Monday, 14 April 2014

67. How secure is your own wifi network?




Reproduced from the Zone Alarm blog

It’s easier than ever to set up a wireless network. Plop in a WiFi router and connect to a DSL or cable modem, or if you are one of the lucky ones, with a FiOS box. But before you start online banking, shopping, and surfing the Web, make sure your network is secure from intruders.

 

You may think that your neighbor hopping onto your wireless network to check email is harmless. Actually, there is more at stake than the fact that this unauthorized person may hog up the bandwidth by streaming HD videos. This person, once on your network, can intercept all the data you are sending, trick you into going to a malicious site, and break into computers and other devices you may have connected over the WiFi. Letting someone you don’t know on to your network is essentially letting that person see all the data flowing in and out.

If you have your own WiFi network, it’s important you secure it from unauthorized users and devices by configuring the wireless router appropriately. While specific steps in the management software vary from vendor to vendor, and from router to router, the options are fairly universal and shouldn’t be too hard to find.

Below are some tips on how to enhance your wireless network security.


1. Encrypt with WPA2
When you set up your wireless network, you had the option to turn on encryption. Home networking users should turn on encryption (as opposed to running an open network) and select WPA2 as the encryption method. WEP is not secure and some of the other methods are generally out of reach for most home users. Even if you didn’t enable WPA2 when you first set up the network, your management software should let you turn it on after the fact.

When you select WPA2, you will be prompted to create a passkey for users to enter when trying to connect to the network. It is important—no, critical—to make sure the password is unique and complex so that outsiders can’t just brute-force or guess a password and hop on to the network. Make sure to select a string of characters that is fairly long and a mix of both numbers and letters. If your passkey is flimsy, then determined attackers will be able to breach your network anyway.

Don’t turn on WPS (WiFi Protected Setup). It doesn’t always work consistently, and its nine-digit PIN is vulnerable to guessing attempts. Once the attacker figures out the PIN for WPS, there is nothing stopping the adversary from accessing any shared data that resides on your wireless network.


2. Change Default Passwords
Many routers ship with a default password for the administrator management software. It could be “admin,” or even a blank password, and is quite often printed somewhere in the documentation and available online. Users should immediately change the password for the management interface while setting up the wireless network so that outsiders can’t reach the management interface. If adversaries get access to the management interface, they have full control over your router and you would be in serious trouble.

While you are changing passwords, check to see if the router shipped with any pre-created SSIDs. SSIDs are the names of the wireless networks configured for the router. You should change the passwords for these SSIDs even if you aren’t using them, just in case.


3. Clean up the list of SSID names
Speaking of SSIDs, vendors tend to use very generic names for the SSIDs, such as ‘linksys’ or ‘netgear-wireless.’ Change them from the default to something unique. Attackers can launch man-in-the-middle attacks by using frequently used SSIDs for their rogue wireless hotspots which could be used to trick devices into connecting to that network. Having a different SSID name and password ensures that it will be harder for a person to guess and break in.

It may be just easier to delete all the SSIDs on the router (usually listed under “wireless” on the management software) other than the one you are using. Why increase the potential attack surface? After you have cleaned up your list of SSIDs, hide the name. Some vendors call this cloaking, but the idea is to prevent the SSID from broadcasting to all devices in the vicinity. You can connect by manually entering the name of your network, but other people won’t know that network is there.
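Tips 1 and 3 can be checked together before you type the settings into the router. The Python sketch below is an added example, not part of the Zone Alarm article: it audits a WPA2 passkey and SSID and derives the WPA2-Personal master key (PBKDF2-HMAC-SHA1 salted with the SSID), which is why a vendor-default network name weakens even a good passkey. The 80-bit threshold, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import math
import string

# Vendor-default SSIDs: the two names the article mentions (extend as needed).
DEFAULT_SSIDS = {"linksys", "netgear-wireless"}
MIN_BITS = 80  # assumed policy threshold, not from the article

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def estimate_bits(passphrase: str) -> float:
    """Rough upper bound on strength from length and character classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit(passphrase: str, ssid: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase length must be 8-63 characters")
    if any(c not in string.printable or c in "\t\n\r\x0b\x0c" for c in passphrase):
        findings.append("passphrase contains non-printable or non-ASCII characters")
    if estimate_bits(passphrase) < MIN_BITS:
        findings.append(f"estimated strength below {MIN_BITS} bits")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default, so its key-derivation salt is shared")
    return findings

if __name__ == "__main__":
    # Constructed sample settings, not taken from any real network.
    for phrase, name in [("admin123", "linksys"),
                         ("plum-Gravel-41-tundra-Owl", "quiet-heron-7")]:
        print(name, audit(phrase, name) or "ok", derive_pmk(phrase, name).hex()[:16])
```

The strength figure is an upper bound: a passkey built from a single dictionary word scores higher here than it deserves.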


4. Regularly Check Who Is Connected
The management software generally has a section called “Device List”, which shows the computer name of all the devices that are connected to the wireless network. It’s a good idea to periodically go in and check to make sure you recognize the names. To prevent unknown devices from ever being able to connect, you can enable MAC Address Filtering. This will require you to know how to get your device’s hardware address (MAC Address) so that you can enter it in the software. It can be a little manual and time-consuming, but it ensures no one will ever be able to get on the network without your knowing about it.
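The periodic check can be scripted once you have a copy of the device list. The following Python sketch is an added example, not part of the Zone Alarm article: it compares a pasted device list against the MAC addresses of devices you own and reports the rest. The list layout, host names and addresses are constructed; real routers export this data in different formats.

```python
import re

# Constructed allow-list: MAC addresses of devices you own (sample values).
KNOWN_DEVICES = {
    "a4:5e:60:12:34:56": "laptop",
    "3c:22:fb:ab:cd:ef": "phone",
}

# Constructed device-list text: name, IP address, MAC in mixed notations.
DEVICE_LIST = """\
LAPTOP-HOME   192.168.1.10  A4-5E-60-12-34-56
phone         192.168.1.11  3c22.fbab.cdef
android-7f3a  192.168.1.23  DA:A1:19:00:11:22
(unknown)     192.168.1.40  00:1B:44:11:3A:B7
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
                    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b")

def normalize_mac(raw: str) -> str:
    """Convert any common MAC notation to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet marks a software-assigned (often randomized) MAC."""
    return bool(int(mac[:2], 16) & 0x02)

def unknown_devices(device_list: str, known: dict) -> list:
    """Return (name, mac, locally_administered) for each device not on the allow-list."""
    allowed = {normalize_mac(m) for m in known}
    report = []
    for line in device_list.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue  # header or blank line
        mac = normalize_mac(match.group())
        if mac not in allowed:
            report.append((line.split()[0], mac, is_locally_administered(mac)))
    return report

if __name__ == "__main__":
    for name, mac, private in unknown_devices(DEVICE_LIST, KNOWN_DEVICES):
        print(f"UNRECOGNIZED {name} {mac}" + (" (software-assigned MAC)" if private else ""))
```

A MAC address is reported by the device itself, and phones that use private addresses show a different one on each network, so treat a flagged entry as something to identify by hand.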

Your router has other advanced features, such as “guest networking”, which you should turn off, and a firewall, which you should turn on. If you aren’t already running a software firewall, turning on the router’s firewall is critical, but it’s not a bad idea to have both to boost your layers of security.

Regularly update your router firmware when updates are available, and you’ll have a pretty secure wireless network. It’s worth the time to set it up properly, as a closed network will save you tons of headaches down the road.

-----------------------------------