Proposed Security Article

From ColumbusFreenet.org - The Columbus Georgia Wireless Community
Jump to: navigation, search

Securing your Wireless Network

If your wireless LAN is located in a single family home, then you are probably more at risk from intruders coming in via your Internet connection than from folks gaining access to your LAN over the air. But if your LAN has some means of wireless connectivity, you've added another way to access your LAN that doesn't require getting past your router's firewall and doesn't even require physical access!


Contents

What can I do?

Actually, there's a lot you can do to secure your wireless LAN. Most of these tips apply to 802.11b based LANs, since they're the most prevalent. But some tips are just good network security practice and can help no matter how you build your LAN:

Don't use TCP/IP for File and Printer sharing!

Access Points are usually installed on your LAN, behind any router or firewall you may be using. If someone successfully connects to your Access Point, they'll be on your LAN, just like any of your other clients. But since they'll be using TCP/IP to make the connection, you can easily deny access to MS File and Printer sharing by using a protocol other than TCP/IP for those services. That way, they may get access to your Internet connection, but they won't get access to your files! See this page for instructions on using NetBEUI for File and Printer Sharing.

Follow secure file-sharing practices

This means:

  • Share only what you need to share (think Folders, not entire hard drives)
  • Password protect anything that is shared with a strong password.

Enable WEP Encryption

802.11b's WEP encryption has had a lot of bad press lately about its weaknesses. But a weak lock is better than no lock at all, so enable WEP encryption and use a non-obvious encryption key. Look for and use products that support 128bit WEP. Prices have come down on 802.11b equipment so there's no need to buy something that doesn't support 128bit WEP. See this page if you need help getting WEP to work.

Use WEP for data and Authentication

Some products allow you to separately set the Authentication method to "Shared Key" or "Open System". Use the "Shared Key" method so that encryption is used to both authenticate your client and encrypt its data. See this page for more info.

Use non-obvious WEP keys and periodically change them

While the limitations that some wireless client utilities have don't help (hexadecimal only support, single keys, forgetting keys, etc.), don't make it easy for potential snoops to get onto your LAN by using simple keys like 123456, all ones, etc. Changing the keys periodically is more difficult, because it requires sending out information about the new keys to users and that can be a security problem in itself. But changing keys periodically can help keep your LAN secure, so consider getting a procedure into place to do it.

Secure your wireless router / Access Point (AP)

Your router or Access Point should require a password to access its Admin features. If it doesn't, get one that will! Also, change your password from the default and use a strong one!

Disallow router/ AP administration via wireless

Unfortunately, this feature is usually only present in "Enterprise-grade" APs, and shuts off the ability to administer your Access Point from wireless clients. But if your router/AP has it, use it!

Use MAC address based Access and Association control

Previously available only on "Enterprise-grade" products, many routers and Access Points are being upgraded to have the ability to control the clients that can use them. MAC addresses are tied to physical network adapters, so using this method requires a little coordination and maybe a little inconvenience for LAN users. And MAC addresses can be "spoofed" or imitated/copied, so it's not a guarantee of security. But it adds another hurdle for potential intruders to jump. If you already have a product that doesn't include this feature, check your Manufacturer's Web site for a firmware upgrade.

Don't send the ESSID

ORiNOCO and Apple call the ability to stop their products from sending out the network ESSID the "closed network" feature. Other manufacturers are adding this ability, so check your Manufacturer's Web site for a firmware upgrade. Note that the feature doesn't have a consistent name, so check your product's documentation.

Don't accept "ANY" ESSID

ORiNOCO and Apple's "closed network" feature also won't accept connections from clients using the default "ANY" ESSID. Other manufacturers' products have the ability to not accept clients with an "ANY" ESSID, but you'll need to check your product's documentation, since there's not a consistent name for the feature.

Use VPN

Of course, if you really don't want to take chances with your data, then you should run a VPN tunnel over your wireless connection, too. You may take a throughput hit, but isn't your data's security worth it?

References

Terminology

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox