96 Comments
- theVariable, on 10/12/2007, -5/+83: Why digg this? Just RTFM.
- inactive, on 10/12/2007, -2/+64: Leave it open, so you can defend yourself against the RIAA by citing that IP != person.
- Alfdog, on 10/12/2007, -7/+61:
1. Turn it off
2. Nuke it from orbit (that's the only way to be sure)
- shosterman, on 10/12/2007, -1/+54: Agreed. Don't let my neighbor see this...I'm using his now!
- orangekid13, on 10/12/2007, -4/+53: get two routers, 1 with an open node, one off that that's firewalled and the wireless is secured. you will use this one.
anyone can use the unsecured one so why bother hacking into the other. Also, then when the RIAA comes knocking, mail your hard drives to your relatives and tell them you have an unsecured wireless network and remind them that no matter what they think you are innocent until proven guilty and they can go pound sand up their ass
- CraigJ, on 10/12/2007, -3/+35: this *might* be good for N00bs. This is really, really obvious *****, and if it isn't you probably shouldn't be hooking up WiFi in your house.
- dasluvaluva, on 10/12/2007, -5/+29: When I find an unsecured network, I Google for:
.: howto build bomb
.: blow up airplane
.: directions to whitehouse
.: directions to crawford
.: kill bush!
.: midget child porn video skat
Three days later, my neighbor's apartment's available for lease!
- BobMysterioso, on 10/12/2007, -6/+30: That's awfully angry when you're basically saying this:
Pay for bandwidth and services - and don't be a ***** prick by not giving it to me.
This prick business you speak of.. might be directed at the wrong party.
- denied, on 10/12/2007, -4/+25: I leave mine wide open but keep QoS, MPAA be damned. Pay it forward, share the bandwidth.
- playerZero, on 10/12/2007, -2/+21: i blew mine out the goddamn airlock.
- mashw, on 10/12/2007, -1/+20: If only the DS supported WPA wifi. I don't think my 70 year old neighbours are into stealing my internets but I'd still prefer to not have to keep switching between WEP and WPA.
- Boondoggle, on 10/12/2007, -2/+19: MAC address filtering is a joke. Invisible SSID is too.
WPA2 with a massive 63 character password is the single most effective way to secure a home wireless network. All else is balls.
- r00tus3r, on 10/12/2007, -1/+18: The computer/user would have to already know the SSID.
- Giever, on 10/12/2007, -1/+17: I'm always logged in..!
- sagemane, on 10/12/2007, -1/+17: What's the point of turning off SSID broadcast and doing MAC filtering once you've switched to WPA with a good key (other than making it more inconvenient to add devices to your own network)? If someone has found a way to break your WPA encryption, I don't think taking 10 seconds to get the SSID and an allowed MAC is going to constitute even a speedbump to them.
- Hydraulix, on 10/12/2007, -1/+16: @jeremy66158
Are you kidding? Once you pop on someone's WiFi you can do a ping sweep to see active hosts.
nmap -sP 192.168.1.*
Assuming 192.168.1.x is the IP for the network. Once you scan the network for active hosts you port scan the box. From there it determines what ports are open on your box. It's a LOT easier cracking into a box from inside a home network than outside. The router protects you (sort of) from outside attacks. But, once someone is on your network, they are basically considered a trusted user. You think this is just people being paranoid? Try, people being smart enough to secure their ***** down.
- retral, on 10/12/2007, -0/+15: There was wifi in 1996?
- Boondoggle, on 10/12/2007, -2/+16: by jerbaker 18 minutes ago
If someone uses your broadband while you aren't using it, how does that affect you?...
-------
Well if they're uploading kiddie porn to usenet on my IP address and the Feds come knocking on my door, that kind of affects me.
- vondur, on 10/12/2007, -0/+14: My ssid is "I read your email" and I leave it open with a packet sniffer running 24/7
- djjuice, on 10/12/2007, -2/+15: yes, while this for newer people installing wireless, but it doesn't mean they shouldn't be using it. Most people setting up for the first time think WEP is enough since the installer says to set up a password.
I recommend using WPA2, making the SSID invisible and using an ACL with mac addresses. That's not too difficult for first timers to set up and provides a few good layers of security.
- jeremy66158, on 10/12/2007, -3/+16: Paranoid people are going to be the downfall of humanity. How do you hack in to a computer because you have access to their wireless internet connection? Call me naive or worse but I like to give away my connection because it makes me feel like I'm being ripped off less by AT & T DSL.
- sexycommando, on 10/12/2007, -0/+11: can't you just secure it, and then later claim you left it open if attacked by the MAFIAA?
- jerbaker, on 10/12/2007, -6/+16: "I paid for this *****, go get a job and get your own ***** broadband."
In case you didn't figure it out on your own, that is being a prick. If someone uses your broadband while you aren't using it, how does that affect you? Does it make your bill higher? No? You just want to block it because you're a selfish ass? That's fine if you want to be, but don't pretend that's not what it is.
- dbr_onix, on 10/12/2007, -5/+14: WEP *is* enough, honestly. Most wireless encryption is just to stop casual users accidentally connecting to your access point instead of theirs. Anything over WEP is pretty-much overkill. I suppose you may get some random bored person who might try and crack the WEP key, but it's extremely unlikely. Although there's no reason not to use WPA, people suggesting using WPA with a Radius Server, MAC-address ACL's (Totally pointless, if someone has gone to the trouble of getting your WEP/WPA key, it's no-problem to find a valid MAC address and change their MAC-address to that - beside you have a bigger problem anyway if someone that determined is trying to get into your access-point..), and disabling SSID broadcast does *nothing* for security, aside from (again) stopping people accidentally connecting (Any decent wireless-network-detecting software can see hidden-SSID'd networks..)
Really, any form of encryption will stop 99% of "attackers", changing the router-control-panel's password is a good idea generally (In case remote-access accidentally gets, or someone gets bored and starts fiddling with the settings, or.. etc etc), using "standard" WPA will deter most "I'm bored, oooh, access point with WEP, I think I'll crack it"-people. WPA with SSID-broadcast disabled and MAC-address ACL's is overkill, I can guarantee *no one* will get past it (The MAC-ACLs/disabled SSID-broadcast are both unnecessary, and just make things less convenient for you)
- Ben
- DrGonzo1184, on 10/12/2007, -2/+11: Actually, instead of mailing them you should deliver them yourself if possible... No records that way.
- Cyaegha, on 10/12/2007, -1/+8: Well if n00bs actually discover this article, it might get them wondering about that black box on their desk. They obviously have no idea how to make the suggested changes so they call us technicians out to help them feel safe again. Of course we know that no wireless connection is safe, but at least they feel safe again and are paying for that feeling :P
- johnmccreath, on 10/12/2007, -1/+8: I'm just digging this down because I don't want my neighbor to read it.
- r0b1, on 10/12/2007, -0/+7: Shhhh! Don't let the people in my building find out about this, or I'll have to start paying for broadband again...
In all seriousness, I was shocked to find the number of open, unsecured wireless networks around my home (I live in a large apartment complex) when I first moved in. Some people had attempted to lock down their networks, though, as you could tell by a couple of the SSIDs that told me that I would be "killed" if I "***** with" their internet connection...
- SecretSnack, on 10/12/2007, -11/+17: Yes, that is essentially what I'm saying. And I'm not angry; just foul-mouthed.
- kalpol, on 10/12/2007, -0/+6: Be careful with maximum power output...that 251mw might cause your radio to overheat. I've got mine set at 75 (DD-WRT), just high enough to get a good SNR at the clients.
- uhdean, on 10/12/2007, -1/+7: As nonanull said you have to type it in on the clients. However if you use Netstumbler or other WiFi scanners you can view the "hidden" SSIDs in the area.
- nonanull, on 10/12/2007, -0/+6: you'll have to manually type it in
- krinthekuz, on 09/16/2008, -8/+13: totally stupid. anyone who knows anything about linux can apt-get install kismet and break into your wireless. the amount of time it takes merely depends on encryption type and how nasty the key is. MAC filtering, non-broadcasted SSIDs, WEP, and WPA can all be broken in minutes if not seconds. WPA-PSK 2.0 will take a few minutes or possibly a few hours if your key is nasty, but it's still easy. the vast majority of idiots don't even change their default router logins (so you can just check out one of the default password lists). even if they use the nastiest of the nasties, hop onto usenet or check some of the torrent networks for rainbow tables.
wireless lan will never be "secure". it's just a matter of how important your data is versus how much you want to invest in protecting it. there are different tiers of risk, and for most people even the 2nd highest tier of risk (merely using MAC filtering) will be substantial enough, and you don't have to worry about degraded performance from encryption.
- DarkJC, on 10/12/2007, -0/+5: Yeah it's easy to say just use WPA, but when your router is a POS and locks up every 30 minutes when you're using WPA it's more annoying than it's worth. (SMC wireless...I was surprised because we also have an old wired SMC router that has been rock solid from day 1) Besides, my neighbours don't know anything about wireless networks anyway. If they do decide to start freeloading off my network I get the added benefit of spying on what websites they visit and potentially private information. Or I could MAC filter. Their loss.
- geronimo, on 10/12/2007, -0/+5: I've got mine at 100, I might tone it down to 75. I'm in an arms race with my neighbor, a CS phd student, who has the SSID of "dd-wrt" and all of a sudden his signal is overpowering mine.. or was until I bumped it up. I feel sorry for all the others who can't crank up their power settings. :)
- beartrash, on 10/12/2007, -0/+5: A few additional methods I use to secure my WiFi networks.
I use two separate subnets in my LAN, one for the wired portion and one for the wireless portion. The router handles the connectivity between the networks.
I also turn off DHCP, or at least limit the number of DHCP addresses given out to 1 or 2, some routers have large DHCP pools. Just about all of the equipment on my home LAN has static IPs.
Finally, I change the NAT IP address range from the ubiquitous 192.168.0.0/24 or 192.168.1.0/24 subnets to another less common private address block.
There are three private address blocks as defined by Internet RFC 1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
I tend to use something in the middle of the 172.16/12 subnet, because 10/8 is in use by many ISPs and 192.168/16 is the default most manufacturers use.
- bleonard, on 10/12/2007, -1/+5: Great idea, but mailing hard drives to relatives living in the same state as you can bring US Postal Service Federal agents into the investigation. Mailing the hard drives across state borders can do the same and then some. I recommend you hand deliver a large amount of personal stuff (spring cleaning!) to a local friend or relative and include your HDs with those items.
- kd1s, on 10/12/2007, -0/+4: All well and good. I broadcast SSID because quite honestly it's a pain in the ass to plug it in.
I do use WPA, and I do filter by MAC address so only MY machines can get on the net. Otherwise the WAP is up 24x7 since it's used by various people in the house at all hours of the twenty four hour day.
You have to balance convenience against security sometimes.
- BobbyOnions, on 10/12/2007, -3/+7: I don't use any kind of wireless encryption or MAC filtering.
I use OpenVPN with a 2048-bit RSA key.
- Giever, on 10/12/2007, -2/+6: Not to mention that sharing the network in the first place should absolve you of that since they wouldn't know who had uploaded it in the first place.
- pcghost, on 10/12/2007, -1/+4: I intentionally leave my wireless network wide open for simplicity. I run only secured Linux machines on my lan and anyone who is close enough to my access point is trespassing and well within rifle range. Pringles can...meet 30-06.
- ropers, on 10/12/2007, -0/+3: Since no one else has mentioned it yet:
If you want to be reasonably secure, use an OpenBSD box sporting a wireless card and RJ-45 NIC as your Internet gateway and access point, and establish a VPN between the OpenBSD box and your laptop. Or tunnel through SSH or something. Go ahead and let outsiders have a bit of net access too, but use pf to protect the clueless and/or to throw out port 25 udp/tcp (smtp traffic). But prioritise your own traffic.
Which brings me to tonight's WØRD:
Queueing.
"Outbound, priority queues see to it that empty ACK packets hit the wire first, making the net "feel" faster. This is followed by the web server, DNS requests, web surfing, and finally general junk traffic (like p2p). Nothing is worse than one person whining about not being able to websurf because another's getting "Debby does Dresden 22" on Kazaa."
(from http://www.openbsdsupport.org/obsd_dsl.html )
- elebrio, on 10/12/2007, -1/+4: While none of these are a BAD idea, it's easy to just spoof your mac addy and bump u off the network
- theoldmoose, on 10/12/2007, -0/+3: Seems like most everyone forgot about the 'other white meat' of breaking into wireless networks.
That is, instead of concentrating on breaking the encryption, just use one of many known buffer overflow exploits to break into the laptop wireless adaptor driver using one of the unencrypted channels (for instance the SSID browse function), and thus gain control of the laptop in question.
Various wireless chipset and adaptor manufacturers have had long-known security exploits in their drivers, and have yet to patch any of them. Sites like metasploit have written research papers detailing these exploits, and their ability to blue-screen and otherwise disrupt the behavior of a vulnerable system.
It's only a matter of time before some bright boy releases a script or two into the wild that will allow anyone to 'own' a machine using one of these attack vectors.
So, what's the difference between these kinds of attacks and other similar 'over the wire' exploits? That depends, of course, on how well you keep your machine up to date with the various patches from Microsoft, et al, and whether you run appropriate firewalls on your wired connection to keep folks on the Internet from freely probing for vulnerable ports.
On wireless, though, any fool can just drive by and play known exploits from a PDA or similar device, looking for unpatched wireless drivers.
Is this being ultra paranoid? Who knows? All I know is that a small office I do part-time IT support work for was asked to shut down a WPA2 AES personal wireless setup with long, complex key arrangements, because the building IT management were worried about these particular kinds of attack vectors. They were not worried about our encryption, but rather that we were exposing possibly unpatched wireless adapters on laptops that were connected to their in-house wired network (we were asked to turn off the wireless adaptors on the laptops, too, thank you for asking).
Are they being too paranoid? Good question, really, because they didn't seem to care that every Tom, Dick, and Harry that sets up an office in the building is free to connect their possibly unpatched virus-ridden systems to their wired network. Because of this, we insisted on placing a firewall between our systems and the remainder of the building network. The building IT staff is mystified as to why we don't want to expose our office network to their building network.
Imagine that!
- randomgeek, on 10/12/2007, -2/+5: I don't see why not. QoS functions of modern routers can ensure that your computers' IPs will get whatever bandwidth they request even if that means squeezing the leechers. It's not like you're losing anything. A firewall on your computer will keep prying eyes out of it. There have been a few times over the last year that I've been without Internet access and found some people who had it open so that I could check my email, etc. It's actually a very nice thing to do and has nothing to do with being a prick on either side.
- klutch2112, on 10/12/2007, -1/+3: If this article is supposed to be about securing a wireless network, it totally missed the mark.
1. MAC address filtering = LOL
A MAC address is just a 12 digit hex value that is sent totally in the clear. Anyone with a packet sniffer can see it plain as day. They simply change their own MAC address to one of the ones that is already on the wireless network and they can connect right up.
2. SSID Hiding = LOL
When you "disable your ssid" you're simply turning off BEACONING on the AP. Nothing is done to PROBE REQUESTS, PROBE RESPONSES, ASSOCIATION REQUESTS or RE-ASSOCIATION REQUESTS. All you do when you switch off the beacon is add complication to clients trying to legitimately connect.
3. Positioning of the Access Point? Seriously? I can almost imagine someone walking around with a laptop trying to find the "edge" of their network... All you achieve by doing this is finding what kind of range the wireless card in your laptop has. Google for a dozen different ways to extend the range of your network card by using a variety of household items and you'll be surprised to find you can quickly access 802.11 networks miles away.
4. Turning off the network?
A secure network never needs to be turned off.
The only thing useful this article mentions is changing your default password, default ssid and enabling encryption.
- K
- Boondoggle, on 10/12/2007, -0/+2: It will get all your email, network file sharing and unencrypted web traffic.
It will also provide a would-be hacker with constant access to your home systems to test for vulnerabilities day and night.
- masterofsw, on 10/12/2007, -1/+3: "wireless lan will never be "secure"."
there are many stronger protections that already exist. Unfortunately, they aren't available to the public yet (SecNet products):
http://www.rfcomm.harris.com/products/embeddable-security/
- justice7, on 10/12/2007, -1/+3: how about this
change your router's internal IP to something non-standard.....
disable DHCP...
enable mac filtering
enable wpa encryption
laugh.
- syco123, on 10/12/2007, -0/+2: With all the unsecured networks everywhere why would anyone bother to hack into a secured box? The level of security is equal to locking your car, house or using a padlock. All those take seconds to circumvent yet most of us think it's adequate. Opportunists look for easy access.
If you need to get connected drive to the hotel area in town. They are always unsecured 24 hours a day and no one cares who is connected.
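
Several comments above recommend WPA2 with a long passphrase and a non-default SSID, and one mentions rainbow tables. The sketch below is an added example, not code from any commenter: it derives the WPA2-PSK key with PBKDF2-HMAC-SHA1 salted by the SSID and audits a home configuration. The SSID list, the 80-bit threshold, the sample configurations and all function names are assumptions made for illustration.

```python
import hashlib
import math
import string

# Constructed sample of factory-default SSIDs (illustrative, not exhaustive).
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "dd-wrt"}
ALNUM = string.ascii_letters + string.digits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def guess_space_bits(passphrase: str) -> float:
    """Upper bound on search effort in bits; only meaningful for randomly chosen characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    if any(ch not in ALNUM for ch in passphrase):
        alphabet += 33  # the 33 printable ASCII symbols, space included
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def audit(ssid: str, passphrase: str, min_bits: float = 80.0) -> list:
    """Return findings for a home WPA2-PSK setup (min_bits is an assumed threshold)."""
    derive_pmk(passphrase, ssid)  # raises ValueError if the pair is not valid for WPA-PSK
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        findings.append("SSID is a common default; precomputed key tables are built per SSID")
    bits = guess_space_bits(passphrase)
    if bits < min_bits:
        findings.append(f"passphrase search space is at most {bits:.0f} bits (want {min_bits:.0f}+)")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations.
    for ssid, phrase in [("linksys", "password1"), ("attic-7f3a", "Kq7#" * 15 + "zL2")]:
        print(ssid, derive_pmk(phrase, ssid).hex()[:16], audit(ssid, phrase) or "no findings")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, so a table computed for one SSID is useless against another.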