Old 01-20-2005, 03:50 PM   #8 (permalink)
Mephisto2
Make sure to secure your WLAN.

Here's a repost of my guide on this topic:

Quote:
1 - Enable WPA if at all possible
Background
WPA (WiFi Protected Access) greatly increases WLAN security. It introduces several new enhancements, including TKIP (Temporal Key Integrity Protocol) that mitigates against so-called AirSnort or Wardriving attacks, and MIC (Message Integrity Check) that protects against Man in the Middle attacks. It also increases the WEP Initialization Vector from 24 bits to 48 bits, which is a huge improvement, as this makes the statistical likelihood of a weak IV being captured much lower. Finally, WPA introduces a dynamic key management feature, which allows for regular and automatic regeneration of WEP keys.
Implementation
WPA for most home wireless kit will run in WPA-PSK mode. The PSK stands for Pre Shared Key. This is effectively a password that you enter in your Access Point and your client that is used to independently generate new WEP keys on a regular basis. Ensure your passphrase is at least 20 characters long!
Caveats
Not all Access Points support WPA. This is unfortunate, but is not the end of the world. However...
"What happens if my Access Point doesn't support WPA?!!!"
Well, you can still follow the steps below. And you should manually set up a WEP key on your Access Point and your client devices. This is a pain, but ABSOLUTELY NECESSARY. You should also change this regularly; at least once every few months.



2 - Change default SSID
Background
SSID (Service Set Identifier) can be considered analogous to a network name. All Access Points come "out of the box" with a default SSID. Every hacker worth his salt will know the most common SSIDs. Common examples are "Linksys" (for Linksys kit), "Netgear" (for Netgear kit), "Tsunami" (for Cisco kit) etc.
Implementation
Change the SSID to something more appropriate to you. Your name, favourite band, pet... whatever. Just don't use the default.
Caveats
None. There is no reason this should not be done.



3 - Disable SSID Broadcast
Background
SSID (Service Set Identifier) can be considered analogous to a network name. Most Access Points "broadcast" this by default. That is, they advertise the SSID to any listening client devices. This is fine for enterprise networks or "hotspots", but there is no reason to advertise your network to your neighbours. You will know the SSID anyway (see above), so you don't need to broadcast it.
Implementation
Different for all manufacturers, but it should be pretty obvious. Just look for "SSID Broadcast" and disable it.
Caveats
This should not be considered a security improvement, as it's still possible to ascertain the SSID of a network that is not broadcasting, but it IS best practice. Just do it.



4 - Enable MAC filtering
Background
All Ethernet devices, including WLAN interfaces, have a MAC address. This is a 6-byte hexadecimal address that a manufacturer assigns to the Ethernet controller for a port. MAC addresses are "lower level" than IP addresses and are used on the Data layer. You can set up your Access Point to only allow certain MAC addresses (ie, certain devices) to use your WLAN. In other words, you configure it to only allow your computer (laptop, sister/brother's etc) to associate to the WLAN. This will prevent unwanted visitors from hitching a free ride...
Implementation
Search for MAC Filter in your Access Point config guide. You will have to go to each computer you will use on your WLAN and note down their MAC address. Make sure you note down the WIRELESS adaptor, and not the wired network card! It's a bit tedious (as a MAC address is a long string of hex), but it's worth it.
Caveats
Not entirely foolproof, as experienced hackers can spoof MAC addresses. But it certainly adds greatly to security.



5 - Turn down transmit power
Background
Most Access Points can transmit at up to 100mW; some even more. Why bother covering more area than you need? There's no point in offering temptation to the people across the street, so you should turn down your transmit power to the lowest level that sufficiently covers your house/apartment.
Implementation
Different for every manufacturer. Check your user guide.
Caveats
You may need some tweaking to get it right. If you do, then congratulations. You just carried out what is called a "Site Survey" in the industry. Soon, you'll be doing this for a living!



6 - Change the admin password
Background
All Access Points come with an Admin account and password. You would be surprised at how many people leave these as the default ("Admin" and "Admin" for Linksys kit for example). You should change the password to something only you know as soon as you can.
Implementation
There shouldn't be any problem doing this. Just look for the Admin or Account Management section on your configuration page.
Caveats
Make sure you note down what you change the Admin password to!!



7 - Change default IP address
Background
Most access points come with the default RFC1918 IP address of 192.168.1.1. Most hackers know this. Bad combination. Try changing the IP address to 192.168.x.1, where x is a random number between 2 and 254.
Implementation
Different for every manufacturer. You should be able to do this from the Admin web-page for your access point quite easily.
Caveats
Remember that when you change the IP address of the router, you will have to remember the new one when you access it again via a web-browser!! Of course, that's the whole point, but just don't forget it. Chances are, once you make the change, the current web session will no longer work and you'll have to start another session; you just changed the address after all.



8 - Reduce the size of your DHCP
Background
DHCP (Dynamic Host Configuration Protocol) is a system that dynamically provides your clients (ie computers) with an IP address every time they join a network. In simple terms, your computer gets an IP address from your access point, and you don't have to worry about messing around with esoteric network settings. IP addresses are assigned from a "pool" of available addresses. The AP has to ensure it doesn't give the same address to two computers, or there would be problems. This "pool" of addresses often has up to 254 addresses available. Most home networks have only a handful of computers. By reducing the number of addresses in the DHCP pool to exactly the number of computers you have, you reduce the likelihood of a hacker gaining access to your network. They simply won't get an IP address in the first place.
Implementation
Again, this is different for every manufacturer. It is usually in a "Network" or "DHCP" section on your AP configuration web-page.
Caveats
None really. Just make sure you have enough IP addresses left in your pool for your computers. Remember that reducing the pool to the exact number of computers you have means that "friends" as well as hackers and freeloaders won't be able to use your network either. If you have visitors that come to your home to use the network often, then this may not be suitable.
And here's an overview of some of the wireless gobbledigook you may hear.

Quote:
BACKGROUND

Wireless LANs (or WLANS) are based upon the 802.11 series of standards ratified by the IEEE. There are currently 3 common standards for WLAN networking and 1 standard for PAN (Personal Area Networking).

WLANs can be set up in infrastructure mode, or Ad Hoc mode.

In Infrastructure mode, you use an Access Point (think of it like a radio station) and several clients (ie, PCs or laptops with WLAN network cards). The Access Point transmits radio signals and the clients (the PCs or laptops) receive and transmit to the Access Point. It is exactly like a cell-phone network. Your computers are the phones and the Access Point is the cellular network base station.

In Ad Hoc mode, you simply have two or more PCs or laptops talking to each other directly, without an Access Point. Using the same phone analogy, it's like having two walkie-talkies, transmitting to each other, instead of a cellphone that uses a centralized base station to talk to another cellphone. Ad hoc mode is cheaper (because you don't need an Access Point), but slower and only useful for direct PC to PC connectivity.

All WLANs are 'contention based'. This basically means they are like "wireless hubs". When one station is transmitting, no one else can. They are NOT switched! This means that the actual real-life throughput of WLANS is less than the advertised bandwidth. The most common 802.11b network standard offers 11Mb/s bandwidth, but in reality you will only get around 6Mbs throughput. For the record, this is just like wired Ethernet. You never get the full bandwidth in any advertised network standard.

Finally, all current WLANs also operate in unlicensed spectrum. This means that no license is required, so anyone can set up a transmitter or receiver. This is exactly what you are doing when you buy an Access Point and a wireless network card! The advantage of this is obvious. No licence, no paper work, no hassle. The disadvantage is that anyone can do it, so someone next door might set up a WLAN too, and there may be some interference.



WLAN STANDARDS

802.11b (aka WiFi)
Max speed: 11Mb/s
Spectrum: 2.4Ghz

This is by far the most common standard. Most of the WLAN kit you can buy today uses 802.11b. It is cheap and well understood. It operates in the 2.4Ghz spectrum. Note that this is the same frequency used by older analogue cordless phones and by microwave ovens! Your WLAN will not fry you though, as maximum power is usually around 100mW. Microwave ovens zap things at around 800Watts. It should be noted however, that microwave ovens and older cordless phones can cause interference when they are "on".

802.11b offers 11Mb/s through-put. However, in reality users can expect 6Mb/s maximum bandwidth due to collisions, contention etc.

Within the 2.4Ghz spectrum range used by 802.11b, there are 11 (eleven) channels that can be used. Think of these as "slots" in the 2.4Ghz range. Channel 1 is actually 2.412 GHz, all the way up to Channel 11 which is 2.462 GHz. Note how each channel has a small, but significant change in the actual frequency used (though they are still all in the 2.4Ghz range). Multiple channels are only used when you have multiple Access Points all in or near the same location! They allow you to deploy adjacent cells without causing interference. Most WLANs are setup using channels 1, 6, 11.

Consider four cells side by side. If they used the exact same frequency, you would have lots of interference. But by using separate, non-overlapping channels, you can place the cells beside each other with no interference. See the following diagram of four radio cells, sitting side by side.

Code:
  -----    -----    ------   -----
 { Ch1 }  { Ch6 }  { Ch11 } { Ch1 } {etc...}
  -----    -----    ------   -----
Each cell is adjacent (or even overlapping a bit), but is using different channels. This means they do not interfere with each other.

For reference, the channels are:

Code:
1	2.412 GHz
2	2.417 GHz
3	2.422 GHz
4	2.427 GHz
5	2.432 GHz
6	2.437 GHz
7	2.442 GHz
8	2.447 GHz
9	2.452 GHz
10	2.457 GHz
11	2.462 GHz
There are some additional channels (12, 13 and 14) available for use outside of the US and Australia. Don't worry about them.

802.11a (aka WiFi-5)
Max speed: 54Mb/s
Spectrum: 5Ghz

This is a newer standard and it offers much higher bandwidth. The equipment is expensive and it is unlikely you shall see it in "retail" or "home network" devices. It has many advantages for enterprise companies who have lots of money. For example, you can use up to 8 non-overlapping channels. This is great if you are a company trying to install lots of APs (Access Points), as you can pack the cells in tighter, but is of little interest to home networkers.


802.11g
Max speed: 54Mb/s
Spectrum: 2.4Ghz

802.11g uses the same frequency as 802.11b but offers speeds of up to 54Mb/s. This is achieved by using different multiplexing (which I won't go into here). One of the major benefits of 802.11g is that it is backwards compatible with 802.11b. What does this mean? Basically, an 802.11g network can support both 802.11b clients and 802.11g clients. Remember, they both use the same frequency of 2.4Ghz. The only disadvantage with this is that the 802.11g Access Point will "drop down" to the slower speed for the entire cell. This means even one 802.11b (11Mbs) client will bring down the speed of the entire 802.11g (54Mbs) cell. Pretty obvious when you think about it.

802.11g cards and Access Points are readily available, and are slightly more expensive than 802.11b ones. It should be noted that only the very newest ones will be compliant with the standard, as it was only ratified in June 2003. The "pre ratification" versions out there already can probably be upgraded via firmware/PROM flashing.


802.15 (aka BlueTooth)
Max speed: 10Mb/s
Spectrum: 2.4Ghz

BlueTooth is known as a PAN or Personal Area Networking. It is not really a WLAN standard and I only include it here for completeness. BlueTooth operates in the same frequency as 802.11b and 802.11g (2.4Ghz) and can cause service degradation. It won't "knock out" your WLAN, but if two transmitting devices are close together (say a WLAN card and a BlueTooth dongle on your PC), you will see a significant impact upon your WLAN performance. Keep BlueTooth devices at least 25cm from 802.11b or 802.11g cards if possible.



SECURITY

Security in 802.11 wireless networks is based upon the WEP encryption protocol. WEP stands for Wired Equivalency Protocol, but don't be fooled. Native WEP on its own is not as secure as a wired LAN.

Originally WEP was based upon 48bit keys, but almost everyone now uses the much stronger 128bit keys (some manufacturers even offer 256bit versions). This is still hackable, if the hacker captures between 1,000,000 and 4,000,000 packets. It should be noted that, for a normal home network, this would mean HOURS of someone surreptitiously hiding nearby, their laptop in hand and actively "listening" to your network traffic. Afterwards, they then need to run their capture through a cryptographic tool to get your key. A lot of work to hack into someone's home network, but possible nonetheless.

WEP is certainly not sufficient for enterprise networks, and a lot of work has been put into improving WLAN security over the past year. But it is fine for home networks. Don't let anyone else convince you otherwise.

This is especially the case when you consider the new enhancements introduced with WPA.


WPA - WiFi Protected Access
This new standard is a set of security hardenings that greatly increase the security of WLANs. Without going into too much technical detail, WPA introduces two major enhancements.

TKIP Temporal Key Integrity Protocol
This basically rehashes the WEP encryption key every packet.

MIC Message Integrity Protocol
This is conceptually like a CRC value.
It protects against "man in the middle" attacks; ie, someone intercepting and changing a packet's contents.

WPA effectively mitigates (ie, reduces) all known security weaknesses in WEP based WLAN standards; as long as you use a key of 20 characters or more.

For home deployments, WPA is run in what is called WPA-PSK mode (WPA - Pre Shared Key). Effectively this means you enter a key (think of it as a code) into your Access Point and any clients. The Pre Shared Key is used to generate new WEP keys on a regular basis. Remember WEP keys are what are used to actually encrypt your traffic. The PSK is simply another code (or key) that is used by the AP and clients to generate new WEP keys, without having to transmit them over the air. They both independently calculate the new WEP based upon the PSK and an encryption algorithm. This capability is what is known as "dynamic key management". It should be noted that it is important your PSK (or "shared secret") is as long as possible. I STRONGLY recommend you use at least 20 characters, and don't choose a normal English word (these are easier to guess). Select some random string of characters and numbers.



802.11i
802.11i was recently ratified by the IEEE. The main enhancement is the replacement of WEP with AES (Advanced Encryption Standard). This is the encryption standard that the Pentagon uses. AES is a cipher block encryption standard. As such it is fundamentally more secure than WEP. However, AES is rather processor intensive. Most current wireless cards will not be able to support AES in hardware, and will have to resort to new drivers/software to support it in software. This will have a significant impact upon performance. Most current APs can be flashed to support AES, though with some older models you may be out of luck.

Note that WEP plus WPA (with a 20+ character secret) offers security that is just as strong (for most users and purposes) as 802.11i.


WPA2
WPA2 is an upcoming "standard" defined by the WiFi Alliance. WPA2 is just a rebranding of 802.11i.



EAP
EAP, or Extensible Authentication Protocol is a framework for introducing improved higher level authentication mechanisms to WLANs. It is based upon 802.1x, an ethernet port authentication protocol. EAP does not work alone, but relies upon 3rd parties (ie, Microsoft, Cisco etc) developing "plug ins" (for want of a better term) that provides the specific authentication mechanisms. The most common are LEAP (developed by Cisco), EAP-TLS (primarily Microsoft), PEAP (Cisco, Microsoft) and EAP-TTLS (Funk etc).

EAP is used to manage authentication. This is different from encryption. Authentication is a big issue for large companies that want to ensure only the right people can log onto their networks. This is a separate problem from worrying about encrypting the actual data that is being transmitted wirelessly. Home users do NOT have to worry about authentication. I include reference to EAP and 802.1x here for completeness only.


802.1x
802.1x is an Ethernet authentication protocol. In very basic terms, it "blocks" access on an ethernet port until the device (PC, printer, IP phone etc) successfully proves its identity. This is an excellent tool for improving network security in enterprise environments but is of no real interest to home users.



OTHER STANDARDS

You may hear reference to the following standards.

802.11a - 54Mbs 5Ghz WLAN standard
802.11b - 11Mbs 2.4Ghz WLAN standard
802.11c - Provided MAC documentation to ISO (don't worry about this - just paperwork for IEEE)
802.11d - Worldmode (ensures worldwide compatibility with cards and Access Points)
802.11e - QoS (Quality of Service; this is needed to improve network reliability for voice applications etc)
802.11f - Inter Access Point Protocol (IAPP); this handles "roaming" from one radio cell to another
802.11g - 54Mbs 2.4Ghz WLAN standard
802.11h - Transmission Power Control (TPC) and Dynamic Frequency Selection (DFS); this is required for use of 5Ghz in Europe
802.11i - Enhanced security based upon US Federal FIPS standards (ie, extremely secure)
802.11j - Japan enhancements (don't ask...)
802.11n - Super-fast new standard under development; two contending proposals (pre-standard products expected in 2005)
802.1x - Ethernet Port Authentication. Not a wireless standard per se, but integral to enterprise class WLAN security.
802.3af - Ethernet Inline Power - A standard for powering access points off the network cable, rather than the mains. Only important for enterprise class deployments.

Any questions, just ask.


Mr Mephisto
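The post above says the AP and each client "independently calculate" their keys from the Pre Shared Key and that the PSK should be 20+ random characters rather than a dictionary word. The following is an added example, not part of the original post or any vendor's code: it implements the WPA-PSK passphrase-to-PMK derivation as standardised in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output) and a small checker for the post's own passphrase advice. The `WEAK_WORDS` list and the sample SSIDs are constructed for the demonstration; the "password"/"IEEE" vector is the standard's published test vector.

```python
import hashlib
import hmac
import string

# WPA-PSK (802.11i) turns the passphrase into a 256-bit Pairwise Master Key.
# Both sides compute this locally; the PMK is never sent over the air.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # bytes

# Constructed list standing in for a real dictionary check (assumption).
WEAK_WORDS = {"password", "wireless", "internet", "linksys", "netgear"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for (passphrase, ssid) as 802.11i specifies it.

    The SSID is the salt, so the same passphrase on two differently named
    networks yields two unrelated keys. Passphrases must be 8..63 ASCII chars.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrases must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return derive_pmk(passphrase, ssid).hex()


def check_passphrase(passphrase: str, min_len: int = 20) -> list:
    """Apply the post's advice: 20+ characters, not a plain English word,
    mixed characters and digits. Returns a list of problems (empty = OK)."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if passphrase.lower() in WEAK_WORDS:
        problems.append("is a common word")
    if not any(c in string.digits for c in passphrase):
        problems.append("contains no digits")
    if not any(c in string.ascii_letters for c in passphrase):
        problems.append("contains no letters")
    if len(set(passphrase)) < 8:
        problems.append("too few distinct characters")
    return problems


def same_pmk(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, as a verifier of a derived key should use."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Standard test vector from the 802.11i annex.
    print("password/IEEE ->", pmk_hex("password", "IEEE"))
    # Same passphrase, two constructed SSIDs: different PMKs because the
    # SSID is the salt. This is one reason the post tells you to change
    # the default SSID.
    print(pmk_hex("correct horse battery staple 42", "linksys")[:16])
    print(pmk_hex("correct horse battery staple 42", "MyHomeNet-7f3a")[:16])
    for candidate in ("password", "correct horse battery staple 42"):
        print(repr(candidate), check_passphrase(candidate) or "OK")
```

Run it directly to see the test vector and the two SSID-dependent keys; the derivation is deliberately slow (4096 HMAC rounds) so that guessing passphrases offline costs an attacker time, which is why length and randomness of the PSK matter more than anything else in the post's list.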