Securing Wireless Networks

By | 2008-07-20

Wireless networking has experienced a huge increase in popularity over the last couple of years. The necessary hardware is widely available to consumers, it is very affordable, and relatively easy to install and configure. Gateway devices, commonly called “routers” or “firewalls” by consumers, that allow users to share a broadband connection with and protect multiple computers on a home network have been around for a while. The addition of wireless capabilities to these gateway devices gives the user the convenience of taking a computer anywhere in the house without having to worry about running wires through walls, crawl spaces, and attics to connect computers in various parts of the house. Industrial-strength high-performance versions have been around even longer in company environments, allowing employees to roam between offices, cubes, and conference rooms with laptops without ever losing connectivity.

It is a great technology that offers many benefits. As the saying goes, however, with privilege comes responsibility, a responsibility that is unfortunately much too often ignored by the person implementing it. A wireless network needs to be properly secured because, left wide open and exposed, it poses a number of extremely serious risks and dangers that many users are unaware of.

Why secure a wireless network?

If you are thinking right now that you have nothing important on your network and that you have no need to secure your wireless network, I guarantee you that you will reconsider your opinion after reading the next few paragraphs. Consider the following dangers of having an unsecured wireless network.

Bandwidth Parasite

In a “best” case scenario, all the intruder does is use the victim's broadband connection to get online without paying. Maybe just to surf the web, maybe to download pirated music or software. This does not cause any direct harm to the compromised network, but it can slow down Internet or network access for the victim, the legitimate user of the network, if an intruder leeches off his bandwidth. This could mean substantial additional ISP cost for the victim if the ISP meters used bandwidth and charges for actual usage.

Masking criminal activity

An unauthorized user could abuse the victim's connection for malicious purposes like hacking, launching a DoS attack, or distributing illegal material. Since the intruder is a part of the private network and sits behind its gateway device, any traffic between him and the Internet will appear to be coming from the public IP address the ISP assigned to the victim. The ISP has no idea how many computers are behind the gateway, who they belong to, and what they are used for. If the criminal activity is discovered and investigated, the origin of the attack will be traced back to the victim's broadband account. It is a pretty safe bet that nobody wants to be accused of and go to jail for distributing child pornography or hacking into restricted company or government networks (just to mention a few examples) if the crime was in reality committed by a cracker from behind an innocent victim's network. Reviewing an ISP's Terms of Service usually reveals a clause that not only allows the ISP to reveal customer information to the authorities to assist with legitimate criminal investigations, but also holds the customer responsible for any activities the connection is (ab)used for.

Free access to private data

A wireless network is also a direct backdoor into the victim's private network – literally. Instead of intruding from the public side of the gateway device, the intruder connects directly to the network on the private side of the gateway device, completely bypassing any hardware firewall between the private network and the broadband modem. Most people assume that since they are behind a gateway device with a built-in firewall their private network is safe, hence letting down their guard, sharing drives, and being generally careless. The intruder can completely take advantage of this by snooping around undisturbed and getting access to confidential data. This could be in the form of personal information such as financial data, tax records, wills, and more that can be abused for identity theft for example, or in the form of work-related information such as confidential specs, development information, trade secrets, and more that the victim has brought home from the office. By employing a sniffer an intruder can even sniff email or FTP user names and passwords because they are usually transmitted in cleartext, and use that information to gain unauthorized access to email accounts or web servers without the victim's knowledge.

Backdoor into corporate networks

In addition, a wireless network could also be an indirect backdoor into a corporate network. An intruder can specifically target an employee of a company whose confidential information is valuable to him for monetary or competitive reasons. If that employee establishes a VPN connection either permanently from his gateway or from a machine behind his gateway to the company network, the intruder can then piggyback on the VPN tunnel and gain unauthorized access to company resources, a serious security breach and every network administrator's nightmare.

By now the danger should be pretty clear: Unsecured wireless networks are unacceptable due to the extremely high risks involved. Yet there are countless unsecured wireless networks out there. A train ride through the Silicon Valley East Bay area revealed about 60 wireless networks, 40 of them wide open and insecure. A drive around a residential neighborhood covering just a few blocks revealed over 30 wireless networks, 20 of them wide open and insecure.

What is even scarier is that it does not take any skill to discover and gain unauthorized access to wireless networks. One does not have to be a programmer, Linux expert, or network specialist. All it takes is a laptop with a wireless network card, and some software (also available for Windows) that can be easily downloaded for free from the Internet. Armed with these basic tools anybody can drive around, detect open wireless networks, and connect to them. With a Linux machine, additional software, some advanced knowledge, and some time and patience it is even possible to break into wireless networks that use encryption.

Now that it is obvious why a wireless network has to be secured, it is time to find out how.

The following steps will only take a few minutes each, but will make a big difference. The results will fend off all but the most determined and skillful crackers.

Change the default password

Almost all wireless devices can be managed via a web interface that can be accessed by simply typing its IP address in a browser's address field. While the admin interface is password protected, the default password set by the manufacturer is always the same. Any wireless network sniffer program will easily discover the manufacturer of the wireless device because it willingly broadcasts that information. Anybody can download the manual from the manufacturer's website, and get the default password to that manufacturer's devices in seconds. As a result, an intruder can type in the default IP address of the wireless gateway to get to the admin interface, and try the default password to log in and access the device settings. Knowing the manufacturer of the device gives the intruder the additional benefit of being able to employ cracks or exploit vulnerabilities specific to that manufacturer.

Disable SSID Broadcast

The SSID is the name of the wireless network. In order to connect to a wireless network, its name needs to be known. By default, wireless gateways happily broadcast the SSID to be picked up by any wireless network device for easy configuration. Hiding the SSID by disabling SSID broadcast will make it much harder for an intruder because he will have to start guessing. It has to be mentioned that while most wireless gateway devices offer the option to disable SSID broadcast, some devices require a firmware upgrade, and some devices do not offer that option at all.

Change the SSID

Disabling SSID broadcast doesn't help much if the SSID remains the manufacturer's default, which is just as easily found in the manual as the default admin password. The SSID should be changed to a custom phrase that is difficult to guess. The use of non-dictionary words as well as numbers and special characters for the new SSID is encouraged.

Enable encryption

Wireless devices support the wireless encryption protocol (WEP) with either 64-bit or 128-bit encryption. 64-bit encryption has been proven to be very weak and easily broken; 128-bit encryption is recommended because it is a lot more difficult to break (though far from impossible). Some devices might require a firmware upgrade to support 128-bit encryption. Encryption works by entering the encryption key on the wireless gateway as well as on the PC with the wireless card. All transmitted data is encrypted for the transfer between the two devices. If the encryption key does not match, the wireless gateway will not communicate. Enabling encryption will usually discourage the casual lazy cracker and send him off to find an easier target.

Disable DHCP

Most gateway devices by default have DHCP enabled. This means that any new host on a network that makes its presence known and broadcasts a request for an IP address and TCP/IP configuration information will be automatically provided this information without questioning. This is very convenient for the legitimate user because it means real plug-and-play (minus the “plug” part since it's wireless). However, it also makes it very easy for the intruder to connect to a wireless network. Once he simply sets his laptop to use DHCP, it will immediately receive all the TCP/IP configuration information he needs to connect to the network.

While it is an inconvenience and requires more maintenance from the legitimate user, disabling DHCP and manually assigning static IP addresses creates another hurdle for the intruder. It requires him to manually configure his laptop with what he thinks are the correct TCP/IP properties to be able to connect to the network.

Change the default subnet

Disabling DHCP doesn't help much if the subnet remains the manufacturer's default, which is just as easily found in the manual as the default admin password or SSID. Most devices use the common default subnet of 192.168.0.0 with a subnet mask of 255.255.255.0. The subnet should be changed to another private subnet. There are a number of non-routable IP address ranges that are reserved exclusively for use on private networks. These ranges are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255 – plenty to choose from. This will prevent the intruder from assigning himself a static IP address and TCP/IP configuration information based on the manufacturer's default subnet.
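The following Python sketch is an added example, not part of the original article. It checks a proposed LAN subnet against the private ranges and the manufacturer default named above, and validates a plan of manually assigned static addresses as described under "Disable DHCP"; the host names and addresses are constructed sample values.

```python
import ipaddress

# The three private ranges listed above, written in CIDR form.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The common manufacturer default named above.
DEFAULT_LAN = ipaddress.ip_network("192.168.0.0/255.255.255.0")

def check_lan(address, netmask):
    """Return findings for a proposed LAN subnet; an empty list means acceptable."""
    try:
        # strict=True rejects a host address passed where a network address belongs
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=True)
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]
    findings = []
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        findings.append("not inside a private range")
    if net.overlaps(DEFAULT_LAN):
        findings.append("overlaps the manufacturer default 192.168.0.0/24")
    return findings

def check_static_hosts(address, netmask, hosts):
    """Flag static assignments that are duplicated or unusable in the LAN subnet."""
    net = ipaddress.ip_network(f"{address}/{netmask}")
    problems, used = [], set()
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address in {net}")
        elif addr in used:
            problems.append(f"{name}: {ip} is already assigned")
        used.add(addr)
    return problems

# Constructed sample plan for a home network with DHCP disabled.
PLAN = {"gateway": "10.73.5.1", "laptop": "10.73.5.20",
        "desktop": "10.73.5.20", "printer": "10.73.6.4"}

if __name__ == "__main__":
    print(check_lan("10.73.5.0", "255.255.255.0"))
    print(check_static_hosts("10.73.5.0", "255.255.255.0", PLAN))
```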

Use MAC address filtering

Each network adapter has a unique hardware address also called MAC address. The first half of the MAC address identifies the manufacturer of the network adapter, the second half identifies the network adapter. This hardware address is unique (more or less) for each network card. Most wireless gateway devices support MAC address filtering. The way this works is that the legitimate user creates a list and enters only the MAC addresses for network cards that he is aware of and that he wants to be able to access the wireless network. Any network adapter with a MAC address that doesn't match a MAC address in the approved list will be automatically denied access. Only machines with an authorized MAC address are allowed to participate in the network. MAC addresses can be spoofed by a savvy intruder, but using MAC filtering is another good deterrent.
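The allow-list check described above, as an added Python example that is not part of the original article. It normalizes the different ways a MAC address is written, splits it into its manufacturer and adapter halves, and compares observed stations with the approved list. It goes one step beyond the text by also flagging addresses with the locally administered bit set, which marks an address that was not assigned by a manufacturer. All addresses are constructed sample values.

```python
import re

# Approved list as a user might type it into the gateway (constructed values).
ALLOWED = ["00:1A:2B:3C:4D:5E", "00-1a-2b-aa-bb-cc"]

# Constructed sample of stations seen on the wireless LAN (not real devices).
SEEN = ["001a.2b3c.4d5e", "00:1A:2B:AA:BB:CC", "02:11:22:33:44:55",
        "00:11:22:33:44:55", "00:1a:2b:3c:4d"]

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[\s:.\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def split_mac(mac12):
    """Split into the manufacturer half and the adapter half."""
    return mac12[:6], mac12[6:]

def locally_administered(mac12):
    """True when bit 0x02 of the first octet is set (not manufacturer-assigned)."""
    return bool(int(mac12[:2], 16) & 0x02)

def audit(seen, allowed):
    """Classify each observed address against the approved list."""
    allow = {normalize_mac(a) for a in allowed} - {None}
    report = []
    for raw in seen:
        mac = normalize_mac(raw)
        if mac is None:
            report.append((raw, "malformed"))
        elif mac in allow:
            report.append((raw, "allowed"))
        elif locally_administered(mac):
            report.append((raw, "denied-locally-administered"))
        else:
            report.append((raw, "denied"))
    return report

if __name__ == "__main__":
    for raw, verdict in audit(SEEN, ALLOWED):
        print(f"{raw:20} {verdict}")
```

An address that matches an approved entry reports as allowed whatever hardware is actually sending it, which is why the article treats MAC filtering as a deterrent and pairs it with encryption.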

Practice safe computing

Even though the network is private and hidden behind a gateway device with a firewall, common sense precautions still need to be used, including but not limited to:

  • Use safe passwords for all user accounts. Use non-dictionary words, include numbers, special characters, upper and lower case letters. Use passwords longer than 8 characters. Change passwords every month.
  • Password-protect any network shares
  • Require a user login for all computers, disable the guest account
  • Install Antivirus software on all computers and keep it current
  • Install software firewalls on all computers
  • Monitor log files such as event logs, firewall logs, antivirus logs, etc. for unusual activity

Conclusion

As documented in this article, there are many very valid reasons why all wireless networks should be secured. It is extremely easy to do so with not much effort and little time. Armed with this knowledge, it would be foolish not to take the necessary precautions and secure that wireless network. A few minutes of reading the manual and a few minutes of changing settings could prevent a boatload of trouble in the future.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
