhere to in locking down a wireless network.
The first thing you should do is read the manual to find out how to log in to your router. If you are new to this whole wireless networking thing, use the Easy Setup CD that usually comes with your hardware. Mac users are, for the most part, left out in the cold, so you have to take a different approach – manual setup.
No matter how big of a task it might be, manual setup is usually the better choice as it gives you more control.
To start a manual setup, you usually have to open your browser and navigate to an address that will look something like: http://192.168.1.1 (or http://10.0.0.2) – again, consult your manual with regards to this. It will also tell you which password to use, although some routers require no password by default. Now, to security.
1. The first thing that you should do is change the name of the administrator account (use marco, peach, mywife – whatever you like) if there is such an option, but most importantly, CHANGE OR SET UP A PASSWORD FOR YOUR ADMINISTRATOR ACCOUNT! There is a reason I put this in capitals: this is the silliest mistake people make, and the first thing hackers do is check whether they can get in using the default password. Default passwords for a lot of wireless hardware can be found on the Internet.
2. Rename your default administrator account if such an option is available. For example, if it is ‘admin’, name it ‘bobtheboss’ instead. This is just another way to make it harder for people practicing wardriving to get into your network by cracking your password using a default administrator account name.
3. Rename your network (the SSID option, which stands for Service Set Identifier) – something like ‘nowiresbox’ will do, and turn off SSID broadcasting. There are two reasons for doing that. The first is that if your network is broadcasting its SSID, few outsiders can resist the urge to poke around to see if they can get in. The second is that a default SSID gives out extra information about your network and what hardware it runs on. Only you should know the SSID of your wireless network and there is no reason why someone else should. While the SSID can still be discovered easily, it is still a good practice to disable its broadcast.
4. Set up MAC address filtering. Every network device (Ethernet card, AirPort, etc.) has an individual MAC address that looks like this: 00:0d:93:8c:2e:3b. With filtering on, only network devices with MAC addresses you specify will be able to connect to your wireless network. To find out your MAC address, open Network Utility (in Applications>Utilities) and click on the ‘Info’ tab. Select ‘Network interface (en1)’ to view info about your wireless card or ‘Network interface (en0)’ to view info about your Ethernet card. The ‘Hardware address’ entry will display the MAC address for each of the interfaces selected. Windows users have to open a command prompt and type ‘ipconfig /all’. Write your MAC addresses down, and put them in your router options as MAC filtering entries. Again, while it is possible for a hacker to spoof a MAC address, this is a good practice that puts another hurdle in front of those who try to get into your network.
5. Set up wireless encryption – this is the second most important step after changing your default password. This means transmitted packets on your network will be encrypted (scrambled) so that they can’t be read by eavesdroppers, meaning that whenever you check on the status of your bank account online, all the login usernames and passwords that you send wirelessly to authenticate your identity will be encrypted. The main methods of encryption are: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2 (enterprise-grade WPA). There are also other methods that authenticate a valid user against a RADIUS server (LDAP directory), but this is most likely overkill for a SOHO environment (unless you have a server that runs your network). The first thing to know is that you should avoid using WEP and use WPA (or, better yet, WPA2) instead, as WEP is very easy to crack with the right tools. Also, try to make up a long encryption key. This guide will be updated with more information on WEP and WPA differences, so keep checking on it.
6. Turn on logging on your router so that you know what’s happened last in case things go sour.
7. Mind that every time you press that reset button, all your settings (including administrator password) default to the factory state. To avoid redoing all the work, after you have set up your router with the instructions above in mind, back up your settings so that when you have to reset your router, you can restore everything back in a snap.
8. Also, sometimes it might be a good idea to limit the number of IP addresses that your router’s DHCP server gives out to only the number of computers you have connected to it. Say, if your router’s IP address is 192.168.1.1 and you have 3 computers in your house, set up the DHCP lease option to give out IPs from 192.168.1.2 to 192.168.1.4 – but make sure you know what you are doing. Otherwise you can turn off DHCP leasing on the router completely and set up each client manually if you know how to do that.
9. Disable wireless login for router administration. Once your router is configured, there is no real need to be able to access its configuration pages wirelessly. This thwarts all those wardriving cowboys who want to hijack your network’s configuration (which contains your ISP login name and password, by the way) wirelessly. If you still need to make changes, it is not a big deal to connect your laptop to your router using an Ethernet cable and do all the maintenance that way.
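Steps 4 and 6 together, as an added example that is not part of the original guide: a Python sketch that builds the MAC filter list from `ipconfig /all` or `ifconfig` output and then checks router log lines for clients that are not on it. The sample outputs, the second MAC address and the router log format are constructed for illustration; real router logs differ between vendors.

```python
import re
# Matches a MAC written with ':' or '-' separators (ifconfig vs. ipconfig style).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

def normalise(mac):
    """Return the MAC in lowercase, colon-separated form."""
    return mac.lower().replace("-", ":")

def extract_macs(text):
    """Collect hardware addresses from `ipconfig /all` or `ifconfig` output."""
    found = []
    for line in text.splitlines():
        # Only accept lines that label a hardware address, not IP or lease data.
        if not re.search(r"Physical Address|\bether\b|Hardware address", line, re.I):
            continue
        m = MAC_RE.search(line)
        if m:
            mac = normalise(m.group(1))
            if mac != "00:00:00:00:00:00" and mac not in found:
                found.append(mac)
    return found

def unknown_clients(log_text, allow_list):
    """Return MACs seen in router log text that are not on the allow-list."""
    allowed = set(allow_list)
    seen = []
    for m in MAC_RE.finditer(log_text):
        mac = normalise(m.group(1))
        if mac not in allowed and mac not in seen:
            seen.append(mac)
    return seen

# Constructed sample input (not real captures).
WINDOWS_SAMPLE = """\
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-0D-93-8C-2E-3B
   IP Address. . . . . . . . . . . . : 192.168.1.2
"""
MAC_SAMPLE = """\
en1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 00:0d:93:aa:bb:cc
"""
ROUTER_LOG = """\
Jan 01 10:00:01 DHCP lease 192.168.1.2 to 00:0D:93:8C:2E:3B
Jan 01 10:05:42 DHCP lease 192.168.1.4 to 02:11:22:33:44:55
"""
if __name__ == "__main__":
    allow = extract_macs(WINDOWS_SAMPLE + MAC_SAMPLE)
    print("Allow-list:", allow, "Unknown:", unknown_clients(ROUTER_LOG, allow))
```

Because a MAC address can be spoofed, an empty "unknown" list does not prove that only your devices connected; it only catches clients that did not bother to imitate one of yours.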
This is all for now, but I shall be updating this guide with more information as I get time to do this, so please keep checking back.

