Wireless connectivity is changing the way we access the Internet. Many of you probably have a wireless router in your home, and it is not hard to find Wifi connections just about anywhere you go. Many of these connection are owned and secured by businesses that operate a wireless local area network (WLAN). In other words, they are not meant for public access. Some connections you will find are meant for public access, but are secured so that you cannot access them unless you purchase something and the proprietor give you an access key, and others are secured by redirecting your browser to a login page where you enter a user name and password. This type of wireless access pont (WAP) usually requires some kind of subscription (AT&T Hotspots use this type of security protocol). You will even come across completely open (and free to use) WAPs in places like libraries and even some bars, coffee shops, and other types of businesses.
That being said, if you do have a WAP in your home you should take measures to secure it. For two reasons. The first is that it will prevent your neighbors from stealing your bandwidth. This is a relatively common and mild offense. In fact you might not even care if your neighbor uses your Wifi connection. If this is the case you should still secure your WAP, then give an access key to the neighbors that you want to share with. If all your neighbors are using your Wifi you will experience significant slow down in your Internet speed. So securing your WAP and giving a passkey to only those you want to have access will preserve your bandwidth so that everyone on the network has an optimum speed when accessing the Internet.
The second, and most important reason to secure your WAP is to protect you from malicious individuals. With an open Wifi router a malicious individual can use your connection to "disguise" themselves while they perform illegal activities. For example, many commercial websites like Amazon.com record IP addresses during credit card transaction. They do this to help the authorities catch people committing credit card fraud. If someone reports to them that they have a charge on their card for a purchase that they did not make, Amazon can look up that purchase and turn the IP address of the purchaser over to the authorities. Your IP address uniquely identifies your connection on the Internet. Much information can be learned from simply having someone's IP address such as the city and the Internet service provider supplying the IP address. This is more than enough information for authorities to pinpoint the location of the illegal transaction. If your WAP is open and someone uses it for such a purpose you are going to have some explaining to do when the authorities come knocking on your door.
Malicious individuals are not limited to using your open WAP to disguise themselves either. Delving in to other computers on an open WAP is fairly easy with the right software and knowledge. I can get into any computer connected to a WAP usually in under ten minutes. I, of course, only do this for testing security and would never do it without the owner's permission, and I would never do anything illegal after gaining entry in this way. However, others are not as honest as me, and once they have acces to you or your neighbor's computer there are any number of things they could do to make your lives miserable. They could delete or steal files; install viruses, trojans, key-loggers, or any other malware; steal your identity, and that is just the tip of the iceberg. So as you can see, you definitely want to secure your WAP.
There are several security protocol available to use that may or may not be available for your brand and model of wireless router. I'm not going to hit on every one. There are three primary protocols that nearly all routers have; Wired Equivalency Privacy (WEP), Wifi Protected Access (WPA), and Wifi Protected Access version 2 (WPA2).
At minimum you should have your WAP secured using the WEP protocol. I am not going to explain how to set your WAP for WEP protection though for two reasons. One is that it is very easy and you can probably figure it out on your own after you know how to set up WPA. The second reason is because I do not recommend this type of protect because it is not very effective.
The Wireless Equivalent Privacy (WEP) algorithm was designed in the 1990s and was purposely weak, to remain within the confines of existing US export regulations. In fact, if you Google cracking WEP you will find a multitude of free tools that you can use to break a WEP key. That being the case, it is amazing to me that more than 50% (based on my experience) of those wireless signals at the coffee shops and other public places are, in fact, WEP setups. Remember, a lot of these are business networks.
This being the case WPA and WPA2 are better (stronger) methods of securing your Wifi. WPA and WPA2 are nearly the same except that WPA2 is stronger because it allows for longer passphrases. That being said, WPA2 can be cracked with brute force (this a method that involves trying every possible combination in a password or other type of security key) (http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/). This does not mean that WPA2 is of no use. The researchers in the linked article had to use a homemade super computer to do it. So it's possible, but not probable. It is still a very good encryption method. In fact, when used in combination with other security measures, you can create a wireless network that is invulnerable to all but the most dedicated and skilled hacker. I am going to show you haw to do this. Keep in mind, what I am about to show you will make your WAP like Fort Knox. This is not always necessary. For example, if you live in a rural area, it is unlikely that you will encounter anyone with the skills or desire to break into your network (these types of people like to hang out where there is better fishing so to speak), so the strongest security measures are not perhaps necessary in this scenario (perhaps just one of the tips would be good enough for this instance). if you live in an area with a lot of traffic (both vehicle and wireless network) you will want a more secure network, but not necessarily as strong as using all three tips (maybe just two are good enough for you). However, if you have a business with a WLAN or you keep a lot of sensitive information on your computer, you'd do best to follow all three of these tips.
The tips I will show you apply to Linksys brand routers. If you have a different router the steps outlined in each tip still apply, but you may have to poke around or consult your user's manual to find the proper settings pages. So without further ado, here's how to easily create the most secure wireless network possible (other than unplugging it).
