Leaving your wireless network gear at its default settings can expose your systems to attack
By David J. Green – www.netgreenconsulting.com
We often focus on the dangers that lurk “Out There” in the Great Unwashed Internet (yet another meaning for the acronym “GUI”). In this article, I’d like to move the “Out There” a little closer to home – in fact, right into your home or business if you have a wireless network setup there.
The Problem: Many people plug in wireless network gear and fail to change any settings from their default “wide open” values. As long as it works, everything must be OK, right? NOPE!
The Result: Unwanted intruders could gain access to devices or information on your home or business network. Some folks like to go "wardriving" – literally driving around with wireless-equipped laptops in their vehicles looking for open wireless access points. Although some do it as a game or contest – seeing how many they can identify in a given time period – others are looking for wireless networks for free Internet access or as a means to break into your computer systems.
If you live in a densely populated area, especially an apartment building, chances are that your “wide open” wireless network will be discovered and used by your neighbors, sometimes by accident.
While we were renting a condo for two months last winter, I set up my wireless LAN to use the cable modem service in our unit. Within a week, some neighboring vacationers with wireless laptops found and began using my wireless LAN to access the Internet. The tipoff: the WLAN activity LED on my router was flashing even though my laptop was powered off!
While this was not a big deal to me, I wouldn’t want to be running a business with a “come one, come all” wireless network set up – unless you really intend to have your customers utilize your network as a wireless hot spot.
Unauthorized wireless network access is illegal in many jurisdictions, even if all someone does is simply use your wireless network to access the Internet. Recent examples of wireless network intrusions include:
Man pleads guilty to wireless hack into stores (an attempt to steal credit card numbers at a Michigan Lowe’s store via their wireless network).
Man arrested for hopping on to home Wi-Fi network (a Florida man is arrested for using a homeowner’s wireless LAN from a car parked across the street).
Tightening your wireless security belt
There are several security measures that you should take once your wireless LAN is up and running. Before you start, however, make sure that you can connect to your wireless LAN and access the Internet successfully from all of your PCs, laptops, and PDAs that will be using it. You want to start working from a “known good configuration” before making any changes to enhance your wireless network security.
Make sure you refer to your router’s user manual as your primary source of information on how best to secure your network. Then connect to your wireless router’s configuration web page – which is usually accessed via a private IP address like 192.168.0.1 – to make these changes. I’ve listed them in order of priority here; start with the first one, make sure everything still works, then go on to the next one that you think is appropriate for your environment.
1) Change the default user account and password on the wireless router.
Many routers ship with ‘admin’ as both the userid and password, and the defaults for every popular model are published on the Internet. Anybody who can reach your router could log in, make some configuration changes, and then change the password and lock you out of administering your own wireless network! Pick a password you don’t use anywhere else, and note that this administrator password is separate from the wireless encryption passphrase in #4.
2) Change your Service Set Identifier (SSID) and disable its broadcast.
The SSID is the network name that the wireless router normally broadcasts in its beacons so that wireless systems can easily find it and join its Wi-Fi network. Default SSIDs are typically words like “default” or the manufacturer’s name; that tells a passer-by what make of router you own (and therefore which default login to try), and it is easily guessable even if you’ve disabled SSID broadcasts. Don’t change it to your name, phone number, or encryption passphrase (see #4 below); that makes it even easier to locate your wireless network and break into it. Be aware that disabling the broadcast only keeps the name out of the beacon: your own devices still send the SSID in the clear every time they connect, so anyone running a wireless sniffer nearby learns it as soon as one of your systems joins. Treat a hidden SSID as a way to keep casual neighbors from clicking on your network, not as protection against someone who is actually looking. If you do want to let a visitor or neighbor use your wireless network, you can still give them the SSID directly, even with its broadcast disabled.
3) Disable remote access and/or wireless access to the router’s configuration page.
Since wireless routers also have wired Ethernet ports, connect to yours via a wired port, make the appropriate configuration changes, and then set the router to disallow any configuration attempts from the Internet (WAN) side; you may also want to disable configuration access from the wireless network itself. Once this is done, wireless users can still reach the Internet and share files between systems on the LAN, but nobody on the Internet side can get at your router’s configuration page, and if you disabled wireless administration, neither can someone who has merely joined your wireless network. Keep a wired machine handy for future changes, since that will then be the only way in.
4) Enable encryption on all wireless devices.
Enable WPA (Wi-Fi Protected Access), or WPA2 with AES (CCMP) if all of your gear supports it, with a strong passphrase. Fall back to the older WEP (Wired Equivalent Privacy) only for a device that genuinely cannot do anything better: WEP keys can be recovered in minutes from captured traffic, so WEP keeps out only the casual passer-by. Note that key sizes like “64-bit” and “128-bit” describe WEP; WPA and WPA2 are configured with a passphrase of 8 to 63 characters instead, and a short or dictionary-word passphrase can be guessed offline by anyone who records one of your systems joining the network, so make it long and random. Encryption scrambles all of your wireless traffic so it can’t be easily “sniffed” by wireless network analyzers. Make sure that you record the passphrase somewhere safe so that new systems can be added to your wireless network in the future!
5) Enable MAC (Media Access Control) address filtering.
A MAC address is the 12-hexadecimal-digit (48-bit) hardware address the manufacturer assigns to every network card or device. Enabling MAC address filtering means recording a list of allowed addresses on your router so that it refuses any address not on the list. You can view the currently connected systems on your router’s configuration web page and add those as allowed addresses, or run ‘ipconfig /all’ from a Windows command prompt (‘ifconfig’ or ‘ip link’ on Linux and Mac OS X) and read off the physical address, which looks something like this: 00-B6-D0-57-6E-1B. Two caveats: MAC addresses travel in the clear in every wireless frame even when encryption is on, and most network cards let their owner change the address in software, so a determined intruder simply copies one of yours off the air. Filtering raises the bar for the casual neighbor, not for an attacker, and you will need to update the list every time you add a device.
6) Review your router’s logs occasionally.
You may find some “interesting” activity recorded in the logs: addresses of systems that connected or tried to connect to your router, administrator login attempts (successes as well as failures), router resets or reboots you didn’t request, and so on. An unfamiliar MAC address that was handed a DHCP lease, or a run of failed logins followed by a success, is a strong hint that someone is on your wireless network or inside your router. Logs on consumer routers are usually small and are wiped when the router reboots, so save a copy if you see something worth following up.
7) Limit assignment of IP addresses via DHCP.
If only a few systems use the wireless network in your home or business, configure your wireless router’s DHCP server to hand out only as many IP addresses as you have computers, and consider reserving a fixed address for each known MAC address (often called a DHCP reservation or static lease). This is a housekeeping measure rather than a security one: an intruder can simply give their own machine a static address in your subnet and bypass DHCP altogether. Its real value is that a lease handed to an address you don’t recognize stands out immediately in the logs (see #6).
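The settings from steps 2, 4, 5 and 7 expressed as configuration for a Linux-based access point, as an added example that is not from the article. It assumes the router runs hostapd for the radio and dnsmasq for DHCP (as OpenWrt-style firmware does); the interface name, SSID, passphrase, addresses and MAC addresses are placeholders, and steps 1 and 3 are set in the firmware’s web interface rather than in these files.

```ini
# /etc/hostapd/hostapd.conf   (added example; values are placeholders)
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# 2) A non-default, non-identifying SSID. ignore_broadcast_ssid=1 keeps it out
#    of beacons only; clients still send it in the clear when they connect.
ssid=fern-and-rock
ignore_broadcast_ssid=1

# 4) WPA2-PSK with AES/CCMP. wpa=2 selects WPA2 (RSN) only; wpa=3 would also
#    admit legacy WPA/TKIP clients. The passphrase is 8-63 characters and is
#    all that stands between a captured handshake and an offline guess.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase

# 5) MAC allow-list: admit only the addresses listed in the file, one per line.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# /etc/dnsmasq.conf   (added example; values are placeholders)
interface=wlan0
dhcp-authoritative
log-dhcp

# 7) A pool of only four addresses, with a fixed lease for each known device,
#    so that any lease granted outside these reservations shows up in the log.
dhcp-range=192.168.0.100,192.168.0.103,12h
dhcp-host=00:b6:d0:57:6e:1b,192.168.0.101,laptop
dhcp-host=00:0c:29:3a:7f:21,192.168.0.102,desktop
```

The file named by accept_mac_file holds one allowed MAC per line in colon form. A consumer router’s web page exposes the same knobs under names like “Hide SSID”, “Security Mode”, “MAC Filter” and “DHCP Address Range”; the caveats from the steps above apply regardless of which interface you use to set them.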
How many of these security measures you implement depends on your tolerance for “unauthorized” access to your wireless network. Encryption (#4) is the one that actually keeps outsiders off the air and out of your traffic, and the administrator password (#1) keeps them out of the router itself. I would recommend that you implement those two plus the SSID change (#2), and then whichever of the other suggestions fit your environment. Together they will help make your wireless network a “safe haven” for your systems.
About The Author:
David Green has wrassled with networking gear for 19 years and has so far managed to retain both his hair and his faith (more of the latter, though). He has a B.A. in English and an M.A. in Theology, which of course prepared him well for a career as a network engineer and Internet marketing consultant (ever prayed that a server would resurrect?) He is the founder and president of NetGreen Consulting, Inc. (www.netgreenconsulting.com), which provides "self-service" websites, network analysis, and Internet security consulting services, including Common Criteria Certification documentation. He can be reached at david@netgreenconsulting.com.