Simple steps in creating a secure wireless network.

Simple steps in creating a secure wireless network.

Page 1 of 1

11 Replies - 29272 Views - Last Post: 30 October 2011 - 11:43 AM

#1 MarkoDaGeek  Icon User is offline

  • Dirty Technophile
  • member icon

Reputation: 11
  • View blog
  • Posts: 11,158
  • Joined: 13-October 01

Simple steps in creating a secure wireless network.

Post icon  Posted 08 August 2006 - 02:33 PM

MarkoDaGeek's Learning Experience, Simple steps in creating a secure wireless network.

I think we can all agree that network security is important, however it seems few agree on how much work should be put into securing your home or small office wireless network.

What many people don't know is that there are some very basic measures you can take that require very little time to create a wireless network secure enough for residential and small office use.

I rarely get to show off my specialty here on Dream in Code so in this Learning Experience I will show you how to easily add various layers of security to your wireless network.

The wireless router I will presenting examples from is a Belkin Wireless G Plus Router - Firmware 4.03.04 However most wireless routers use similar terminology so you will be able to perform many of the same tasks and find some useful information from this Learning Experience even if you don't use this Belkin router.

I'll break this Learning Experience down into the following two sessions -

+ Basic security measures and simple settings modifications. [Posted]
To visit Session 1 - http://forums.dreami...=...st&p=166070

+ Advanced settings modifications and encryption methods. [Posted]
To Visit Session 2 - http://forums.dreami...=...st&p=166070

Both sessions will be done in this thread since it's going to be a fairly short Learning Experience, it will be complete with screenshots and extra info on why the measures and such should be taken.

Check back to this thread for updates and feel free to make suggestions on what content I should include, ask any questions or engage in discussion about what I've presented.

Is This A Good Question/Topic? 0
  • +

Replies To: Simple steps in creating a secure wireless network.

#2 eLliDKraM  Icon User is offline

  • Pepè Le Pewn
  • member icon

Reputation: 6
  • View blog
  • Posts: 6,565
  • Joined: 13-August 05

Re: Simple steps in creating a secure wireless network.

Posted 08 August 2006 - 02:41 PM

Very cool, I'm looking forward to it.
Was This Post Helpful? 0
  • +
  • -

#3 Amadeus  Icon User is offline

  • g+ + -o drink whiskey.cpp
  • member icon

Reputation: 248
  • View blog
  • Posts: 13,507
  • Joined: 12-July 02

Re: Simple steps in creating a secure wireless network.

Posted 08 August 2006 - 05:28 PM

I'm going to link my brother in law to it - he used a belkin router and I've had to set up his network countless times! :) Good choice Marko.
Was This Post Helpful? 0
  • +
  • -

#4 MarkoDaGeek  Icon User is offline

  • Dirty Technophile
  • member icon

Reputation: 11
  • View blog
  • Posts: 11,158
  • Joined: 13-October 01

Re: Simple steps in creating a secure wireless network.

Posted 09 August 2006 - 11:18 AM

SESSION 1 - BASIC SECURITY MEASURES AND SIMPLE SETTINGS MODIFICATIONS.


Why should I have a secure wireless network?

The problem is wireless access points and routers use radio waves. By using such a universal technology it makes the devices open to deviants who try to access sensitive information or foil the operation of the network. Wireless routers arrive from the manufacturer as very insecure devices and don't require a lot of effort to "hack" or otherwise use maliciously. Even more alarming is that if you don't encrypt or protect the data that you send and receive, a person within range could use software called a "packet sniffer" to watch the websites you visit, the email you send and receive, or in some cases password and financial information that is sent to various websites.

But, isn't spread spectrum technology supposed to be secure out of the box?
Most of the 802.11 wireless LAN (WLAN) standards use spread spectrum, a modulation technique developed during World War II to keep the enemy from jamming radio communications. When WLANs first began to appear in the early 1990's, vendors touted the inherent security of WLANs because of the use of spread spectrum technology. Some WLAN hardware manufactures today still advertise the security that spread spectrum provides.

Spread spectrum in general is capable of changing the "spreading codes" in a secretive way, which makes it nearly impossible for someone to decipher the signal's intelligence unless they were to know the code. However the problem is that the 802.11 standard clearly describes the spreading codes publicly so that companies can design interoperable or compatable 802.11 components. As a result, a deviant only needs an 802.11 compliant wireless NIC as the basis for connectivity, which completely obliterates the security benefits of spread spectrum.


Here are a few Basic steps you can take to help minimize the threat, or to draw less attention to your wireless network. Keep in mind that the key words were to draw less attention to your network, the following measures in this session only provide minimal security.


