Jim’s Guide to Wireless Security

My Dad has a saying about padlocks: “they only keep the honest people out“. His point, of course, is that honest people will see a padlock and keep walking, while a hardcore thief will simply smash the hasp, take the hinges off the door, or shatter a window to break into your house and steal your stuff. I’m sometimes asked what the best way is to secure a wireless network, and when I think about the subject I often think of Dad’s wisdom. Most of the “security measures” in wireless networking only keep the honest people out. Dedicated hackers can find a way to hack in to your network if they choose. So here’s my complete guide to securing a wireless network:

Pick WPA security, and choose a very complex password for it.

Yep, that’s it. My entire guide to wireless security. But since you might ask about some of the other security features available on wireless routers, here’s a point-by-point rebuttal on each one:

Disabling the SSID: Every wireless router has the ability to broadcast its name, or SSID (Service Set IDentifier). Disabling SSID broadcasting means that your wireless network won’t appear in the list of “Available Wireless Networks” on any nearby computer. Theoretically, this makes your network more secure. Since your neighbors won’t be able to see your network, how could they connect to it? Unfortunately, disabling the SSID does nothing to hide your wireless network from hackers using programs that scan the airwaves for wireless networks. In fact, it makes it look like you’ve got something to hide, much like putting an expensive purchase in the back of a hatchback and covering it with a blanket does. Additionally, disabling SSID broadcasting makes it harder to troubleshoot connection problems, and also makes it difficult for your guests to connect to your wireless network. Using WPA with a complex password means your neighbors can see your network, but they can’t access it. And hackers will find your network one way or the other, so let them find yours easily, try to hack it and fail, and move on to the next network.

Changing the SSID: This is actually a good one to do. Most wireless routers have their manufacturer’s name as the SSID by default. If you’ve ever used a wireless network, you’ve almost certainly seen a wireless network called “linksys” at some point or the other. Changing the SSID to something nondescript tells hackers that you’ve at least thought about security enough to do this step. Much like how the automobile security device The Club worked simply by making car thieves move on to another car, changing your SSID just might be enough to make hackers move on to the “linksys” networks.

Enabling MAC filtering: Every networked device – wireless or not – has a unique serial number called a Media Access Control (MAC) address. Most wireless routers have a feature that allows you to enter the MAC addresses of every device you want to connect to the wireless network. So, in theory, only devices that you explicitly approve can connect to your wireless network. The reality is that any hacker that scans your network can find the MAC address of one (or all) of your devices. He or she can then “spoof” the MAC address on their own computer and get full access to your network. Filtering MAC addresses also means that you’ll have to obtain the 12-digit MAC address from any guest that wants to use your network, then enter it into your router’s configuration page. Which is no fun, especially when there’s almost zero payoff from this “security measure” in the first place. Seriously folks – MAC sniffing and spoofing is so easy to do that it’s almost laughable.

WEP is better than nothing: The first encryption protocol developed for wireless networks was WEP. WEP was amazingly easy to crack, and soon “point-and-click” tools were developed that allowed a even a neophyte hacker to break in to WEP-protected networks. A new protocol, WAP, was quickly rushed through, and this one has proven to be a bit more robust. Although it’s true that WEP is better than nothing, it’s still not much compared to WAP. If you have some need to use WEP instead of WAP, go ahead and use that… but know that you’re not much more secure than you would be if you just left your network open to the whole world.

Disabling DHCP: Most home routers have the ability to issue local IP addresses for both wired and wireless computers on their networks. If you have your router set up this way, you will have set up a range of addresses (such as 192.168.1.20 – 192.168.1.100) that the router will give out to any device that connects to your network. By disabling DHCP and using static IP addresses, you can (theoretically) keep snoopers out be denying them an IP address. Yet again, the hackers can easily defeat this. Packet sniffing software will reveal the local IP address(es) of any computers on your network. Within seconds, a hacker would know that the IP address of your wireless laptop is 192.168.1.22 – and he or she can set up their own computer with a static IP address of 192.168.1.23… and all that security has gone out the window!

Disable Remote Administration: Many routers have an option to allow people on the Internet side of the network to make changes to the router’s configuration. A company with several remote offices, for example, may want to enable this so that an IT guy can administer the routers from a central location. If you’re never going to use this feature, it’s a good idea to disable it (it is disabled by default in every router that I’ve ever seen). But the thing is, while this is a good thing to do, it applies to wired routers (and other devices) as much as it does wireless routers.

Ignore All Of The Above Advice If You Are A Business: Lots of businesses may be subject to “compliance laws”, such as HIPPAA, which require that client information be kept secure. If you own a business, don’t go through and change your wireless security settings to match what I’ve said in this guide without first talking about it with a lawyer or at least an IT person that is knowledgeable in the area of security compliance. If someone were to steal confidential data, not only might your company be hurt financially, they might also be subject to lawsuits and fines over lack of compliance!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.