I spend my day shift working on wireless local area network (WLAN) security related issues so a “How to secure your wireless network” post has always been on my list of post topics. Instead of creating a list from scratch I decided to survey what was already out there and try to post more of a “Best Of” along with a URL of the online resource.
A quick Google search reveals that this topic has been covered several times. My goal is to select resources that provide good suggestions for securing a wireless network and highlight one or more items from each resource. Instead of repeating suggestions available elsewhere , I’ll start with a few comments on recommendations that at one point in time made sense but are no longer considered valid methods for securing wireless networks.
- SSID hiding – Don’t bother..it tends to hurt more than help security situation (see Window XP Wireless Autoconfiguration link and blurb below).
- MAC filter list – This method has some value and may keep your neighbor off your open network but isn’t a good way to implement wireless security. If you are using MAC filtering make sure you are also using encryption (even if it is WEP).
- Access Point (AP) transmit power – In general, limiting AP transimit and station transmit power to what you need for communications is a good idea but reducing power should not be something used instead of encryption.
- Access Point (AP) position – This recommendation is another way of reducing chance AP signal is transmitted beyond exterior walls like AP transmit power control. Again, limiting AP transimit and station transmit power to what you need for communications is a good idea but if it isn’t a software feature in AP or station don’t stress about AP positioning.
Listed below are my suggestions for securing your home or small office wireless network.
- Getting To Know Windows XP Wireless AutoconfigurationWindows XP has a wireless connection manager that makes it very easy to connect to wireless networks. The problem is that it also makes it too easy to connect to networks you don’t want to connect to! The Microsoft article in the link above is very detailed and may be overkill for most.
Best recommendation for the typical user is to manage your “Preferred Networks” list and routinely delete networks that are not yours. Especially if you travel and connect to hotspot/hotel/guest networks often.
When a computer running Windows XP with SP1 or Windows XP with SP2 is in the proximity of two wireless APs belonging to different wireless networks, and one of the wireless APs is broadcasting its Service Set Identifier (SSID), also known as the wireless network name, but the other is not, the computer always connects to the wireless AP that is broadcasting its SSID. This occurs regardless of the preference order of the wireless networks that are configured on the preferred networks list. The reason for this is that wireless auto configuration first tries to match available networks to preferred networks based on advertised SSIDs. If there is no match, wireless auto configuration then tries to find networks that were not advertised that are in its preferred networks list.
- Windows Vista and Wireless NetworksFor you Windows Vista users….things are improving.
MicrosoftÂ® Windows Vistaâ„¢ includes many improvements for connecting to IEEE 802.11 wireless LAN networks. These improvements include new support for non-broadcasting wireless networks, a new set of dialog boxes to more easily connect to or configure connections to wireless networks, and a new way to configure wireless connections at the command line using the Netsh.exe tool.
- Don’t connect to open networks..including your ownMicrosoft has a several online pages about securing your wireless network. They don’t specifically say don’t connect to your own open network but it is implied. Just because it is your own open network doesn’t mean that others can’t see your wireless traffic.
Don’t connect to unprotected wireless networksâ€”it’s possible for someone to monitor your Internet usage and even record your passwords.
If you do connect to an unprotected wireless network, don’t visit a Web site that requires a password unless the Web site is encrypted. To find out if it’s encrypted, look for a lock symbol in the lower-right corner of your browser.
- Remember that WEP is better than nothingThe link above will take you to a Practically Networked post that is a little dated but many of the suggestions are valid and should be followed. In most cases your neighbor will not know how to crack WEP so using it is pretty safe. In general, security is not always about having the most secure system but implementing just enough security to deter a malicious user. If a malicious person were looking for wireless network to connect to they are more likely to avoid your network if is secured and target your neighbor’s open network instead.
If you have wireless devices only support WEP encryption (this is often the case with non-PC devices like media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because in spite of it’s flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don’t use an encryption key that’s easy to guess like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often– preferably every week. See this page if you need help getting WEP to work.
- Turn Off the Network During Extended Periods of Non-UseAgain, another common sense suggestion. Most people adjust AC/heating systems and power off select electronic devices before leaving for vacation. It just makes sense to power down your PCs and wireless AP/router too. Not only will your network be more secure, you’ll save a few pennies on your electric bill. It doesn’t happen often but I have heard of access points resetting to default config, which may leave your network wide open for anyone to gain access to your network.
Also, it is good practice to disable/turn off you wireless card radio/network connection when you are away from your PC for an extended period of time or using a wired connection.
The ultimate in security measures, shutting down the network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is not a concern for broadband modems and routers.
- Disable Ad-Hoc NetworkingThe tip below is from one of the more recent posts. A common trend in newer security best practices is to secure the “end point”. An “end point” is a term security folks use for PCs, PDAs, wireless phones, etc.
If you followed all the recommendations in the lists above your access point and wireless network would be pretty secure against unauthorized access. So, what would a malicious person do? They would target the weakest point…your PC. After all, the PC contains the information they are after not the access point.
Your wireless-enabled computer has two basic modes of communication: infrastructure and ad-hoc networking. In infrastructure mode, all the computers on the network must communicate through the router. So whether you are talking to the Internet or with another computer on the local network, all your communication traffic goes through the router. This is what most people are and should be doing.
In ad-hoc mode, computers can communicate directly with each other without going through a router or any other device. This is great if, for example, you want to share a file with someone quickly. The bad thing is that if you have this mode enabled, those who know what they are doing can get access to all your files, possibly without you even noticing it. To avoid this, we strongly recommend that you disable this function. If you find yourself in a situation where you need to use this feature (such as visiting a friend’s home that only has an ad-hoc network), turn it on for the duration of use and then immediately disable it.
Wireless and security are two of my core blog topics so expect more posts related to securing wireless networks in the near future.