Step 1 - Access Point Location
The problem is that there will always be a tradeoff between security and convenience. However a good idea is to position your wireless router in your home so that it is only strong enough to reach the wireless devices that you want to connect. If you put your wireless router in a place like say... a basement, it is less likely that your neighbor or someone trying to connect outside the home will be within range of the signal. Try doing some testing of distances and make sure to plan for future expansion when doing this.

Step 2 - Ditch The Defaults
An easy measure you can take to at least secure your router's configuration settings is to change the default administration password. Open your web browser and go to your router's administration console, with a Belkin router the default IP address to access this will be 192.168.2.1, with Cisco / Linksys it's 192.168.1.1. As shown in the screenshot below, click on 'System Settings' then type in the current password and the new one you wish to use, the current password with Belkin is blank, with Cisco / Linksys depending on your firmware will also be blank, or 'admin', you can refer to This Website or your router's user guide for the correct default password.

Posted Image

Another default setting you can get rid of is the Service Set Identifier or SSID, in the section below I will explain a more secure method of SSID security but you could do this as well. You can change your default SSID by clicking on 'Channel and SSID' as seen in the screenshot below. Choose a custom name that is somewhat original and won't draw attention to your network, again deviants often times are looking for an SSID that appears to be the default for the router.


Posted Image

SSIDs Are Useless
The 802.11 standard specifies the SSID as a form of password for a user's NIC to join a particular WLAN. 802.11 require that the user's NIC have the same SSID as the access point to enable communications. The SSID is the only "security" mechanism that the access point requires to enable association in the absence of activating optional security features.
However the use of SSIDs is a fairly weak form of security. Most access points broadcast the SSID multiple times within the body of each beacon frame. A deviant can easily use an 802.11 analysis tool (such as AirMagnet or Netstumbler) to identify the SSID. In addition, the Windows OS does a great job of "sniffing" the SSID in use by the network and automatically configures the NIC for connection.

Step 3 - Disable SSID Broadcast
When you disable the SSID broadcast, you have to manually type in the SSID on each machine that wishes to connect to the network. Disabling the default channel is another way to make your device more difficult to find for someone attempting to use it maliciously. These are very easy settings to modify and should be done at a bare minimum to secure your wireless network.
With the Belkin router you can disable the SSID broadcast and change the default channel in the same page as changing the SSID itself. Refer to the above screenshot for an example.

DHCP Isn't Good For Security
Even if an intruder is capable of associating with an access point by using the correct SSID, they must often have an applicable IP address before they can directly access resources on the network. Many WLANs use Dynamic Host Configuration Protocol (DHCP) to automatically assign IP addresses to users as they become active. With DHCP enabled, a deviant receives an applicable IP address just as other legitimate users do.

Step 4 - Switch to Static IP Addresses
This is another situation where it's a tradeoff between security and convenience. Obviously it's going to be more convenient to have the router automatically assign each client an IP address rather then giving each computer it's own manually, but if you want to be truly secure this is another measure you can take.
It's relatively easy to disable DHCP on the Belkin router, just click on 'LAN Settings' and select to have the DHCP turned off as shown in the screenshot below.


Posted Image

I guess you could consider this last step to be a borderline advanced setting, in my next session I will get into more advanced settings and setting up various levels of encryption on the network. If you want to run a wireless network without encryption the above methods along with a couple I'll mention in the next session will be about as secure as you can get.


Check back for session 2 'Advanced settings modifications and encryption methods.' As it will be posted in the next couple days, And again feel free to make suggestions on what content I should include, ask any questions or engage in discussion about what I've presented.
Was This Post Helpful? 0
  • +
  • -

#5 MarkoDaGeek  Icon User is offline

  • Dirty Technophile
  • member icon

Reputation: 11
  • View blog
  • Posts: 11,158
  • Joined: 13-October 01

Re: Simple steps in creating a secure wireless network.

Posted 15 August 2006 - 08:55 PM

SESSION 2 - ADVANCED SETTINGS MODIFICATIONS AND ENCRYPTION METHODS

Continuing where I left off last, I'll jump into the other available wireless security methods, which should and maybe should not be used and why.

Why MAC Address Filtering Doesn't Work Well.
Most modern wireless routers have a feature called 'MAC Address Filtering'. MAC (Short for Media Access Control) Address Filtering enables the user to get the MAC address of all the various wireless devices that they want to allow to connect to their access point. If this filtering is turned on, only clients with that MAC address, in theory, will be able to log into the access point.

