


MarkoDaGeek's Learning Experience

 

MarkoDaGeek's Learning Experience, Simple steps in creating a secure wireless network.

MarkoDaGeek
post 8 Aug, 2006 - 02:33 PM
Post #1



I think we can all agree that network security is important; however, it seems few agree on how much work should be put into securing your home or small office wireless network.

What many people don't know is that there are some very basic measures you can take that require very little time to create a wireless network secure enough for residential and small office use.

I rarely get to show off my specialty here on Dream in Code so in this Learning Experience I will show you how to easily add various layers of security to your wireless network.

The wireless router I will be presenting examples from is a Belkin Wireless G Plus Router - Firmware 4.03.04. However, most wireless routers use similar terminology, so you will be able to perform many of the same tasks and find some useful information from this Learning Experience even if you don't use this Belkin router.

I'll break this Learning Experience down into the following two sessions -

+ Basic security measures and simple settings modifications. [Posted]
To visit Session 1 - http://forums.dreamincode.net/index.php?s=...st&p=166070

+ Advanced settings modifications and encryption methods. [Posted]
To Visit Session 2 - http://forums.dreamincode.net/index.php?s=...st&p=166070

Both sessions will be done in this thread since it's going to be a fairly short Learning Experience. It will be complete with screenshots and extra info on why the measures and such should be taken.

Check back to this thread for updates and feel free to make suggestions on what content I should include, ask any questions or engage in discussion about what I've presented.


eLliDKraM
post 8 Aug, 2006 - 02:41 PM
Post #2




Very cool, I'm looking forward to it.

Amadeus
post 8 Aug, 2006 - 05:28 PM
Post #3




I'm going to link my brother-in-law to it - he used a Belkin router and I've had to set up his network countless times! Good choice Marko.

MarkoDaGeek
post 9 Aug, 2006 - 11:18 AM
Post #4




SESSION 1 - BASIC SECURITY MEASURES AND SIMPLE SETTINGS MODIFICATIONS.


Why should I have a secure wireless network?

The problem is wireless access points and routers use radio waves. By using such a universal technology it makes the devices open to deviants who try to access sensitive information or foil the operation of the network. Wireless routers arrive from the manufacturer as very insecure devices and don't require a lot of effort to "hack" or otherwise use maliciously. Even more alarming is that if you don't encrypt or protect the data that you send and receive, a person within range could use software called a "packet sniffer" to watch the websites you visit, the email you send and receive, or in some cases password and financial information that is sent to various websites.

But, isn't spread spectrum technology supposed to be secure out of the box?
Most of the 802.11 wireless LAN (WLAN) standards use spread spectrum, a modulation technique developed during World War II to keep the enemy from jamming radio communications. When WLANs first began to appear in the early 1990's, vendors touted the inherent security of WLANs because of the use of spread spectrum technology. Some WLAN hardware manufacturers today still advertise the security that spread spectrum provides.

Spread spectrum in general is capable of changing the "spreading codes" in a secretive way, which makes it nearly impossible for someone to decipher the signal's intelligence unless they were to know the code. However, the problem is that the 802.11 standard clearly describes the spreading codes publicly so that companies can design interoperable or compatible 802.11 components. As a result, a deviant only needs an 802.11 compliant wireless NIC as the basis for connectivity, which completely obliterates the security benefits of spread spectrum.


Here are a few basic steps you can take to help minimize the threat, or to draw less attention to your wireless network. Keep in mind that the key words were to draw less attention to your network; the following measures in this session only provide minimal security.


Step 1 - Access Point Location
The problem is that there will always be a tradeoff between security and convenience. However a good idea is to position your wireless router in your home so that it is only strong enough to reach the wireless devices that you want to connect. If you put your wireless router in a place like say... a basement, it is less likely that your neighbor or someone trying to connect outside the home will be within range of the signal. Try doing some testing of distances and make sure to plan for future expansion when doing this.

Step 2 - Ditch The Defaults
An easy measure you can take to at least secure your router's configuration settings is to change the default administration password. Open your web browser and go to your router's administration console. With a Belkin router the default IP address to access this will be 192.168.2.1; with Cisco / Linksys it's 192.168.1.1. As shown in the screenshot below, click on 'System Settings', then type in the current password and the new one you wish to use. The current password with Belkin is blank; with Cisco / Linksys, depending on your firmware, it will also be blank, or 'admin'. You can refer to This Website or your router's user guide for the correct default password.

IPB Image

Another default setting you can get rid of is the Service Set Identifier or SSID. In the section below I will explain a more secure method of SSID security, but you could do this as well. You can change your default SSID by clicking on 'Channel and SSID' as seen in the screenshot below. Choose a custom name that is somewhat original and won't draw attention to your network; again, deviants oftentimes are looking for an SSID that appears to be the default for the router.


IPB Image

SSIDs Are Useless
The 802.11 standard specifies the SSID as a form of password for a user's NIC to join a particular WLAN. 802.11 requires that the user's NIC have the same SSID as the access point to enable communications. The SSID is the only "security" mechanism that the access point requires to enable association in the absence of activating optional security features.
However the use of SSIDs is a fairly weak form of security. Most access points broadcast the SSID multiple times within the body of each beacon frame. A deviant can easily use an 802.11 analysis tool (such as AirMagnet or Netstumbler) to identify the SSID. In addition, the Windows OS does a great job of "sniffing" the SSID in use by the network and automatically configures the NIC for connection.

Step 3 - Disable SSID Broadcast
When you disable the SSID broadcast, you have to manually type in the SSID on each machine that wishes to connect to the network. Disabling the default channel is another way to make your device more difficult to find for someone attempting to use it maliciously. These are very easy settings to modify and should be done at a bare minimum to secure your wireless network.
With the Belkin router you can disable the SSID broadcast and change the default channel in the same page as changing the SSID itself. Refer to the above screenshot for an example.

DHCP Isn't Good For Security
Even if an intruder is capable of associating with an access point by using the correct SSID, they must often have an applicable IP address before they can directly access resources on the network. Many WLANs use Dynamic Host Configuration Protocol (DHCP) to automatically assign IP addresses to users as they become active. With DHCP enabled, a deviant receives an applicable IP address just as other legitimate users do.

Step 4 - Switch to Static IP Addresses
This is another situation where it's a tradeoff between security and convenience. Obviously it's going to be more convenient to have the router automatically assign each client an IP address rather than giving each computer its own manually, but if you want to be truly secure this is another measure you can take.
It's relatively easy to disable DHCP on the Belkin router, just click on 'LAN Settings' and select to have the DHCP turned off as shown in the screenshot below.


IPB Image

I guess you could consider this last step to be a borderline advanced setting. In my next session I will get into more advanced settings and setting up various levels of encryption on the network. If you want to run a wireless network without encryption, the above methods along with a couple I'll mention in the next session will be about as secure as you can get.


Check back for session 2, 'Advanced settings modifications and encryption methods', as it will be posted in the next couple days. And again, feel free to make suggestions on what content I should include, ask any questions or engage in discussion about what I've presented.

MarkoDaGeek
post 15 Aug, 2006 - 08:55 PM
Post #5




SESSION 2 - ADVANCED SETTINGS MODIFICATIONS AND ENCRYPTION METHODS

Continuing where I left off last, I'll jump into the other available wireless security methods, which should and maybe should not be used and why.

Why MAC Address Filtering Doesn't Work Well.
Most modern wireless routers have a feature called 'MAC Address Filtering'. MAC (Short for Media Access Control) Address Filtering enables the user to get the MAC address of all the various wireless devices that they want to allow to connect to their access point. If this filtering is turned on, only clients with that MAC address, in theory, will be able to log into the access point.

The problem with MAC Address Filtering is that at the front of every packet that's sent, the packet announces what MAC address it's coming from and where it's going. Any deviant with simple packet sniffing software could easily come across a few MAC addresses that are permitted within the router. Once that information is discovered the MAC address can easily be spoofed.

How easy? Some WLAN hardware manufacturers actually enable the user to specify a custom MAC address to use on their network with included software. Additionally, there isn't anything to prevent duplicate MAC addresses from being used on a network, so an active MAC address could easily be used while the same MAC address is being used by its original owner.

MAC Address Filtering could be enabled as a low level security measure, mainly to prevent a casual user from mistakenly using your access point. However, if a deviant wants to use the network badly enough, it could easily be overcome.

Step 5 - Encryption, Real security.

On a modern 802.11 WLAN you get a couple options when it comes to encryption, WEP and WPA.

WEP Is Muh.
Wired Equivalent Privacy (WEP) uses a simple algorithm to encrypt the body of each frame. WEP encryption was supposed to keep deviants from accessing information on your network. However with modern decryption methods and software the WEP technology has been made obsolete.

Rather than getting too technical this time, think of WEP encryption as closing the door to your home, but not locking it. Sure it looks secure, but the door can be opened. Certain doors may be more likely than others to be opened, just as more effort may be put into cracking into some networks over others.

My personal belief is that WEP is better than having no encryption; it's not making the user completely safe but you're not wide open either. WEP Encryption used with some of the other security measures I've mentioned would make a network fairly secure, but not bulletproof.

Want the technical version or to learn how WEP can be cracked? I suggest listening to This Episode of Security Now!, a podcast that features security expert Steve Gibson and technology evangelist Leo Laporte. They go over a lot of the points I'm mentioning in this Learning Experience and go more in depth on this issue.

WPA Is Better.
WiFi Protected Access (WPA) is the newer security standard adopted by the WiFi Alliance consortium. WPA delivers a level of security way beyond anything that WEP can offer; it bridges the gap between WEP and 802.11i networks, and has the advantage that the firmware in older equipment may be upgradeable.

WPA uses Temporal Key Integrity Protocol (TKIP). This technology dynamically generates a new key for every packet of data the network sends, and generates different sets of keys for each client, unlike WEP encryption which uses a single static key for everything. TKIP is designed to allow WEP to be upgraded. This means that all the main building blocks of WEP are present, but measures have been added to address security problems with the original WEP technology.

In order to use WPA encryption, your hardware must support it. Most wireless hardware manufacturers include WPA capability into all of the new routers and adapters, and some have made WPA updates available for older equipment. Make sure you check your documentation to ensure your equipment is compatible before proceeding.

To enable WPA or WEP encryption on the Belkin router click on 'Security' on the left, then as seen in the below screenshots you will want to select which encryption method you wish to use. The WEP options will look something like -

IPB Image

And WPA will look more like -

IPB Image

Your passphrase can contain up to 63 characters. When choosing a passphrase or key try not to use any common words or phrases, or simple character sequences (such as repeating a single number or letter). For extra security, you may want to change the passphrase or key periodically, especially when using WEP encryption.

The Bottom Line
Well there you have it, in reality as you can see there is no 'one size fits all' for wireless network security in the home or small office. Most people will find that this takes too much time and energy when they can just bring their new router home and it "just works."

Nevertheless, it is important that you understand the security risks of operating an unencrypted network. With various software and very little know-how a deviant within range of an insecure network can see everything: your email, Instant Messages, the websites you visit, information that's submitted, in some cases financial information such as credit card numbers and bank account information etc.

Although it's unlikely, with this day and age you can never be too careful because it does happen. So decide for yourself based on the factors above, how secure you want to make your wireless network.

Again, feel free to ask any questions or engage in discussion about what I've presented.
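Added example, not part of the original posts: it ties together the advice in Step 2 (change the default SSID) and Step 5 (choose a strong WPA passphrase). WPA-Personal derives the 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so a factory-default network name weakens even a decent passphrase. The function names, the word list and the default-SSID list are constructed for this illustration.

```python
import hashlib

# Constructed sample lists (assumptions for this example, not from the thread):
# a stand-in for a real dictionary and for factory-default network names.
COMMON_WORDS = {"password", "letmein", "wireless", "internet", "qwerty"}
DEFAULT_SSIDS = {"linksys", "default", "belkin54g"}


def derive_psk(passphrase, ssid):
    """Return the 256-bit WPA pre-shared key for a passphrase/SSID pair.

    WPA-Personal runs PBKDF2-HMAC-SHA1 over the passphrase with the SSID
    as the salt, 4096 iterations, 32 bytes of output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit(passphrase, ssid):
    """Return a list of findings based on the advice given in the posts."""
    findings = []
    lowered = passphrase.lower()
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside 8..63")
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("contains a common word")
    if len(set(passphrase)) == 1:
        findings.append("single repeated character")
    steps = {ord(b) - ord(a) for a, b in zip(passphrase, passphrase[1:])}
    if steps in ({1}, {-1}):
        findings.append("simple ascending or descending sequence")
    if ssid.lower() in DEFAULT_SSIDS:
        # The SSID is the salt: a common network name means the same
        # passphrase yields the same key on every network using that name.
        findings.append("SSID looks like a factory default")
    return findings


if __name__ == "__main__":
    for phrase, name in [("password", "linksys"),
                         ("aaaaaaaaaaaa", "oak-street-4b"),
                         ("correct-Horse-7-battery-staple", "oak-street-4b")]:
        print(name, derive_psk(phrase, name).hex()[:16], audit(phrase, name))
```

Because the salt is the network name, the same passphrase produces a different key on a uniquely named network, which is the practical payoff of changing the default SSID before enabling WPA.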

max302
post 1 Sep, 2006 - 02:29 PM
Post #6




Great stuff, this tut roxors.

However, I disagree with what was said by that Leo guy on the podcast you recommended. I think that MAC filter is to a certain level effective, as it alone can very well discourage runescape playing noobs with laptops who are like "I'm a 1337 haxorizationator and I don't need no MAC adresse because I'm on PC" and that don't know shit about packetsniffing or networking in general, kind of person which is abundant in my neighborhood. I only have 128 bit WEP and even if some young'uns in my place are bright enough to install and run Aircrack, which I doubt, the MAC filter acts as back-up and should f them up properly.

MarkoDaGeek
post 1 Sep, 2006 - 06:21 PM
Post #7




I definitely agree, MAC address filtering will keep honest people honest, when combined with even basic WEP security it can be a powerful backup measure.

captainhampton
post 16 Jul, 2008 - 06:41 AM
Post #8




Awesome, terrific content.