Wed
30
Apr 08
How to Secure Your Wireless Network
During my recent vacation I was asked to configure the wireless LAN of a friend. I complied and did as I was asked. At the same time I thought I’d share a few of the most basic things with you. Since the most commonly used routers on the market today are 802.11g/802.11 draft-n routers, I will focus on them. Most of the following information should be applicable to older models (802.11b or 802.11a routers) as well, provided the manufacturer has made the appropriate firmware available. That said, let’s get started.
First thing you should do is to look for a firmware update, especially if you own an older model. After having installed the latest firmware, you should change your default router password which is almost always something along the lines of “admin”, “password”, “changeme”, “public”, “private”, or “1234″. A more comprehensive list of default router passwords can be found at Default Router Passwords. Additionally, most routers come pre-configured with an IP address of 192.168.x.y, where x stands for “0″, “1″, “2″, “8″, “11″, or “15″, and y mostly stands for “1″ or “2″. Note that some routers have an IP address of 10.0.0.z where z often enough stands for “1″ or “2″. A strong password doesn’t really protect your network but it should ensure that nobody will mess with your settings.
Next, forget about hiding the SSID (Service Set Identifier). This is an identification code broadcast by a wireless router. That really doesn’t help you at all. You should change the SSID though, just to make it easier for you to identify your network and for that reason alone. There are many people out there who tell you to disable DHCP (Dynamic Host Configuration Protocol) because it prevents hackers from from entering your network. That is not true. DHCP will make your life easier, particularly if you do have guests a few with notebooks or other MIDs (Mobile Internet Devices).
Filtering MAC addresses is a good idea. In Theory. Truth is, that these addresses are easily detected and faked by anyone using the appropriate software. In addition, it requires you to maintain the list meaning that if you or any of your friends change the NIC (Network Interface Card) or the MID, you will also have to update the MAC address. Sure, you could make sure that the new MAC address is changed to the old and known one but that’s not very convenient.
That means, there’s only one ting left: Encryption. There are quite a few Protocols available for you, so here’s how to pick the one best suited for your purposes. The first wireless security protocol was WEP (Wireless Equivalent Privacy). Unfortunately, WEP is old and not safe. It can be cracked in a few minutes so you shouldn’t even bother using it. Of course, WEP is better than no encryption at all. WEP2 is more secure than WEP, but it doesn’t really improve on any of the inherent weaknesses of the WEP model. If you’ve got no other choice, WEP2 is better than WEP.
WPA (Wi-Fi Protected Access) is the way to go. It’s a much better security protocol than WEP. There is WPA and then there is WPA2. As with the predecessor the suffix “2″ indicates a better security. Problem is, that WPA2 wasn’t really designed with backwards compatibility in mind, so it might not work on your router. If you have the choice though, you should go with WPA2. WPA2 is the implementation of the approved IEEE 802.11i amendment. Both WPA and WPA2 feature two security levels: WPA Personal (aka WPA-PSK) and WPA Enterprise. You don’t need to bother with the Enterprise solution. Choose WPA(2) Personal and then select the encryption standard (TKIP or AES) supported by your devices. AES is better than TKIP.
That’s it. Quite easy, I’d say. WPA2 (AES) is the best encryption method available right know and you should make use of it if you can. Hiding the SSID, maintaining a filtering list for MAC addresses, or disabling DHCP won’t help you in that regard. These methods only serve to make your life more difficult than it has to be.
