The best way to ensure the security of your wireless network by far is to perform your own regular security audits. Far from being a complex task, performing an audit involves taking many of the same steps that a hacker might use to try and compromise your network, and using common “tools of the trade” like Network Stumbler and AirSnort. To perform an audit, grab a Wi-Fi equipped laptop or PDA, and then take a walk. Literally position yourself in different areas within and around your home or office, and then try to connect to your network. Keep in mind that Wi-Fi signals can often extend to ranges of up to 1000 feet, so a trip to your parking lot or different floors of your building may be in order.
Your best bet when performing an audit is to start off by configuring the wireless network card in your laptop or PDA with the default security settings, which usually means that no security settings (like WEP or WPA) are enabled. Then, try to associate with different access points on your network. Install and use Network Stumbler to determine whether your network is visible, and how many of your network’s settings this tool can obtain.
Many of the client utilities included with wireless network adapter cards include the ability to scan for additional networks in a manner similar to Network Stumbler. You may be surprised at how many networks you find in your vicinity that you never even knew existed. If you do come across other networks whose owners you recognize (by their SSID value, for example), be sure to let them know of the potential security risks they face. Another benefit of doing so is that you might find that a “neighbour” is using the same wireless channels on their network as you are, which would provide the opportunity for you both to move to a distinct channel, potentially reducing interference and improving performance.
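To turn the results of such a walk-around scan into a checklist, the following added example (not part of the original article) runs the checks this article recommends over a list of observed access points. The record layout, the sample values and the short list of default SSIDs are constructed for illustration and do not follow any real tool's export format. It also goes slightly beyond "same channel" by flagging any neighbour fewer than five channel numbers away, since adjacent 2.4 GHz channels overlap.

```python
# Constructed scan results: one record per access point seen during the audit walk.
SCAN = [
    {"ssid": "linksys", "bssid": "00:11:22:33:44:55", "channel": 6, "enc": "none"},
    {"ssid": "warehouse-7", "bssid": "00:11:22:33:44:66", "channel": 11, "enc": "wep"},
    {"ssid": "", "bssid": "00:11:22:33:44:77", "channel": 1, "enc": "wpa"},
    {"ssid": "cafe-next-door", "bssid": "66:77:88:99:aa:bb", "channel": 8, "enc": "wpa"},
]
# BSSIDs of the access points you own (assumed to be known from your inventory).
OWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}
# Illustrative list of factory-default SSIDs; extend it for your own hardware.
DEFAULT_SSIDS = {"linksys", "default", "netgear"}


def audit(scan, own_bssids):
    """Return (bssid, finding) pairs for every weakness seen on your own APs."""
    own = [ap for ap in scan if ap["bssid"].lower() in own_bssids]
    neighbours = [ap for ap in scan if ap["bssid"].lower() not in own_bssids]
    findings = []
    for ap in own:
        bssid = ap["bssid"]
        if ap["ssid"]:
            # A non-empty SSID in a passive scan means "Broadcast SSID" is on.
            findings.append((bssid, "ssid-broadcast"))
            if ap["ssid"].lower() in DEFAULT_SSIDS:
                findings.append((bssid, "default-ssid"))
        if ap["enc"] == "none":
            findings.append((bssid, "no-encryption"))
        elif ap["enc"] == "wep":
            findings.append((bssid, "wep-only"))
        for other in neighbours:
            # 2.4 GHz channels closer than 5 apart overlap and interfere.
            if abs(ap["channel"] - other["channel"]) < 5:
                findings.append((bssid, "channel-overlap:" + other["bssid"]))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(SCAN, OWN_BSSIDS):
        print(bssid, finding)
```
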
Most access point hardware includes a built-in DHCP server to automatically allocate IP addresses to your wireless clients. In many cases, this range is the same as the range used for other Internet-sharing services, such as Windows ICS. Because of this, you’ll need to be careful of conflicts, since multiple devices (including other access points) may be handing out duplicate IP addresses on your network. Be sure to limit DHCP functionality to a single device by disabling the service on either your access point or other internal servers. If you’re using ICS to share an Internet connection, the DHCP component cannot be disabled, so keep this in mind.
Some folks recommend changing the IP address range used by your DHCP server if possible. Most access points will hand out addresses in the 192.168.0.x range, another well-known fact. Unfortunately, simply disabling DHCP will not solve the problem, since rogue users will commonly configure themselves with a static address in this range as an educated guess. To combat this issue, consider changing the gateway IP address of your access point from the default value (typically 192.168.0.1), and use static addressing for wireless clients instead. If anything, this will make things harder to guess, but realize that anyone using a packet capture utility on a network not using WEP or WPA would still be able to determine the range in use with relative ease via a utility like AirSnort. This is just another reason why implementing MAC address security is critical as a method of limiting which systems can connect to your network.
The fact that numerous security issues with WEP have been brought to light hasn’t gone unnoticed in the eyes of vendors that manufacture Wi-Fi equipment. Although not yet officially standardized by the IEEE (the same folks that standardized the 802.11 Wi-Fi standards), the industry has come together in support of a new wireless encryption method known as Wi-Fi Protected Access, or WPA. WPA addresses many of the shortcomings of WEP by including a facility for dynamically changing the encryption keys used between wireless access points and clients on a regular basis.
Unfortunately, only the newest Wi-Fi equipment currently ships with WPA capabilities, although many vendors are providing firmware updates for existing access points and network cards, so check the vendor’s website for your particular equipment. If your equipment already supports WPA, you’ll need to download an update to get it working with Windows XP clients – see this KB article for more information on how WPA functions, and to download the update (Service Pack 2 for XP also adds WPA capabilities).
Because Wi-Fi networks use radio signals for communication, the packets transferred between wireless clients and access points are literally floating in thin air, for the entire world to see. Even without the ability to associate with an access point, any user running a wireless packet capture utility like AirSnort can literally capture packets and view their contents. To the untrained eye, these packets might seem to contain a fairly useless hodge-podge of information such as an address of a URL being visited by a wireless user. To a potential hacker, however, the information contained within these packets is exceptionally useful. Not only will they provide information such as the IP address range in use on the network, they will also include the network SSID and more. Armed with this information, a hacker looking to connect has already removed a great deal of the guesswork associated with accessing the network.
While you may not be able to control the air over which radio signals travel, you can take steps to control the information that is made visible during wireless transmissions. Just about every access point and wireless network card sold today supports an encryption standard known as Wired Equivalent Privacy, more commonly referred to as WEP. At the most basic level, WEP settings must be configured on both access points and on client systems in order to encrypt the traffic that passes between them. This is usually as simple as turning the setting on in the properties of each, and then configuring what is known as a “shared secret” on all systems. The value chosen for a shared secret should be given the same consideration as any network password – it should be complex, and changed fairly regularly. For example, on a corporate wireless network, you should consider changing this value on all systems at least once every month or two.
Unfortunately, WEP is not quite the security standard it was once envisioned to be. Although it is typically made available in both 64- and 128-bit encryption versions, a number of known flaws in the way that WEP encryption keys are stored have led hackers to create a variety of utilities to get past the security that WEP was meant to provide. For example, utilities like AirSnort can often compromise WEP keys in a matter of minutes, and in many cases much less time. For this reason, many experts claim that it may not be worth implementing WEP at all, since it provides only a low barrier to entry for the experienced hacker. However, since WEP is the only real encryption facility provided with most wireless equipment currently on the market, you should still consider implementing it on your network. It’s simply a case of some security being better than none, and to that end, it still provides enough of a barrier to keep inexperienced users at bay.
If you do decide to implement WEP on your network, one additional note of caution from a performance standpoint – the speed of your wireless network will almost certainly take a hit. With WEP configured, performance degradation of anywhere between 15 and 50% is generally considered normal (lower-end access points tend to fare worse) based on the overhead associated with encrypting each packet.
In much the same way that a traditional Windows network is identified by a workgroup or domain name, wireless networks are “named” using what is known as a Service Set Identifier, or SSID. The default SSID configured on an access point varies between manufacturers, but is always set to a default value in a manner similar to administrator passwords. In the absence of security features like MAC address security, knowing the SSID to a wireless network is typically all that is necessary to form an association with an access point. The SSID values associated with popular access points are also well documented, so you’ll want to be sure to change the SSID for your network. For example, a default SSID of “linksys” should be changed to a unique value for your network.
Hopefully you’re well aware of the difference between a good and a bad password. Some of the same principles should be applied to SSID names. For example, never set the SSID value to something that explicitly identifies you or your organization, such as a proper name or address – this will only make your network easier to locate or identify. Instead, change the SSID value to something a little more obscure.
Another unfortunate default security setting of most wireless access points is that they have a setting known as “Broadcast SSID” enabled by default. What this means is that an access point will broadcast out its configured SSID value for the entire world to see if left unchanged. When systems with a wireless network card come within range of an access point broadcasting its SSID, that network is then listed as an available network (in the wireless network card properties of XP, for example), making it very easy to connect. As a best practice, disable the broadcasting of SSID information if your access point supports it (most do). Understand, however, that if you do disable SSID broadcast, all wireless clients will need to be explicitly configured with the SSID value for the network or they will be unable to form an association.
One of the easiest ways to improve the security of your access points is to implement MAC address security. Available on even entry-level wireless access points and routers, this feature allows you to control exactly which wireless clients can associate with an access point according to their Media Access Control (MAC) address. If this feature is enabled and the MAC address of the client is not present in the configuration, that client will not be able to form the association necessary to access the wireless network.
Although it is possible for MAC addresses to be spoofed, doing so is generally beyond the skill level of most wireless users. Implementing this feature usually involves simply turning it on, and then specifying the MAC addresses of clients that should be allowed to associate with a particular access point. To determine the MAC addresses of client systems, use the ipconfig /all command on Windows ME/2000/XP, or the winipcfg utility on Windows 95/98 systems. Unfortunately, this task can be time consuming on larger networks, where there might be anywhere from tens to hundreds of MAC addresses to enter. It’s also worth noting that on larger networks with more than one access point, the access points will not share the MAC address information that you configure with one another. In other words, on a network with 3 access points, you would need to configure each with all of the MAC addresses of clients that will need to be able to associate. Some higher-end access points allow an administrator to store information about valid MAC addresses on a RADIUS server, and then configure the access point with the IP address of this server. When access points need to authenticate the validity of a wireless client, they can then query the centralized RADIUS server without the need to maintain this information locally.
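Because each access point keeps its own list, it helps to build one allow-list from the clients' ipconfig /all output and then work out what every access point is still missing. The sketch below is an added example, not part of the original article: the ipconfig excerpts, the addresses and the access point names are constructed, and selecting adapters by the word "Wireless" in their name is an assumption about how the connections are labelled.

```python
import re

# Constructed `ipconfig /all` excerpts from two clients (addresses are made up).
CLIENT_A = """\
Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
"""
CLIENT_B = """\
Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-01

Ethernet adapter Wireless Network Connection:

        Physical Address. . . . . . . . . : 00-aa-bb-cc-dd-02
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
PHYS = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*$")


def wireless_macs(ipconfig_text):
    """Return normalized MACs of adapters whose name contains 'Wireless'."""
    macs, current = [], None
    for line in ipconfig_text.splitlines():
        header = ADAPTER.match(line)
        if header:
            current = header.group(1)  # remember which adapter section we are in
            continue
        found = PHYS.search(line)
        if found and current and "wireless" in current.lower():
            macs.append(found.group(1).replace("-", ":").lower())
    return macs


def missing_per_ap(allowed, ap_lists):
    """For each access point, the allowed MACs its local list still lacks."""
    return {ap: sorted(set(allowed) - {m.lower() for m in have})
            for ap, have in ap_lists.items()}


ALLOWED = sorted(set(wireless_macs(CLIENT_A) + wireless_macs(CLIENT_B)))
# Constructed current state of three access points (hypothetical names).
AP_LISTS = {"ap-1": ["00:11:22:33:44:55"], "ap-2": [], "ap-3": ["00:AA:BB:CC:DD:02"]}

if __name__ == "__main__":
    print(missing_per_ap(ALLOWED, AP_LISTS))
```
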
The first and most important tip towards securing a wireless network is to change the default password of your access point. When vendors ship these hardware devices, the password to allow full administrator access is almost always very basic – examples include “admin”, or even the manufacturer’s name in many cases – and well documented online. For this reason, you should always assume that if you leave the default password as is, anyone can easily access, control, and configure your access point, allowing them unrestricted access to your network. In fact, without changing the default password for your access points, every other tip in this article is a moot point, since external users could easily connect to and undo or revise any security features you might have implemented.
To that end, some access point hardware provides a configurable option that does not allow access to the administrative console of the device from wireless clients. If your access point supports this feature, you should definitely enable it, thus restricting administrative access to wired connections only.
Security in the wired world has typically focused on keeping users from the outside world (the Internet) out of private networks through the implementation of firewalls, both hardware- and software-based. Unfortunately, security issues with wireless networks are much more complex, since it’s typically not users from the Internet who pose the most direct threat. Instead, the biggest risk on a wireless network relates to users within close proximity who can connect to and associate with your internal access points, and from there interact with your network just like any other inside user. In this case, there’s no need for the user to get past any type of firewall – by associating with your access point, they’re already in, connected to the internal network. Scared yet? If not, you should be.
As part of trying to make the implementation and integration of wireless networking equipment as streamlined and straightforward as possible, almost all access point hardware devices ship with the least restrictive security settings possible. In fact, almost all security settings are disabled by default. If the default settings of an access point are left as is, it is exceptionally simple for any external user within range (even with limited know-how) to discover and associate with your access points. Operating systems like Windows XP make it even easier to connect to different wireless networks via their scanning processes – by default, any known wireless network within range will be listed as a network that can be connected to, assuming that network hasn’t been properly secured.
Knowing that many wireless networks are not secured, a new pastime has emerged with outside users running specialized software in an attempt to discover said networks. One of the most popular utilities for doing so is a freebie called Network Stumbler (www.networkstumbler.com), a tool that will scan for networks within range, and outline whether security features like encryption are in use on these networks.
A wireless network sniffer called AirSnort can even go as far as to attempt to crack the encryption key used to secure data, and can even be used in conjunction with a GPS to literally map and store the location of the network for future reference. Sometimes referred to as war driving, there are literally users out there in automobiles with laptops, GPS equipment, and external antennas mapping out available wireless networks.
If this wasn’t bad enough, the information often makes its way into a variety of online databases, announcing open networks to the world. Whether the person attempting access to your network is driving around with a laptop or simply in the office or home next to you makes little difference. The critical consideration is that you’ll want to implement the security features available to you, and make it a priority.
Over the course of the past three years, wireless technologies have taken the networking world by storm. Where once a length of Ethernet cable tethered most users, they can now roam freely within most home and office environments, connecting to both internal systems and the Internet from laptops and PDAs with few constraints. While this newfound mobility helps to eliminate many of the inconveniences typically associated with accessing a home or business network, it also brings with it numerous challenges from a security perspective.
While securing a wireless network isn’t terribly difficult, the unfortunate reality is that the majority of wireless networks aren’t properly secured. In a best-case scenario, external users might only use your unsecured wireless network to “borrow” access to the Internet. At worst, these users could end up with completely free rein on your network, with the ability to access sensitive files and information. If you’re currently thinking about implementing a wireless network or already have one installed, properly securing it needs to be a priority.