Sunday, April 26, 2009

Home Wireless Security Settings Tips

  1. ENABLE WIRELESS ENCRYPTION

Enabling Wireless encryption is essential otherwise every one within your Radio Frequency (RF) range (and remember the Wireless network world record distance is 125 miles!), at best can capture your traffic compromising surfing habits, gathering usernames and passwords and at worst sharing illegal images or hacking over your Wireless network for which you are legally responsible.

DO NOT USE WEP (WEP is trivially broken)

DO NOT USE A DICTIONARY BASED WORD FOR YOUR WPA/WPA2 PSK

DO USE WPA2 (BEST) or WPA (NEXT BEST) WITH A NON-DICTIONARY PSK

Note: Use AES encryption where you can, it's the strongest available.

  1. DISABLE SSID BROADCAST

Ensure you disable the SSID broadcast on you Access Point this will hide your Wireless access point from casual WARDRIVERS. While it is still trivial for a proficient WARDRIVER to determine the SSID it makes him/her work that little bit harder and there may be easier targets in the neighbourhood.

  1. ENABLE MAC FILTERING

Ensure you configure your MAC filters, this will tie your access point down to only those devices with the MAC addresses you specify.

CONS: MAC addresses can be spoofed fairly trivially in both Windows and Linux.

  1. UPDATE FIRMWARE

It is essential to keep you Access Points firmware up to date. Vulnerabilities are discovered daily and it could just happen that your Access Point is compromised through a newly discovered exploit this is not restricted to Wireless attacks and may even occur via a wired interface

  1. ENABLE SECURITY FEATURES

    While this may seem obvious ensure all of you Access Points security features have been enabled, many Access Points security settings default to non-enabled for functionality purposes.

  1. CHANGE DEFAULT PASSWORD

The default password for your Access Point should be changed at the earliest opportunity, to a strong non-dictionary based word to ensure no attackers are able to reconfigure settings.

  1. ENABLE HTTPS

Management of the access point should be carried out via HTTPS (which is encrypted) in preference to HTTP (which passes traffic in clear text) to prevent your Access Point management username and password from being compromised.

  1. LOGGING

Ensure that logging is enabled (it is too often disabled by default) on your Access Point and check those logs regularly. Logs will hopefully give you an indication of whether or not you have an unwelcome visitor.

PARANOID?

We believe that the 7 settings already discussed (if carried out as described) will make your Access Point more than reasonably secure. For the truly paranoid (and we count ourselves among them) however, we have 2 more.

  1. DISABLE THE DHCP SERVER

Rather than have the Access Point's DHCP server issue wireless clients (which could include a wireless attacker) with all the configuration necessary to join the network (and thus the Internet) we prefer to statically configure these settings on the client. We also prefer to use a IP range that is not easily guessed (i.e. not 192.168.0.X or 192.168.1.X etc.) whist still in the private address range.

  1. POWER OFF WHEN NOT IN USE

If you're going away for the weekend or on holiday, turn off that Access Point. If its not active, it's not going to be compromised.

Disabling wireless client machines when not is use is equally important. For example an Access Point with no clients can make discovering a hidden SSID truly challenging.

The images displayed are taken from a Linksys WRT54G Wireless Access point and are included as a rough guide as to the settings discussed.

GLOSSARY

DHCP

Dynamic Host Configuration Protocol (in this instance) is used to issue wireless clients with their IP address, subnet mask, default gateway and DNS server settings (Basically all the configuration settings that clients require to access the Internet).

Private Address Range

Private IP addresses provide a basic form of security, it is not possible for the outside world (Internet) to establish a connection directly to a host using these addresses:

10.0.0.0 through 10.255.255.255

172.16.0.0 through 172.31.255.255

192.168.0.0 through 192.168.255.255

PSK

PRE-SHARED KEY also known as a PASSWORD or PASSPHRASE

SSID

A Service Set Identifier (SSID) is essentially a wireless network name that identifies a wireless network, it must be configured on all wireless devices what which to use the network.

WARDRIVER

"Someone that takes part in Wardriving, an activity consisting of driving around with a laptop in one's vehicle, detecting Wireless networks. It is similar to using a scanner for radio. Most Wardrivers will use GPS devices to find the exact location of the network found and log it on a website. For better range, antennas are built or bought, and vary from omni-directional to fully directional. Software for Wardriving is freely available on the internet, notably, NetStumbler." -Wikipedia

No comments: