Wireless networks are less secure than
wired ones because the wireless connection that enables you to access
the network from afar can also enable an intruder from outside your
home or office to access the network. In particular, wardriving
is an activity in which a person drives through various neighborhoods
with a portable computer or another device set up to look for available
wireless networks. If the person finds a nonsecured network, he uses it
for free Internet access or to cause mischief with shared network
resources.
Note
If you don’t believe that your wireless signals
extend beyond your home or office, you can prove it to yourself. Unplug
any wireless-enabled notebook and take it outside for a walk in the
vicinity of your house. View the available wireless networks as you go,
and you’ll probably find that you can travel a fair distance (several
houses, at least) away from your wireless access point and still see
your network.
Here are a few tips and techniques you can easily implement to enhance the security of your wireless network:
Enable encryption—
First and foremost, enable encryption for wireless data so that an
outside user who picks up your network packets can’t decipher them. Be
sure to use the strongest encryption that your equipment supports. For
most home routers, this is Wi-Fi Protected Access (WPA), particularly WPA2, which is more secure than regular WPA.
Note
If you change your access point encryption method as
described in the previous tip, you also need to update each wireless
client to use the same form of encryption. In the Network Connections
window, right-click your wireless network connection, and then click
Properties. Display the Wireless Networks tab, click your network in
the list, and then click Properties. Change the following three
settings, and then click OK:
Network Authentication— Select WPA-PSK.
Data Encryption— Select TKIP.
Network Key— Type your shared key here and in the Confirm Network Key text box.
Disable network broadcasting—
Windows sees your wireless network because the access point broadcasts
the network’s security set identifier (SSID). However, Windows
remembers the wireless networks that you have successfully connected
to. Therefore, after all your computers have accessed the wireless
network at least once, you no longer need to broadcast the network’s
SSID. Therefore, you should use your AP setup program to disable
broadcasting and prevent others from seeing your network.
Caution
You disable SSID broadcasting by accessing the wireless access point’s
configuration page and deactivating the broadcast setting. (Exactly how
you do that varies depending on the manufacturer; see your
documentation or just poke around in the settings page.) However, when
previously authorized devices attempt to connect to a nonbroadcasting
network, they include the network’s SSID as part of the probe requests
they send out to see whether the network is within range. The SSID is
sent in unencrypted text, so it would be easy for a snoop with the
right software (easily obtained from the Internet) to learn the SSID.
If you disable SSID broadcasting to try to hide a network that is
unsecured or uses an easily breakable encryption protocol, such as Wired
Equivalent Privacy (WEP), hiding the SSID in this way actually makes
the network less secure.
Change the default SSID—
Even if you disable broadcasting of your network’s SSID, users can
still attempt to connect to your network by guessing the SSID. All
wireless access points come with a predefined name, such as linksys or default,
and a would-be intruder will attempt these standard names first.
Therefore, you can increase the security of your network by changing
the SSID to a new name that is difficult to guess.
Change the access point username and password—
Any person within range of your wireless access point can open the device’s setup page by entering http://192.168.1.1 or http://192.168.0.1 into a web browser. The person must log on with a username and password, but the default logon values (usually admin)
are common knowledge among wardrivers. To prevent access to the setup
program, be sure to change the access point’s default username and
password.
Consider static IP addresses—
Dynamic Host Configuration Protocol (DHCP) makes it easy to manage IP addresses, but it also gives an IP address to anyone
who accesses the network. To prevent this, turn off DHCP in the access
point and assign static IP addresses to each of your computers.
Enable MAC (Media Access Control) address filtering—
The MAC address
is the physical address of a network adapter. This is unique to each
adapter, so you can enhance security by setting up your access point to
allow connections from only specified MAC addresses. (Unfortunately,
MAC address filtering isn’t a particularly robust form of security. The
problem is that wireless network packets use a nonencrypted header that
includes the MAC address of the device sending the packet! So any
reasonably sophisticated cracker can sniff your network packets,
determine the MAC address of one of your wireless devices, and then use
special software to spoof that address so that the AP thinks the
hacker’s packets are coming from an authorized device.)
Note
To find out the MAC address of your wireless network adapter, open a Command Prompt session and enter the following command:
Find the data for the wireless adapter and look for the Physical Address value. (Alternatively, right-click the wireless connection, click Status, display the Support tab, and click Details.)
Avoid windows—
When positioning your access point within your home or office, don’t
place it near a window, if possible; otherwise, the access point sends
a strong signal out of the building. Try to position the access point
close to the center of your house or building.
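The cautions above about hidden SSIDs and MAC address filtering both come down to what a wireless frame carries in the clear. The following is an added example, not part of the original article: it parses a constructed 802.11 probe request and returns the sender's MAC address and the SSID exactly as they appear in the unencrypted frame. The frame bytes, MAC address and SSID are made-up sample values.

```python
# Added example: sample frame, MAC address and SSID below are constructed values.

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Build a minimal 802.11 probe request like the one a client sends
    when it looks for a remembered, nonbroadcasting network."""
    frame_control = b"\x40\x00"            # management frame, subtype 4 = probe request
    broadcast = b"\xff" * 6
    header = (frame_control + b"\x00\x00"  # duration
              + broadcast                  # addr1: destination
              + src_mac                    # addr2: sender's MAC address
              + broadcast                  # addr3: BSSID (wildcard)
              + b"\x00\x00")               # sequence control
    name = ssid.encode("utf-8")
    ssid_element = bytes([0, len(name)]) + name            # element ID 0 = SSID
    rates_element = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # element ID 1 = supported rates
    return header + ssid_element + rates_element


def parse_probe_request(frame: bytes) -> dict:
    """Return the cleartext sender MAC and SSID carried in a probe request."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (frame_type, subtype) != (0, 4):
        raise ValueError("not a probe request")
    result = {"source_mac": ":".join(f"{b:02x}" for b in frame[10:16]), "ssid": None}
    offset = 24                              # tagged elements follow the header
    while offset + 2 <= len(frame):
        element_id, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if element_id == 0:
            result["ssid"] = value.decode("utf-8", errors="replace")
        offset += 2 + length
    return result


if __name__ == "__main__":
    sample = build_probe_request(bytes.fromhex("020000aabbcc"), "attic-lan")
    print(parse_probe_request(sample))
```

Neither field is protected by the network's encryption setting, which is why a strong encryption key, rather than SSID hiding or MAC filtering, is the control to rely on.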