Wi-Fi

10 Wi-Fi security tips


Wireless networking can be kind of scary from a security standpoint. It opens up whole new attack vectors that were not present with wired network infrastructures. That doesn't mean you can't do it securely, however, and I aim to give you some ideas that can help you in that regard.

Many of these tips are likely to be inapplicable to a lot of people. For instance, if you're running a wireless network that has to allow connections from a changing lineup of computers so that the specific computers on the network will not be constant, the point about restricting access by MAC address is unlikely to do much good. As always, you must exercise some common sense when reading through a list of security tips like this. You have to determine what options apply to you, and whether the fact that your plans make a given suggestion unusable means your plans are wrong or the suggestion simply is not relevant in your case.

  1. Use a strong password. As I pointed out in the article A little more about passwords, a sufficiently strong password (on a system with decent password protection) makes the likelihood of cracking the password through brute force attacks effectively impossible. Using a sufficiently weak password, on the other hand, almost guarantees that your system will be compromised at some point.
  2. Don't broadcast your SSID. Serious security crackers who know what they are doing will not be deterred by a hidden SSID -- the "name" you give your wireless network. Configuring your wireless router so it doesn't broadcast your SSID does not provide "real" security, but it does help play the "low hanging fruit" game pretty well. A lot of lower-tier security crackers and mobile malicious code like botnet worms will scan for easily discovered information about networks and computers, and attack those that have characteristics that make them appear easy to compromise. One of those is a broadcast SSID, and you can cut down on the amount of traffic your network gets from people trying to exploit vulnerabilities on random networks by hiding your SSID. Most commercial grade router/firewall devices provide a setting for this.
  3. Use good wireless encryption. WEP is not exactly "good" encryption. With a freely available tool like aircrack, you can sniff wireless traffic protected by WEP and crack security on that network in a matter of minutes. WPA is the current, common encryption standard you should probably be using -- though, of course, you should use something stronger as soon as it becomes available to you. Technology is advancing every day, on both sides of the encryption arms race, after all.
  4. Use another layer of encryption when possible. Don't just rely on wireless encryption to provide all your security on wireless networks. Other forms of encryption can improve the security of the systems on the network, even if someone happens to gain access to the network itself. For instance, OpenSSH is an excellent choice for providing secure communications between computers on the same network, as well as across the Internet. Using encryption to protect your wireless network does not protect any communications that leave the network, so encryption schemes like SSL for dealing with e-commerce Websites is still of critical importance. The fact you're using one type of encryption in no way suggests you should not be using other types of encryption as well.
  5. Restrict access by MAC address. Many will tell you that MAC address restriction doesn't provide real protection but, like hiding your wireless network's SSID, restricting the MAC addresses allowed to connect to the network helps ensure you are not one of the "low hanging fruits" that people prefer to attack. It is best to be effectively invulnerable to the expert security cracker, but there's nothing wrong with being less palatable to the amateur as well.
  6. Shut down the network when it's not being used. This bit of advice is even more dependent on specific circumstances than most of them. If you have the sort of network that does not need to be running twenty-four hours a day, seven days a week, you can reduce the availability of it to security crackers by turning it off when it isn't in use. While many of us run networks that never sleep, and cannot really put this suggestion into practice, it is worth mentioning if only because one of the greatest improvements to the security of a system you will ever encounter is to simply turn it off. Nobody can access what isn't there.
  7. Shut down your wireless network interface, too. If you have a mobile device such as a laptop that you carry around with you and use in public, you should have the wireless network interface turned off by default. Only turn it on when you actually need to connect to a wireless network. The rest of the time, an active wireless network interface is nothing more than another attack vector for malicious security crackers to use as a target.
  8. Monitor your network for intruders. You should always make sure you have an eye on what's going on, that you are tracking attack trends. The more you know about what malicious security crackers are trying to do to your network, the better the job of defending against them you can do. Collect logs on scans and access attempts, use any of the hundreds of statistics generating tools that exist to turn those logs into more useful information, and set up your logging server to email you when something really anomalous happens. As a certain cartoon military SpecOps team from the 1980s would tell you, knowing about the danger is half the battle.
  9. Cover the bases. Make sure you have some kind of good firewall running, whether on a wireless router or on a laptop you use to connect to wireless networks away from home. Make sure you turn off unneeded services, especially on MS Windows where the unneeded services that are active by default might surprise you. In fact, do everything you can to secure your system regardless of OS platform, mobility of the system, or type of network.
  10. Don't waste your time on ineffective security measures. Every now and then, I run across some technically deficient end user handing out free advice about security based on things overheard and half-understood. Generally, this advice is merely useless, though often enough it can be downright harmful. The single most common bit of bad advice I hear from such people with regard to wireless networking is the admonition that when connecting to a public wireless network, such as in a coffee shop, you should only connect if the network uses wireless encryption. Sometimes these people get the advice half right, and recommend only connecting to networks protected by WPA -- it's half right only because WPA is the wireless encryption you should use, if you are going to use wireless encryption at all. There is no point in trying to "protect" yourself by connecting to a public access point only if it uses encryption, however, because the fact that the encryption key will be handed out to anyone that asks for it completely obviates the supposed protection you expect. It's a bit like locking the front door of the house, but leaving a big sign on the door that says "The key is under the welcome mat," which only protects against illiterate burglars. If you want your network to be available to everyone that walks onto the premises, just leave it unencrypted, and if you need to connect to the Internet in some public location, don't worry about encryption. In fact, if anything, the wireless encryption might more properly serve as a deterrent rather than an enticement to using that particular wireless network, because it reduces convenience without effectively improving security at all.

