Newsscan Computer Security Column
Stephen Cobb, CISSP and Chey Cobb, CISSP
Securing Your Wireless Network
For many computer users, wireless networks are the greatest
thing since sliced bread. No longer are you tied to a desk; you can compute
and browse from the comfort of your living room, your bed, or even while
you cook dinner. The ease with which most wireless access points install
is astounding, too. No wonder wireless networking has become so hot so
quickly.
There's only one problem: by default, most wireless installations
offer no security. None. Nil. Zilch.
This means that your next door neighbor or the business
in the next office can surf for free off your connection and can probably
access some of your hard drives as well. The good news is that this can
be fixed. The bad news is that you'll definitely need the user manual
as not all wireless access points are the same.
The first thing you'll have to do is to turn off the SSID "broadcasts."
The SSID is the Service Set Identifier, otherwise known as the name of
the network. By default this name is continually shouted over the airwaves
and anyone with a wireless card in their laptop can walk by your office
and pick up this broadcast. The default names of the SSIDs are also generally
known, so this makes it easier for people to hop on to your network. If
you think we're kidding, just visit http://www.pasadena.net/apmap/
for maps of Southern California showing over 1,500 available wireless
networks.
The next thing you need to do is to change the default SSID name.
For example, the default SSID for Linksys wireless access points is "linksys"
(as though all the imagination was expended on product design, before
the time came to choose a name). The new name should be meaningful to
you, but not to the potential hacker as they will frequently try to guess
names of networks. Frequently used names are "accounting," the
business name, or the street address. Remember that you're only obscuring
your network from casual viewers right now. You haven't actually done
anything to prevent them from finding you and hopping on.
Your next task is to change the default password for
maintenance and changes to the wireless access point. Again, the default
passwords are widely known in the hacking community and many wireless
users forget this simple change. It's of no use to make other security
changes to your wireless network if someone else can simply use an unchanged
default password to change everything back to the way it was.
After you've changed the password to something strong and unguessable,
you'll want to turn off "remote management"
if your system allows it. Frequently the wireless access points will have
a Web interface that allows you to log on to the access point from outside
of your network. This is on by default for ease of maintenance and is a
big security vulnerability; turning off remote management means
you can only make changes to the access point from inside your own network.
The most difficult task, enabling WEP (Wired Equivalent Privacy), is
really not all that difficult. This is a weak encryption scheme
that scrambles the data passing over the network. It's not perfect by
any means, but as long as you're aware that it is not perfect, it's much
better than nothing. You'll definitely need your user's manual for this
change. The vendors all have different methods of enabling WEP and you'll
want to make sure you're doing it correctly. You'll need to either enter
a passphrase that will generate a shared key or the keys will be already
coded for you. Remember the passphrase because you may need it later.
You'll also want to make WEP "required" for
all connections. Just because you've enabled it doesn't mean that
everyone will need to use it yet. After you've made WEP required, you'll
have to go around to all the machines using the wireless connection to
make sure that they are WEP enabled. If you have Windows XP, the job is
made simpler by using their Wireless Connection Manager.
Part of the problem with wireless security is that the authentication
required to get on to the network is very weak. There are a couple of
ways to address this weakness.
By filtering on the MAC (Media Access Control) addresses
of your computers, you can restrict access to only the MAC addresses you've
listed. The MAC address is a unique number associated with the network
card and, if you have a small network, it's an easy way to keep outsiders
out. You simply enter all the MAC addresses of the computers on your network
into the appropriate area of your wireless access point. Again, you'll
need your manual to find out how to make these changes. You'll also need
to keep the list up to date when you change or add computers. MAC addresses
can be spoofed, so this measure isn't foolproof, but it is effective against
casual hacks.
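The steps above (SSID broadcast, SSID name, admin password, remote management, WEP required, MAC filter) amount to a checklist, and a checklist can be audited. The following is an added example, not code from the column or from any access point vendor: it models the settings as a hypothetical AccessPointConfig, audits a constructed "as shipped" configuration against a hardened one, and also validates the MAC allow-list entries, since a mistyped address silently locks a machine out. The default SSID "linksys" comes from the column; the other default values are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model of the settings the column walks through; real access
# points expose the same options under vendor-specific names and menus.
@dataclass
class AccessPointConfig:
    ssid: str
    ssid_broadcast: bool
    admin_password: str
    remote_management: bool
    wep_enabled: bool
    wep_required: bool
    mac_filter_enabled: bool
    mac_allow_list: list = field(default_factory=list)

# "linksys" is the default SSID named in the column; the other values are
# constructed placeholders standing in for whatever a vendor actually ships.
DEFAULT_SSIDS = {"linksys", "default", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "VENDOR-DEFAULT-PLACEHOLDER"}
MAC_RE = re.compile(r"^([0-9A-F]{2}[:-]){5}[0-9A-F]{2}$")

def audit(cfg: AccessPointConfig) -> list:
    """Return the column's recommendations that this configuration does not meet."""
    findings = []
    if cfg.ssid_broadcast:
        findings.append("SSID broadcast is on")
    if cfg.ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    if cfg.admin_password in DEFAULT_ADMIN_PASSWORDS or len(cfg.admin_password) < 8:
        findings.append("admin password is default or too short")
    if cfg.remote_management:
        findings.append("remote management is enabled")
    if not cfg.wep_enabled:
        findings.append("WEP is disabled")
    elif not cfg.wep_required:
        findings.append("WEP is optional, not required")
    if not cfg.mac_filter_enabled:
        findings.append("MAC filtering is off")
    elif not cfg.mac_allow_list:
        findings.append("MAC filter is on but the allow list is empty")
    else:  # entries must be six hex pairs, colon- or dash-separated
        bad = [m for m in cfg.mac_allow_list if not MAC_RE.match(m.upper())]
        if bad:
            findings.append("malformed MAC entries: " + ", ".join(bad))
    return findings

# Constructed samples: an access point as shipped, and the same unit afterwards.
SHIPPED = AccessPointConfig("linksys", True, "admin", True, False, False, False)
HARDENED = AccessPointConfig("q7-lab-west", False, "correct horse battery", False,
                             True, True, True, ["00:11:22:33:44:55", "00-11-22-33-44-66"])
```

Running audit(SHIPPED) lists every unmet recommendation, while audit(HARDENED) returns an empty list; the same function can be re-run after each change to an access point's settings.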
If you have a large network, keeping track of MAC addresses might be judged
too cumbersome. In that case you may want to upgrade your wireless access
points and cards to use EAP, or Extensible Authentication Protocol.
Enabling this will require more work and sophistication on your part because
you'll have to have a strong authentication scheme to go along with it.
You'll need a server that can handle digital certificates and/or security
tokens for authentication. In addition, you'll need to upgrade all the
wireless cards to make sure they can handle EAP. This is one protocol
that's not backwards compatible and older wireless network cards may not
work. All of this represents an outlay of some capital to implement so
you should have a serious commitment to it before you begin.
More serious security solutions for wireless networks are coming, and
we may even see some security included in the default settings before long!
Until then, you're on your own, so it's up to you to do the best you can.