Wireless Security

The numbers of wireless networks have increased dramatically in recent years, especially with falling prices in wireless enabled laptops and cheap wireless routers/access points. Wireless networks however are innately less secure then your typical wired counterparts since the transmission medium is shared and accessible by anyone within range. This requires a lot of extra security measures in order to prevent against active attacks such as unauthorized connections (someone connecting to your wireless router from across the street and using your internet account) and passive attacks such as sniffing (someone with a receiver monitoring your internet activity and discovering passwords, credit-card numbers, private details).

Insecure by Default: Unfortunately, most cheap wireless routers intended for home use come with all wireless security features disabled by default for ease of installation (take the router out of the box, plug in all the cables, turn your computer on and hey what do you know, it works!). While this may make life easier for some people (and helps marketing departments come up with cool “easy as 1, 2, 3″ slogans) it also leaves them completely vulnerable and exposed. Anyone within range with a wireless network card can effortlessly connect to their network unchallenged and unauthorized, use their internet connection (possibly for illegal activities or simply consuming download quota) and even access files/printers on the LAN.

Daunting Details: There’s a lot of information out on the internet describing how to secure a wireless network via things like static IP allocation, disabling SSID broadcast, MAC filtering, encryption, changing default subnets, etc. These may seem very daunting for a non-technical person who doesn’t even know what an IP is, let alone DHCP vs Static allocation or MAC addresses. Fortunately though, in my opinion, most of these measures create unnecessary administration complexity while providing little to no value in terms of actual security. You shouldn’t need a computer science degree to secure your network, and you certainly shouldn’t be spending one hour trying to add a new device to your network when a friend drops by during the weekend, etc!

Security Essentials: The following are essential in securing your wireless network:
  • Enable Encryption: This is by far the strongest security feature you can enable and is an absolute must! Use the strongest encryption supported by your router and operating system/NIC drivers. While WEP, especially 64bit (40bit key + 20bit clear IV) can be broken within hours (update: possibly faster now) given the right tools and under the right circumstances, WPA, WPA2 or higher are still very strong and unlikely to be broken by any war-driver or bored neighbor out for quick thrills. Pick a long encryption key that’s hard to guess and enter it in your router and on every device you want to connect with.
  • Change Default Router Password: The default passwords for most routers are extremely week (’default’, ”, ‘admin’, ‘password’, ‘netgear’). If someone manages to connect to your router’s web interface and login, they can change all your settings and lock you out of your own router leaving you with a nice $100 brick! Well…not really, you can usually reset-to-factory-defaults by pressing and holding the hidden little reset button for 5 to 20 seconds (check your manual), but you don’t want someone messing with your router in the fisrt place. Without the encryption key defined above though, the attacker is unable to connect to the router’s interface and login in the first place but s/he may get in through other means (e.g. if remote administration is enabled then they can log in via the internet from anywhere).
That’s it! That’s all you need to have a reasonably secure wireless home network. Takes less then 5 minutes, doesn’t require in-depth networking knowledge and won’t give you a migraine trying to troubleshoot conectivity issues later.

Non-Essentials: The following add little to no security and may be ignored without compromise:
  • Change Default SSID: I don’t believe this adds much to security but you may as well do it since it’s easy takes almost no time. A war-driver (someone driving around with a laptop scanning for insecure networks) is more likely to pay attention to a network called ‘Default’ or ‘NETGEAR’ then ‘rs29g7qLP’. This is not a security measure though
  • Disable SSID Broadcast: I recommend against this one. Disabling SSID may in fact hinder network performance while adding very little to security and increasing configuration difficulty for inexperienced users. The theory goes that by disabling SSID broadcast someone scanning for networks will be unable to detect yours and hence will be unable to attack it. This is a myth. The reality is that your network’s SSID is still easily detectable using more advanced scanning tools and by disabling it your network needs to compensate with additional management traffic. Read this for more info.
  • Enable MAC Filtering: MAC filtering allows you to set up a list of all MAC addresses you want to allow to connect. MAC addresses are very hard to guess so this seems like a strong security feature at first, but it’s not. An attacker may easily circumvent this scheme by sniffing your network and capturing just one packet with an ‘authorized’ MAC since the MAC is always sent in clear-text (802.11 frame header is not encrypted). Once a valid MAC is found (this may only take a few seconds) the attacker then forges the MAC of his own wireless card to the newly discovered valid MAC (again, this only takes seconds). MAC filtering thus offers very little in terms of security while adding considerably to administrative overheads. I definitely think people shouldn’t bother with this one. I don’t.
  • Change Subnet, Disable DHCP, etc: Some recommend taking all sorts of steps like changing the default IP of the router, changing the default subnet or IP range, disabling DHCP and using static IPs, etc. While all these steps may throw off a very inexperienced war-driver for a short while they do nothing for you against a skilled attacker. Security by obscurity is rarely a good idea. Also, unless you’re experienced at networking, willing to learn or have other reasons for making these changes, these steps are likely to give you nothing but headaches (manually assigning IPs, default gateways, DNS entries, etc).
Bang for Buck: The argument for enabling all of the above features, even though most provide very little to no security, is that the more layers an attacker has to break through the better. Technically this may be true, however I believe the added administrative complexity due to these extra steps is unjustifiable for most users when looking at the security benefits provided. Think about it this way - if an attacker has enough skill, patience and resources to spend hours/days cracking your WEP/WPA key, then what makes you think they’ll stop when it comes to breaking MAC filtering or SSID broadcasting (something that takes seconds)? As for the inexperienced war-driver, nosy neighbor or anybody else unable to break MAC/SSID will be just as unable to break WEP/WPA.

Enabling the strongest encryption scheme available and changing the default password on your router is all that’s required to secure your wireless network. All other features add very little to no security, add to administrative complexity and may even hinder network performance.


Popular posts from this blog

Wkhtmltopdf font and sizing issues

Import Google Contacts to Nokia PC Suite

Can't delete last blank page from Word