Guidelines for a secure wireless network

Discussion in 'Networking, Telephony & Internet' started by Mr Mephisto, Nov 25, 2004.

  1. Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    The following is a list of steps you should undertake to secure your home wireless network. These tips are suitable for home networks only, as enterprise deployments have their own, considerably more complex, methods.


    1 - Enable WPA if at all possible
    Background
    WPA (WiFi Protected Access) greatly increases WLAN security. It introduces several new enhancements, including TKIP (Temporal Key Integrity Protocol) that mitigates against so-called AirSnort or Wardriving attacks, and MIC (Message Integrity Check) that protects against Man in the Middle attacks. It also increases the WEP Initialization Vector from 24 bits to 48 bits, which is a huge improvement, as this makes the statistical likelihood of a weak IV being captured much lower. Finally, WPA introduces a dynamic key management feature, which allows for regular and automatic regeneration of WEP keys.
    Implementation
    WPA for most home wireless kit will run in WPA-PSK mode. The PSK stands for Pre Shared Key. This is effectively a password that you enter in your Access Point and your client that is used to independently generate new WEP keys on a regular basis. Ensure your passphrase is at least 20 characters long!
    Caveats
    Not all Access Points support WPA. This is unfortunate, but is not the end of the world. However...
    "What happens if my Access Point doesn't support WPA?!!!"
    Well, you can still follow the steps below. And you should manually set up a WEP key on your Access Point and your client devices. This is a pain, but ABSOLUTELY NECESSARY. You should also change this regularly; at least once every few months.



    2 - Change default SSID
    Background
    SSID (Service Set Identifier) can be considered analogous to a network name. All Access Points come "out of the box" with a default SSID. Every hacker worth his salt will know the most common SSIDs. Common examples are "Linksys" (for Linksys kit), "Netgear" (for Netgear kit), "Tsunami" (for Cisco kit) etc.
    Implementation
    Change the SSID to something more appropriate to you. Your name, favourite band, pet... whatever. Just don't use the default.
    Caveats
    None. There is no reason this should not be done.



    3 - Disable SSID Broadcast
    Background
    SSID (Service Set Identifier) can be considered analogous to a network name. Most Access Points "broadcast" this by default. That is, they advertise the SSID to any listening client devices. This is fine for enterprise networks or "hotspots", but there is no reason to advertise your network to your neighbours. You will know the SSID anyway (see above), so you don't need to broadcast it.
    Implementation
    Different for all manufacturers, but it should be pretty obvious. Just look for "SSID Broadcast" and disable it.
    Caveats
    This should not be considered a security improvement, as it's still possible to ascertain the SSID of a network that is not broadcasting, but it IS best practice. Just do it.



    4 - Enable MAC filtering
    Background
    All Ethernet devices, including WLAN interfaces, have a MAC address. This is a 6-byte hexadecimal address that a manufacturer assigns to the Ethernet controller for a port. MAC addresses are "lower level" than IP addresses and are used on the Data layer. You can set up your Access Point to only allow certain MAC addresses (ie, certain devices) to use your WLAN. In other words, you configure it to only allow your computer (laptop, sister/brother's etc) to associate to the WLAN. This will prevent unwanted visitors from hitching a free ride...
    Implementation
    Search for MAC Filter in your Access Point config guide. You will have to go to each computer you will use on your WLAN and note down their MAC address. Make sure you note down the WIRELESS adaptor, and not the wired network card! It's a bit tedious (as a MAC address is a long string of hex), but it's worth it.
    Caveats
    Not entirely foolproof, as experienced hackers can spoof MAC addresses. But it certainly adds greatly to security.



    5 - Turn down transmit power
    Background
    Most Access Points can transmit at up to 100 mW; some even more. Why bother covering more area than you need? There's no point in offering temptation to the people across the street, so you should turn down your transmit power to the lowest level that sufficiently covers your house/apartment.
    Implementation
    Different for every manufacturer. Check your user guide.
    Caveats
    You may need some tweaking to get it right. If you do, then congratulations. You just carried out what is called a "Site Survey" in the industry. Soon, you'll be doing this for a living!



    6 - Change the admin password
    Background
    All Access Points come with an Admin account and password. You would be surprised at how many people leave these as the default ("Admin" and "Admin" for Linksys kit for example). You should change the password to something only you know as soon as you can.
    Implementation
    There shouldn't be any problem doing this. Just look for the Admin or Account Management section on your configuration page.
    Caveats
    Make sure you note down what you change the Admin password to!!



    7 - Change default IP address
    Background
    Most access points come with the default RFC1918 IP address of 192.168.1.1. Most hackers know this. Bad combination. Try changing the IP address to 192.168.x.1, where x is a random number between 2 and 254.
    Implementation
    Different for every manufacturer. You should be able to do this from the Admin web-page for your access point quite easily.
    Caveats
    Remember that when you change the IP address of the router, you will have to remember the new one when you access it again via a web-browser!! Of course, that's the whole point, but just don't forget it. Chances are, once you make the change, the current web session will no longer work and you'll have to start another session; you just changed the address after all.



    8 - Reduce the size of your DHCP pool
    Background
    DHCP (Dynamic Host Configuration Protocol) is a system that dynamically provides your clients (ie computers) with an IP address every time they join a network. In simple terms, your computer gets an IP address from your access point, and you don't have to worry about messing around with esoteric network settings. IP addresses are assigned from a "pool" of available addresses. The AP has to ensure it doesn't give the same address to two computers, or there would be problems. This "pool" of addresses often has up to 254 addresses available. Most home networks have only a handful of computers. By reducing the number of addresses in the DHCP pool to exactly the number of computers you have, you reduce the likelihood of a hacker gaining access to your network. They simply won't get an IP address in the first place.
    Implementation
    Again, this is different for every manufacturer. It is usually in a "Network" or "DHCP" section on your AP configuration web-page.
    Caveats
    None really. Just make sure you have enough IP addresses left in your pool for your computers. Remember that reducing the pool to the exact number of computers you have means that "friends" as well as hackers and freeloaders won't be able to use your network either. If you have visitors that come to your home to use the network often, then this may not be suitable.




    If you have any questions, please feel free to ask.

    I can also post an explanation of the 802.11 "alphabet soup" and all the relevant acronyms if anyone is interested.


    Mr Mephisto
     
    Last edited: Nov 26, 2004
  2. blak-jak

    blak-jak Member

    Joined:
    Jan 9, 2002
    Messages:
    79
    Location:
    Brisbane
    Riddle me this: how can I get Win98SE to support WPA??? Without paying money of course; I know there is a program that you can buy, but I'm poor :(
     
  3. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    Well, you need a wireless adaptor that supports WPA first of all. What make and model do you have?

    There may be Win95/98 client software that came with the adaptor. If not, check their website.

    Microsoft do not support WPA natively in Win98 or Win2K (you can get WPA support on Win2K with a service pack upgrade).

    Finally, Funk Software produce a wireless supplicant that runs on Win98. You can download a 30 day trial, or buy the software itself. Check out www.funk.com



    Mr Mephisto
     
  4. blak-jak

    blak-jak Member

    Joined:
    Jan 9, 2002
    Messages:
    79
    Location:
    Brisbane
    Yeah, I've tried that program, for 30 days.... I have a Linksys WMP54G PCI card, which does support WPA of course, but sadly Win98SE doesn't. Shame. Ah well, I guess 128-bit WEP, MAC access control and SSID broadcast being off will have to suffice.
     
  5. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    Make sure to change your WEP key regularly.


    Mr Mephisto
     
  6. Whisper

    Whisper Member

    Joined:
    Jun 27, 2001
    Messages:
    8,297
    Location:
    Sydney
  7. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    Done.

    I'll post an explanation of the 802.11 alphabet soup soon... The one already there is a bit old.


    Mr Mephisto
     
    Last edited: Nov 26, 2004
  8. Iceickle

    Iceickle Member

    Joined:
    Jun 10, 2002
    Messages:
    956
    Location:
    Wollongong
    Great post :) I agree with everything, and am going to be anal and say:


    Please don't do this :) pretty pretty please. If someone else gets that password, you will regret it ;)
     
  9. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    So are you saying, don't change the admin password, or don't actually write the new one down?

    :)

    I personally see no problem writing your IP address and admin password on a sticker and putting it on the bottom of your access point, or the first page of the manual. It's outside hackers you're trying to protect yourself from.

    If a hacker has physical access to your house, then you've got other problems... :)


    Mr Mephisto
     
  10. titan

    titan Member

    Joined:
    Dec 28, 2001
    Messages:
    2,887
    Location:
    Leichhardt, Sydney
    Reducing your DHCP pool does nothing for security at all. If WEP / WPA has been bypassed by an unauthorised user, do you really think that sniffing the network to find a valid IP address is beyond their means? Especially when they are probably spoofing their MAC address...they could get IP addresses from their packet sniffing session too.
     
  11. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    It does improve security.

    Disabling SSID broadcast also "does nothing for security at all", yet it is considered a best practice. Enabling MAC filtering is also easy to bypass for a dedicated hacker. But you don't see people saying "do you really think..." just because an experienced or technically astute hacker can circumvent certain security steps.

    That's just like saying "Locks can be picked, so don't bother locking your door." It's disingenuous and it is actually incorrect.

    Following these steps will greatly reduce your vulnerability.

    99.99% of "attacks" on WLANs are actually opportunistic in nature. If the attacker encounters some or all of these hardening steps, most of them will just pass by and concentrate on another wide-open WLAN.

    If you have something constructive to say, please do so. But don't post something which is patently untrue.


    Mr Mephisto
     
    Last edited: Nov 26, 2004
  12. Tekin

    Tekin Member

    Joined:
    Nov 16, 2002
    Messages:
    4,039
    Location:
    Elsewhere.
    Mr Mephisto, that was one of the best written explanations of developing security options in wireless routers that I've read for a while.

    One thing you may want to add is for people using adhoc point to point networks instead of AP networks. They are a hell of a lot easier to secure, but it is still important, especially considering most people leave one end of it open a lot of the time when their other point isn't accessing.
     
  13. titan

    titan Member

    Joined:
    Dec 28, 2001
    Messages:
    2,887
    Location:
    Leichhardt, Sydney
    I disagree. I also disagree that SSID broadcasts aren't a security measure...it's security via obscurity. Let me put it this way:

    The unauthorised user will see a network with a hidden SSID (via kismet / airsnort or similar), and will generally move on. The SSID is the FIRST thing they see, hence by making it obvious that the network admin isn't using default settings it will generally make them move on unless they have a specific bone to pick with you. It also stops unassuming neighbors.

    Next, they see that WEP / WPA is enabled (or fearfully, not in most cases). Decision time...to bother or not to bother?

    At this stage, THEY DO NOT KNOW if you are running DHCP or not. What they DO know, is how you've configured your SSID. Hence, it's important.

    OK, so they make the decision to bypass encryption, succeed, and now have layer 3+ access to your network.

    Oh noes! I can't get a DHCP lease! I'll move on!

    ...or not.

    See where I'm going? Once encryption is bypassed, you're screwed unless you use IPSEC / VPN etc...Please tell me (with a straight face), that if someone managed to gain layer 3+ access to your network, they would shit their pants about no DHCP (or limited pool).

    You can't be serious.
     
  14. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    You have to take a holistic approach.

    First of all, if WPA is set up correctly (with at least a 20 character secret), then it is effectively impossible to gain access to the network. WPA (with sufficient length secret) remains unbroken and offers the best security outside 802.11i (which virtually no home network is going to enable at the moment).

    Secondly, if you think disabling SSID broadcast is a security feature you are sorely mistaken. It may prevent the odd "passer by" from seeing your network, but it's not going to stop a motivated attacker.

    However, as I said earlier, most attacks on home wireless networks are opportunistic. So-called "war drivers" or "war walkers" will try to gain access to unsecured WLANs. In this case (ie, in 99% of cases) ANYTHING that makes it more difficult for them to gain unfettered access to your network improves security. If you don't believe this you either don't understand the holistic nature of modern network security or don't work in the area.

    As I implied (indeed, explicitly stated) in my post, if you cannot enable WPA, you can still improve security by following steps 2 to 8.

    A script-kiddie, with no hacking experience, can easily "break into" an unsecured WLAN. Microsoft XP even enables this by "discovering" local WLANs (the user has to do nothing). If WPA and/or WEP is not enabled, they can gain access at the drop of a hat. But if the AP does not provide them with an IP address automatically, then they have to engage in extra effort. If all the existing IP addresses in the scope are already assigned, then "stealing" one from an existing device will result in significant network problems. This in turn will make it harder for the hacker to enjoy his free ride and will also highlight a problem to the real owner of the network.

    So we have a situation where

    a) the vast majority of WLAN hackers, who are not technically astute, will be prevented from gaining an IP address automatically.
    b) would need the ability to identify and understand the issue
    c) would need the ability to circumvent it
    d) by so doing, would negatively impact their ability to use the network
    e) by so doing, would highlight that an attack (or IP address conflict) was occurring to the real network user.


    All of these go quite some way to dissuading the common WLAN hacker. In other words, you make your network more difficult to use (or abuse) and therefore more secure.


    Finally, as I said in my caveat section (to each tip), there are very few disadvantages to this step. Anything that makes life harder for a hacker improves your security by default.


    Feel free to PM me if you have more questions on this issue.



    Mr Mephisto
     
  15. titan

    titan Member

    Joined:
    Dec 28, 2001
    Messages:
    2,887
    Location:
    Leichhardt, Sydney
    You are correct that reducing your DHCP pool size / turning off DHCP is effective on WLANs without WEP or WPA. For those with WEP / WPA enabled (regular key changes with WEP), it's as effective as hiding jewelry under a napkin when it's locked in a safe.

    Also, you say that it's "effectively impossible" to break WPA? Do you follow the industry? Here's a hint: passphrase-based PSK. The term "pre-shared" implies security risks in itself.

    Note: The only reason I'm writing this is because there has been a recent number of posts on the forums where people are posting as "professionals", and brushing off all other posts as mere opinion. Telling me that I "don't understand the holistic nature of modern network security or don't work in the area" is a joke, which I find quite offensive as someone posting my EXPERIENCE to the forum.
     
  16. ConundruM

    ConundruM Member

    Joined:
    Jun 27, 2001
    Messages:
    910
    I'd just like to point out that spoofing a MAC address isn't something only experienced hackers can do.
    Under Linux (and other Unix systems) it's often documented in the man pages.

    It's as easy as running:
    ifconfig eth0 hw ether <new MAC address>

    and given that MAC addresses are in any packet that you capture from the network, it's not very hard at all to obtain a valid one.
    Yes, multiple levels of security are good, but this level isn't a very strong one at all.
    But a good all round thread!
     
  17. titan

    titan Member

    Joined:
    Dec 28, 2001
    Messages:
    2,887
    Location:
    Leichhardt, Sydney
    Indeed, and it's as easy as running Network Connections --> Properties --> Configure... --> Advanced --> and typing a valid MAC into Locally Administered Address on Windows XP for instance.
     
  18. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    I'm glad we agree. So what are you arguing about?

    :) I don't need any hints thanks. I've been working with some of the largest wireless networks in the world for the past four years. But I appreciate the thought.

    I said it was effectively impossible to break WPA if it has a sufficiently long secret.

    The attack upon WPA-PSK is called a dictionary attack.

    WPA-PSK, when first proposed to the WiFi Alliance came with a minimum length of 20 characters for the secret. The manufacturers complained that this was going to be too difficult for their customers to configure and implement and market forces forced the "watering down" of the standard. The minimum secret length is now 8 characters.

    With appropriate tools and a long enough dictionary, this can be hacked. However, like all dictionary attacks the likelihood of a successful match decreases exponentially with each increase in the key length.

    An 8 character dictionary has approximately 94^8 (6,095,689,385,410,816) values (if we assume the use of alpha-numeric and extended characters). Using optimized dictionary searches this can be searched successfully in about 1.7 to .33 hours. This is assuming around 25million records per second are scanned which is accurate enough for today's fast processors.

    So, as we can see, WPA-PSK using the default key length of 8 characters is not ideal.

    However, if you read what I said, and if you follow the best practices recommended by the security community, you will find that the recommended length of a secret in WPA is 20 characters.

    This dictionary has a length of 2.9010624113146182337306275467414e+39 entries. I don't think you (or any human) has any comprehension of how big that number is. It would be impossible for any current computer to even store a dictionary that long. Then you would have to scan it looking for a match. Currently, assuming approximately 25 million fields are checked per second, scanning that database would take more years than the Universe has existed.

    Written another way, there are 29,010,624,113,146,182,337,306,275,467,414,000,000,000,000,000,000,000,000,000,000,000,000,000 values that would have to be analyzed to "crack" WPA (with 20 character secrets). That would normally take 3,679,683,423,788,201,717,060,664 years if you could analyze 25 million fields a second. As I said above, that's considerably longer than the Universe has existed.

    You could reduce the time required by using a hybrid of heuristics, probability filtering and the so-called "fast memory trade-off technique". Who knows? You might get it down to a couple of billion years.

    Somehow I doubt you're gonna do it. :)

    So, YES, WPA properly implemented is effectively impossible to crack; at least today and for the foreseeable future.

    Well, as I stated above and as you now agree, diminishing your DHCP pool is one part of a holistic approach to wireless LAN security. I have no idea what your experience is. I simply said you don't understand the holistic approach or don't work in the area. Perhaps you do, as you've now accepted the original proposition.

    Mr Mephisto
     
    Last edited: Nov 26, 2004
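A quick way to check the keyspace arithmetic in the post above, and the 20-character passphrase advice in step 1 of the original post, as an added example that is not part of the thread. It assumes the post's 94-symbol alphabet and 25 million guesses per second; the 13.8-billion-year age of the universe is used only for scale.

```python
from math import log2

# Constructed assumptions, taken from the post above rather than measured:
# a 94-symbol alphabet (printable ASCII letters, digits and punctuation) and
# a guessing rate of 25 million candidate passphrases per second.
ALPHABET_SIZE = 94
GUESSES_PER_SECOND = 25_000_000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
AGE_OF_UNIVERSE_YEARS = 13.8e9  # approximate, for scale only


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Exact number of distinct passphrases of exactly `length` symbols.

    Python integers are arbitrary precision, so 94**20 is computed exactly
    instead of being rounded to a float.
    """
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=ALPHABET_SIZE):
    """Strength in bits of a passphrase chosen uniformly from the keyspace."""
    return length * log2(alphabet_size)


def exhaustive_search_years(length, rate=GUESSES_PER_SECOND,
                            alphabet_size=ALPHABET_SIZE):
    """Years needed to try every passphrase of this length at `rate` guesses/s.

    This is the worst case for the attacker (the last candidate matches); the
    expected time for a uniformly random passphrase is half of this.
    """
    seconds = keyspace(length, alphabet_size) / rate
    return seconds / SECONDS_PER_YEAR


def passphrase_report(length):
    """Summarise keyspace, entropy and brute-force cost for one length."""
    years = exhaustive_search_years(length)
    return {
        "length": length,
        "keyspace": keyspace(length),
        "bits": round(entropy_bits(length), 1),
        "years": years,
        "universe_lifetimes": years / AGE_OF_UNIVERSE_YEARS,
    }


if __name__ == "__main__":
    # Compare the 8-character minimum with the recommended 20 characters.
    for n in (8, 20):
        r = passphrase_report(n)
        print(f"{r['length']:>2} chars: {r['keyspace']:,} candidates, "
              f"{r['bits']} bits, {r['years']:.3g} years "
              f"({r['universe_lifetimes']:.3g} x age of the universe)")
```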
  19. OP
    OP
    Mr Mephisto

    Mr Mephisto Member

    Joined:
    Nov 24, 2004
    Messages:
    97
    I didn't say it was only experienced hackers that could do this.

    What we have here is a misunderstanding of the threat and risk mitigation.

    We all know, or at least we all should know, that most WLAN attacks are not really active hacking attempts, but simply war-walkers and war-drivers looking for a free internet feed and some snooping. The vast majority of these do not understand MAC address spoofing etc. Also, spoofing the MAC address is not the only step required; you also have to know a valid MAC address.

    So the "hacker" would have to capture some packets, decode them to ascertain a valid MAC address and then spoof it himself.

    This is something most WLAN attackers will not do. Undoubtedly some will, especially if they are explicitly targeting your network, but most won't bother.

    The art of network security is equally about risk assessment and mitigation, as well as implementing specific security hardening. Any additional improvement to your security (no matter how "easy" to circumvent) by definition improves security.

    I would never recommend that someone only implement MAC address filtering. Indeed, personally I don't bother myself as I think it's a pain in the ass, but as part of an integrated security strategy it is an entirely valid recommendation.

    Mr Mephisto
     
  20. ConundruM

    ConundruM Member

    Joined:
    Jun 27, 2001
    Messages:
    910
    Hehehe okay,
    but you did say that it greatly improved security.
    I don't think it does.

    You're quite verbose, aren't you?
     