Security
From ColumbusFreenet.org - The Columbus Georgia Wireless Community
Securing your Wireless Network
Any network connected to the Internet is at risk of intrusion. Wireless networks add risks of their own, because radio carries your traffic past your walls to anyone within range, but measures can be taken to mitigate them.
Reducing the risks
The following tips apply primarily to 802.11b and 802.11g networks. However, some can help no matter what medium you use for communication in your network.
File and print sharing
Wireless APs (access points) are usually situated on your LAN, behind any router or firewall you may be using. If someone successfully connects to your AP, they'll be on your LAN behind any firewall or NAT device (like a broadband router) that normally protects you from Internet intruders. All shared drives and printers will be exposed to anyone who connects to your AP.
Secure what you share
This means:
- Share only what you need to share (think folders, not your entire C: drive!)
- Set a good password on anything you share. Don't use an easily guessed password: a long one (a phrase rather than a single word) mixing uppercase letters, lowercase letters, and numbers is far harder to guess or brute-force.
Encryption
Encryption is a way of preventing others from reading the contents of your data while it's in transit. Huge books have been written about encryption; you should at least know the basics about using simple encryption to protect your wireless network.
If nothing else, use WEP
Wired Equivalent Privacy, or WEP, is a flawed encryption system that a malicious intruder with freely available tools can break in minutes to a few hours, depending on how much traffic your network generates. It is, however, better than nothing! Most broadband routers ship with a default of no encryption whatsoever, so if you're the least bit concerned about the data on your network you should enable WEP to deter the casual passer-by.
Use good WEP keys
WEP works by using a pre-shared key. You set a particular key on the AP, and you need to set the same key on the clients to connect. This is usually done through the same utility you use to configure your wireless card.
Don't pick an obvious key, like 12345; generate a random hexadecimal key of the full length your hardware supports (40-bit or 104-bit). Changing the key periodically may be recommended to you, but realistically this is probably more trouble than it's worth. The weakness is in WEP's design (a short per-frame IV reused with the same RC4 key), not in how the key is chosen, so a determined attacker using readily available software tools can recover any key in a couple of hours; unless you're changing your key every 30 minutes or so (!) this probably isn't a good way to mitigate the risk.
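Why key quality cannot save WEP, as an added example written for this page (it is not code from the original article): WEP builds each frame's RC4 key from a 24-bit IV, sent in the clear, prepended to the shared key, so any two frames that share an IV are encrypted with the same keystream, and an attacker who knows the plaintext of one of them (an ARP request or DHCP packet is easy to recognise) can XOR out the other without ever learning the key. The RC4 and WEP framing below are the real algorithms; the key, the reused IV and the two frame payloads are constructed sample data, and the key generator shows what a "good" key looks like.

```python
"""Added example: WEP framing, a random-key generator, and keystream reuse."""
import math
import secrets
import zlib

# Constructed sample traffic (not captured from any real network).
ARP_REQUEST = b"ARP who-has 10.0.0.1 tell 10.0.0.42"     # plaintext an attacker can guess
SECRET_REQUEST = b"GET /admin?pass=hunter2 HTTP/1.0"     # traffic the attacker wants


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the generated keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def generate_wep_key(bits: int = 104) -> bytes:
    """Random 40- or 104-bit key; type it into the AP and clients as hex."""
    if bits not in (40, 104):
        raise ValueError("WEP keys are 40 or 104 bits")
    return secrets.token_bytes(bits // 8)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation: IV || RC4(IV || key, plaintext || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the integrity check value does not match."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Attacker's view: both frames carry the same IV, the plaintext of A is known,
    so keystream = C_A xor P_A and the plaintext of B is C_B xor keystream.
    The WEP key itself is never needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("attack needs an IV collision")
    keystream = bytes(c ^ p for c, p in zip(frame_a[3:], known_plaintext_a))
    n = min(len(keystream), len(frame_b) - 3 - 4)   # stop before B's ICV
    return bytes(c ^ k for c, k in zip(frame_b[3:3 + n], keystream[:n]))


def frames_until_iv_collision_random() -> float:
    """Birthday bound for 2^24 randomly chosen IVs: a repeat is expected after
    roughly 5,100 frames. Drivers that restart the IV counter at zero on every
    power-up repeat the low IVs far sooner than that."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


if __name__ == "__main__":
    key = generate_wep_key(104)
    iv = b"\x00\x00\x01"                      # constructed: a low IV reused after a reset
    frame_a = wep_encrypt(key, iv, ARP_REQUEST)
    frame_b = wep_encrypt(key, iv, SECRET_REQUEST)
    print("recovered:", recover_from_iv_reuse(frame_a, ARP_REQUEST, frame_b))
    print("frames until a random IV repeats: about %d" % frames_until_iv_collision_random())
```

The recovered plaintext is exact because the two frames were encrypted under the same IV and key, which is precisely the situation a 24-bit IV guarantees will happen on a busy network; that is why rotating the key every few hours does not help.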
WPA
Wi-Fi Protected Access, or WPA, is the successor to WEP. It was published by the Wi-Fi Alliance as an interim standard, based on a draft of IEEE 802.11i, for encrypting wireless networks until the full 802.11i standard (marketed as WPA2) could be ratified and shipped. Use it wherever your hardware supports it. The pre-shared-key mode (WPA-PSK) needs nothing more than the same passphrase on the AP and each client, but the passphrase should be long: an attacker who records one client joining the network can try passphrases against that recording offline, at leisure.
- Netgear devices that support WPA are listed here.
- Configuring WPA on the WRT54G access point.
- Setting up clients for WPA on Windows XP.
Secure the AP's admin account
Wireless APs (and other network devices) typically ship with a default login and password for the administrative account. Bad guys have all of them memorized, and the lists are published anyway! Even if they didn't have them memorized, they're usually easy to guess... usually something like "admin/admin". Change the password! If the AP offers the option, also disable administration over the wireless side, so the login page is only reachable from the wired LAN.
Lock clients to their MAC address
Many APs can restrict which clients are allowed to associate. Every NIC has a factory-assigned MAC address that appears, unencrypted, in the header of every frame it sends, and the AP can be given a list of the addresses it will accept. MAC addresses can be spoofed, or imitated, and an intruder sniffing your traffic can read the addresses of your legitimate clients straight off the air even on an encrypted network, so it's not a guarantee of security... but it does add another obstacle for any would-be intruder.
Don't broadcast the SSID
Each wireless network is identified by a Service Set Identifier, or SSID, which the AP normally advertises in the beacon frames it sends several times a second. Turning that advertisement off doesn't make the network invisible: clients still send the SSID in the clear when they probe for and associate with the AP, so anyone listening with a wireless sniffer sees it as soon as a legitimate client connects. It is, at most, another step in obscuring your network from someone casually stumbling onto it.
Use a VPN
A Virtual Private Network, or VPN, may be used to authenticate and protect data that travels from your computer's wireless NIC to the main network. This requires more technical knowledge to get working, but is mandatory if you have very sensitive information on your network. A VPN moves the encryption up from the wireless link to the IP layer or above, independent of whatever the AP does, which means your AP can even be wide open if you'd like... but clients won't be able to interact with your network without the proper VPN client setup.
Implementing a VPN is probably not for a casual home network user, as it requires a more complicated set up. It's more geared towards people who are already familiar with this technology, and have a pretty good motivation for keeping people out of their network.
Selecting a gateway
A good VPN solution will typically involve placing a gateway between your network and the wireless AP. This gateway then handles the authentication and encryption, taking the complication away from the AP.
Many do-it-yourselfers use something like Linux or OpenBSD to create a VPN gateway, but there are several commercial operating systems and hardware devices that implement VPN solutions that are compatible with multiple client operating systems.
IPsec
IPsec is the set of IP-layer security extensions (authentication and encryption of individual packets) that was developed alongside IPv6 and is equally available for IPv4. Aside from being rather complicated to understand and configure, it is the most robust and cryptographically secure solution currently available. Keep in mind that even if you do use IPsec, you may forfeit its security benefits if you fail to understand and properly implement it!
PPTP
PPTP is the Point-to-Point Tunneling Protocol. It was developed by a vendor consortium led by Microsoft and is documented in RFC 2637, an informational document rather than an IETF standard (which may or may not be important to you.) It is naturally supported by Microsoft servers and clients, as well as an assortment of other offerings (including some Cisco devices.) Its usual authentication method, MS-CHAP, has well-documented cryptographic weaknesses, and practical attacks on both versions have been published, so treat PPTP as the weakest of the three options listed here.
Microsoft's FAQ on PPTP is available here.
PPP/SSH
Linux hackers can quickly and easily set up a secure tunnel using a PPP/SSH VPN. This encapsulates a regular PPP connection inside of an SSH tunnel, so authentication and encryption come from SSH and no additional software is needed. A simple network with only a few users can easily get by with this. Its main weakness is that the tunnel runs over TCP: when packets are lost, the retransmissions of the outer SSH connection and of any TCP connection inside the tunnel fight each other and throughput collapses, so as the needs increase, the overhead and management will call for something more robust like IPsec.