Tip 1. Use WPA (at minimum) or WPA2 (preferred) encryption. This allows you to enter a passphrase between 8 and 63 characters. Use a passphrase that is at least 20 characters, but if you want maximum protection use 63 random extended ASCII characters. That just means to include special symbols like the British pound symbol or the trade mark sign. If you are interested in seeing what symbols are included in the extended ASCII characters, go here: http://www.ascii-code.com/. Something like, \mkKTj?&u`f-y";oHtOf))8W-oOcXdh52('c1SZVn_25Cb'Lf.TDpwS*pt:j4+ would be quite secure. Furthermore, change the passphrase regularly. If you change the passphrase once a week, even Russian researchers (the ones from the link above) would have a hard time breaching your security. Here is how to setup WPA2 on a Linksys wireless router:
a) First connect your computer directly to your router through one of the LAN ports in the back. You cannot change router settings over the air. You have to be directly connected.
b) Connect the modem to the WAN port on the back if it is not already.
c) Open Internet Explorer (other browsers can work too, but I have had problems with some Mozilla based browsers, IE will for sure not give you problems) and ensure that you are connected to the Internet by going to a known website like www.google.com. Then enter http://192.168.1.1 and hit enter.
d) It will ask you for a username and password. Enter it. If you don't know your username and password, you probably have not changed it from the default. If this is the case, enter admin for both the username and password (on some Linksys routers you leave the username blank and enter admin as the password, so if admin in both fields doesn't work try admin in the password field only), then click Ok. This takes you to the router setup page.
e) Click on the "WIreless" tab at the top of the screen.
f) Under that tab click "Wireless Security".
g) You will see a drop-down box next to "Security mode:". Click the arrow to the right of the box and select "WPA2 Personal" (or WPA or WEP, if you prefer).
h) Choose one of the WPA algorithms (AES should be fine, but I prefer TKIP).
i) In the "WPA Shared Key" box enter a passphrase of your choosing, but keeping mind that it must be between 8 and 63 (exactly 10 for WEP and 8 to 32 for WPA) characters in length (the longer the better, try for at least 20), and don't use real words. Passphrases that use actual words are much easier to break. Try to use random (or apparently random) numbers, letters, and symbols (see my example above). In a future post I will teach you how to create very strong passwords that you can easily remember.
j) Click the "Save Changes" button and then the "Continue" button after that and your router is secure.
k) Disconnect your computer from the router (unless of course it is a wired computer) and establish a connection to the router by entering the passphrase you entered. You should be good to go.
Tip 2. Hide your SSID. Most routers are set by default to broadcast the SSID. Disable this. You know what your SSID is so you shouldn't need to broadcast it. Many people leave their router set to broadcast because it makes it easier to connect new devices, but unless you are running business that offers free wifi, this is not a good idea. An average hacker can still sniff out your SSID over the airwaves, but it does prevent the average Joe from just jumping on your network even if it's wide open. Plus it creates just another annoying step that someone has to take to breech your security. The more hurdles that you can put in the way of an intruder the better. Also, if you have not changed your SSID from the default (for Linksys routers default is linksys), now is the time to change it. Here is how to change and hide your SSID.
a) Go through the same process outlined above to get to your router settings page.
b) Once on the Setup page click the "Wireless" tab.
c) Where it says "Wireless SSID Broadcast:" click the disable radio button then click Save Settings and then click continue in the next window.
d) Now where it says, "Wireless Network Name (SSID)", delete the default name and enter a name of your choosing. It does not have to be like the passphrase, but you want it to be something that would not be easy for someone to guess but you can easily remember and type (STi.Boy@Wireless is an example).
e) Save your settings and exit the settings settings page.
f) Now you will not see your network listed in the network selection window so you will have to click "Select Another Network" and enter your new SSID.
g) You will then be prompted for your passphrase. Enter that and tell the computer to remember this network and you should be able to connect to your newly secured WAP automatically. Remember: you have to connect all devices on the network in the same manner, so additional computers and phones that access your Wifi need to have the new SSID and passphrase entered as well. And don't forget your neighbor.
Tip 3. Enable MAC filtering. This is a little trickier, but as always, I'll make it painless for you. What MAC filtering does is it makes it so that only the devices that you define can connect to your router. Good hackers can spoof a MAC address, but again, it's just another obstacle. Having MAC filtering enabled is like having a butler answering the door at a party. If the guest is not on the list, he can't come in. The same principal applies to MAC filtering. If a device's MAC address is not on your list, it cannot access your router. If you don't know how to do this it is not to hard to explain. Before messing with your router settings you need to make a list of the MAC addresses of all the devices you want to allow on the network. I'm going to outline how to find the MAC address of your computers. If you have other devices that you need to connect to your WAP and you don't know how to find it's MAC address, a comment and I'll see what I can do. So here's what you do to find your computer's MAC address:
a) Click Start. Go to the run box and type cmd then click ok.
b) You will see a black screen with white font. This is the command prompt. In the command prompt type ipconfig/all and hit enter
c) The Mac address of the computer you do this on is listed in the set of numbers to the right of Physical Address (should be 6 pairs of alpha-numeric digits separated ny dashes like this: 00-B0-D0-86-BB-F7).
d) Right this down.
e) Repeat this process for all computers that need access to the router. (Note: if any of your computers have Windows XP, instead of typing ipconfig/all in the command prompt, type getmac and it will return only the MAC address for you)
f) Now that you have your list of MAC addresses, go to the router settings page (I'm going to assume that you know how to do this by now).
g) Once again click the "Wireless" tab.
h) Under the tab you should see a button labeled "Wireless MAC Filter". Click it (if you don't see this look under "Wireless Connection Control").
i) Click the "Enabled" and "Allow only following MAC Addresses to connect to wireless Network" radio buttons.
j) Click "Wireless Client List" you will get a list of all empty mac-addresses as (00:00:00:00:00:00). Now all you have to do is enter the MAC addresses on your list.
k) Save your settings and close the browser.
If you do these three things, you will have the most secure wireless network possible. It would be extremely difficult to breach a wireless network secured in this way.
No comments:
Post a Comment