Basic Wireless Security Tips

It seems like when ever I get called out to set up a wireless network for someone there is usually two
or three other access points i see in the area around where i'm working especially apartment complexes.

A lot of times these access points are unsecured to where anyone can use them for free internet access
which is usually harmless enough unless they are downloading large files over P2P all the time or doing
other more severe illegal things.

So in order to help you make your wireless network more secure here are some help full tips.




The four easiest steps you can take to insure a more secure network are:

1. Change the default SSID

2. Change the default IP address

3. Change the default user name and password for Administrator access

4. Enable at least WEP level Encryption


What is SSID:


Service Set Identifier - This is usually set to the manufacturers name which is broadcast
from the access point and when a hacker knows what type of access point you have then
it makes it easier to break into that access point and gain control over the network devices.



Some advise to turn off this feature all together but i disagree it is help full to have you access
point broadcast a name just not the factory name i change the name to something else the
client chooses this way it is easier to know which access point you are connecting to in the
case of multiple access points broadcasting also it does aide in setting up multiple devices
across the network and keep them communicating correctly when they are set to look for
a certain SSID.




Change the default IP address:

All access points are accessed by an IP address typed into a browser address bar example
192.168.1.1 now hackers will usually try to get access to an access point by first trying the
easy methods using default IP addresses for various brands so by changing the default IP
address to something like 192.168.6.1 would make it a bit more difficult to gain access
just make sure that if you change this to write it down in case you need to log back into the
access point later to make changes.




What is the default Administrator user name and password about:

Every access point has a user name and password set by manufacture which is needed
to log in to the main configuration screen of the access point so you can manipulate the
settings. A hacker trying to gain access to an access point is going to try various default
user names and passwords to try to gain access by changing this it will make it more difficult
to gain access just make sure you right it down in case you need to go back later to make changes.


What is WEP:

Wired Equivalent Privacy by default WEP is usually disabled on almost all access points by
enabling it implements a basic level of encryption on the network by requiring a pass "key"
there are different levels of encryption from 64 bit to 128 bit on most access points. 64 bit will
encryption will require a pass key of ten characters and 128 bit will require a 26 character
pass key the higher level of encryption the harder it is to hack.

There are stronger levels of security such as WPA or WPA2 some older equipment may not
have those choices but should at least have WEP make sure to right down the key you use
you will need it to connect a device to you network.


By using the approach outlined above will not ensure that your network does not get "hacked"
but it will make it much harder to do and is much smarter than to have your network completely
unprotected and remember write down the settings you choose to use or if you have someone do
it for you make sure they write it down and give it to you I run into this all the time where i have to
reconnect a device to a network but the owner has no clue any of the settings or pass keys.


What kind of router should i get?


I have always preferred Linksys products by Cisco but basically any brand will work just make sure
you get something with external antennas the bigger the better and preferably ones that are replaceable
in case they get broke or you need extra range and want to change the antenna type all together. The
models without external antennas usually don't perform very well.

Also i would not get pushed by a sales person to buy the "N" type router which claim greater range won't
do any good if you are connecting to a B/G device and i just don't really see the "N" equipment catching on
it's more expensive and hasn't really proved it's claimed performance.

Here is another tip for the firewall section of your router make sure that "Block Anonymous Internet Requests" is checked as well as "Filter Ident" this is usually on by default but check...

Another thing you could do is to enable Mac Address Filtering. What this does is checks the MAC address of the device that is trying to connect to the wireless network against a list of MAC ID’s that you allow to connect. This feature is normally turned off because of the steps you have to go through to set it up but I think it isn’t that hard and will improve the security of your wi-fi router.

To setup Mac address filtering first you need to get the MAC ID’s of all the devices that you want to connect to the wireless network.

PC
The easiest way to find it for your pc is to use command prompt. To do this click run in your start menu and enter “cmd”. Once you are in type “ipconfig /all”. This will bring up the info of all your network connections. Then look for your wireless network connection and the Physical Address is your computers Mac Address.



Apple Mac
Open system preferences then click on network. Select Airport then click advanced. Then look for where is says Airport ID and that is you MAC Address.

When you have a list of the address for all the devices you wish to connect you then enter those addresses into the configuration screen of the wireless access point or router. Finally, switch on the filtering option.

Once enabled, whenever the wireless access point or router receives a request to join with the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal but clients not on the list are denied any access to the WLAN.

The good thing about enabling MAC address filtering is that most wireless adapters have their MAC ID physically implanted so it cannot be changed and is unique to that adapter. But there are some adapters that do allow there address to be changed so it is still possible for a determined hacker to break into your WLAN by configuring their client to spoof one of your MAC addresses. Although MAC address filtering isn't bulletproof, it still remains a helpful additional layer of defence that improves overall Wi-Fi network security.

i still think noobs will be lost call a pro

Not all people will be lost this will still help a lot of people to make their wireless networks more secure.

You forgot one important thing to help secure the wireless router:
Stop Broadcasting
If a hacker or whoever was looking for a site, they can't find it if they can't see it. (at least, not easily).

You might also add in to use only MAC addresses listed.

As a footnote, I use a D-Link DIR-825 Wireless.

jebuchanan wrote:

You forgot one important thing to help secure the wireless router:
Stop Broadcasting
If a hacker or whoever was looking for a site, they can't find it if they can't see it. (at least, not easily).

I usually don't turn off broadcasting SSID in order to help with seeing the correct access point to connect to a lot of people have trouble even when I name the access point and tell them this is you connect to this one the next time I get called out with I can't connect to the internet they are trying to connect to every access point except theirs lol.....

On the GF's laptop, I tell it to connect to this network even if it can't be seen (then I stop broadcasting). No issues seen to date with this arrangement.
There are 5 networks in this building alone. One just recently changed to secured, as it was broadcasting an open/unsecured channel connection.

yes that is a good setup for us folks that understand more than the noobs lol....