
Five blatant security mistakes you should avoid when setting up a wireless access point

Bill Detwiler shows you how to avoid five blatant security mistakes when deploying a new wireless access point.

Wireless hardware manufacturers have made installing and configuring new access points and routers pretty simple, for both consumer and enterprise devices. This ease of installation can lull the inexperienced tech into a false sense of security and lead them to make mistakes during configuration.

Whether you're installing a wireless access point in a home, small office, or large building, following a few best practices can make the difference between a reasonably secure network and one that screams "hack me now!"

During this week's TR Dojo episode, I discuss five blatant security mistakes to avoid when deploying a new wireless access point.


For those who prefer text to video, a transcript is available below the video player, or check out Brian Posey's article, "10 tips for deploying new wireless access points," on which this video is based.


About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

50 comments
ejobrien

Most of this makes perfect sense; however, I'm a bit confused about why it is such a problem to keep the default router login. If I have remote admin disabled on the router, and I'm using WPA2 with a strong passphrase to secure the AP, then how could anyone access my router in the first place, and therefore how could the router login details I use make any difference? In a business environment where there are employees, contractors, customers etc. accessing the AP this is obviously critical, but for a home network, where I control all access and all devices, I can't see how this is really all that important.

Madsmaddad

I have a 3Com OfficeConnect ADSL wireless router. The SSID is the same as my employer's, because years ago I didn't want the bother of changing the laptop configuration every time I brought it home. That's OK. I haven't bothered hiding SSID broadcasts for years now. I recently improved the antenna on a USB wireless device, and now NetStumbler finds 33 wireless networks in my neighborhood. Some are FON or situations where a home router also has a public SSID (BT), but that's still a lot. I used the results of this scan to move to a less densely populated channel. I also have my DHCP tied down to a max of 6 devices using a subnet mask of 255.255.255.248. I couldn't tie it down any more because when the children come home we need most of them. I have WPA2 as well, whereas my employer didn't as it was a public network for students. They had the wireless on a separate VLAN. In the first year of operation a user could wander the network and see everybody else's 'My Documents' folder - a terrific tool for teaching about security! That's now sorted.

ben_gyampo

I am glad you are discussing this subject. I ordered a Netgear MODEM/WIRELESS ROUTER for use on a Vodafone DSL line IN AN OFFICE. It never worked after AUTOMATIC installation. The internet link TRIPS OFF every 30 secs and stays off for about 5-10 secs and reconnects. I had it disconnected. This was replaced with a CISCO (LINKSYS) WIRELESS (ONLY) ROUTER, connected to the Vodafone Huawei modem. It is also not working satisfactorily. The wireless stops working when connected to the sharing device. Any experience on this? I can provide further details if needed.

NZJester

Turning off the SSID and using WEP are two of the things I would never do. WEP these days can be cracked in less time than it takes some people to remember the WEP key and type it in. As for turning off the SSID to hide the router, this does sound like a good idea until you realize that the wireless devices that connect to this device have to ask if it is there. If this is a laptop you take with you, it will be asking everywhere it goes while it is on and not connected to a wireless network if that wireless device is there. This would make your laptop an easier target for hackers to connect to while you are out and about.
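The behaviour NZJester describes (a client with a "hidden" network saved has to name that network in its probe requests wherever it goes) is something a defender can see in a monitor-mode capture. The script below is an added example, not code from the article or any commenter: it reads a constructed, simplified probe log (one request per line, "time MAC SSID", with "*" marking a broadcast probe that carries an empty SSID; this is not any real tool's output format) and reports which clients are announcing saved network names.

```python
"""Find wireless clients that leak saved network names in directed probe requests.

Added example; not from the article or the commenters. Input is a constructed,
simplified log: "<time> <client MAC> <SSID>", where "*" marks a broadcast probe
with an empty SSID. A client that has a non-broadcasting ("hidden") network
saved must send directed probes naming that SSID, which is what gets flagged.
"""
from collections import defaultdict

# Constructed sample capture; MACs and network names are made up.
SAMPLE_PROBES = """\
12:00:01 AA:BB:CC:00:00:01 *
12:00:02 AA:BB:CC:00:00:01 HomeNet-Hidden
12:00:03 AA:BB:CC:00:00:02 *
12:00:04 AA:BB:CC:00:00:01 OfficeWiFi
12:00:05 AA:BB:CC:00:00:03 CoffeeShop
12:00:06 AA:BB:CC:00:00:01 HomeNet-Hidden
"""


def parse_probes(text):
    """Yield (time, client_mac, ssid) per line; ssid is None for broadcast probes."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, mac, ssid = line.split(" ", 2)   # SSIDs may contain spaces, so split at most twice
        yield ts, mac.lower(), (None if ssid == "*" else ssid)


def leaked_ssids(text):
    """Map each client MAC to the sorted list of network names it asked for by name."""
    leaks = defaultdict(set)
    for _ts, mac, ssid in parse_probes(text):
        if ssid is not None:          # broadcast probes reveal nothing
            leaks[mac].add(ssid)
    return {mac: sorted(names) for mac, names in leaks.items()}


def clients_probing_for(text, ssid):
    """Return the client MACs that named one specific SSID (e.g. your own hidden network)."""
    return sorted(mac for mac, names in leaked_ssids(text).items() if ssid in names)


if __name__ == "__main__":
    for mac, names in leaked_ssids(SAMPLE_PROBES).items():
        print(f"{mac} reveals saved networks: {', '.join(names)}")
    print("clients still looking for HomeNet-Hidden:",
          clients_probing_for(SAMPLE_PROBES, "HomeNet-Hidden"))
```

In the sample, the client ending in :01 gives away two saved networks while :02 only sends broadcast probes and reveals nothing; the fix on the client side is to remove or disable auto-connect for hidden networks, and on the AP side to broadcast the SSID so clients can stay quiet and let the access point announce itself.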

Shadeburst

A few years ago when wireless first hit the streets I made a lot of money installing cards in people's home computers. My selling point was (a) no cables and (b) you can install this card yourself, but let's see who else around here installed their own wireless... we're in, let's go to My Pictures... that's hot, your neighbor and his wife you say? So it's going to cost you a few bucks but I'll give you a network that's HIGHLY hack-resistant!

rwparks.it

Enjoy the point you make using descriptive SSIDs. Security through obscurity is a false premise. Strong password policy with good (not WEP) encryption delivers working security. On the flip side, don't just connect to wireless because the name sounds good. These can be faked also to skim off data that passes through it (a la man-in-the-middle). Also, interesting side note regarding (gray area) legal implication in Texas -- it's illegal to use someone else's computer equipment without their permission. Even if they don't password protect it, you could break the law by accessing the Internet through a wireless AP across the street if they don't authorize it.

dcolbert

#1 should be doing occasional site surveys to identify rogue access points. If you've followed all 5 steps listed here, all it takes is a single employee coming in and hooking up an unsecured WiFi AP to their Ethernet drop and all your hard work is for nothing. That has always been and remains the single biggest threat to wireless security on your corporate network.

Charles Bundy

Anyone that would make that sort of comment probably has open file shares too. Hope you like folks perusing your taxes and credit card info. They will probably find that Word document with all your business and personal account info including passwords too. They can then use the open AP connection you have so graciously provided to rob you blind ... After all it would be un-American and downright selfish to secure your computer, right?

Charles Bundy

Unfortunately I've got some units bridged between buildings and unless something has changed WEP is the only option for WDS. :( So thanks for the tips Bill and here is another if folks are using WDS - Turn off AP mode on bridge units using WEP so they are strictly P2P links. ADDENDUM - I stand corrected; it looks like Apple allows pre-shared static WPA keys in their latest firmware for WDS mode.

chrishardess

Yes, what is the damage? Let's share. No problem. Right up to the point that the police turn up on your door because some child pornography has been downloaded to the IP address of your router. Sure you will be exonerated after a while (maybe) but not until after the whole street has seen the police leaving your house with all your IT equipment in sealed bags, your children are taken into care and no matter how much your wife loves you there's always the question. Personally I'll stick to being selfish and secure, thanks all the same.

Kostaghus

I for one switched from wireless to wired connections after about one year of home and office wireless networking. Why? 1. It's waaaaay more secure. No way any outsider can hack the cables in my home. 2. It's faster. I currently run a Gigabyte Net both at home and at work. 3. It does not give a damn about iron and concrete walls. 4. I used to find up to 6 computers in the neighbourhood connected to my AP even with WEP security. Sniffers are the keyword. That's why I resorted to UTP cables and now I can thoroughly enjoy all the bandwidth I'm paying for.

adabbas

1. Any activity by an IP under your control is traced back to you: If someone hacked your WiFi, does something bad like trying to hack a website or post some terrorist propaganda, it will look like you did it. And neglecting your WiFi security does not protect you. At least you will always be labeled a suspect.
2. If someone can hack into your WiFi, he will be on your own network: He can continue to hack PCs or laptops in your home or listen to all packets transmitted wirelessly from and to them. I guess you can see the damage that they can do to you from that position.
Take care,

xmustanguyx

I would like to say that checking the logs to see who has access is useful. If your office has 10 PCs and you're showing 50 people connected with lease times then you know someone gave out the password or maybe neighbors are sharing! You could also have the tech (if you're not savvy) only allow connections from certain MAC addresses. I really love the DD-WRT interface vs the Linksys! @doctordawg, your point is valid but the problem is when you download copyright infringing material or send death threats out...guess what IP it gets traced back to? Ignorance of the law doesn't save you from the headache of investigation; even though at the end you may be exonerated, wouldn't it be prudent to just secure your network?

doctordawg

So someone "hacks" my wifi router and surfs the web using my bandwidth that I'm probably not using all of anyway. Big deal. Isn't this all just FUD to sell new stuff? It all just strikes me as "it's MY wifi and YOU can't use it" temper tantrums. If you're on a metered-use MyFi or something, ok, lock it down. But if you just pay a flat monthly for 2 MB/s DSL with a wifi router... never mind. I guess sharing is un-American.

NickNielsen

I have an older (well before Cisco) Linksys WR54-series router that initially only supported WEP encryption. A firmware update about a year ago fixed that. It is now AES-capable. If only I could say the same about my PSP...

edjcox

I have a household full of computers. So your timely input regarding installing a new router came just as my old USR router (running WEP) failed and got replaced by a NETGEAR. So now all of my systems are better supported and better secured than ever. Appreciate this basic tutorial.

Cynyster

I have always thought hiding the SSID was pure foolishness. All that does is make it harder for legitimate non-tech-savvy people to access the wireless, usually requiring a tech visit, not just a tech call. A suggestion I like to add to the security of the access point is to restrict the number of concurrent connections. As an admin you should have an idea just how many devices will be accessing it at any one time; restricting the connections can help stop or at least alert you to some unauthorized access. In a home environment that can keep your neighbors off your wireless even if they did manage to learn your access code.
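xmustanguyx's suggestion of comparing the lease table against the number of machines you own, and Cynyster's of capping concurrent connections, both come down to one check: count the active leases, compare them to an inventory, and flag anything unexpected. The script below is an added example, not the article's or a commenter's code. It parses a dnsmasq-style lease file, the "<expiry epoch> <MAC> <IP> <hostname> <client-id>" format that DD-WRT's DHCP server writes (an assumption here; confirm the path and format on your own router), using constructed sample data and a constructed device inventory.

```python
"""Audit a DHCP lease table for more wireless clients than the office should have.

Added example; not from the article or the commenters. Reads a dnsmasq-style
lease file (assumed format: "<expiry epoch> <MAC> <IP> <hostname> <client-id>"),
drops expired entries, and reports active count, unknown MACs, and whether the
count exceeds the concurrent-connection limit you decided on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


# Constructed sample lease file; addresses and hostnames are made up.
SAMPLE_LEASES = """\
1700000600 aa:bb:cc:00:00:01 192.168.1.10 desk-01 01:aa:bb:cc:00:00:01
1700000600 aa:bb:cc:00:00:02 192.168.1.11 desk-02 *
1700000600 aa:bb:cc:00:00:03 192.168.1.12 * *
1699999000 aa:bb:cc:00:00:04 192.168.1.13 old-laptop *
1700000600 de:ad:be:ef:00:01 192.168.1.20 android-3f9c *
"""
NOW = 1700000000  # fixed "current time" so the sample audit is reproducible

# Constructed inventory: the devices the office actually owns.
KNOWN_MACS = {
    "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
    "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04",
}


def parse_leases(text):
    """Parse every well-formed lease line; '*' hostnames become empty strings."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # blank or malformed line
        expires, mac, ip, hostname = fields[:4]
        leases.append(Lease(int(expires), mac.lower(), ip,
                            "" if hostname == "*" else hostname))
    return leases


def active_leases(leases, now):
    """Leases whose expiry is still in the future as of `now`."""
    return [lease for lease in leases if lease.expires > now]


def audit(text, known_macs, max_devices, now):
    """Return the three findings a quick lease review is after."""
    active = active_leases(parse_leases(text), now)
    unknown = sorted(lease.mac for lease in active if lease.mac not in known_macs)
    return {
        "active": len(active),
        "unknown": unknown,
        "over_capacity": len(active) > max_devices,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LEASES, KNOWN_MACS, max_devices=3, now=NOW))
```

Run it against the sample and the expired old-laptop lease is ignored, the Android device is reported as unknown, and four active clients on a three-device budget trips the capacity flag. A MAC that is not in your inventory is a reason to look, not proof of an intruder (MAC addresses are trivially changed, as several commenters note), so treat the output as an alert to investigate rather than as an access-control decision.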

jjmcgaffey

I do home computer repair, which includes setting up networks and fixing them. I have a _lot_ of clients who still have a wireless-g router with WEP encryption...I do my best, and advise them to upgrade for both speed and security. Other than that, I follow your suggestions - especially changing the password and making it a strong one. Though I must admit, I don't generally get to work on a router unless it's giving a client problems - and once I've set it up right, that doesn't happen all that often. But I check them whenever I come to work on something else, as well.

pjboyles

Still have some old WEP devices that have yet to be replaced. I keep hearing in a couple of years. Until then they are on an isolated VLAN with access to just what the old equipment needs to work. Thanks for gigging the old "hide the SSID" myth. It was never a good idea and broke things to boot.

Bill Detwiler

Too often companies try to save money by running outdated equipment with poor security controls. Wireless APs and routers that only support WEP are a good example. These antiquated wireless devices should be replaced with equipment that supports WPA2 and AES-based encryption. Unfortunately, security doesn't always win out over cost or expediency. Do you still support old wireless APs or routers that only run WEP? Take the poll and let me know: http://www.techrepublic.com/blog/itdojo/five-blatant-security-mistakes-you-should-avoid-when-setting-up-a-wireless-access-point/2749

NickNielsen

The main reason I can see for changing the default login and password is because the initial contact between the router and a device is unencrypted. If there's a remote admin hack that allows an intruder access to the router login, the passphrase makes no difference. And you don't control all access; it is a wireless router, no?

NickNielsen

You'll be much more likely to get a useful response over there.

Neon Samurai

It would be a network "break in" rather than a "hack".. "hack" simply means "to understand in detail.. to grok" .. wait.. yeah.. you could be selling "hack" resistant networks if the clients are unable to later explore and understand the setup.

robo_dev

While Cisco port security is not foolproof, it's a good start. The NAC solution from Cisco is very spoof-resistant, and other vendors (juniper, extreme, etc) are very good in this space. The Cisco WLSE (wlan solution engine) can detect, isolate, and disable rogue APs on a wired LAN.

Badge3832

I actually don't care if somebody peruses my tax and credit card info. That doesn't harm me. I'm not sure why you care. I do hide my bank and broker passwords.

Neon Samurai

wow.. for me that just sounds like fun with a spare access point. Drop a landing page with "the network is free to use but you give up expectation of privacy" then start your "research". :D And with WEP in place too.. you know those folks took at least five minutes of effort to intentionally connect into your network.

NickNielsen

My home router is set up to run WPA2-AES encryption, with a limit of no more than 5 concurrent wireless connections. I've changed the default userid/password, and can only access the router management application from a direct connection.

Neon Samurai

DD-WRT is fantastic for getting business class features without the business class hardware costs (if you can get by with number of devices vs SOHO quality hardware). MAC filtering I'd just make one point about though. This shouldn't be relied on as a form of security. It's very easy to change what MAC address one's device appears to connect from, and the list of valid MAC addresses only takes a little longer than finding a "hidden" SSID (ie. seconds). You still need that good strong WPA2 passphrase providing a real security mechanism. Now, MAC filtering is good for reducing load on the router. I don't want my device paying attention to every wireless broadcast within range. It should pay attention only to devices that appear to be relevant. Thus, allow only MAC addresses in the filter list and ignore all the rest.

Neon Samurai

Someone won't "hack" your network, they'll "break in" to your network or "crack" it if you must use a techy sounding sensationalist term. A real Hacker wouldn't be interested in breaking into networks without the owner's permission. A few possible outcomes of a break-in:
- financial loss - you pay overage charges when neighbours "help" use up your monthly limit
- resource loss - you get slow shared performance at those times when you are using your bandwidth heavily
- criminal charges - "mr dawg, we show your address as the destination for movies/music/child-abuse material. Please come with us while these officers have a look around."
- criminal charges - "mr dawg, we show your address as the source of ongoing attacks against XYZ company's networks. We also show your address distributing copyright infringing materials. Please come with us while these officers have a look around."
- criminal charges - "mr dawg, are you or have you ever been a member of the communist part-er.. Taliban cell? we show a lot of your address talking to known group control centers."
- criminal charges - "mr dawg, we see that you have an unmanaged open wireless network here" (only a few, but some countries have made irresponsible wireless network ownership a legal issue.)
- unwanted advertising - you're so lucky, now you get all kinds of offensive images and advertising because your IP has been tagged with someone else's behavior.
- personal loss - are you sure that all personal devices that can be reached from that wireless access point are secure? No shared folders with media or personal files being exposed to anyone who happens to connect in? Are there any exploitable vulnerabilities in your current systems that would give an opening for getting at personal information or installing malware?
- harm to others - is your open network being used to distribute spam or malware? Are your systems exposed to and infected by malware?
Other considerations:
- do you leave your front door open so anyone walking past can come in to grab a sandwich from your fridge and a glass of water or pint of beer?
- do you have a standing invitation for any passer-by to stop in and watch your TV?
- is it ok for anyone on the street to sit down beside your house and plug into an external power outlet?
- would you mind strangers camping in your back yard or sleeping on your couch when you arrived home every day?
- is the car left out front with keys in it just in case a stranger wants to use it while you don't need it?
If your intent is to provide free wifi access then do so by all means. Set the SSID to "free wifi", drop the access point on a separate line from your house network and have at it. At least you'll have done so with informed consent unlike the thousands who buy a router, run home and unknowingly add another node to the "Linksys Global Network".

acmp

The criminally intent will find weak networks to enable their activities, I'm glad there are trusting people like you so that I keep being a tough target and the criminals focus on your network instead.

Not~SpamR

If someone uses your wireless and your internet connection to download their email it's really not a problem, as you suggest. But what if their email contains instructions on how to make a bomb, or some child porn, or some such? Worse still, since it breaks the defence of "I didn't want this, someone emailed it to me and I deleted it", what if they use your wireless to upload spam, fraudulent emails, child porn etc? It won't be them who gets a visit from the Feds.

Kostaghus

Yes, IT IS my web and I am paying for it. I for one am nevertheless TOTALLY unsatisfied with the current security level of wireless. So that's why I'm still using wired networking.

Neon Samurai

The SDIO wireless network card only supports WEP. No Palm T5 on my network since WEP's weaknesses started shining through. A PSP though.. boo.. sucks to have something that recent supporting only WEP. Shame on Sony.

cpguru21

While I'm not fooled about whether it's more secure or not, with BYOD, I already get enough questions about plugging personal devices into the network. It just helps to avoid the "can you get me on the wifi" question. Maybe this is a foolish thought?

bellrm

I keep getting into arguments with security consultants on this point... Basically, my view is that for the typical WiFi deployment a user-recognisable SSID is desirable, specifically for the 'landing'/initial connection WiFi network. However, this doesn't mean that the SSID needs to be meaningful to the general public; it only needs to be meaningful to your legitimate users (specifically employees, contractors and guests). This permits a level of self help with initial connection problems. I find that some security experts prefer a non-meaningful SSID, using the rationale that users don't typically look at which network they are connecting to, so why compromise overall security to deliver a questionable user benefit. Personally, whilst I understand the sentiments, my preference for those enterprises that require greater security is to have a meaningful 'landing' SSID and let the network, as part of the log-on, re-assign the user to another SSID, which may be random and have a limited life.

Neon Samurai

Provided you have the home owner's permission, the demonstration of breaking into their home wireless network in five or ten minutes usually opens a few eyes. Budgets are tight but if they can find the $100 for a newer router, it really is worth getting away from WEP-limited hardware.

TG2

Anything with an ethernet port gets its wireless turned off .. and then it gets attached to its own AP or switch to AP that is WPA/WPA2 enabled. A couple of months ago I picked up several ASUS wireless AP/Routers that could run DD-WRT .. they are either USB or AC powered, with a single ethernet port, and are about the size of a deck of playing cards. They were 25 bucks a piece back then. Thus.. even on an older laptop .. simply attach some velcro to the lid of the screen, or get an L bracket to hang it off the screen's edge .. plug into the ethernet and USB ports.. and go to town.. :) Yes, the range isn't what I'd like it to be.. but it's still small, efficient, and allows secure wireless.

robo_dev

You don't mind if an attacker views your credit card and tax records?

Neon Samurai

With how easy it is to change a reported MAC address, it's sure not a security mechanism. But, as a filter, it may reduce the amount of radio traffic your router cares to read beyond the frame header. "hey.. that's not one of my filtered MAC addresses; drop.. let's see.. what's in the next frame.." (actually, I'd be interested if any of the radio nerds can confirm if MAC filtering for the purpose of filtering actually does reduce hardware workload. It makes sense that it would but I've never had secondary confirmation of this theory.)

Neon Samurai

From the info-sec side, all information given out is in the wild. It's about what information you give out intentionally and being aware of what info one can give out accidentally. It's about only giving out information that has a valid reason to be given out.

For a business, you want to advertise and be known in the community. You have a sign out front. You have business cards. You may have radio and TV advertising. In this case, have your company name appear when anyone locally looks for wireless networks. Let your wireless AP broadcast "Bob's Plumbing" in a nice radio bubble just like the sign out front broadcasts your name across the street in front of it.

For personal use, there is no real reason your network needs to broadcast who lives in the home or what interests they may have. "Bruce's family network", "The Henderson's", "we lov3z teh gaming".. not relevant information to announce to anyone who happens to pass through your radio bubble. A five to eight random character string gives the network a unique name which does not relate back to the home or otherwise expose information about the owner. Repeat devices have the random SSID saved within an applicably named network connection entry so no problem. With guest devices, point out the network in the list and let them save it under a relevant connection entry name. Personally, the fun comes for me after pointing out the SSID when I direct them to the computer screen with "and that is the network password you'll need to type in" (max length upper/lower/num/char WPA2.. bwahahahaa).

Of course, I'm as happy as others to see the "hide the SSID" claim officially denounced here also. If you hide it, you just cause your devices to broadcast your SSID so you're not accomplishing anything. Worse still, your devices now broadcast that SSID all around town in case they happen to be within range to connect. Or, they try to connect to rogue access points set up to answer any of those broadcasts with "oh yeah. That's me. I'm your access point named whatever that was you just called out for.. send your password over please." (and they do.. they do send your network password over to the stranger). Better to broadcast your SSID. Pick an SSID that does not broadcast relevant information about you. Have all your client devices keep quiet while roaming about town and let the access point start the connection. On the up side, you may have some savvy neighbours that see your broadcast SSID while looking to choose a less populated channel.

NickNielsen

If he takes reasonable precautions to prevent that data becoming public, then under the law he's not financially liable for the consequences of theft or compromise. FWIW, any credit card records (receipts, statements, etc.) that might become publicly available due to his inaction will not include the entire card number. We already pay higher costs at retail outlets due to inventory shrinkage, 79% of which is due to employee theft and shoplifting. Retailers do what they can to reduce or eliminate it, but it's an unfortunate cost of doing business. Card issuers no doubt look at it the same way.

Neon Samurai

True, and when the credit card company takes the loss, it's you and the rest of the company's card holders who will pay for it in higher monthly fees. I can understand not putting in the amount of effort a security enthusiast puts in, but actively not caring must fall somewhere under irresponsible negligence. Consider how much the malware epidemic could be reduced simply by device owners applying a minimum level of responsibility for their blinky light toys.

Badge3832

If I give you my numbers the credit card company would have a reasonable argument that I should pay. If you steal my numbers I'm not liable. I'd prefer you not steal them, but I'm not going to bust my butt to prevent it.

Neon Samurai

Won't take me but an hour, though I've no idea how long it'll take you to pay off the debt. :D

Badge3832

No, I don't. First, it's not likely anyway. Second, I'm stumped as to how this would harm me.

NickNielsen

MAC filtering can reduce the amount of traffic the router reads beyond the header, but the radio is always receiving signals, amplifying them, and passing them to the modem. Any non-802.11 data is simply ignored. For 802.11 data, the modem demodulates and passes to the router. The router then does its thing, passing the traffic on, assigning an IP, or whatever is requested within the configuration restraints. Any power or equipment savings is minuscule.

Arctic.Moet

You can have great fun with personal SSIDs... what, you've never used the classic "FBI/CIA/(YourLocalPD) Surveillance Van?"

NZJester

It's amazing how many people put their name or address in their SSID. I use an SSID of "PRIVATENET####" where the #### is a random number I change from time to time with the password. You don't want to give SSID information to help thieves know where to break in to steal computer equipment. My new ADSL modem from Vodafone has a button on the front that, held in for 5 secs, lets me turn the wireless on and off without the need to log into it to switch the WiFi on or off, and most of the time it is turned off till it is actually needed. As for businesses, I don't know why most don't have isolated WiFi networks that dead end at a PPPoE server computer. Have them identify again with a second username and password to get access to the larger network and the internet. You can use the PPPoE server to assign a fixed IP to each user so you can track who and when specific users are using the wireless network, and lock accounts to only be able to access the network an hour each side of their working hours to prevent others using the account while that employee is not there. As a business, if they do not use a PPPoE username and password to get through to the main network, you could have an HTTP server on the PPPoE computer reply to any URL request with advertising pages for your business!
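Neon Samurai's random five-to-eight character SSID and NZJester's "PRIVATENET####" both have a cryptographic payoff on top of the privacy one, and Neon Samurai's maximum-length WPA2 passphrase has a concrete upper bound. The script below is an added example, not code from the article or the commenters: the key derivation it implements is the one IEEE 802.11i specifies for WPA/WPA2-Personal (the 256-bit pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), so the SSID is part of the key material and a precomputed table for "linksys" is useless against a network with a unique name. The passphrase limits (8 to 63 printable ASCII characters) are also the spec's. The prefix "PRIVATENET" and the passphrase alphabet are choices made for this example.

```python
"""Why a unique SSID and a long passphrase both matter for WPA2-Personal.

Added example; not from the article or the commenters. derive_pmk() is the
IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1(passphrase, ssid,
4096 iterations, 32 bytes). Because the SSID salts the derivation, a
precomputed table for a common default SSID does not transfer to a network
with a random name. The 8..63 printable-ASCII passphrase limits are the spec's.
"""
import hashlib
import secrets
import string

# Alphabet for generated passphrases (a choice for this example, not a spec requirement).
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def valid_passphrase(passphrase):
    """802.11i allows a WPA-Personal passphrase of 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase, ssid):
    """Return the 32-byte PMK that both the client and the AP compute from passphrase + SSID."""
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def random_ssid(prefix="PRIVATENET", digits=4):
    """A name in NZJester's PRIVATENET#### style: unique, and says nothing about the owner."""
    return prefix + "".join(secrets.choice(string.digits) for _ in range(digits))


def random_passphrase(length=63):
    """A random passphrase at the spec's maximum length by default."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8-63")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    ssid = random_ssid()
    passphrase = random_passphrase()
    print("SSID:", ssid)
    print("passphrase:", passphrase)
    # Same passphrase, two SSIDs: completely different keys, which is the point of a unique name.
    shared = "correct horse battery"  # constructed sample passphrase
    print("PMK with SSID 'linksys':   ", derive_pmk(shared, "linksys").hex())
    print("PMK with SSID", ssid + ":", derive_pmk(shared, ssid).hex())
```

Two practical consequences follow from the derivation. A default SSID makes the 4096-iteration cost something an attacker can pay once and reuse, so changing the name to something unique to your network takes that shortcut away; and since the PMK never changes while the passphrase and SSID stay the same, NZJester's habit of rotating both from time to time also rotates the key that every stored capture of the handshake would be checked against.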