As many of you know, I recently moved. I moved into a townhouse that has about a dozen houses within just a few hundred feet. Within the first few days, I had the wireless up and running and started to hook up my laptop to do a little Dad Blogs surfing.
I found about 6 different wireless networks within range, and four of the six were locked down. This is amazing to me. In today's lawsuit-laced society and software/music piracy rampage, I would think people would protect themselves better.
Most people just say, "I don't have anything to hide," or "No one in my neighborhood will hack me," or even "I don't care who uses it." Let's say someone sits in your parking lot or on the street by your house, gets on your wireless, downloads illegal programs and pornography, and hacks a few websites while they are at it. This will be traced back to YOUR IP address, which is in YOUR house, which YOU pay for. There are ways to tell if the traffic was indeed from you based on MAC address, but even that can be spoofed (duplicated), and blame can be put 100% on you. Fighting this would take time and money, which most people would not want to waste either.
I could go more into why you want to lock down your wireless but take it from this nerd that "You just want to do it". Now.
Here are a few steps you can take to lock down your wireless.
If you need any assistance in finding documentation for your particular wireless device, or have any other question, feel free to fill out the about page form and let me know.
- Change the Administrator Password and User name - If nothing else, do this so bad guys can't change your settings.
- Turn on WPA/WEP encryption - WPA is by far better than WEP, but WEP is better than nothing, so choose whichever is available. Once encryption is turned on, even if someone were eavesdropping on your conversations, they would see only garbled text that would not make sense.
- Change the Default SSID - Although this really is not a security flaw, if a "hacker" sees a default name they will assume that the device has not been set up correctly, and you may fall victim to more attacks.
- Enable MAC address Filtering - Every network device has a unique number, or MAC, that identifies it. You can set your wireless to allow only certain MAC addresses to connect to your device.
- Disable SSID broadcast - This turns off the notification to surrounding computers that your wireless is available. To connect you would need to know the SSID.
- Use Static IP Address - Turn off DHCP and set a fixed IP range on your wireless. Assign each device in your house a specific IP address within that range. This will help prevent attackers from gaining access by not giving them an IP address automatically.
- Enable firewalls - Turn on firewalls on the router and on each computer. This will prevent unwanted traffic and viruses from entering or leaving a computer (if infected).
- Place Wireless in the Center of the house - Putting your wireless in the middle of the house will prevent unnecessary "leakage" outside your house and will improve your signal throughout the house.
- Turn off Wireless during extended non-use - Turning off your wireless when not used is the only 100% true way to be secure. EDIT: Check out the comments below. Unplugging cables may be a better idea than turning off. Thanks, Toast.
Although there is no way to be 100% safe other than turning off all devices and unplugging them from the wall, these steps will surely help you become more secure. You can check out more tips or stories at my blog over at Tech Dad in an Analog World.
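To check how your own network looks after following the encryption and SSID steps, here is an added example (not part of the original post) that grades your network's entry in a Wi-Fi scan. It assumes the scan text comes from `nmcli -t -f SSID,SECURITY device wifi list` on a Linux laptop; the sample scan and the list of default SSID prefixes are constructed for illustration.

```python
import re

# Illustrative factory-default SSID prefixes (assumption; extend for your hardware).
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default", "belkin")

# Constructed sample of terse nmcli output: one "SSID:SECURITY" pair per line.
SAMPLE_SCAN = """\
linksys:
HomeNet-5G:WPA2
OldRouter:WEP
Cafe\\:Guest:WPA1 WPA2
"""

def parse_terse(scan_text):
    """Return (ssid, security) pairs; terse mode escapes a literal ':' as '\\:'."""
    rows = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        # Split on ':' only when it is not preceded by a backslash.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        security = fields[1].strip() if len(fields) > 1 else ""
        rows.append((fields[0], security))
    return rows

def grade(security):
    """Map the SECURITY column to 'open', 'wep', 'wpa' or 'unknown'."""
    tokens = security.upper().split()
    if not tokens or tokens == ["--"]:
        return "open"
    if any(t.startswith("WPA") for t in tokens):
        return "wpa"
    return "wep" if "WEP" in tokens else "unknown"

def audit(scan_text, my_ssid):
    """List the findings for your own SSID as it appears in the scan."""
    matches = [sec for ssid, sec in parse_terse(scan_text) if ssid == my_ssid]
    if not matches:
        return ["not seen in scan (out of range, or SSID broadcast is disabled)"]
    findings = []
    if grade(matches[0]) == "open":
        findings.append("no encryption: turn on WPA")
    elif grade(matches[0]) == "wep":
        findings.append("WEP only: switch to WPA if the router offers it")
    if my_ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append("default-looking SSID: rename it")
    return findings

if __name__ == "__main__":
    for name in ("linksys", "OldRouter", "HomeNet-5G"):
        print(name, audit(SAMPLE_SCAN, name))
```

An empty list means the scan shows WPA and a non-default name; it says nothing about the admin password or firewall steps, which a scan cannot see.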
Image: http://chemistry.about.com/od/healthsafety/ig/Laboratory-Safety-Signs/Do-Not-Enter-Sign.htm

written by Am, May 13, 2009
Enabling MAC address filtering might be one of the best security measures you can take on your wireless network - but is it really worth the pain to reconfigure your router every time someone with a new device wants your permission to use it? If you buy a new mobile phone that uses your wireless, or if you have friends visiting with their own WiFi-enabled devices, are you going to run upstairs to redefine your router? I doubt it's worth it.
Using static IP addresses is a joke for any experienced computer user. You don't even have to be a hacker to know how to set up your own IP and bypass the DHCP service, so this really doesn't protect you from anything. Then, when someone new who you DO approve wants to log on to your network, go and reconfigure things then reconfigure them back when he's gone.
My wireless modem is placed where the most computers can connect to it by cable, which is right next to the wall facing the street. Yes, there's leakage, but it really doesn't matter when I have other security measures in place, and I can get 4 of the computers in the house to connect via cable - and the benefits of connecting by cable over wireless are enormous.
And turning off the wireless router when I'm not using it? Yeah, and the only way to not get hacked is to disconnect your computer from the network. Or better yet, turn it off. Come on, nobody can resort to that unless he has enough money to pay someone to turn the router on/off every time.
written by Toast Spork, May 13, 2009
In the meantime, you make it more inconvenient for legitimate users to get connected, or to troubleshoot any connection issues that arise.
This is the Wifi equivalent of having to take off your shoes at the airport.
The same goes for MAC address filtering and turning off DHCP. If someone has the chops to get in past your WPA, they'll easily be able to discover what MAC/IP addresses are legitimate, and spoof them.
Turning off wireless during extended non-use is one thing I do feel ambivalent about, particularly as relates to physical security. I don't necessarily believe that many burglars are likely to be monitoring wireless. But turning off your access point when you are out of town does provide a bit of a clue about whether people might not be at home. I typically recommend to clients that they leave the wireless ON, but disconnect the cable that goes to the cable/DSL modem, and turn off all the desktop and laptop computers. That way, if an interloper does get on the network, they won't be finding anything of use there.
written by Toast Spork, May 13, 2009
The only people who would even face the challenge of DHCP/MAC addresses would be the ones who had already gotten past your WPA2/AES, thus proving themselves to be dishonest.
Using DHCP and MAC address filtering as a security measure after already using WPA2/AES is rather like using PGP for encryption, and then ROT-13ing the results, just to be safe. It makes no logical sense. And recommending it to others as an action that "helps" provide security seems almost superstitious.
written by smartfather, May 13, 2009
written by peteej, May 13, 2009
I almost want to tell you to keep this stuff quiet, because having unsecured networks all over town really helps when you're in a pinch. BTW, there are literally hundreds of them where I live (college town). I'd conservatively say that at least 40% are unsecured.
written by commandar, May 13, 2009
If your network is important enough that somebody is going to dedicate the time and computing power needed to break a WPA key, the rest doesn't even count as a speedbump in their way and you need to be looking at solutions like integrating with a RADIUS server.
written by Toast Spork, May 13, 2009
I say it hurts on several counts. It fails to provide the promised benefits, and thus as security advice it is actually false and misleading. It makes the setup of Wireless needlessly more complicated. And in doing so, can increase user frustration and may motivate them to give up on the prospect and go back to easier, unsecured methods.
This isn't multiple locks on a door. This is a No Trespassing sign, hung up inside the house.
written by CharliePATpk, May 13, 2009
I have been researching new home security systems (my current one is ~15 years old) and have seen many that require web access for alarm monitoring. Further, web cams inside the home become useless for remote monitoring by me if the router is disabled. Then there's my remote desktop software which is also rendered useless.
As others have said, anyone can break in to your network if they wanted to do so badly enough. Just like any home security can be defeated. The idea is to build enough fences to keep as many of the thugs out as possible, hoping they'll go to another site less protected.
And use STRONG p@s5Wo~ds!%!
written by SurprisedMom, May 13, 2009
written by Rob, May 15, 2009
1. My laptop remembers my wireless password..so I don't have to log on each time..but I have since misplaced my user id and password..I'm afraid that if I ever get a new laptop I won't know how to set it up under my current secured wireless..any suggestions?
2. I have 16(what ever) cable modem...which I guess means it's really fast. I have an old Linksys wireless that may not be picking up all 16 (whatevers). I was told that this can interrupt my connection from time to time because people are trying to use the what my wireless is not picking up.. Does that make any sense to you?...