Home Wireless Security Settings Tips
ENABLE WIRELESS ENCRYPTION
Enabling wireless encryption is essential; otherwise everyone within your Radio Frequency (RF) range (and remember the wireless network world record distance is 125 miles!) can at best capture your traffic, compromising your surfing habits and gathering usernames and passwords, and at worst share illegal images or hack over your wireless network, for which you are legally responsible.
DO NOT USE WEP (WEP is
DO NOT USE A DICTIONARY BASED WORD FOR YOUR WPA/WPA2 PSK
DO USE WPA2 (BEST) or WPA (NEXT BEST) WITH A NON-DICTIONARY PSK
Note: Use AES encryption where you can; it's the strongest available.
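An added example (not part of the original page): one way to check a WPA/WPA2 PSK against the dictionary rule above and to generate a random replacement. The word list is a constructed sample, and the function names are illustrative assumptions.

```python
import secrets
import string

# Constructed sample word list; in practice load a full dictionary file.
SAMPLE_WORDS = {"password", "dragon", "sunshine", "wireless", "linksys", "holiday"}
# Common character swaps that do not stop a word being dictionary based.
LEET = str.maketrans("013457@$!", "oieastasi")
# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters.
PSK_MIN, PSK_MAX = 8, 63
ALPHABET = string.ascii_letters + string.digits + "#%&*+-=?^_"


def dictionary_hits(psk, words=SAMPLE_WORDS):
    """Return dictionary words found in the PSK after undoing common swaps."""
    folded = psk.lower().translate(LEET)
    letters_only = "".join(c for c in folded if c.isalpha())
    # Ignore very short words, which would match almost any string.
    return sorted(w for w in words
                  if len(w) >= 4 and (w in folded or w in letters_only))


def audit_psk(psk, words=SAMPLE_WORDS):
    """Return a list of problems; an empty list means the PSK passes."""
    problems = []
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in psk):
        problems.append("contains a non-printable or non-ASCII character")
    problems += [f"based on dictionary word: {w}" for w in dictionary_hits(psk, words)]
    return problems


def generate_psk(length=24, words=SAMPLE_WORDS):
    """Build a random PSK from the OS CSPRNG, retrying if it fails the audit."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError("WPA/WPA2 passphrase length is 8-63 characters")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_psk(psk, words):
            return psk


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024", "hol-i-day99", generate_psk()):
        print(candidate, "->", audit_psk(candidate) or "OK")
```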
DISABLE SSID BROADCAST
Ensure you disable the SSID broadcast on your Access Point; this will hide your wireless access point from casual WARDRIVERS. While it is still trivial for a proficient WARDRIVER to determine the SSID, it makes him/her work that little bit harder and there may be easier targets in
ENABLE MAC FILTERING
Ensure you configure your MAC filters; this will tie your access point down to only those devices with the MAC addresses you specify. MAC addresses can be spoofed fairly trivially in both Windows and Linux.
It is essential to keep your Access Point's firmware up to date. Vulnerabilities are discovered daily and it could just happen that your Access Point is compromised through a newly discovered exploit; this is not restricted to wireless attacks and may even occur via a wired interface.
ENABLE SECURITY FEATURES
this may seem obvious, ensure all of your Access Point's security features have been enabled; many Access Points' security settings default to non-enabled for
CHANGE DEFAULT PASSWORD
The default password for your Access Point should be changed at the earliest opportunity to a strong, non-dictionary based word to ensure no attackers are able to reconfigure settings.
Management of the access point should be carried out via HTTPS (which is encrypted) in preference to HTTP (which passes traffic in clear text) to prevent your Access Point management username and password from being compromised.
Ensure logging is enabled (it is too often disabled by default) on your Access Point and check those logs regularly. Logs will hopefully give you an indication of whether or not you have an unwelcome visitor.
We believe that the 7 settings already discussed (if carried out as described) will make your Access Point more than reasonably secure. For the truly paranoid (and we count ourselves among them), however, we have 2 more.
DISABLE THE DHCP SERVER
Rather than have the Access Point's DHCP server issue wireless clients (which could include a wireless attacker) with all the configuration necessary to join the network (and thus the Internet), we prefer to statically configure these settings on the client. We also prefer to use an IP range that is not easily guessed (i.e. not 192.168.0.X or 192.168.1.X etc.) whilst still in the private address range.
POWER OFF WHEN NOT IN USE
If you're going away for the weekend or on holiday, turn off that Access Point. If it's not active, it's not going to be compromised.
client machines when not in use is equally important. For example, an Access Point with no clients can make discovering a hidden SSID truly challenging.
The images displayed are taken from a Linksys WRT54G Wireless Access Point and are included as a rough guide as to the settings discussed.
Dynamic Host Configuration Protocol (in this instance) is used to issue wireless clients with their IP address, subnet mask, default gateway and DNS server settings (basically all the configuration settings that clients require to access the
Private Address Range
Private IP addresses provide a basic form of security: it is not possible for the outside world (Internet) to establish a connection directly to a host using these addresses:
PRE-SHARED KEY, also known as a PASSWORD or PASSPHRASE
A Service Set Identifier (SSID) is essentially a wireless network name that identifies a wireless network; it must be configured on all wireless devices that wish to use the
"Someone that takes
part in Wardriving, an activity consisting of driving around with a laptop in
one's vehicle, detecting Wireless networks. It is similar to using a
scanner for radio. Most Wardrivers will use GPS devices to find the exact
location of the network found and log it on a website. For better range,
antennas are built or bought, and vary from omni-directional to fully
directional. Software for Wardriving is freely available on the internet,