Wi-Fi Security Tips for Home Networks
Top 10 Security Tips for Home Wi-Fi Networks
- Change your router’s access name and password.
- Don’t let users piggyback onto your Wi-Fi net — turn off peer-to-peer connections.
- Stop broadcasting your router’s network ID.
- Approve all wireless network users in advance.
- Turn on wireless data encryption.
- Periodically check router logs for rogue users.
- Use a strong firewall.
- Password-protect your computers and files.
- Put your wireless network on its own subnet.
- Turn off wireless cards and routers when not in use.
1. Change your router’s name and password. This is always the first line of defense. It’s easy for attackers to find out what the default name and password are for various manufacturers. Many also default to using the standard 192.168.1 or 2 subnet internally and give the router itself the IP address of 192.168.1.1 or 192.168.2.1. You should make sure you rename the router, assign a strong password for accessing the router configuration software, and consider changing the IP addressing to a different internal subnet like 192.168.12 or 192.168.83 (you can use any number from 1 to 254 in most cases).
2. Enable infrastructure mode only on all access points and clients on the network. Disable the “ad-hoc” mode, which lets clients set up peer-to-peer networks and could allow rogue users to connect to your network through a legitimate wireless client.
3. Disable SSID broadcast. The SSID (Service Set Identifier) is essentially the network name for the wireless portion. A wireless access point (AP) or router in open network mode will periodically broadcast a beacon signal (usually about 10 times each second) which announces to the world that the network is live and ready to go. The beacon also includes data such as the signal strength and functional capabilities of the AP as well as the SSID. With broadcasting off, wireless clients must first know the SSID before they can connect.
For home networks, this broadcast information is not necessary. You can simply type in the SSID in your wireless client’s setup dialog once, and it will be remembered in future connections. Experienced hackers can still find such “closed” networks, but at least you will not be openly inviting them.
In public-access hotspots or large company Wi-Fi nets, it may still be necessary to broadcast the SSID so that as wireless clients enter the network they are automatically notified of what the SSID is and can try to establish a connection. There are other precautions to take in these cases, as we’ll see later on.
4. Turn on the MAC addressing filter in your wireless router. Most Wi-Fi gateways let you restrict access to known MAC (Media Access Control) addresses. Each network device (such as a computer, Wi-Fi card, or printer) has a unique MAC address, and by allowing access only to pre-defined MAC addresses you greatly reduce the risk of rogue clients connecting with or perusing your network resources. This takes the closed network concept a step further.
Sound foolproof? Not quite. Even if your SSID isn’t broadcast and you restrict access to known MAC addresses, your wireless network may still be detected and compromised. Hackers can capture the wireless data packets as they travel from your access point to your wireless client or vice versa. The captured packets may reveal both the SSID and the MAC addresses of client devices communicating with the network. Once a MAC address is known a malicious user can “spoof” the MAC address of the attacking system to make a computer look like it’s one of the accepted systems and allow it to connect. So you should still take additional precautions.
5. Enable WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption. Encryption is the next step in the wireless security ladder. WEP is the original Wi-Fi encryption scheme, and comes in several flavors — 40-, 64-, and 128-bit. However, its underlying algorithm is flawed and subject to relatively easy cracking. Without going into the gory technical details, if you want to test your WEP connection to see how easy it is to capture packets and decode the key, you can use a tool like AirSnort. The longer 128-bit encryption keys require transmitting more data, but don’t offer significantly better protection than 40- or 64-bit encryption, and significantly reduce performance.
Taking all of that into consideration, WEP is still better than nothing. The lock on your front door is also fairly easy for a professional thief to pick but it doesn’t stop you from turning the key when you leave the house. Even flawed security will keep out opportunistic hackers (the kind who look for cars with keys in the ignition), so it’s worth adding that extra layer of protection.
After the weaknesses of WEP were uncovered wireless equipment manufacturers rushed to create WPA, which improves upon WEP while also being compatible with most older equipment so that customers could upgrade via a firmware update.
WPA builds on WEP encryption by scrambling the key and integrity-checking it to ensure it hasn’t been tampered with. Additionally, it allows authentication using public key infrastructure (PKI) encryption, rather than relying on MAC address filtering. As we’ve already mentioned, MAC address filtering can be easily bypassed by sniffing the wireless traffic and picking MAC addresses up from the packets.
Late last year, a third encryption standard, WPA2, was released, conforming to the 802.11i standard. WPA2 is basically similar to WPA, with the added security of the strong AES encryption protocol, required by some businesses and government agencies.
WPA and WPA2 place an even bigger drag on wireless performance than WEP, and require that ALL devices on the wireless net be set to WPA — clients, the wireless router or access point, and any other relays or access points in between.
No matter which encryption type you use, change your key as often as you can. It takes recording a certain amount of traffic to give crackers enough data to decode a key, so many businesses change keys on a regular schedule, presumably thwarting even determined hackers. Also, passwords do get written down and can fall into the wrong hands.
For more on WPA encryption check out NetGear’s excellent primer “What’s New in Security: WPA (Wi-Fi Protected Access)”. The Wi-Fi Alliance also has an information page on WPA2.
6. Check frequently for rogue access points or clients attached to the network. Most Wi-Fi gateways have a status screen that shows the MAC addresses of all clients currently connected to the network, and some have logging capabilities that will keep track of wireless connections. If you spot unknown clients attached for lengths of time (not just passing by), change your WEP or WPA code, and scout around for where they might be located.
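The check described above (compare the MAC addresses your gateway reports against the devices you know, and pay attention to unknown ones that stay attached rather than just pass by) can be scripted once you have the router’s log in hand. This is an added example, not code from the original article; the log format, the allowlist and the timestamps are constructed, and real routers each log in their own format, so the regular expression is an assumption to adapt.

```python
"""Flag unknown wireless clients that stayed attached for a while, from a router association log."""
import re
from datetime import datetime

# Constructed allowlist: the MACs of the devices you actually own (check your gateway's client list).
ALLOWED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

# Constructed sample log in a simplified syslog-like layout; not the output of any particular router.
SAMPLE_LOG = """\
2005-03-01 08:00:12 wlan0: STA 00:11:22:33:44:55 associated
2005-03-01 08:05:40 wlan0: STA DE:AD:BE:EF:00:01 associated
2005-03-01 08:06:05 wlan0: STA de:ad:be:ef:00:01 disassociated
2005-03-01 09:10:00 wlan0: STA 66:77:88:99:AA:BB associated
2005-03-01 09:30:00 wlan0: STA ca:fe:ba:be:00:02 associated
2005-03-01 11:45:00 wlan0: STA ca:fe:ba:be:00:02 disassociated
2005-03-01 12:00:00 wlan0: STA 11:22:33:44:55:66 associated
"""

# Assumed line layout: "<date> <time> <iface>: STA <mac> associated|disassociated"
LINE_RE = re.compile(r"^(\S+ \S+) \S+: STA ([0-9a-fA-F:]{17}) (associated|disassociated)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def rogue_clients(log_text, allowed, min_dwell_seconds=600, now=None):
    """Return {mac: total_seconds_attached} for MACs not in `allowed` that were
    attached for at least `min_dwell_seconds`. A client still attached at the end
    of the log is counted up to `now` (same timestamp format), or to the last log
    timestamp if `now` is not given. MACs are compared case-insensitively."""
    allowed = {m.lower() for m in allowed}
    attached = {}   # mac -> time it associated (still connected)
    dwell = {}      # mac -> accumulated seconds attached
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue    # skip lines in a layout we don't understand instead of crashing
        ts = datetime.strptime(m.group(1), TS_FMT)
        mac, event = m.group(2).lower(), m.group(3)
        last_ts = ts
        if event == "associated":
            attached[mac] = ts
        elif mac in attached:   # disassociated: close the open session
            dwell[mac] = dwell.get(mac, 0.0) + (ts - attached.pop(mac)).total_seconds()
    end = datetime.strptime(now, TS_FMT) if now else last_ts
    for mac, start in attached.items():   # sessions still open at end of log
        dwell[mac] = dwell.get(mac, 0.0) + (end - start).total_seconds()
    return {mac: secs for mac, secs in dwell.items()
            if mac not in allowed and secs >= min_dwell_seconds}
```

A device that appears only for seconds (like de:ad:be:ef:00:01 above) is a passer-by and is not reported; a device you do not own that stays for hours is exactly the case the article tells you to act on.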
Another way to monitor your network is with a packet sniffer like the free Ethereal. Packet sniffers show you all the traffic that’s zipping around your net, and you’ll see things like plain text messages and passwords flashing by heedlessly. It shockingly illustrates the weaknesses of common protocols like telnet, ftp, AIM and others. You’ll not only find out if unauthorized people are using your network, you’ll also see what THEY see when they are snooping around.
Rogue clients aren’t the only thing to look for, however. Rogue access points are dangerous as well, although more of a concern in public areas than in the home. Rogue access points are designed to mimic your regular wireless access point, and capture data sent through them. You can use a utility like NetStumbler or iStumbler for Mac to see them. See the page on protecting yourself at Wi-Fi hotspots for more details.
7. Use a strong firewall. The steps we’ve discussed so far focus on securing the wireless network, but once your wireless data reaches the access point, it becomes part of the wired net, and subject to any attacks or snooping that might come in through your broadband gateway (or from other users on your local wired net). Furthermore, WEP and WPA encryption only apply to data in the air; as soon as it passes through the Wi-Fi gateway, the data is decrypted.
Most home networking routers come with built-in firewall capabilities. The firewall is usually a basic port-blocking or packet-filtering firewall which lets you permit or deny incoming traffic on certain ports. The typical configuration is to block ALL incoming ports by default and then allow you to open ports for specific purposes. Stateful Packet Inspection (SPI) firewalls take things to a higher level still by actually examining network traffic for suspect activities and reporting attacks and intrusions.
Unless you are running a Web or FTP server you shouldn’t need any of the ports open, but some peer-to-peer file sharing networks and online games require communication over certain ports. Worms like MSBlast and Nachi were aimed at the Windows SMB (Server Message Block) and NetBIOS ports that are intended for directory, file and printer sharing across the network. Having your computer respond to NetBIOS inquiries can also give away valuable information that an attacker may use to gain access to your system or network. It is especially recommended that you block TCP ports 135, 137, 138, 139 and 445 from external access and that you disable NetBIOS over TCP/IP to prevent such attacks or leaks of pertinent information.
You can also use a personal firewall like Zone Alarm Pro or Norton Personal Firewall that runs on your computer in addition to the network firewall. Personal firewalls provide an extra layer of security against outside hackers, as well as safeguard against snooping from within the local network. See the page on protecting yourself at public hotspots for more on personal firewalls.
8. Password your data. Often overlooked in a home environment, passwords provide another layer of security for your private data. You can generally password-protect and/or encrypt your computer, certain folders, or even specific files. Make sure your passwords are not easily guessed or written on a sticky note on the front of your monitor.
Whenever possible, try to place private, confidential or otherwise sensitive documents in special folders that only you or those designated by you have access to. Older OSes like Windows 95 and 98 don’t have password-protection capability built-in, but Windows 2000, Windows XP and Mac OS X all make it a relatively simple matter.
In general, the longer the password the longer it will take someone to find it using password-cracking programs. Use words that aren’t in the dictionary and that contain combinations of lower-case and upper-case letters, numbers and special characters. And change them if you have any reason to suspect they might have been violated, such as by a keystroke-capture program. (Most businesses require changing things like email passwords regularly.) If you are curious to see how easily your password can be cracked, check out tools like @Stake LC4 or Cain & Abel.
9. Separate your wired and wireless nets. If you’re a network pro and have a small office network, consider doing a couple more things: change the default community names that ship with network management tools like SNMP so they can’t be easily guessed; and put wireless access points on separate subnets with firewalls between them and the main network.
10. Turn off wireless devices when not in use. The final word of advice for home wireless networks is “Turn it off!” While it may seem like a pain, you’ll sleep easier knowing that since your gateway, computer, laptop etc. are not turned on, no one can access them. Use a power strip to plug in all your devices, and just flip one switch when you get to work. In multiple-user households, you’ll probably want to leave the broadband gateway on 24/7, but you can still turn off your own PC. A computer that isn’t connected can’t be hacked or compromised from the network. If you rely on dial-up Internet access this is not as big a concern.