Wireless Network Defense (Part 2)

by Don Parker [Published on 28 Sept. 2006 / Last Updated on 28 Sept. 2006]

The series continues by discussing how to properly set up a wireless router.

If you missed the first part of this article series please read Wireless Network Defense (Part 1).

In part I of this article series on WiFi security we looked at various initial configuration variables. We shall now continue with the proper setup of your wireless router.

WiFi Security Part II

In Part I of this article series on WiFi security we looked at a couple of settings as seen via the web interface of your wireless router. The proper configuration of your wireless router is crucial to the security of your WiFi network. The absolutely worst thing that you could do is simply plug it in and start surfing the Internet wireless style. You would be wide open to having your network connection hijacked by someone of malicious intent. This is why it is so important to take the time to properly configure your wireless router. Well on that note let’s pick up where we left off in Part I. We can see in the screenshot below that we are now at the “Wireless” section.


Figure 1

In Part I we did the “Setup” portion of this wireless router’s configuration, and now find ourselves at the “Wireless” part. First up is “Wireless Network Mode”. Unless you have older 802.11b technology in your laptops or desktops, you would be better off simply changing this “Mixed” default setting to “G-Only”. After that is your “Wireless Network Name”. By default this one is called linksys. You should call it something other than the factory default. Next is the “Wireless Channel”, and this is one value that you can leave at its factory setting. Up next is “Wireless SSID Broadcast”. This is a value that should be toggled to “Disable”. When enabled, it broadcasts the Service Set Identifier (SSID) value (linksys as seen in the above screenshot) to all those within range of your WiFi network. Not a good thing, as this is a piece of information that the malicious hacker wants in order to connect to your wireless network. That is why you want to not only change the SSID name from the factory setting, but also call it something that would not easily be associated with you. Think of this SSID value as a password. Make it long and difficult. Better yet, also change it on a regular basis.

The meat of it

We can see in the screenshot below that this is where we control the encryption that the wireless router will use. By default the router will typically go with WEP as seen in the screenshot. There are several other options that you will see if you toggle that window. These options are pretty much all the same on the SoHo WiFi routers out there on the market today. That said, if you are running an older wireless router make sure that you upgrade to the latest firmware version available! That really is very important as it will afford you the latest advances in security for your WiFi router.


Figure 2

I just got back from a reverse engineering conference and one of the talks was about how to break WEP (which is old news), but more so on how to break WEP considerably faster. This was all done through the use of FPGAs. Even with the use of these hardware devices to accelerate the cracking of a WEP key, it took some time. That is not to mention the knowledge it takes to implement such a hardware solution, and then in turn program the FPGA itself. To sum up, while there are many calls that WEP is dead, and that WPA is also finished, you really need to put these statements into context. These FPGAs are indeed capable of cracking 128-bit WEP and also WPA, but it does however take time, and a good deal of effort to do so.

Well, with that anecdote aside, let’s carry on with configuring our wireless router. At this present time you are able to get SoHo routers with 256-bit WEP enabled. That key strength is presently unbreakable and provides a truly excellent method of security. This is why it is very important to upgrade your firmware, and barring an issue with a firmware upgrade, simply buy a new wireless router. They are really quite affordable. Back to the screenshot above for now. You need to enable the highest WEP available to you and then make sure you save those settings. This is also followed by entering a passphrase. This passphrase should once again be treated as a password. In other words, make it long and difficult and, lastly, not something easily associated with you, i.e., if you are a soccer coach don’t name it “soccerdad”. So once you have chosen the highest WEP setting, leave the “Default Transmit Key” at its factory setting, enter a passphrase, and click on the “Generate” button. Once done you are good to save these settings and move on.


Figure 3

Next up, as seen in the screenshot above, is the “Wireless MAC filter” setting. This is something that you want to have enabled. This is much along the same lines as disabling the DHCP service. As a sys admin you may have to configure a couple of laptops for your colleagues who need one. Simply open a cmd.exe and issue an “ipconfig /all” to get the MAC address of the laptop in question. Once you have accounted for all MAC addresses for the laptops you simply enter them here under the “Edit MAC Filter List”. It really is rather painless. What this does is bar anyone else’s laptop, or desktop for that matter, from accessing your WiFi network. While this will not stop a determined attacker it will deter the less skilled one.
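The MAC collection step above, as an added example that is not part of the original article: a parser for saved “ipconfig /all” output that keeps only the wireless adapter’s address, since a laptop also reports its wired NIC and the filter list needs the wireless one. The sample output, the wireless name hints and the colon-separated output format are assumptions; use whatever format your router’s form accepts.

```python
import re

# Constructed `ipconfig /all` output from one laptop (names and MACs are made up).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
        Physical Address. . . . . . . . . : 02-00-00-AA-00-01

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
        Physical Address. . . . . . . . . : 02-00-00-aa-00-02
"""

ADAPTER_RE = re.compile(r"^\S.*? adapter (?P<name>.+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<val>.*)$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
WIRELESS_HINTS = ("wireless", "wi-fi", "802.11")  # assumed naming hints

def parse_adapters(text):
    """Split the output into one dict of fields per adapter section."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            current = {"name": header.group("name")}
            adapters.append(current)
        elif field and current is not None:
            current[field.group("key")] = field.group("val").strip()
    return adapters

def wireless_macs(text):
    """Return MACs of wireless adapters only, normalised to AA:BB:CC:DD:EE:FF."""
    macs = []
    for adapter in parse_adapters(text):
        label = f"{adapter['name']} {adapter.get('Description', '')}".lower()
        mac = adapter.get("Physical Address", "")
        # Skip wired NICs and anything that is not a well-formed 6-byte MAC.
        if any(h in label for h in WIRELESS_HINTS) and MAC_RE.match(mac):
            macs.append(mac.upper().replace("-", ":"))
    return macs

def build_filter_list(outputs):
    """Merge the outputs of several laptops, dropping duplicates, keeping order."""
    return list(dict.fromkeys(m for out in outputs for m in wireless_macs(out)))
```

Calling `build_filter_list` with the saved output of each laptop returns the de-duplicated list of addresses to type into the router’s filter form.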


Figure 4

We are now at the final stage of configuring our wireless router’s security settings. Seen above are a variety of settings I would advise you to leave at their factory defaults. Unless you wish to do some “light reading” on what all of those variables actually do, you would be well advised to leave well enough alone. None of these values will make or break your wireless security steps taken thus far. With that in mind we are done configuring our wireless router’s security settings. That wasn’t too difficult now, was it? It really isn’t, but for those sys admins who have never done or thought of WiFi security issues, it can be a confusing task.

Wrapup

This article series dealt with the setting up of a SoHo wireless router in either a SoHo or medium enterprise network. This is a task that will always fall upon the sys admin seeing as they are the IT brains of the organization. Knowing how to properly configure the wireless router is key to the success of keeping the WiFi network protected. You should never rush through such a configuration, and if there is something that is confusing to you, then ask for help. Ignorance may be bliss to some, however it could also result in your being fired. Not a good thing. Well, on that note I will break the article at this point. Till next time!


The Author — Don Parker

Don Parker specializes in matters of intrusion detection, and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writing for various online and print media on matters of computer security.