Securing your home wireless network [Archive] - Glock Talk



Cyoung
11-30-2005, 13:37
I am a network administrator on a medium-sized government network somewhere in the South. I have had a lot of folks ask me for advice on securing home/business wireless access points (APs). Here is a quick and easy summary of what to do:

1. Turn on WPA-PSK (pre-shared key or 'personal' mode) security on your wireless access point.

2. Assign one or more keys to the WPA key list; make them all 20 characters or more; include numbers and other odd characters.

3. Turn off the option to broadcast your SSID.

4. Turn on and set up MAC address filtering.

While not making your AP 100% secure, this will make finding it and accessing it hard enough that the malicious user will likely go find another easier target.


Discussion:

WEP sucks. It is not secure. It never was. It was a temporary solution that was never really secure. Go to WPA right now!!! Better yet, go to WPA2 when it becomes more available.

For your keys, do not use common phrases, dictionary words, or other easy-to-guess combos. Do not use the MAC address of the AP, as it is broadcast in the clear, even on encrypted networks. I like to use long combinations like airplane names and numbers (i.e., B2Ste@lthB0mberR0xorsTh3W0rld). Short WPA keys or dictionary keys can be cracked given enough time.

SSID broadcasting. By default, most APs happily broadcast to the world their presence and the name of the Service Set Identifier (SSID). Having this on makes the AP easier to find and connect to. If this is ok for you, great, but turning this off makes it harder for uninvited users to see you, but not impossible.

MAC address filtering. All network devices come from the factory hard wired with a unique number in them. This is called a MAC address. If you tell your AP to only talk to authorized addresses, this will help prevent unauthorized users from getting into your AP. Warning - MAC addresses can be faked very easily.

These steps, when combined, make it rather difficult, but not impossible, to gain unauthorized access to an AP. With all these measures in place, the vast majority of folks will give up and find some other unsecured AP broadcasting an SSID of 'default' or 'Linksys.'
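
The key rules from the post above (20 or more characters, mixed character types, no dictionary words, no AP MAC address), as an added Python example that is not part of the original thread. `audit_passphrase`, `COMMON_WORDS` and the sample MAC are constructed for illustration; the PBKDF2 parameters in `derive_psk` come from IEEE 802.11i, not from the post.

```python
import hashlib
import re

# Constructed sample word list; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "linksys", "default", "wireless", "letmein", "glock"}

def derive_psk(passphrase: str, ssid: str) -> str:
    """256-bit WPA/WPA2-Personal key as defined by IEEE 802.11i:
    PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def _strip_separators(text: str) -> str:
    """Lower-case and drop MAC-style separators so 00:11.. matches 00-11.."""
    return re.sub(r"[:\-.\s]", "", text.lower())

def audit_passphrase(passphrase: str, ap_mac: str) -> list:
    """Return the list of rules from the post that the passphrase breaks."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("not a valid WPA passphrase (must be 8-63 characters)")
    elif len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, passphrase)) for c in classes) < 3:
        problems.append("needs a mix of letters, numbers and other characters")
    # Dictionary check: strip digits/symbols so "Linksys2005!" still matches.
    letters = re.sub(r"[^a-z]", "", passphrase.lower())
    if letters in COMMON_WORDS:
        problems.append("based on a dictionary word")
    # The AP's MAC is sent in the clear, so it must not appear in the key.
    mac = _strip_separators(ap_mac)
    if mac and mac in _strip_separators(passphrase):
        problems.append("contains the AP's MAC address")
    return problems

if __name__ == "__main__":
    ap_mac = "00:11:22:33:44:55"  # constructed AP MAC
    for candidate in ("Linksys2005!", "001122334455", "B2Ste@lthB0mberR0xorsTh3W0rld"):
        print(candidate, "->", audit_passphrase(candidate, ap_mac) or "ok")
    # Same passphrase, different SSID, different key: the SSID is the salt.
    print(derive_psk("password", "IEEE"))
    print(derive_psk("password", "linksys"))
```

Because the SSID is the salt, the derived key depends only on the passphrase and the network name, which is why the length and unpredictability of the passphrase carry the whole defence in pre-shared key mode.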

briantf
12-01-2005, 04:51
Anyone that has the tools to compromise a wireless AP won't even be slowed down by SSID beaconing being turned off. All it does is make the network fussy to connect to, and if you have multiple APs it screws up your roaming.

http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf

Regards,
Brian in CA

Wicked96SS
12-01-2005, 07:17
Good Advice, and the best you are going to be able to do with the tools given.

WEP does stink, but with the 802.11G standard (and beyond), it is much better than the 802.11b stuff. Using Airsnort we were able to break into our wireless network in about 5 minutes with medium traffic with the encryption turned on. This was using a laptop and medium to low traffic. Seems that in 802.11b the PRNG wasn't all that random after all!

Anyhow, what you do, is what I do at home... so, a +1 for ya!

Cyoung
12-01-2005, 08:28
briantf -

You are, of course, right, because the packets of a non-SSID broadcasting network still have the SSID in the clear in service frames. The idea is to take steps that make it harder to get on your local AP, not impossible.

An attacker that determined or equipped will eventually compromise nearly any wireless network given enough time and effort. The idea is to get Joe six-chip to go find easier prey!

Now, WPA2 implemented using 802.1x is nearly impossible to break, but I doubt most users are up to that task!

darth_rifle
12-01-2005, 21:10
Anyone serious about wireless network security should install a Faraday cage.

- D. Rifle

hapuna
12-02-2005, 11:23
Originally posted by Cyoung
I am a network administrator on a medium-sized government network somewhere in the South. I have had a lot of folks ask me for advice on securing home/business wireless access points (APs). Here is a quick and easy summary of what to do:

1. Turn on WPA-PSK (pre-shared key or 'personal' mode) security on your wireless access point.

2. Assign one or more keys to the WPA key list; make them all 20 characters or more; include numbers and other odd characters.

3. Turn off the option to broadcast your SSID.

4. Turn on and set up MAC address filtering.

OK, while I'm with you on most of this, what's not apparent is how that will change how you and your friends use the system. Does #1 mean that every user needs to have the key before they can connect? It also means you need to create an approved list of MAC addresses, right? I have a VOIP phone connected to my wireless network... how do I get it to use a WPA key?

jhall
12-04-2005, 02:20
While we are on the topic of securing networks..

I have a Linksys WCG200. That is a cable modem, router, AP and firewall all rolled into one.

But, as I just recently began looking into securing the network, I just discovered that it doesn't have WPA, just WEP.

I do have WEP on, I'm not broadcasting the SSID, and I have MAC filtering on also.

Anything else I can do to secure it since WEP isn't so great?

Cyoung
12-05-2005, 06:32
With WPA-PSK, yes, you have to tell each connecting machine what the key is. In Windows and the Mac OS, this is quite easy. In fact, if you go ahead and broadcast the SSID, both OSes *should* auto-detect the encryption and just ask for the key. Do yourself a favor and use a loooooong key and change it once in a while.

If you do not broadcast SSIDs, you will need to go to the properties of your wireless adapter, go to the networks tab, and add an entry for the network you are connecting to. It will want the SSID, the type of security (WPA or WPA2) and the key.

To answer the second question, ditch WEP and go to WPA or WPA2.

HVAC-TEK
12-06-2005, 06:54
All good advice, just one thing to add. Change any "factory default" names and passwords. You wouldn’t believe how many office networks, wireless routers are left with the default admin name and password. Doctor’s offices, law offices, just lazy network technicians.

KIM

Cyoung
12-07-2005, 06:20
A big +1 on that one!!!


I wonder if we should sticky this topic. I know it will come up again.

atlp99
12-07-2005, 21:04
While we are talking wireless,
I am running a wireless network at home. Linksys router.
In order to get a solid connection I have to manually input the IP address, default gateway, etc..

That is fine when I am home but every time I take my laptop to school I have to reset it to auto connect to the network at school.

Is there a way to change this so I can just keep it set up to auto detect the network at home and at school?
Thanks

neeko
12-07-2005, 22:17
posted this same advice in another thread, just limit your ip allocation from your dhcp server. if your server only hands out 5 IPs and all your 5 machines have one then an attacker can not get one unless he forces the router to reestablish with each machine.