Securing your home wireless network - Tilted Forum Project Discussion Community

Mephisto2 · 12-05-2004, 08:01 PM

Someone asked me for a brief explanation of WPA and the steps required to secure your home wireless network. I decided to repost this guide as a result.

Quote:

The following is a list of steps you should undertake to secure your home wireless network. These tips are suitable for home networks only, as enterprise deployments have their own, considerably more complex, methods.

1 - Enable WPA if at all possible
Background
WPA (WiFi Protected Access) greatly increases WLAN security. It introduces several new enhancements, including TKIP (Temporal Key Integrity Protocol) that mitigates against so-called AirSnort or Wardriving attacks, and MIC (Message Integrity Check) that protects against Man in the Middle attacks. It also increases the WEP Initialization Vector from 24bits to 48bits, which is a huge improvement, as this makes the statistical likelihood of a weak IV being captured much lower. Finally, WPA introduces a dynamic key management feature, which allows for regular and automatic regeneration of WEP keys.
Implementation
WPA for most home wireless kit will run in WPA-PSK mode. The PSK stands for Pre Shared Key. This is effectively a password that you enter in your Access Point and your client that is used to independently generate new WEP keys on a regular basis. Ensure your passphrase is at least 20 characters long!
Caveats
Not all Access Points support WPA. This is unfortunate, but is not the end of the world. However...
"What happens if my Access Point doesn't support WPA?!!!"
Well, you can still follow the steps below. And you should manually setup a WEP key on your Access Point and your client devices. This is a pain, but ABSOLUTELY NECESSARY. You should also change this regularly; at least once every few months.

2 - Change default SSID
Background
SSID (Service Set Identifier) can be considered analogous to a network name. All Access Points come "out of the box" with a default SSID. Every hacker worth his salt will know the most common SSIDs. Common examples are "Linksys" (for Linksys kit), "Netgear" (for Netgear kit), "Tsunami" (for Cisco kit) etc.
Implementation
Change the SSID to something more appropriate to you. Your name, favourite band, pet... whatever. Just don't use the default.
Caveats
None. There is no reason this should not be done.

3 - Disable SSID Broadcast
Background
SSID (Service Set Identifier) can be considered analogous to a network name. Most Access Points "broadcast" this by default. That is, they advertise the SSID to any listening client devices. This is fine for enterprise networks or "hotspots", but there is no reason to advertise your network to your neighbours. You will know the SSID anyway (see above), so you don't need to broadcast it.
Implementation
Different for all manufactures, but it should be pretty obvious. Just look for "SSID Broadcast" and disable it.
Caveats
This should not be considered a security improvement, as it's still possible to ascertain the SSID of a network that is not broadcasting, but it IS best practice. Just do it.

4 - Enable MAC filtering
Background
All Ethernet devices, including WLAN interfaces, have a MAC address. This is a 6-byte hexadecimal address that a manufacturer assigns to the Ethernet controller for a port. MAC addresses are "lower level" that IP addresses and are used on the Data layer. You can setup your Access Point to only allow certain MAC addresses (ie, certain devices) use your WLAN. In other words, you configure it to only allow your computer (laptop, sister/brother's etc) to associate to the WLAN. This will prevent unwanted visitors from hitching a free ride...
Implementation
Search for MAC Filter in your Access Point config guide. You will have to go to each computer you will use on your WLAN and note down their MAC address. Make sure you note down the WIRELESS adaptor, and not the wired network card! It's a bit tedious (as a MAC address is a long sting of hex), but it's worth it.
Caveats
Not entirely foolproof, as experienced hackers can spoof MAC addresses. But it certainly adds greatly to security.

5 - Turn down transmit power
Background
Most Access Points can transmit at up to 100mW; some even more. Why bother covering more area that you need? There's no point is offering temptation to the people across the street, so you should turn down your transmit power to the lowest level that sufficiently covers your house/apartment.
Implementation
Different for every manufacturer. Check your user guide.
Caveats
You may need some tweaking to get it right. If you do, then congratulations. You just carried out what is called a "Site Survey" in the industry. Soon, you'll be doing this for a living!

