Wireless Local Area Networks (WLANs) are inherently less secure than wired networks, but you can make it very, very difficult to break into your wireless network.

Although this seems like a long list of instructions, if you print them off and go through them one at a time, they are not complicated. Some steps won't apply to a household situation; some won't apply to a mid-sized or larger office environment.

If you have unusual security requirements, a large network, or if you want more background information, please consult the linked articles.

If you are a high-value target or business that depends on its computers, we recommend periodic audits by an IT security professional to ensure that all vulnerabilities are protected against.

This article provides background explanations of most of the steps in this FAQ. »www.extremetech.com/arti ··· 5,00.asp

You should upgrade your operating systems and firmware to use Wi-Fi Protected Access (WPA) or the newer Wi-Fi Protected Access 2 (WPA2).

Wired Equivalent Privacy (WEP) no longer provides adequate security.
Cracking tools have been distributed that exploit a serious flaw in WEP: after enough traffic has been captured, the encryption key can be determined using freely available cracking software. In a busy office network, or if large files are being transmitted, the WEP key can often be determined in a few minutes. If one device cannot be updated to support WPA, you will have to replace it.

If you must use WEP, please consult this link: »www.arstechnica.com/paed ··· y-1.html
It contains additional detailed steps on how to add as much security as possible to WEP.

The following steps work incrementally to make it more difficult and time consuming for an attacker to enter your wireless network. You should implement as many steps as you can. Some of the steps can be bypassed by script kiddies in minutes, but they reduce the public visibility of your network in off-hours. Others would take a professional attacker months to bypass electronically, but could be quickly breached by social engineering or disabled by misconfiguration. The objective is to have multiple layers of protection.

Where a hard-to-guess password, key or identifier is suggested:
- Use a long hard-to-guess sequence that includes both letters and numbers
- Two words separated by 2 digits, or the first letters of the words in a phrase with some digits added, are good sources of something hard-to-guess
- Don't use anything involving your company's name, children's names, birth dates or words in dictionaries of any language

Make sure that records of passwords, keys and identifiers are backed up and securely locked away.

Do not transmit keys and configuration passwords over any wireless connection (including WLANs and cordless phones).

Do not give keys or passwords by telephone to any caller whose voice you do not easily recognize (telephone caller ID info can be faked). Instead, offer to telephone them back and verify their number against your corporate directory before you do.

1. Use a wired connection to change the security settings on your Access Point (AP or "wireless router").

2. If you can, use WPA2. Otherwise, use WPA. WEP is no longer adequate.

2.1 With Windows XP, you can get WPA2 and "WPS IE" support by following the link here: »support.microsoft.com/?id=893357 (update Q893357).

WPA support for Windows XP (Q826942) is available through Windows Update.

For machines running earlier versions of Windows, you'll need to obtain WPA client software. Sometimes this comes with the Access Point (AP or wireless router), sometimes with the Network Interface Card (NIC) or wireless adapter.

2.2 Update the firmware on your AP and drivers for wireless adapter cards to versions that support WPA2 or WPA.

2.3 In the router configuration, activate WPA2 or WPA. Use WPA2-PSK or WPA-PSK (Pre-shared key) and Advanced Encryption Standard (AES). Use Temporal Key Integrity Protocol (TKIP) only if AES doesn't work with some devices.

2.4 Use a hard-to-guess key.

3. Change the default Service Set Identifier (SSID or network name) in your AP. Use a hard-to-guess SSID.

Attackers can detect your SSID when your network is active, but you can make it hard for them to know whose network it is they are seeing.
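Steps 2.4 and 3 are linked: in WPA-PSK/WPA2-PSK the pre-shared key is derived from the passphrase with the SSID as the salt, so a non-default SSID means precomputed key tables for common SSIDs do not apply, and the passphrase itself must still be hard to guess. The following added example (not part of this FAQ) derives the key as 802.11i specifies and checks a passphrase against the rules above; the minimum length of 12 and the forbidden-word list are assumptions standing in for your own company and family names and a real dictionary file.

```python
import hashlib
import re

# Constructed stand-in for "company name, children's names, dictionary words";
# a real check would load a dictionary file and your organisation's own names.
FORBIDDEN_WORDS = ("acme", "emily", "jacob", "password", "wireless")

# Anything that looks like a date: YYYYMMDD (with optional separators) or DD/MM/YYYY.
DATE_PATTERN = re.compile(r"(19|20)\d{2}[-/]?\d{2}[-/]?\d{2}|\d{2}[-/]\d{2}[-/](19|20)\d{2}")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from passphrase and SSID.

    802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase on a different SSID gives a
    different key; this is why changing the default SSID (step 3) matters.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_problems(passphrase: str, min_length: int = 12) -> list:
    """Return the reasons a passphrase fails this FAQ's hard-to-guess rules.

    An empty list means the passphrase passed every check.
    """
    problems = []
    # WPA passphrases must be 8 to 63 ASCII characters; 8 is far too short here.
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        problems.append("WPA passphrase must be 8 to 63 ASCII characters")
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", passphrase) or not re.search(r"[0-9]", passphrase):
        problems.append("must contain both letters and digits")
    lowered = passphrase.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:
            problems.append(f"contains forbidden word '{word}'")
    if DATE_PATTERN.search(passphrase):
        problems.append("looks like it contains a birth date")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Emily19991231", "Harbor42Lantern"):
        print(candidate, passphrase_problems(candidate) or "OK")
    print(wpa_psk("Harbor42Lantern", "MyHomeNet-7").hex())
```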

4. Turn off SSID beaconing if your AP supports this.

Turning off SSID beaconing isn't great protection, because although the SSID isn't being beaconed, it is still transmitted as part of regular traffic. However, turning beaconing off will help prevent accidental connections by neighbors, and it may reduce the visibility of your network when it is not in active use.

Some devices may not connect with SSID beaconing turned off. If you have such devices, turn SSID beaconing back on and try increasing the SSID broadcast interval instead.

5. Change the administrator password on your AP. Use a hard-to-guess password.

6. Turn on the highest level of encryption your hardware supports.

7. The AP should be configured to drop any unencrypted network traffic so that unauthorized wireless stations or rogue access points cannot "associate with" (connect to) the AP since they do not know the pre-shared key.

8. Use Media Access Control address (MAC address) filtering on your AP, if you can. Specify which MAC addresses are allowed to access your AP. /faq/9763

9. If your router supports SNMP and you don't use it, disable it.

Otherwise, choose a hard-to-guess community name.

There may be separate SNMP read-only and update passwords. Both should be changed to hard-to-guess passwords.

10. In a large building, locate the routers centrally, away from the outside walls, to limit how much the signal radiates outside. In a smaller building, you could try locating the router in the basement. Directional antennas that focus the signal to one side are available. Trying to reduce the range the signal travels simply makes detection harder, but it doesnt make it impossible. There are antennas available that can detect ordinary wireless signals at distances of several kilometers.

11. Make sure the APs are physically secure and that they can't be tampered with by disgruntled employees or visitors.

12. If an employee leaves the company, retrieve their wireless adapter card. Otherwise, you will have to change all the keys.

13. If you can, use static IP addresses on the computers and disable DHCP on the router.

Limit the number of IP addresses your router recognizes to the ones in use, if you can.

Consider starting the IP addresses at a non-standard point, such as 192.168.3.113, instead of 192.168.1.1 or 192.168.254.0.

14. Where it is not required, users should not be allowed to set up their wireless stations in "ad-hoc mode." This means they won't be able to communicate with each other or a rogue computer without going through the access point. Removing the configuration setup software will help prevent users re-enabling ad-hoc mode.

15. Power down the wireless stations when they are not being used for long periods of time (after office hours).

16. As with wired stations, wireless stations (workstations, desktops and laptops) should not have simultaneous direct connection to any untrusted network, such as a direct dial-up connection to the Internet, while they are on the WLAN.

17. In a company, consider isolating your WLAN from the rest of the company with a firewall, and then have the computers on the wireless network use Virtual Private Networking (VPN) to access your main network.

There are different implementations of VPNs from different vendors that may be incompatible with each other. Check the capabilities and requirements of hardware and software vendors to be sure all of the VPN clients are compatible.

With wireless connected computers, you want a VPN client on the computer itself tunneling through the wireless network and firewall to your wired internal network.

Properly configured, a VPN creates an encrypted and authenticated tunnel between 2 devices (computers or routers) on a network, but the computers at either end of the tunnel can still be reached without going through the VPN. This means an outsider could try to break into one of your computers, access its VPN client and pass through the tunnel into your main network -- which is why layers of security are needed.

18. Computers on a WLAN should be provided with software firewalls. File and Printer Sharing should be removed, or all disk, folder and printer shares should have hard-to-guess passwords. (More on securing laptops and roaming computers here.)

19. Restrict physical access to the routers/access points (APs) to prevent tampering and to prevent disclosure of keys and passwords.

20. WLANs are readily susceptible to intentional and unintentional Denial of Service (DoS) attacks. For example, nearby heavy construction equipment or large electric motors can disrupt wireless signals.

Therefore, for essential services, wired facilities should be provided as backup to wireless connections.

21. Consider implementing Internet Protocol Security (IPSEC) on all of the computers in the organization/family. IPSEC supports network-level peer computer authentication, data origin authentication, data integrity, data encryption and replay protection.

There is more on IPSEC for Windows computers here.

* Continue to practice general security procedures, including: keeping the anti-virus, operating system and applications up-to-date with security and critical fixes; running software firewalls; having on-site and off-site backups; and periodically checking firewall logs for evidence of intrusion attempts.
/faq/security



When installing Windows XP or XP SP1 on a computer equipped for wireless access, remove or shield the network card on the computer until you have had the opportunity to complete the initial install and activate the Internet Connection Firewall (ICF). Do not turn ICF off until you have applied all the critical fixes and service packs for Windows and replaced ICF with another firewall. (Windows XP SP2 has Windows XP Firewall, so it is free of the ICF issue.)

Run Windows Update immediately after you connect to the internet the first time. Install all Critical Fixes and Service Packs (Express Install). If you don't have time to install all the Critical Fixes and Service Packs, physically disconnect from the Internet (by removing or shielding the wireless access card) until you do.



The advice contained in this FAQ is general. If you are a company that depends on its computers, we strongly recommend using the services of a security consultant to ensure that no gaps are left in your security protection.



References:
Webopedia encyclopedia of computer terminology
»www.microsoft.com/window ··· y10.mspx
»www.sans.org/rr/catindex ··· at_id=68
»www.sans.org/rr/papers/i ··· ?id=1233

VPN Resources:
»www.microsoft.com/window ··· pns.mspx
»support.microsoft.com/de ··· &sd=tech
»www.microsoft.com/techne ··· tag.mspx
How-to Windows XP VPN Server Configuration
How-to Windows XP VPN Client Configuration

Other resources:
BBR Wireless Security Forum: /forum/wsecurity
Other BBR Wireless Security FAQs: /faq/wifisecurity
BBR Wireless Forum: /forum/wlan
BBR VPN Forum: /forum/vpn
BBR Security Forum: /forum/security,1
BBR Security FAQs: /faq/security
BBR Hardware Support Forum Index: /forums/18


Recent changes:
2008-02-02 Keith
- Clarified caution on entering passwords and on ICF steps.

2006-02-03 Keith
- Fixed broken links to MS VPN support pages.

2005-05-03 Keith
- Added WPA2.
- Strengthened the recommendation to now avoid WEP.

2005-01-24 Keith
- Added point 21 on IPSEC. Thank you Daniel and Zipp.
- Added references to the BBR Wireless Security Forum & FAQs.
- Added additional caution on giving out passwords by telephone, since caller ID info can be faked.


Feedback received on this FAQ entry:
  • for WEP the following link is dead: http://www.arstechnica.com/paedia/w/wireless/security-1.html

    2009-03-28 19:32:11




by keith2468 See Profile
last modified: 2008-02-02 19:21:19