June 19, 2009 9:56 AM PDT

Safeguarding your wireless network

by Dave Rosenberg

It seems like every few months I have to set up a wireless network for someone. And while it's certainly an easy task, I am fairly sure that the security choices people make in the process are probably not the most iron-clad.

Whether by design or by default, every company and, now, most homes have a wireless network. Unless you understand, control, and manage this network, you are creating vulnerabilities that threaten network security. As more and more companies begin using wireless as a primary medium for data services, including VoIP and video, preventive measures should be taken to better safeguard your Wi-Fi.

I spoke with Jay Botelho, director of product management at WildPackets, who provided three tips to safeguard a wireless network:

1. Ad-hoc mode: Turn it off--forever.
I'm amazed how often I continue to see laptops in public places, like airports, coffee shops and trade shows, that are configured with ad-hoc mode enabled. Just "view available wireless networks" next time you're in a public place and I'm sure you'll find a neighbor or two with ad-hoc mode enabled. If they're a colleague of yours, do them a favor and tell them to disable ad-hoc mode--forever. There's nothing it can do for them, except create a possible security breach. And whatever you do, don't connect to an unknown ad-hoc network. You may just be taking someone else's bait.

2. Use WPA-2.
The word has been out for a while, but usage of sub-standard wireless authentication/encryption, including WEP, is still prevalent. There's no reason to be using anything except WPA-2. Every wireless adapter and every AP for sale today supports WPA-2. Some of your gear is 4-plus years old and doesn't support WPA-2? Replace it! I'm sure there are some killer deals at your local electronics store. And the risk far, far outweighs the expense. You don't have to look far to find evidence of this--remember TJ Maxx?

3. Establish firm security policies.
The above concrete actions are just examples of what is truly needed: a complete security policy for your organization. The policy must tie overall network security with wireless security. It's all one network--it needs a single unified policy that incorporates all levels of network access. Wireless is only one of them.
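As an added illustration of tips 1 and 2 (this is not code from the article or from WildPackets), the following Python sketch audits a wireless scan listing and flags ad-hoc networks and anything weaker than WPA2. It assumes the colon-separated terse output of `nmcli -t -f SSID,MODE,SECURITY device wifi list`; the scan lines are constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample in the assumed terse format SSID:MODE:SECURITY
# (literal colons inside a field are escaped as "\:").
SAMPLE_SCAN = """\
HomeNet:Infra:WPA2
CoffeeShop:Infra:
OldRouter:Infra:WEP
Free Public WiFi:Ad-Hoc:
Legacy\\:AP:Infra:WPA1
Office:Infra:WPA1 WPA2
"""

def parse_line(line):
    """Split one scan line on unescaped colons and unescape each field."""
    fields = re.split(r"(?<!\\):", line)
    if len(fields) != 3:
        raise ValueError(f"unexpected field count: {line!r}")
    return [f.replace("\\:", ":") for f in fields]

def audit(scan_text):
    """Return [(ssid, [issues])] for networks that break tips 1 and 2."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, mode, security = parse_line(line)
        # An empty field or "--" means no encryption is advertised.
        protos = set(security.replace("--", "").split())
        issues = []
        if mode.lower() == "ad-hoc":
            issues.append("ad-hoc network: do not connect")
        if not protos:
            issues.append("open: no encryption")
        elif "WEP" in protos:
            issues.append("WEP: replace with WPA2")
        elif not protos & {"WPA2", "WPA3"}:  # WPA3 postdates the article
            issues.append("WPA only: upgrade to WPA2")
        elif "WPA1" in protos:
            issues.append("mixed WPA/WPA2: disable WPA fallback")
        if issues:
            findings.append((ssid, issues))
    return findings

if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_SCAN):
        print(f"{ssid}: {'; '.join(issues)}")
```
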

Follow me on Twitter @daveofdoom

Dave Rosenberg dishes up "Software, Interrupted" with nearly 15 years of technology and marketing experience that spans from Bell Labs to multiple start-up IPOs to open-source enterprise software companies. He is co-founder of MuleSource and currently serves as the general manager of Hardy Way. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can contact Dave via e-mail at softwareinterrupted@gmail.com or follow him on Twitter @daveofdoom.
by Brent212 June 19, 2009 12:23 PM PDT
I just turn mac filtering on, so only mine and my roommate's computers can connect. If I want to add a machine or someone happens to come over with a laptop (these things might only happen like twice a year), I just turn the filtering off until they connect, add their mac address to the list, and turn the filter back on. I've never really looked into wifi security since I'm assuming this is pretty secure. I like to hear feedback if it's not.
by Weeji June 19, 2009 12:33 PM PDT
That's what I do, and what the company I work at does as well. I remember reading a while back that this was actually the most secure method. I'm guessing that this article assumes most people would rather pass out a password than jump on a computer and allow each computer that needs access individually.
by wp-jay June 19, 2009 3:33 PM PDT
I agree this is a good alternative. It's just that many users, especially less savvy home users, don't even know what a MAC address is, so assuming they'll use MAC filtering is really a stretch.
by pburkeiii June 19, 2009 8:06 PM PDT
Completely agree, this is exactly what I do. Better yet, completely disable network broadcasting so it cannot even be seen; it is a lot more secure because you are the only one who can access it when you are the only one who knows the network name.
by odubtaig June 20, 2009 5:46 AM PDT
As pointed out below, MAC addresses can easily be spoofed and turning off the SSID broadcast is no guarantee as it's still contained in packets between the router/AP and clients and is easily detected.

Yes, lock down by MAC. Yes, switch off SSID broadcast. Just don't think they're any substitute for having an encrypted connection. The moment you're broadcasting everything in the clear (and unlike with ethernet you _are_ broadcasting) you might as well just hand the crackers all your passwords, access to your servers, the company accounts...

Not that encryption can't be cracked but not having encryption because it's not perfect is like not having a lock on your front door because they can be drilled.
by zo6freak June 19, 2009 2:34 PM PDT
Is it relatively easy to hack a wireless network that is WPA secured??
by wp-jay June 19, 2009 3:31 PM PDT
No, it's really not easy to hack a wireless network secured with WPA, especially if other good practices are followed, like using very secure passwords. There's lots of good information out there on the Internet. A quick search will turn up many articles, blog entries and even videos. My only point is that WPA-2 is better and readily available in all equipment today, but WPA is certainly still a viable alternative, and much more secure than WEP.
by zo6freak June 19, 2009 2:39 PM PDT
I don't want to know how, I'm just wondering how secure my network really is...
by tipoo_ June 19, 2009 3:53 PM PDT
I stick to WPA, WPA2 seems to bog down the router noticeably more.
by tikoro June 19, 2009 6:39 PM PDT
If you're really paranoid (like me), you use WPA2 with MAC filtering, with as long a password as you can manage into the interface of the router. I don't trust anyone, not even my wife can get into the router interfaces (either hardwired or the WAP). I've seen a lot of networks that use MAC filtering and then leave the default or a blank password on the admin console. All it takes is about 30 seconds to nab a MAC address if you're somewhat familiar with the equipment's interface...and you can certainly spoof a MAC address easily enough. They don't have both MAC filtering AND encryption schemas in there as a pick and choose which one, they're both there to be used. Another note would be to always make sure that remote management is turned off on the WAP unless there's some DIRE need that you be able to administer it.
by axioms June 19, 2009 9:28 PM PDT
I'm paranoid like you. I have WPA2 (AES) + MAC filtering + 22 character password for my WPA key and a 16 character pass for my router.
by peco412 June 19, 2009 7:09 PM PDT
How easy is it to break WEP encryption, anyway?
by odubtaig June 20, 2009 5:40 AM PDT
On a scale of 1 to 10? Hilariously.

http://wirelessdefence.org/Contents/Aircrack-ng_WinMain.htm

Just remember, the tools used for cracking are usually the same ones used for securing.
About Software, Interrupted

In "Software, Interrupted," Dave Rosenberg discusses disruption in the software market, as well as the products and services that keep business technology norms in perpetual flux.

With nearly 15 years of technology and marketing experience spanning from Bell Labs to multiple start-up IPOs, Dave co-founded open-source software company MuleSource and now serves as general manager of Hardy Way. He also happens to be a U.S. patent holder and a workaholic. Technology is his best friend and mortal enemy.