(You may think you want to leave your network open for other to use. If so, just keep in mind that anything done on-line by another person will be tracked back to your access point or router. So, if they do something illegal you may be the one that is liable.)
Here are the basic things that should be done:
- Never ever use the default settings or password that the manufacturer provided with the equipment.
- Disable remote administration on your router.
- Change the default password for accessing the routers configuration page.
- Turn off the broadcasting of the SSID. (Not a real security measure but it may help keep the neighbors from accidentally using your wireless)
- change the default channel. (Not security but reduces interference from all your neighbors on channel 6)
- Change your default subnet.
- Reduce your key renewal time limit to be less than 12 minutes. I use about 10 minutes (600 seconds).
- MAC Address Filtering - This is the unique identifier that all networking devices have and is assigned by the manufacturer.
On the surface the idea of filtering access to your network by limiting it to your hardware devices seems like a great idea. However it turns out that all the communication between devices sends the MAC and IP address of the source and destination as part of the unencrypted header. So all anyone has to do is use any one of the many freely downloadable network sniffing tools to view the traffic from your wireless network and they have at least 2 MAC addresses and the IP range that is in use based on the 2 IP addresses. If someone is looking for networks to break into they will have one of these sniffer programs. Using this feature will help keep casual or accidental connections from your neighbors or passers buy from happening.
- DHCP Server - Most routers and access points have the ability to act as a DHCP server. A DHCP server dynamically assigns IP addresses to each device that announces it's self to your network. Some may think that disabling the DHCP server option and manually assigning addresses to your devices will keep an attacker from being able to guess you r IP range. As noted above this doesn't really even slow down an attacker. This information is broadcast in the unencrypted header of each message block.
- SSID Broadcasting - Disabling the broadcasting of your SSID or network name to hide your network really only helps keep casual or accidental connections from happening. An attacker will be able to see this information just like the MAC and IP address info mentioned earlier. Using this feature will help keep casual or accidental connections from your neighbors or passers buy from happening.
- WEP Encryption - WEP Encryption was broken from the beginning. It was designed by a group of engineers with out consulting security experts so it has many features that sound good but have been implemented poorly leaving WEP open to easy cracking with in minutes. I could write out everything that is wrong with the implementation but I'll refer you to Gibson Research's web site grc.com where thy provide the audio from a weekly radio show on security that Steve Gibson does with "This Week in Tech" called SecurityNow!. Check out episode 11 "Bad WiFi Security"
- WPA Certification - WPA has been designed much better. It uses TKIP (Temporal Key Integrity Protocol) to manage the keys and RC4 to encrypt the data. WPA is an early implementation of the 802.11i specification before it has been finalized, AES while offered on most hardware may not be properly implemented in this version of WPA. Episode #13 from the SecurityNow! show from grc.com "Unbreakable WiFi Security" discusses this in detail. Essentially TKIP uses RC4 encryption the correct way and dynamically rotates the keys based on a master key generated from your pass phrase. On my Linksys router I have the option of TKIP+AES so it can use the AES encryption rather than the RC4 and have the keys dynamically rotated. Either encryption will work and work well. AES is stronger but it also requires more processing power and some older hardware may not support it. WPA is susceptible to a dictionary attack on the passphrase you use, so using a strong passphrase is important. Steve Gibson has created a web page on his site that securely generates very good random strings of characters you can use.
- WPA2 Certification - is the better choice since it is actually based on the finalized 802.11i specification. In this version AES is officially implemented in a standards based way across hardware. Do not use TKIP even if it is still an option on your hardware with this version of WPA.
Remember to save the passphrase to a file on your computer or on a memory stick so you can just copy and paste it in when configuring devices. You don't want to have to type it in manually and possibly make mistakes. The first part of Steve Gibsons Security Now! episode #14 "Virtual Private Networks (VPN): Theory" talks about the crackability of WPA passphrases.
I'll update this as things change, as they constantly are, in this industry. Updates will be indicated in italic.
Also see these articles at ars The ABCs fo securing your wireless network & Wireless Security Blackpaper.
No comments:
Post a Comment