6 - Change the admin password
Background
All Access Points come with an Admin account and password. You would be surprised at how many people leave these as the default ("Admin" and "Admin" for Linksys kit for example). You should change the password to something only you know as soon as you can.
Implementation
There shouldn't be any problem doing this. Just look for the Admin or Account Management section on your configuration page.
Caveats
Make sure you note down what you change the Admin password to!!

7 - Change default IP address
Background
Most access points come with the default RFC1918 IP address of 192.168.1.1. Most hackers know this. Bad combination. Try changing the IP address to 192.168.x.1, where x is a random number between 2 and 254.
Implementation
Different for every manufacturer. You should be able to do this from the Admin web-page for your access point quite easily.
Caveats
Remember than when you change the IP address of the router, you will have to remember the new one when you access it again via a web-browser!! Of course, that's the whole point, but just dont' forget it. Chances are, once you make the change, the current web session will no longer work and you'll have to start another session; you just changed the address after all.

8 - Reduce the size of your DHCP
Background
DHCP (Dynamic Host Configuration Protocol) is a system that dynamically provides your clients (ie computers) with an IP address every time they join a network. In simple terms, your computer gets an IP address from your access point, and you don't have to worry about messing around with esoteric network settings. IP addresses are assigned from a "pool" of available addresses. The AP has to ensure it doesn't give the same address to two computers, or there would be problems. This "pool" of addresses often has up to 254 addresses available. Most home networks have only a handful of computers. By reducing the number of addresses in the DHCP pool to exactly the number of computers you have, you reduce the liklihood of a hacker gaining access to your network. They simply won't get an IP address in the first place.
Implementation
Again, this is different for every manufacturer. It is usually in a "Network" or "DHCP" section on your AP configuration web-page.
Caveats
None really. Just make sure you have enough IP addresses left in your pool for your computers. Remember that reducing the pool to the exact number of computers you have means that "friends" as well as hackers and freeloaders won't be able to use your network either. If you have visitors that come to your home to use the network often, then this may not be suitable.

I hope this is of some help. Any further questions, just ask.

Mr Mephisto

theFez · 12-05-2004, 09:39 PM

I personally disable dhcp and statically assign ip addresses for my machines and only allow the assigned addresses to connect.

And also if you disable SSID broadcast it seems like Windows will glom onto any broadcasting AP before it will use your non-broadcasting network. so if you neighbors are like mine and have wide open networks cheerfully broadcasting away, you may not be able to access your AP.

Mephisto2 · 12-05-2004, 09:49 PM

Quote:

Originally Posted by theFez

I personally disable dhcp and statically assign ip addresses for my machines and only allow the assigned addresses to connect.

And also if you disable SSID broadcast it seems like Windows will glom onto any broadcasting AP before it will use your non-broadcasting network. so if you neighbors are like mine and have wide open networks cheerfully broadcasting away, you may not be able to access your AP.

You can if you setup your own wireless network, and make sure it's higher up in the priority list.

Either that, or disable WZC entirely.

Mr Mephisto

lk_3000 · 12-05-2004, 10:33 PM

If i disable dhcp, and use static ips for each computer would i need to add the other network numbers?

mikec · 12-06-2004, 03:45 PM

good stuff mr. mephisto!

vox_rox · 12-06-2004, 04:02 PM

Quote:

Originally Posted by lk_3000

If i disable dhcp, and use static ips for each computer would i need to add the other network numbers?

Disabling DHCP does not, by itself, make anything more secure. As was mentioned in several of the sections of the most excellent post above, hackers do not need to have specific access righs,MAC addresses IP addresses etc, they just need to know if one exists on your network, and then they can spoof that.

