5.7 Guidelines for Securing a Wireless Network

Though your new wireless network gives you the freedom to surf the Internet anywhere in your house, it is also good news for your neighbors. With your newly set up wireless network, your neighbor can now surf the Internet for free!

Sharing Your Internet Connection with Your Neighbors

Many ISPs prohibit this, and there have been cases of ISPs sending cease-and-desist orders to customers who shared their network access in a large metro area. Another concern is liability: if a malicious hacker uses your Internet connection to attack another site, you'll be among the first people who have to answer questions about the attack. On the other hand, if you want to leave your access point open (such as in a coffee shop), I suggest you give your wireless network a nice friendly SSID and perhaps even put the appropriate Warchalking (http://www.warchalking.org/) symbol outside your house!

Unlike a wired network, where you need to have physical access to a network access point, wireless networks extend beyond the four walls of your house.

Most wireless access points and routers provide a web-based configuration program for configuring the wireless access point. The following are some guidelines for securing your wireless network:

Disable SSID broadcast

By default, most wireless access points will broadcast the SSID to all wireless devices. Anyone with a wireless network card can detect the SSID you use and gain access to your network. This brings us to the next point.

Change the default SSID

Most people don't even bother to change the default SSID provided by a wireless access point. If your neighbor knows that you are using a Linksys wireless access point (say, by seeing the boxes you throw away), they could easily try the default SSID. Change it to something less obvious. Note that with some patience and the right tools, discovering an SSID is not difficult. However, changing the default SSID is one step forward in securing your wireless network.

Use MAC address filtering

If you have a small number of users in your wireless network (which is usually the case), you can use MAC address filtering. With MAC address filtering, you find the MAC address of your network card and manually enter this number into your wireless access point. Only MAC addresses that have been registered with the wireless access point are able to gain access to your network. You can usually locate the MAC address of your network card on the device itself.

Change the username and password for the access point's web interface

It is too easy for people to find the default username and password used in wireless access points by consulting a user manual or manufacturer's web site.

Turn off DHCP

If the number of users on the network is small, it is good to turn off DHCP (use static IP addresses instead). Turning off DHCP prevents uninvited users from getting an automatic IP address when they connect to your wireless network. You could instead use static DHCP assignments, where you map an IP address to a specific MAC address. This eliminates the need to do client configuration (giving you all the benefits of the static IP address with configuration centralized on the access point).

Refrain from using the default IP subnet

Most wireless routers use the default network. It is easy for people to guess the IP addresses used and illegally gain access to the network. Also, refrain from using the network address range, since Windows uses this for the private networks it creates with Internet Connection Sharing (ICS).

Use WEP for encryption of packets

If you are concerned about the confidentiality of information transmitted by your wireless network, you may wish to enable WEP encryption. Though WEP has been proven to be insecure, it still acts as a deterrent against packet sniffing.

Use something better than WEP

Use a wireless access point that supports something stronger than WEP, such as 802.1X or WPA.

Chapter 4 discusses Wi-Fi security, including 802.1X, in more detail.
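The guidelines above can be checked mechanically against an access point's settings. The following Python script is an added example, not code from the original text; the configuration keys, the sample default SSIDs and logins, and the two default subnets (192.168.0.0/24 and 192.168.1.0/24) are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed sample defaults (not from the text); real values vary by vendor and model.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "wireless"}
DEFAULT_LOGINS = {("admin", "admin"), ("admin", ""), ("", "admin"), ("admin", "password")}
# Assumed common factory LAN ranges; 192.168.0.0/24 is also what Windows ICS hands out.
DEFAULT_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)

def audit_access_point(cfg):
    """Return (guideline, finding) pairs for every guideline the config misses."""
    out = []
    if cfg.get("ssid_broadcast", True):
        out.append(("Disable SSID broadcast", "SSID is broadcast"))
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        out.append(("Change the default SSID", "SSID is a factory default"))
    macs = cfg.get("allowed_macs", [])
    bad = [m for m in macs if not MAC_RE.match(m)]
    if not cfg.get("mac_filter", False) or not macs:
        out.append(("Use MAC address filtering", "filter is off or allow list is empty"))
    elif bad:
        out.append(("Use MAC address filtering", "malformed entries: " + ", ".join(bad)))
    if (cfg.get("admin_user", "admin"), cfg.get("admin_password", "")) in DEFAULT_LOGINS:
        out.append(("Change the username and password", "web interface uses a default login"))
    if cfg.get("dhcp", "dynamic") == "dynamic":  # "static" = IP-to-MAC reservations only
        out.append(("Turn off DHCP", "any client that associates is handed an address"))
    lan = ipaddress.ip_network(cfg.get("lan_subnet", "192.168.1.0/24"), strict=False)
    if any(lan.overlaps(d) for d in DEFAULT_SUBNETS):
        out.append(("Refrain from using the default IP subnet", f"{lan} is easy to guess"))
    enc = cfg.get("encryption", "none").lower()
    if enc == "none":
        out.append(("Use WEP for encryption of packets", "traffic is sent in the clear"))
    elif enc == "wep":
        out.append(("Use something better than WEP", "WEP only deters; prefer WPA or 802.1X"))
    return out

# Constructed sample configurations for illustration.
FACTORY = {"ssid": "linksys", "ssid_broadcast": True, "mac_filter": False,
           "admin_user": "admin", "admin_password": "admin", "dhcp": "dynamic",
           "lan_subnet": "192.168.1.0/24", "encryption": "none"}
HARDENED = {"ssid": "attic-7f", "ssid_broadcast": False, "mac_filter": True,
            "allowed_macs": ["00:11:22:33:44:55"], "admin_user": "apadmin",
            "admin_password": "constructed-Passphrase-91", "dhcp": "static",
            "lan_subnet": "10.44.7.0/24", "encryption": "wpa"}

if __name__ == "__main__":
    for guideline, finding in audit_access_point(FACTORY):
        print(f"[{guideline}] {finding}")
```

Each finding is labelled with the guideline it corresponds to, so the output doubles as a checklist when reviewing a router's web configuration pages.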