Refuse To Be A Victim - Secure Your Home Wireless Network:
By: William P. Flinn
(Oh No – You Mean My Wireless Home Network is At Risk?)
Part of what we teach as part of the NRA's "Refuse to Be a Victim" program is online security to keep you safe while on the Internet. The most common type of home network these days is a wireless network. Wireless networking allows for much easier setup without all that cable installation that we had to do to set up our home networks back in the day. But wireless networking brings with it some added security concerns that you may want to consider. From where I sit in my office on the second floor of my house, for example, I can detect at least five wireless networks from here. And not all of them are secured networks. Practically anyone can join an unsecured wireless network and surf to their heart's content. This article is intended to give you some ideas on how you can make your wireless network a little more secure.
WARNING: There is a lot of "geek-speak" in this article. If it doesn't make sense, just email me and I will explain it to you.
So now that your wireless network is all set up, no worries, right? I mean, so what if someone in the 'hood steals a little of your signal, connects to your network and surfs for themselves. The cable company won't know and the bandwidth they steal probably won't affect you! Well, here's the deal with that: if anyone can get on your network and surf the web, then that means they can also get to the files on your computer(s) if they are smart enough, and these days it doesn't take much to hack into an unprotected system. They are completely bypassing your firewall and they are now on the inside. Inside and free to get to all of your personal information, tax records, personal letters, email files, you name it.
But so what if they aren't after your stuff, but rather just want an Internet connection so that they can surf for free, or worse, do illegal things: gambling, porn, child exploitation, downloading copyrighted movies.... And it isn't just your neighbors; it's those nasty little WAR drivers, driving around with laptops and programs like Net Stumbler or AirSnort, scoping you out so they can come back later and steal your signal or hack your systems. Then they can make maps of where all the wireless networks are located and share them with their buddies.
Small business owners, you should really listen up here, because there are liability issues: guess who gets tagged when someone decides to crack down on illegal Internet activities through your service provider's records or other means. You do! Current legislation limits the ISP's liability for illegal activities, and the account owner becomes the responsible party since your name is on the account. There may be no evidence on your computer, because you weren't doing anything wrong. But all they know from their investigation is that the suspicious traffic came to and from the connection into your network. And after you get your computer back (after months of forensic investigation) you will be in the clear. But can you do without your computer for that long? Worse yet, can you do without your data for that long? Stealing your signal for free Internet access is one thing. Using your network for illegal purposes is another, and since you have no idea what the attacker's real intentions are, you really should be keeping unauthorized users off in the first place. So, let's just nip this little problem in the bud and protect ourselves by using some of the built-in features of the wireless equipment and our own common sense.
Your New Router/Wireless Access Point:
You have just purchased that new combo router/access point and pulled it out of the box. They are all configured the same, meaning that they all have the same default settings for administrative passwords, router name, IP address ranges, and network broadcast names (more on SSIDs in a bit). Immediately change those factory settings. Every bad guy in the world knows that the default password for a Linksys router is "Admin" and that the default SSID (the network name that it broadcasts) is "Linksys." These settings vary slightly by manufacturer, but they are similar, and more importantly, they are all well known. In other words, if you have a router/access point right out of the box and you don't change anything before placing it in service in your network, all the little WAR drivers will know it, and they already have the information they need to log in to your router and change its settings to accommodate their needs.
At a minimum:
Change the default password
Restrict which addresses can access your network
Encrypt to make your network a secured network
Change the default wireless network SSID
Disable wireless router management
Give your router a name
If they can’t get an address, they can’t surf:
Two addresses are important: the MAC address (physical address) and the IP address (logical address). The easier of the two to restrict on your wireless access point is the MAC address. The MAC (Media Access Control) address is hard coded into the network card in your computer, which is why it is often referred to as the physical address. You can configure your wireless access point so that only the MAC addresses in your approved list are able to connect to your network. MAC addresses can be spoofed very easily, but the attacker has to know the exact MAC address(es) in your access point's authorized list in order to spoof the right one. This isn't foolproof by any means, but at least it gives you something a bit more secure than no restrictions at all.
The IP (Internet Protocol) address is the "192.168.1.6" type of address that computers use to communicate, often referred to as the "logical" address. Every computer on a network needs an IP address if it wants to communicate, especially if it wants to communicate with your router to get to the Internet. The IP address can be handed to you automatically by what is known as a DHCP server (dynamic), or it can be a hard-coded (static) address. If you use a router, by default your router is using its DHCP feature to configure these addresses on your computers for you. If you are letting your router dish out addresses to your computers, then they are likely to be available to anyone with a computer who can see your wireless network and "ask" for one. The fix is simple: just don't make any available! Hard code all of the IP addresses into your computers, and tell your router not to hand out DHCP addresses. I set all of the addresses on my computers statically. This is the more complicated address to restrict, though, because doing it requires you to know something about IP addressing, subnet masks, DNS services, and default gateways. Because of this complexity, many people do not use this method, but I'm a geek, so.....
If you do this, you can also go one step further and make the subnet mask for your network non-standard. For example, many people at home use the private IP address range 192.168.1.x. The default subnet mask for this range is 255.255.255.0. If you only have a few computers in your network, you can change your subnet mask to something like 255.255.255.240. That mask leaves you enough address space for fourteen computers. If you want more addresses, or need fewer, you can adjust the mask you are using. The added benefit is that even if the attacker hard codes in an address of their own to fit the range you are using, they have to guess the right mask or they won't connect.
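As an added example (not code from the article), here is the address arithmetic behind the two restrictions above in Python: how many hosts a mask leaves, whether a station that guessed an address and mask can actually reach the router, and a MAC allow-list check that tolerates the different ways a MAC address gets written. The network 192.168.1.0/28 and the gateway 192.168.1.1 are assumptions for the demonstration.

```python
import ipaddress

# Constructed home LAN matching the article's example: 192.168.1.x with the
# non-standard mask 255.255.255.240 (/28). Network and gateway are assumptions.
LAN = ipaddress.ip_network("192.168.1.0/28")
GATEWAY = ipaddress.ip_address("192.168.1.1")


def usable_hosts(mask: str) -> int:
    """Host addresses a dotted-decimal mask leaves once the network and
    broadcast addresses are removed, e.g. 255.255.255.240 -> 14."""
    net = ipaddress.ip_network(f"0.0.0.0/{mask}")
    return net.num_addresses - 2


def on_link(host_ip: str, host_mask: str, peer_ip: str) -> bool:
    """Does a station configured with host_ip/host_mask believe peer_ip is on
    its own subnet, i.e. reachable directly rather than through a gateway?"""
    net = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    return ipaddress.ip_address(peer_ip) in net


def can_reach_gateway(host_ip: str, host_mask: str) -> bool:
    """A station only talks to the router if both sides agree they share a
    subnet: the station must think the gateway is on-link, and the router
    (which uses the real /28) must think the station's address is on-link."""
    station_thinks = on_link(host_ip, host_mask, str(GATEWAY))
    router_thinks = ipaddress.ip_address(host_ip) in LAN
    return station_thinks and router_thinks


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-1A-2B-3C-4D-5E and
    00:1a:2b:3c:4d:5e compare equal in an allow-list."""
    digits = "".join(ch for ch in mac if ch in "0123456789abcdefABCDEF").lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_allowed(mac: str, allow_list) -> bool:
    """Access-point style MAC filter: admit only the listed cards."""
    return normalize_mac(mac) in {normalize_mac(m) for m in allow_list}


if __name__ == "__main__":
    print(usable_hosts("255.255.255.240"))                      # 14, as in the article
    print(can_reach_gateway("192.168.1.6", "255.255.255.240"))  # True: correct address and mask
    print(can_reach_gateway("192.168.1.50", "255.255.255.0"))   # False: .50 lies outside the /28
    print(can_reach_gateway("192.168.1.6", "255.255.255.0"))    # True: wrong mask, but address inside the /28
```

The last case is the caveat: a station that guesses the default /24 mask still gets through if the address it picks happens to fall inside your smaller block, so the non-standard mask only keeps out addresses beyond the fourteen you left available.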
Encrypt your wireless traffic:
One way that eavesdroppers can find out things like passwords and other information you would like to keep private is to "sniff" the traffic on your network and read it in plain text. There are a variety of free tools out there, such as Ethereal, that let people capture network traffic and pull information right out of the packets traveling across the network. If you encrypt the traffic, however, it comes across as gibberish and they can't read it. There are a couple of popular encryption schemes built in to home and small business wireless devices: WEP, WPA, and WPA2. WEP, which stands for Wireless Encryption Privacy, is a slightly older and somewhat unsophisticated encryption scheme. It is static, which means it never changes its encryption keys on its own; you would have to periodically define new keys or pass-phrases yourself. WEP is minimal security at best, but again it is better than nothing. The newer wireless encryption for home users, WPA and WPA2 (Wi-Fi Protected Access), is a more dynamic scheme and is more secure than WEP. The keys are changed dynamically during operation, making it more difficult for someone to sniff your traffic and recover the pass-phrase in use. Not knowing the correct WEP or WPA keys and pass-phrases to enter into their computers makes even connecting to your network more difficult for attackers as well.
The other thing that needs to be encrypted is the traffic between you and your router/access point management console. On most home and small business routers, you simply use a web browser to log in to and manage the router's configuration. The Linksys models (and most others) let you select HTTPS (port 443) for the traffic between you and your router, using an SSL certificate. This protects you in that eavesdroppers cannot see your router administrative password in plain text if they are using a program like Wireshark to "sniff" your traffic from afar. Don't confuse encryption with blocking access, however. Anyone who types in the correct address for your router will be offered an SSL certificate, and they can choose to install it. If they know the password, they can still get in. What keeps them out is not having the correct password, and you don't want to make it easy for them to obtain it. This type of encryption keeps that password from being sniffed, and so makes it more difficult to obtain.
Turn off the SSID broadcast:
The SSID is the network identifier that gets broadcast by a wireless access point. As I mentioned earlier, the default SSID for a Linksys access point out of the box is "Linksys." You don't need the SSID broadcast to connect, because you can simply type in the SSID when you configure your computer(s). If configuration gives you a problem, turn on SSID broadcasts, configure your computers, then turn the broadcasts back off. The exception to this is earlier versions of Windows, such as Windows 98 and Windows XP without Service Pack 2. Actually, there was a patch a while back to ensure that Windows XP SP1 would connect without the SSID broadcast, but SP1 is about to become a non-supported product. You really need SP2 and above (SP3 is the current SP level for Windows XP) to take advantage of the Windows XP security features anyway. But Windows XP is about to be end-of-life (obsolete) for security support, so upgrade if possible. Get Windows Vista or Windows 7 and you can really take advantage of much better security features.
Disable Wireless Management:
Disabling the ability to manage your router from a wireless connection will help ensure that people sitting out in the street stealing your wireless connection can’t get into your router and change settings. You will want to have at least one computer that has a wired connection so you can connect to your router and perform configuration changes. If you only have one computer, and it is a laptop, use the wired connection to connect directly to the router to do maintenance, and the wireless connection to provide your mobility and your normal day-to-day connections.
Additionally, you can ensure that “Remote Access” is turned off. With remote access, you can come into your router from anywhere else that has an Internet connection. I have mine turned on because I travel, and sometimes need to come in and make a change while I’m gone, in case the spouse or kids can’t get connected all of a sudden. But if you don’t need it, the rule of thumb is to just turn it off.
Other Security Measures:
Securing your wireless access point does not relieve you of the need to use other basic security precautions. Having a firewall in your router doesn't mean that a personal firewall program on each computer won't do you any good. I have my router locked down pretty well, but my personal firewall still alerts on, and blocks, several inbound connection attempts. Antivirus software, anti-malware software, and keeping your computer up to date with the latest patches are still important requirements.
You play an important part in security too: if your personal firewall alerts you to something, don't just blindly say "Yes" to the event and move on, hoping for the best. Question everything! Just say NO! You can look at your router's logs to find suspicious activity so that you will know what further steps to take. Look at the logs for your personal firewall software as well, to find out who is trying to attack you and what methods they are trying to use.
Wrapping it All Up:
Wireless networking provides an easy and extremely flexible medium for setting up your home or small office network. But remember: your network traffic is now traveling through free space, there for the taking by the little WAR drivers and other eavesdroppers. All kinds of things, like passwords, personal data, and even access to the files stored on your computer, are at risk. Even the inexpensive router/access points give you a number of security measures you can implement to help keep you safe. Nothing is foolproof.
This article mentioned some simple measures you can take to increase your chances of being safe and protecting your network. Be sure to look into the specific configurations that your router/access point allows, and know what you can do with it. Given enough time and effort, there is nothing that a hacker can’t break into. But by securing your system you will more likely than not discourage a would-be hacker, and they will just move on to the other six networks on your block. Don’t be a target – protect your computers, your network, and your data.
For more information, see:
- Special Publication SP800-48: Wireless Network Security
- Wireless Network Security for the Home
- PC Magazine: Steps to a Secure Wireless Network
- Microsoft: How to Set Up Your Home Wireless Network
About The Author: "The Gonz" is an NRA Certified Firearms Instructor (Pistol, PPiTH, RTBAV), US Concealed Carry Association Affiliate Instructor, and an NRA Certified Range Safety Officer. Additionally, he is a trained and certified Community Emergency Response Team (CERT) member, with several years of training in Incident Command System (ICS) procedures and practices.