The problem with MAC Address Filtering is that at the front of every packet that's sent, the packet announces what MAC address it's coming from and where it going. Any deviant with simple packet sniffing software could easily come across a few MAC addresses that are permitted within the router. Once that information is discovered the MAC address can easily be spoofed.

How easy? Some WLAN hardware manufactures actually enable the user to specify a custom MAC address to use on their network with included software. Additionally, there isn't anything to prevent duplicate MAC addresses to be used on a network, so an active MAC address could easily be used while the same MAC address is being used by it's original owner.

MAC Address Filtering could be enabled as a low level security measure, mainly to prevent a casual user from mistakenly using your access point. However if a deviant wants to use the network bad enough. It could easily be overcome.

Step 5 - Encryption, Real security.

On a modern 802.11 WLAN you get a couple options when it comes to encryption, WEP and WPA.

WEP Is Muh.
Wired Equivalent Privacy (WEP) uses a simple algorithm to encrypt the body of each frame. WEP encryption was supposed to keep deviants from accessing information on your network. However with modern decryption methods and software the WEP technology has been made obsolete.

Rather then getting too technical this time, Think of WEP encryption as closing the door to your home, but not locking it. Sure it looks secure, but the door can be opened. Certain doors may be more likely then others to be opened, just as more effort may be put into cracking into some networks over others.

My personal belief is that WEP is better then having no encryption, it's not making the user completely safe but your not wide open either. WEP Encryption used with some of the other security measures I've mentioned would make a network fairly secure, but not bulletproof.

Want the technical version on learn how WEP can be cracked? I suggest listening to This Episode of Security Now! A Podcast that features security expert Steve Gibson and technology evangelist Leo Leporte. They go over a lot of the points I'm mentioning in this Learning Experience and go more in depth on this issue.

WPA Is Better.
WiFi Protected Access (WPA) is the newer security standard adopted by the WiFi Alliance consortium. WPA delivers a level of security way beyond anything that WEP can offer; it bridges the gap between WEP and 802.11i networks, and has the advantage that the firmware in older equipment may be upgradeable.

WPA uses Temporal Key Integrity Protocol (TKIP). This technology dynamically generates a new key for every packet of data the network sends, and generates different sets of keys for each client, unlike WEP encryption which uses a single static key for everything. TKIP is designed to allow WEP to be upgraded. This means that all the main building blocks of WEP are present, but measures have been added to address security problems with the original WEP technology.

In order to use WPA encryption, your hardware must support it. Most wireless hardware manufacturers include WPA capability into all of the new routers and adapters, and some have made WPA updates available for older equipment. Make sure you check your documentation to ensure your equipment is compatible before proceeding.

To enable WPA or WEP encryption on the Belkin router click on 'Security' on the left, then as seen in the below screenshots you will want to select which encryption method you wish to use. The WEP options will look something like -

Posted Image

And WPA will look more like -

Posted Image

Your passphrase can contain up to 63 characters. When choosing a passphrase or key try not to use any common words or phrases, or simple character sequences (such as repeating a single number or letter). For extra security, you many want to change the passphrase or key periodically especially when using WEP encryption.

The Bottom Line
Well there you have it, in reality as you can see there is no 'one size fits all' for wireless network security in the home or small office. Most people will find that this takes too much time and energy when they can just bring their new router home and it "just works."

Nevertheless, it is important that you understand the security risks by operating an unencrypted network. With various software and very little know-how a deviant within range of an in-secure network can see everything; your email, Instant Messages, the websites you visit, information that's submitted, in some cases financial information such as credit card numbers and bank account information etc.

Although it's unlikely, with this day and age you can never be too careful because it does happen. So decide for yourself based on the factors above, how secure you want to make your wireless network.

Again, feel free to ask any questions or engage in discussion about what I've presented.
Was This Post Helpful? 0
  • +
  • -

#6 max302  Icon User is offline

  • Proud supporter of the lulz
  • member icon

Reputation: 2
  • View blog
  • Posts: 1,281
  • Joined: 05-March 06

Re: Simple steps in creating a secure wireless network.

Posted 01 September 2006 - 02:29 PM

Great stuff, this tut roxors.

However, I disagree with what was said by that Leo guy on the podcast you reccomended. I think that MAC filter is to a certain level effective, as it alone can very well discourage runescape playing noobs with laptops who are like "I'm a 1337 haxorizationator and I don't need no MAC adresse because I'm on PC" and that don't know shit about packetsniffing or networking in general, kind of person which is abundant in my neighborhood. I only have 128 bit WEP and even if some young'uns in my place are bright enough to install and run Aircrack, which I doubt, the MAC filter acts as back-up and should f them up properly.
Was This Post Helpful? 0
  • +
  • -

#7 MarkoDaGeek  Icon User is offline

  • Dirty Technophile
  • member icon

Reputation: 11
  • View blog
  • Posts: 11,158
  • Joined: 13-October 01

Re: Simple steps in creating a secure wireless network.

