How To Lock Your Network’s Front Door

Posted by on October 20, 2009 · Leave a Comment

Securing your network The following security measures are relatively easy to implement, provided you read the manuals that came with your wireless devices. “The manual?” you ask. Yes, the manual. You know, it’s the thing propping up the short leg on your computer desk. Take it out for now; you’ll only have to deal with the wobble until we’re done. None of the measures described here are particularly dramatic, and there are ways to get around them. But, doing so requires some skill and understanding of networking. In this case, they serve as a sort of “intellectual firewall ” that prevents script kiddies from cracking your network. These steps include the following: 1. Change the default SSID. 2. Disable SSID broadcast. 3. Change the default IP subnet. 4. Consider disabling DHCP. 5. Enable MAC address filtering. 6. Change default administrative passwords. 7. Change default user names. 8. Enable WEP or WPA encryption. 9. Adjust broadcast power. 10. Set minimum connection speeds. 11. Set access times. Change the default SSID The first step toward making a WLAN reasonably secure is changing the default SSID. This is important because anyone using a wireless sniffer can determine what sort of access point you use by looking at the default SSID. Knowing your access point model allows the cracker to guess the rest of the default settings and attack your WLAN that much easier. Don’t change the name to something obvious like your street address (I have actually seen this done) or your name. Consider using random numbers or even changing it to something tike “NOTPUBLIC” or “NOTRESSPASSING” just to make a point. Disable SSID broadcast Wireless access points are set to broadcast the SSID by default. Turn this feature off to make it harder for casual wardrivers to discover your network’s name. It won’t stop a determined cracker from discovering it, though, because wireless NICs always broadcast the SSB3 when communicating with the access point. The procedure for disabling SSID broadcast is different for each manufacturer, so consult your access point’s manual. Once you turn off SSID broadcast, you have to configure each NIC manually and input the new SSID. Change the default IP subnet The next thing you should consider doing is changing the default subnet IP addresses. Each manufacturer has a default IP subnet, and this can make it easy for an attacker to discover the IP address of your access point. Consider also disabling DHCP and assigning static IP addresses. Consider disabling DHCP Most access points support built-in DHCP service. This allows the access point to assign IP addresses dynamically to new computers as they connect to the network and to computers that are reconnecting after a shutdown or reboot. This also allows an intruder to connect to the WLAN and have the access point assign him an IP address, which makes the intruder’s computer a legitimate member of the WLAN. By disabling DHCP, you make this far more difficult. You have to assign permanent (static) IP addresses to each computer on your WLAN and manually configure them. Once again, this is an extra step, but it is well worth the effort. Insider insight : Without DHCP enabled, an intruder has to monitor and analyze network traffic in an attempt to determine the IP subnet and addresses in use He can then assign himself an IP address and attempt to establish a connection. This makes it difficult for casual sniffers and neophyte intruders to access your WLAN. Enable MAC address filtering Another step that you can, and should, take is to enable MAC address filtering. Remember that each network device has a unique MAC address assigned by the manufacturer. Many access points have an option that allows you to restrict access to specific MAC addresses. This should block any MAC addresses that are not on the “allow” list from connecting to the network. This is effective, but it is not perfect. An intruder can monitor network traffic and discover the MAC addresses of legitimate computers on the WLAN. He can then change the MAC address of his NIC, which allows him to masquerade as a member of the network and connect even when filtering is turned on. Change default administrative passwords Change the default administrative passwords on all access points. Once again, these are public knowledge, and, if a cracker knows what type of access point you use, he’ll know the default password. This will aid him in attacking your access point. Caution : Write down the new settings and passwords, and store the list in a secure place. This will be helpful if you forget this information and need it at a later date. Change default user names Likewise, the tips above apply to your username too as these are also common knowledge. Enable WEP or WPA encryption As I mentioned earlier, even though WEP encryption is flawed and vulnerable, you should use it. Enable 128-bit WEP on your WLAN, and use it. With the relatively low traffic on a WLAN in a home, it could take a cracker several hours to collect enough packets to crack your WEP key. Again, each step you perform just adds another piece to the intellectual firewall you’re building. As a whole, these measures with discourage most script kiddies and casual wardrivers. Adjust broadcast power On some access points, you can adjust the broadcast power of the unit. I recommend that you experiment and turn this down as low as you can while still maintaining decent connection speeds between computers on your WLAN. The idea is to keep the signal within the confines of your house rather than having it reach across the street. This makes the signal more difficult to receive for outsiders. Wardrivers can use directional antennas to pick up weak signals at a greater distance, but doing this will at least make it harder for them. Set minimum connection speeds On many access points, you can set a minimum access connection speed. The further away from an access point an intruder is, the weaker the signal will be (both ways). Therefore, if you set the minimum connection speed higher, computers will have to be closer to the access point to connect and stay connected. Once again, this makes it harder for an intruder to access your WLAN because he will have to be closer to connect. Anyone standing on your lawn with a wireless laptop is probably up to no good unless he’s the water meter reader. Set access times Lastly, some access points allow you to configure the times of day to allow access. If it supports this, consider using it. If no-one is home during the day, consider configuring it to block all access between 8:00 a.m. and 5:00 p.m. See original here: How To Lock Your Network’s Front Door