Most of the security tips one can offer about wireless networking are the sort of thing someone might call "common sense". Unfortunately, there's an awful lot of "common sense" floating around out there, and it's not easy to keep it all in mind all the time. You should always check up on your wireless networks and mobile computers regularly to make sure you aren't missing something important, and you should always double-check your assumptions to make sure you aren't wasting your energy on something not only unnecessary, but entirely useless, when more effective security measures could use your attention.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
guest2
guest2

Over 2 years ago, George Ou wrote an article "The six dumbest ways to secure a wireless LAN" about urban legends and myths on wireless LAN security. You've picked 2 of his 6 dumbist ways. http://blogs.techrepublic.com.com/Ou/?p=43

thetryckster
thetryckster

http://technet.microsoft.com/en-us/library/bb726942.aspx I'd like feedback regarding the following excerpt from Microsoft TechNet. (The full article can be viewed at the link above.) In this article, Microsoft recommends AGAINST use of the Non-Broadcast feature of the SSID. Comments anyone? "A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server?? 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range. Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks. When non-broadcast networks are used to hide a vulnerable wireless network???such as one that uses open authentication and Wired Equivalent Privacy???a Windows XP or Windows Server 2003-based wireless client can inadvertently aid malicious users, who can detect the wireless network SSID from the wireless client that is attempting to connect. Software that can be downloaded for free from the Internet leverages these information disclosures and targets non-broadcast networks."

Schuylkill
Schuylkill

This list is why my company does not allow our telecommuters to use wireless at home. As I say to every new telecommuter, it is easy to setup a home wireless network; it is very difficult to do so securely. This article proves my point - it is great information for an IT tech, but most people are not IT techs. Until wireless can be done easily AND securely, I just don't feel comfortable with our home users using wireless in their homes. The wireless manufacturers need to address this.

mjd420nova
mjd420nova

I take these tips and go one step further by mounting grounded foil near the antennas to prevent a usable signal from leaving the immediate area. It also helps to eliminate interference from other routers. I've tested it and can't get any signal at all outside the home and nothing usable just outside the wall where it's located. These tips are great but still won't stop a determined hacker who really wants into your system.

Sterling chip Camden
Sterling chip Camden

I think that the mistaken recommendation to only use public networks if encrypted stems from a general misunderstanding of how wireless encryption works.

Editor's Picks