The real keys are enabling every aspect of security that you know how to use, and learn about the ones that you don't. All you need to do to keep war drivers away from your network is to make it difficult for them, because there's always a guy down the street who thinks that the "guru" from Future Shop has taught him everything he needs to know to have a secure wireless network, and he is the perfect target.

All in all, I think if you follow the directions in this post, including doing some reading on aspects that you may not be aware of, you are well on your way.

For me, I simply choose not to go wireless, simply no need to right now in my home. I have a DSL router/firewall, and I keep my home network prety closed up. But that's just me, and I think that hackers may be out to get me.

Paranoid? Yes.
Deranged? Oh, quite possibly.
IS there anyone out to get me? Probably not.

Peace,

Pierre

mosha · 12-06-2004, 05:08 PM

awesome thanks for the great wirte up.

portwineboy · 01-07-2005, 12:49 PM

My Dad finally got broadband and went with Verizon DSL. They sent him a kit with a wireless router (some POS) and the thing was automatically on and broadcasting with absolutely no security and from what I could tell, no documentation from Verizon saying "hey, secure this puppy!"

I wind up keeping a copy of your guide in my Palm, Mephisto. It's come in handy 4-5 times now when I'm at a friend's place and find a WAP...almost always completely open. Thanks!

nine · 01-08-2005, 05:34 AM

Windows 2000 does not support WPA (Windows XP does, with SP2). However, there is a free client that support WPA under Windows 2000 here

http://www.wirelesssecuritycorp.com/...PAAssistant.do

I don't need it - but some might be able to.

bendsley · 01-11-2005, 06:32 AM

Something that I put up to help any of you in trying to figure out secure WEP keys.

WEP generator.
http://www.floabie.com/wep/

12-05-2004, 09:39 PM	#2 (permalink)
theFez Crazy Location: here and there	I personally disable dhcp and statically assign ip addresses for my machines and only allow the assigned addresses to connect. And also if you disable SSID broadcast it seems like Windows will glom onto any broadcasting AP before it will use your non-broadcasting network. so if you neighbors are like mine and have wide open networks cheerfully broadcasting away, you may not be able to access your AP. __________________ # chmod 111 /bin/Laden

12-06-2004, 03:45 PM	#5 (permalink)
mikec I flopped the nutz... Location: Stratford, CT	good stuff mr. mephisto! __________________ Until the 20th century, reality was everything humans could touch, smell, see, and hear. Since the initial publication of the charted electromagnetic spectrum, humans have learned that what they can touch, smell, see, and hear is less than one millionth of reality

01-07-2005, 12:49 PM	#8 (permalink)
portwineboy Master of No Domains Location: WEEhawken, New Joisey	My Dad finally got broadband and went with Verizon DSL. They sent him a kit with a wireless router (some POS) and the thing was automatically on and broadcasting with absolutely no security and from what I could tell, no documentation from Verizon saying "hey, secure this puppy!" I wind up keeping a copy of your guide in my Palm, Mephisto. It's come in handy 4-5 times now when I'm at a friend's place and find a WAP...almost always completely open. Thanks! __________________ If you can read this, thank a teacher. If you can read this in English, thank a veteran.

01-11-2005, 06:32 AM	#10 (permalink)
bendsley Professional Loafer Location: texas	Something that I put up to help any of you in trying to figure out secure WEP keys. WEP generator. http://www.floabie.com/wep/ __________________ "You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

12-05-2004, 10:33 PM	#4 (permalink)
lk_3000 Tilted	If i disable dhcp, and use static ips for each computer would i need to add the other network numbers?

12-06-2004, 05:08 PM	#7 (permalink)
mosha Crazy Location: Htown, NJ	awesome thanks for the great wirte up.

01-08-2005, 05:34 AM	#9 (permalink)
nine Crazy Location: Doesn't matter - you wouldn't want to be here	Windows 2000 does not support WPA (Windows XP does, with SP2). However, there is a free client that support WPA under Windows 2000 here http://www.wirelesssecuritycorp.com/...PAAssistant.do I don't need it - but some might be able to.