Posted 01 September 2006 - 06:21 PM

I defiantly agree, MAC address filtering will keep honest people honest, when combined with even basic WEP security it can be a powerful backup measure.
Was This Post Helpful? 0
  • +
  • -

#8 captainhampton  Icon User is offline

  • Jawsome++;
  • member icon

Reputation: 13
  • View blog
  • Posts: 548
  • Joined: 17-October 07

Re: Simple steps in creating a secure wireless network.

Posted 16 July 2008 - 06:41 AM

Awesome, terrific content.
Was This Post Helpful? 0
  • +
  • -

#9 nutcracker53  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 2
  • Joined: 14-January 10

Re: Simple steps in creating a secure wireless network.

Posted 15 January 2010 - 01:49 AM

View Postcaptainhampton, on 16 Jul, 2008 - 05:41 AM, said:

Awesome, terrific content.


You can also disable your wireless device from responding to ping request.
Other devices also have a feature to Prevent DoS attacks.
Was This Post Helpful? 0
  • +
  • -

#10 tuck  Icon User is offline

  • New D.I.C Head

Reputation: 2
  • View blog
  • Posts: 16
  • Joined: 11-January 10

Re: Simple steps in creating a secure wireless network.

Posted 29 January 2010 - 10:28 PM

Well done MarkoDaGeek!

I would add that you should use WPA2 if your router has the capability with TKIP+AES algorithms. Then create an ungodly long key with uppercase, lowercase and numeric characters. Mine is currently 25+ characters long. If your router does not have WPA2, at least use 128 bit encryption.

I run a older, not ancient but not the newest either, Linksys router, WRT54G. I use WPA2, with TKIP+AES, an ungodly long shared key, MAC address filter (permit only on list) and I do not broadcast my SSID.

tuck

This post has been edited by tuck: 29 January 2010 - 10:31 PM

Was This Post Helpful? 0
  • +
  • -

#11 data recovery  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 1
  • Joined: 11-July 10

Re: Simple steps in creating a secure wireless network.

Posted 11 July 2010 - 10:46 PM

The wireless network has made it so easy for you to use the computer, portable media player, mobile phones, video game consoles and other wireless devices anywhere in the house without the clutter of cables. Now it is not very hard to make wireless network secure which will both prevent others from stealing internet and will also prevent hackers from taking control of computers through own wireless network. Thanks for providing these steps for wireless network security.
Regards
data recovery software
http://www.datadoctor.biz
Was This Post Helpful? 0
  • +
  • -

#12 RexGrammer  Icon User is offline

  • Coding Dynamo
  • member icon

Reputation: 182
  • View blog
  • Posts: 783
  • Joined: 27-October 11

Re: Simple steps in creating a secure wireless network.

Posted 30 October 2011 - 11:43 AM

In my experience the ONLY way to provide some protection is to use WPA2/AES protection/encription.
Hidden SSIDs are useless. To reveal the ssid all that is needed is for someone to connect to that network while the hacker is sniffing that network.
Mac Filtering originated from the world of LAN where MAC address are private. In WLAN they are public and can be easily spoofed (that is anyone can take any address that he likes).
The only perk of WPA over WEP is that someone needs to be connected to the WPA network for the password to be cracked while someone could hack WEP even if there aren't connected users it can be hacked.

Note: This is a quick primer in WLAN security. Skip this if you want (It's a little boring)
WLAN consists of sending data back and forth between the client and the network host (mostly the router is connected to the network host).
The data is grouped into packets.
There are 3 types of packets. These are: management, control and data.
All of these have subtypes. The important ones are: beacon frames (management), association request(management), association response(management), authentication request(management), authentication response(management).

Hackers usually steal this packets and from them they extract the password.
So important pointers:
1. To connect to a network you must know it's SSID. By sending the packet into the air you search for that network. The network that responds to you has the SSID sent by you (in the packed). So there goes the "protection" that hidden SSIDs offer.
2. You can have any MAC Address you want so MAC address filtering falls off.
3. WEP can be hacked at any time.
4. Only WPA offers some protection in the sense that someone has to be connected for it to be hacked.
5. WPA can be hacked only by using a wordlist.

Hope you weren't too much bored by this.

Use WPA and try to make the password a word that can't be in any wordlist. Something personal or so.

Sorry for the double post. I need to mention that this is all for the 802.11 standards.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1