Wireless Networking and Security

Yesterday, I put the finishing touches on my home wireless network. Thanks to my D-LINK DI-624 and a G650 card, I have been enjoying a 108Mbps link. They do this through a proprietary extension called "Super G".

During the configuration of the network, the Wireless Zero Configuration Service scanned all available networks, and I was surprised to see that among the 4 networks found (not including mine) only 2 were secured. So maybe this is a good time to remind owners of wireless networks that a minimum of security should be set up. I am not a network security expert, so take the following list as a starting point for further discussion: I'd be happy if you can suggest more best practices.

  • Change the default password and IP address of the router. The bad guys know the defaults of every piece of equipment, so you will make it harder to access critical points (router, administration page...) by changing the defaults,

  • Disable remote administration of the router (on the WAN side), especially over wireless links, if possible. This way, only somebody wired to the router from within your home network can administer the router,

  • Enable MAC address filtering to allow only the computers you know and control to connect. It is trivial to find the MAC address of an active wireless card and many wireless cards allow you to change their MAC address, but MAC address filtering puts a severe speed bump in the way of a potential attacker,

  • Disable DHCP and assign static IP addresses. If someone manages to get in, it will be harder to get an IP, DNS servers...,

  • Enable encryption. I suggest WPA-PSK (AES) if your hardware supports it. If not, perhaps WPA-PSK (TKIP). Ensure that you enter a strong passphrase (63 characters which do not contain words in English or any other language, to slow down dictionary attacks). Use WEP with a 128-bit key only if you cannot enable WPA. WEP should never be used with a key shorter than 128 bits. There are WEP key generators on the web (https://www.wireless.org.au/~jhecker/wepgen/index.php for instance),

  • Configure your wireless clients to connect only to Access Points, not to other wireless clients. Two wireless clients can communicate directly, bypassing the access point station,

  • Configure your clients to not automatically connect to available networks,

  • Disable SSID broadcast. While it is possible to discover SSIDs of networks when the Access Point does not broadcast it, disabling it will make you invisible to casual inspection in your neighborhood,

  • Turn your router's firewall on if it provides one. Also, if your operating system provides a firewall, you want to turn it on. Most OS vendors offer a firewall (Windows XP SP2, Mac OS X, Linux ...),

  • Turn off DMZ on your router, if this is possible. DMZ (Demilitarized Zone) allows you to run servers visible from the Internet,

  • Turn off 802.11b compatibility if all your components run with "g",

  • Drop ping packets coming from the WAN. Attackers will ping your system to analyze it,

  • Disable SNMP if your wireless access point offers it. SNMP (Simple Network Management Protocol) has had several security issues in the past,

  • Run NetStumbler against your own network to assess its security.
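
For the encryption item in the list above, an added example in Python (not part of the original post): it generates a 63-character random passphrase, checks a candidate against the WPA-PSK length and character rules plus a small constructed wordlist, and shows the PBKDF2 derivation that makes the passphrase the target of a dictionary attack. The function names, the wordlist and the choice to leave out the space character are assumptions made for this example.

```python
import hashlib
import secrets
import string

# Printable ASCII without the space character (assumption: avoids trimming issues).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed sample wordlist; a real check would load a full dictionary file.
SAMPLE_WORDS = ("password", "wireless", "router", "dlink", "home", "admin")


def check_passphrase(passphrase, words=SAMPLE_WORDS):
    """Return a list of problems; an empty list means none were found."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    lowered = passphrase.lower()
    hits = [w for w in words if w in lowered]
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems


def generate_passphrase(length=63):
    """Draw characters from the OS CSPRNG until the result passes the check."""
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters long")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


def derive_psk(passphrase, ssid):
    """WPA-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.

    The SSID is the only salt, so a guessable passphrase on a known SSID
    can be tested offline; length and randomness are the real defence.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_wep128_key():
    """26 hex digits: the 104 secret bits of a so-called 128-bit WEP key."""
    return secrets.token_hex(13)


if __name__ == "__main__":
    print(generate_passphrase())
```
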

There should be no surprise with this list: everything is pretty standard. Most of these are designed to slow down a potential attack rather than prevent intrusion. However, with all these speed bumps in place, it is likely that attackers will shift their attention to less protected networks. Can anyone think of something I missed?

Comments (6)

  1. The static IP address thing goes two ways. You give yourself a static IP so if somebody wanted to attack your system, it is vastly easier if they know your IP than if they don’t.

    As for the ping disablement, it is reasonable if you aren’t a server of anything, but there have been many times when I wanted to know if it was the actual server down or DNS that was down and ping responses were disabled, which makes this hard.

  2. Gilles says:

    Brant: If you are running a server, it should be on the DMZ anyway, not on the private network. So you can configure the firewall to get pings from WAN accepted for the DMZ and dropped elsewhere.

  3. William Luu says:

    Yeah the 108 Wireless Routers are good. I have the Netgear WGT624.

    I set mine to only accept wireless connections at ‘Super G’ speed, because I’ve only got 108 devices.

    One day I was driving home (well, ok, I wasn’t the driver on this occasion) and left my laptop on with NetStumbler running and it had found about 6 or 7 insecure networks [out of 14].

    Great post!
