Mephisto2

This topic comes up again and again. I have posted regularly on this. I work specificially in the wireless networking industry, so let me offer you some advice.

Carry out the following steps...

1 - Enable WPA if at all possible
Background
WPA (WiFi Protected Access) greatly increases WLAN security. It introduces several new enhancements, including TKIP (Temporal Key Integrity Protocol) that mitigates against so-called AirSnort or Wardriving attacks, and MIC (Message Integrity Check) that protects against Man in the Middle attacks. It also increases the WEP Initialization Vector from 24bits to 48bits, which is a huge improvement, as this makes the statistical likelihood of a weak IV being captured much lower. Finally, WPA introduces a dynamic key management feature, which allows for regular and automatic regeneration of WEP keys.
Implementation
WPA for most home wireless kit will run in WPA-PSK mode. The PSK stands for Pre Shared Key. This is effectively a password that you enter in your Access Point and your client that is used to independently generate new WEP keys on a regular basis. Ensure your passphrase is at least 20 characters long!
Caveats
Not all Access Points support WPA. This is unfortunate, but is not the end of the world. See below...



2 - Change default SSID
Background
SSID (Service Set Identifier) can be considered analogous to a network name. All Access Points come "out of the box" with a default SSID. Every hacker worth his salt will know the most common SSIDs. Common examples are "Linksys" (for Linksys kit), "Netgear" (for Netgear kit), "Tsunami" (for Cisco kit) etc.
Implementation
Change the SSID to something more appropriate to you. Your name, favourite band, pet... whatever. Just don't use the default.
Caveats
None. There is no reason this should not be done.



3 - Disable SSID Broadcast
Background
SSID (Service Set Identifier) can be considered analogous to a network name. Most Access Points "broadcast" this by default. That is, they advertise the SSID to any listening client devices. This is fine for enterprise networks or "hotspots", but there is no reason to advertise your network to your neighbours. You will know the SSID anyway (see above), so you don't need to broadcast it.
Implementation
Different for all manufactures, but it should be pretty obvious. Just look for "SSID Broadcast" and disable it.
Caveats
This should not be considered a security improvement, as it's still possible to ascertain the SSID of a network that is not broadcasting, but it IS best practice. Just do it.



4 - Enable MAC filtering
Background
All Ethernet devices, including WLAN interfaces, have a MAC address. This is a 6-byte hexadecimal address that a manufacturer assigns to the Ethernet controller for a port. MAC addresses are "lower level" that IP addresses and are used on the Data layer. You can setup your Access Point to only allow certain MAC addresses (ie, certain devices) use your WLAN. In other words, you configure it to only allow your computer (laptop, sister/brother's etc) to associate to the WLAN. This will prevent unwanted visitors from hitching a free ride...
Implementation
Search for MAC Filter in your Access Point config guide. You will have to go to each computer you will use on your WLAN and note down their MAC address. Make sure you note down the WIRELESS adaptor, and not the wired network card! It's a bit tedious (as a MAC address is a long sting of hex), but it's worth it.
Caveats
Not entirely foolproof, as experienced hackers can spoof MAC addresses. But it certainly adds greatly to security.



5 - Turn down transmit power
Background
Most Access Points can transmit at up to 100mW; some even more. Why bother covering more area that you need? There's no point is offering temptation to the people across the street, so you should turn down your transmit power to the lowest level that sufficiently covers your house/apartment.
Implementation
Different for every manufacturer. Check your user guide.
Caveats
You may need some tweaking to get it right. If you do, then congratulations. You just carried out what is called a "Site Survey" in the industry. Soon, you'll be doing this for a living!


6 - Change the admin password
Background
All Access Points come with an Admin account and password. You would be surprised at how many people leave these as the default ("Admin" and "Admin" for Linksys kit for example). You should change the password to something only you know as soon as you can.
Implementation
There shouldn't be any problem doing this. Just look for the Admin or Account Management section on your configuration page.
Caveats
Make sure you note down what you change the Admin password to!!



What happens if my Access Point doesn't support WPA?!!!
Well, you can still follow steps 2 to 6 above. But you will have to manually setup a WEP key on your Access Point and your client devices. This is a pain, but ABSOLUTELY NECESSARY. You should also change this regularly; at least once every few months.





Any more questions, feel free to ask.


Mr Mephisto