Yesterday, I did put the last touch to my home wireless network. Thanks to my D-LINK DI-624 and a G650 card, I have been enjoying a 108Mbps link. They do this through a proprietary extension called "Super G".
During the configuration of the network, the Wireless Zero Configuration Service scanned all available networks and I was surprised to see that among the 4 networks found (not including mine) only 2 were secured so maybe this is a good time to remember owners of wireless networks that a minimum of security should be setup. I am not a network security expert so take the following list as a starting point for further discussion: I'd be happy if you can suggest more best practices.
- Change the default password and IP address of the router. The bad guys know the defaults of every equipment so you will make it harder to access critical points (router, administration page...) by changing the defaults,
- Disable remote administration of the router (on the WAN side), especially over wireless links, if possible. This way, only somebody wired to the router from within your home network can administer the router,
- Enable MAC address filtering to allow only the computers you know and control to connect. It is trivial to find the MAC address of an active wireless card and many wireless cards allow you to change their MAC address but MAC address filtering puts a severe speed bump on the way of a potential attacker,
- Disable DHCP and assign static IP addresses. If someone manages to get in, it will be harder to get an IP, DNS servers...,
- Enable encryption. I suggest WAP-PSK (AES) if your hardware supports it. If not, perhaps WAP-PSK (TKIP). Ensure that you enter a string pass phrase (63 characters which do not contain words in English or any other language to slow down dictionary attacks). Use WEP with a 128bits key only if you cannot enable WPA. WEP should never be used with key < 128 bits. There are WEP keys generators on the web (https://www.wireless.org.au/~jhecker/wepgen/index.php for instance),
- Configure your wireless clients to connect only to Access Points, not to other wireless clients. Two wireless clients can communicate directly, bypassing the access point station,
- Configure your clients to not automatically connect to available networks,
- Disable SSID broadcast. While it is possible to discover SSIDs of networks when the Access Point does not broadcast it, disabling it will make you invisible to casual inspection in your neighborhood,
- Turn your router's firewall on if it provides one. Also, if your operating system provides a firewall,. you want to turn it on. Most OS vendors offer a firewall: Windows XP SP2, Mac OS X, Linux ...),
- Turn off DMZ on your router, if this is possible. DMZ (De Militarized Zone) allows you to run servers visible from the Internet),
- Turn off 802.1b compatibility if all your components run with "g",
- Drop ping packets coming from the WAN. Attackers will ping your system to analyze it,
- Disable SNMP if your wireless access point offers it. SNMP (Simple Network Management Protocol) has had several security issues in the past,
- Run NetStumbler against your own network to assess its security.
There should be no surprise with this list: everything is pretty standard. Most of these are designed to slow down a potential attack rather than preventing intrusion. However, with all these speed bumps in place, it is likely that attackers will shift their attentions to less protected networks. Can anyone think about something I missed?