We all love the convenience wireless LANs (WLANs) bring to our lives. They keep us connected beyond our cubicle or office. We can access the Internet as easily from a coffee shop or our couches at home as we can sitting at our desks. An entry-level wireless Access Point (AP) costs less than $75, a price that makes these devices one of the best-selling computer peripherals since the iPod. And heck, you can literally plug one of these boxes into an electrical outlet and into your network, and wham! Your Wi-Fi-enabled laptops can connect to your network without any wires.
But is this necessarily a good thing? This convenience brings with it a huge risk to your network and data, because when you accept the configuration defaults of many of these inexpensive wireless APs, you run the risk of others connecting to your network or snooping on your data just as easily. Fortunately, most wireless APs include easy-to-configure steps that dramatically improve their security. In six basic steps, you can secure a small WLAN that uses inexpensive 802.11g equipment.
Although 802.11g is an IEEE standard, most vendors add myriad bolt-on features to their wireless AP products. The security features typically remain consistent, however, even though different vendors might name similar features differently. In the sample configuration process presented here, I use a Linksys WRT54G as the 802.11g AP. The WRT54G is inexpensive and popular for small offices, home offices, and even labs in larger companies. This and similar APs don't offer the same level of features as enterprise-class products such as the Proxim ORiNOCO or Cisco Systems Aironet product lines; this article is focused on securing basic, entry-level APs.
Out of the Box Unsecure
A problem with many of these inexpensive wireless APs is that they emphasize ease of setup at the expense of security. For example, unpack some of these devices and plug them into your network. Then, when you enable a wireless network adapter on a computer running Windows XP Service Pack 2 (SP2)—which these days can be as easy as plugging in the network card and turning on the computer—Windows will announce that it has found a new wireless AP and will ask if you want to connect to it. Click yes, and you're instantly connected to that network.
Vendors are getting better—the most recent version (version 5) of the popular Linksys WRT54G AP includes a SecureEasySetup wizard that combines hardware and software steps to securely configure your AP. The manual has an appendix devoted to wireless security that answers even advanced questions that you might have. However, if you use an older Linksys AP, be sure to check its setup because earlier models shipped with many of the security options described in this article disabled.
This unsecure configuration was by design; early versions of the Linksys manual stated several times that "the router is designed to function properly after connecting the router to your network." Once connected, the computer can connect to any other computer on the network or even piggyback on your Internet connection. XP's wireless configuration features make connecting to an unsecured wireless AP a snap. Unfortunately, the features that make it easy for you to connect to your network also make it trivial for anyone else with a Wi-Fi device within a few hundred feet to connect to your network.
In the next few sections, I walk through locking down a basic wireless AP. The setting changes are simple—anyone with a wireless network can and should perform them. My sample configuration uses a slightly older version of the Linksys WRT54G and assumes that you know how to access an AP's configuration screens. I've chosen the older version for two reasons: first, because many of these devices are deployed in an unsecure manner out in the world, and second, because the wizard in the new Linksys WRT54G is proprietary to Linksys, whereas the configuration screens of the older version are more representative of what vendors typically provide and thus my instructions for working with them can easily be adapted to other products. Even if you're using the newest version of any AP, it's wise to check your configuration against these easy-to-perform steps.
STEP 1: Protect the AP Administration Page
The first step is to change the default password on the Administration tab of the Linksys AP's Web interface. If your wireless AP also functions as a broadband router, you need to make sure that you can administer the device only from the internal interface and not directly from the Internet. You don't want someone to be able to make a Web connection to your public Internet address on the external interface of your wireless AP and reconfigure that interface to take it over.
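One way to verify the second half of this step, as an added example that is not part of the original article: run the script below from a connection outside your network (a phone hotspot, for instance) against your own public IP address and confirm that nothing answers on the AP's Web administration ports. The port list, the function names, and the placeholder address 203.0.113.10 are assumptions made for illustration.

```python
import http.client
import socket
import sys

# Ports where consumer routers commonly serve a web admin UI (assumed list;
# add whatever remote-management port your AP is configured to use).
ADMIN_PORTS = (80, 443, 8080)


def probe_admin_port(host, port, timeout=3.0):
    """Return 'closed', 'open' (TCP only) or 'http:<status>' for one port."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return "closed"  # refused, filtered or timed out: nothing reachable
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return f"http:{conn.getresponse().status}"
    except (OSError, http.client.HTTPException):
        return "open"  # port answers, but not with plain HTTP (e.g. TLS)
    finally:
        conn.close()


def audit_wan_admin(host, ports=ADMIN_PORTS, timeout=3.0):
    """Return {port: result} for every port that answered; empty means pass."""
    results = {p: probe_admin_port(host, p, timeout) for p in ports}
    return {p: r for p, r in results.items() if r != "closed"}


if __name__ == "__main__":
    # Run from a connection OUTSIDE your network, against your own public IP.
    # 203.0.113.10 is a documentation placeholder, not a real device.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    exposed = audit_wan_admin(target)
    for port, result in sorted(exposed.items()):
        print(f"FAIL: {target}:{port} reachable from outside ({result})")
    if not exposed:
        print(f"PASS: no admin ports answer on {target}")
    sys.exit(1 if exposed else 0)
```

A result such as `http:401` means the login prompt itself is reachable from the Internet, so remote administration is still enabled even though a password is set.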
STEP 2: Change the SSID, and Disable SSID Broadcasting
Changing a wireless AP's SSID or disabling SSID broadcasting makes it more difficult for the casual Wi-Fi snoop to find your network but doesn't deter even a novice attacker. Anyone running a wireless sniffing tool such as NetStumbler (http://www.netstumbler.com) will still be able to detect the AP and its nondefault SSID. And once an attacker knows an AP's SSID, he or she can take additional steps to connect to the AP. Nonetheless, changing the SSID from the default is better than broadcasting to everyone that you have a particular brand of wireless AP.
To change the SSID, navigate to the Basic Wireless Settings area on the Linksys AP firmware's Wireless tab and change the Wireless Network Name (SSID), as Figure 1 shows. Change the name to something discreet; for example, don't use your company name or something enticing, such as Finance. These names might draw attackers looking for something of value.
On the same Linksys firmware page, select Disable to disable wireless SSID broadcasting, as Figure 1 shows. When you change the SSID name and disable SSID beaconing, you must also manually configure wireless clients with the SSID name to connect to the AP. (I explain the client steps later.)