WiFi Security Basics
This article deals with the protection of wireless networks. It gives some practical insights and recommendations on how to set up and maintain a secure WiFi network.
Wireless networks are becoming more common, and the hardware to support wireless connectivity is included on almost every laptop sold today. Being connected and staying mobile is a huge advantage both for business and personal Internet use – you no longer have to be in one place, tethered by cables, when you want to get online. Wireless ‘hotspots’ at airports and hotels are the norm today, and many handheld devices are equipped with WiFi modules that enable Internet access on the go. Wireless signals travel through walls, floors and other physical obstacles, so you can enjoy the Internet’s wealth of information and enjoy lying outdoors in the sun at the same time while your wireless router feeds an Internet signal to every computer in your household.
But of course, all this freedom comes with a caveat: a greater need to be aware of Internet security risks and to take extra steps to protect your wireless connection against them.
Security and public wireless access
Let’s start with the assumption that wireless networks are more susceptible to break-ins and eavesdropping than physical, cable-based networks due to the inherent weaknesses of radio transmissions. An intruder has to be physically connected to the target wired network to be able to capture or monitor data in transit, whereas all that’s needed to break into a wireless network is to be within the range of the signal.
Public hotspots represent a big risk because the data may pass through them in an unencrypted form, rendering it visible to hackers. Armed with the appropriate tools, hackers can easily “sniff” data packets, re-assemble them, and extract confidential information such as email account passwords, private IM chat sessions and other non-encrypted data that inevitably leave your computer as you connect to different authorization servers on the Internet. A technique called VPN tunneling can help to mitigate the security risks of unencrypted connections, but that’s beyond the scope of this article.
So, what can someone with a WiFi-enabled laptop do to ensure secure access in public places?
First, it’s important to remember to keep all your software updated: install all the latest OS and application patches and check the website of your wireless adapter manufacturer for the latest drivers and firmware updates.
Next, disable “File and Printer Sharing” for any public network you intend to connect to. This restricts access to your computer’s shared resources over the untrusted WLAN (wireless LAN) while still providing Internet connectivity.
Of course, you will also have installed a firewall such as Outpost Firewall Pro to protect your connections against “man-in-the-middle” attacks, where perpetrators seek either to set up a rogue Access Point (AP) and make you connect to it or to intercept data packets in transit through the sniffing techniques noted above.
Now, configure your wireless adapter software or the Wireless Network Setup Wizard in Windows to NOT automatically connect to any new-found wireless network. If there is more than one wireless network where you are, construct a prioritized set of networks according to trust level. Make sure to deactivate the wireless adapter switch on your laptop when you’re not using the Internet.
Make it a routine to know the available WiFi networks around you as you travel around - what’s operational and what entity is operating each network. Where possible, connect to a network that’s promoted by the location you’re currently in (hotel, airport information booth, café, for example).
One of the key things to remember is that you should never do anything that requires the submission of passwords and other confidential data over a wireless network that has not been protected with WPA2 encryption. This includes sending and receiving email, logging on to non-HTTPS pages, or conducting financial transactions. Browsing the Internet and checking weather reports, sports scores or reading freely available news is probably not a big security risk, but any activity requiring personal identification should not be engaged in during any unencrypted browser session.
One final point: two wireless devices can connect to each other directly over the airwaves to establish an ad-hoc network. Some overlooked configurations in a number of wireless adapters enable the setting up of an ad-hoc network automatically without requiring consent from the users. Make sure your system is not configured that way.
Setting up a personal WiFi network and safely connecting to it
In wireless networks, encryption is the key to data security. To safely deploy your own wireless network, you’ll need a router or AP that supports WPA2 encryption. And even then, you should pick a strong passphrase that will be resistant to brute-force dictionary attacks. Consult one of the password generators here. Weaker encryption algorithms such as WPA (with a short passphrase) or WEP can be broken in a matter of minutes, so you’re strongly advised to use WPA2 encryption. Some routers provide an upgrade to WPA2 from earlier algorithms through a firmware change.
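As an added illustration of the passphrase advice above (this is example code, not part of the original article or of any password generator it links to), the following Python script draws a word-based passphrase from the OS random source, reports how many bits of search space that gives an attacker who knows the word list, and checks a candidate against the WPA2-Personal constraints (8 to 63 printable ASCII characters) and a small constructed dictionary. The word list and the dictionary are constructed placeholders and far too small for real use; a diceware-style list of 7776 words is what you would load in practice.

```python
import math
import secrets

# Constructed sample vocabulary. It is far too small for real use: the
# strength of a word-based passphrase is n_words * log2(len(words)) bits,
# so a 7776-word diceware-style list is what you would actually load here.
WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

# Constructed stand-in for the dictionary an attacker tries first.
COMMON_PASSPHRASES = {"password", "12345678", "letmein1", "qwertyui", "admin123"}


def generate_passphrase(n_words=6, words=WORDS, sep="-"):
    """Join n_words chosen uniformly at random with the OS CSPRNG (secrets)."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word drawn from a list of at least two")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, vocab_size):
    """Search space an attacker must cover when the word list itself is public."""
    return n_words * math.log2(vocab_size)


def check_wpa2_passphrase(passphrase, common=COMMON_PASSPHRASES):
    """Return (ok, problems); ok is True only when no problem was found."""
    problems = []
    # WPA2-Personal (PSK) passphrases are 8 to 63 characters long.
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA2-Personal passphrases must be 8 to 63 characters")
    # Only printable ASCII is permitted in the passphrase.
    if any(not (0x20 <= ord(c) <= 0x7E) for c in passphrase):
        problems.append("only printable ASCII (0x20-0x7E) is allowed")
    if passphrase.lower() in common:
        problems.append("appears in a common-password list")
    if len(set(passphrase)) < 4:
        problems.append("too few distinct characters")
    return (not problems, problems)


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, check_wpa2_passphrase(candidate))
    print("bits with the sample list:", round(entropy_bits(6, len(WORDS)), 1))
    print("bits with a 7776-word list:", round(entropy_bits(6, 7776), 1))
```

Note that the entropy figure only holds when every word is chosen uniformly at random; a passphrase the user composes from favourite words is much weaker than the same length suggests.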
Another way to improve basic WiFi network security is to change the default login for remotely accessing your AP’s configuration page. If your device comes with the standard “Admin”/“Admin” user name and password combination assigned at the factory, change this as soon as possible to something more unique and cryptic. This will prevent potential intruders from altering the security settings in your router and giving themselves access to your personal network using their own credentials.
Other recommended precautions include:
- Assign a unique SSID (AP identifier) to your network – this is the name of the network that will be broadcast and visible to people searching for available WiFi networks. Communicate the WPA2 passphrase in a secure way to authorized people that will connect to your network (network clients), or manually configure those clients’ access settings and instruct them to only connect to the network with the specified name.
- Monitor for the appearance of new access points in your vicinity and remind your mobile clients of the dangers of connecting to a wrong or malicious access point. These could include hackers reading traffic to and from the clients and even taking over a wired network if the client is simultaneously connected to an Ethernet LAN.
- Enable IP and MAC filtering in your router configuration. MAC filtering lets you manually whitelist network adapters with specific hardware numbers so that any device that doesn’t have a matching number will not be permitted to access the network. IP filtering uses the same principle – only clients with IP numbers that you define as trusted will be allowed to connect, but that requires turning off the DHCP server in your router configuration and manually assigning permissible IP numbers. Also, you may find it useful to limit the number of clients that can connect to the router (by limiting subnet numbers to what’s necessary) and define time intervals during which the router will let you join the network (subject to availability in some devices).
- Limit the AP’s broadcasting range so that it can be accessible only within a certain distance; the signal will thus be suppressed once the range limit is reached. This feature is available only in select devices.
- Consider hiding the SSID – an option that’s available from the configuration page of your router - so that your network won’t be listed among the available networks when clients conduct a new search. All previously-configured settings on the client will apply and computers that have already been paired with the SSID will continue to be able to detect this station.
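The recommendation above to watch for new access points and for clients connecting to the wrong one can be automated with a small baseline comparison. The following Python script is an added example, not code from the original article: it keeps a baseline of the access points you own (BSSID, SSID, channel, security), parses a constructed scan export in a simple `bssid,ssid,channel,security` form (not the output format of any particular tool), and flags an unknown AP that is broadcasting your SSID, a known AP whose advertised security has changed, and any other newly seen network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    security: str  # e.g. "WPA2", "WPA", "WEP", "OPEN"


# Constructed baseline: the access points we operate, keyed by BSSID.
OWN_SSID = "HomeNet-7G2"
KNOWN_APS = {
    "aa:bb:cc:00:11:22": AccessPoint("aa:bb:cc:00:11:22", OWN_SSID, 6, "WPA2"),
}

# Constructed scan results in "bssid,ssid,channel,security" form, as a
# periodic scan on a client or a monitoring host might export them.
SCAN_TEXT = """\
aa:bb:cc:00:11:22,HomeNet-7G2,6,WPA2
de:ad:be:ef:00:01,HomeNet-7G2,11,OPEN
12:34:56:78:9a:bc,CoffeeShop,1,WPA2
"""


def parse_scan(text):
    """Parse the constructed comma-separated scan format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bssid, ssid, channel, security = line.split(",")
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), security.upper()))
    return aps


def audit_scan(aps, own_ssid=OWN_SSID, known=KNOWN_APS):
    """Compare one scan against the baseline; return a list of (severity, message)."""
    findings = []
    seen_known = set()
    for ap in aps:
        if ap.bssid in known:
            seen_known.add(ap.bssid)
            expected = known[ap.bssid]
            # A known AP that suddenly offers weaker security than configured
            # deserves a look: misconfiguration, firmware reset or impersonation.
            if ap.security != expected.security:
                findings.append(("high", f"{ap.bssid} now advertises {ap.security} "
                                         f"instead of {expected.security}"))
            continue
        if ap.ssid == own_ssid:
            # An unknown BSSID using our network name is exactly the "wrong or
            # malicious access point" clients must be warned about.
            findings.append(("high", f"unknown AP {ap.bssid} on channel {ap.channel} "
                                     f"is broadcasting our SSID {own_ssid!r} ({ap.security})"))
        else:
            findings.append(("info", f"new AP {ap.bssid} {ap.ssid!r} on channel "
                                     f"{ap.channel} ({ap.security})"))
    # A baseline AP that disappeared is worth noting too (outage or jamming).
    for bssid in known.keys() - seen_known:
        findings.append(("low", f"known AP {bssid} not seen in this scan"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_scan(parse_scan(SCAN_TEXT)):
        print(f"[{severity}] {message}")
```

Running the script on the constructed scan reports the open access point that copies our SSID as a high-severity finding and the coffee-shop network as informational; the baseline AP produces nothing because it still advertises WPA2.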
Wireless networks extend both mobility and Internet access, which is useful in many situations. Unfortunately, most are not properly protected by default settings and require extra effort on the part of the user to make them secure. If you follow the advice provided here, you’ll be well on the way to ensuring that your wireless communications are risk-free.