
10 December 2004

Wireless Network Security

Picked up a NetGear WGR614 802.11g wireless "router" as well as a NetGear WG511 PC card.

The router is configured through its web interface and is fairly easy to set up. www.wardrive.net suggests the following basic steps to improve one's wireless networking security:

» Change the default admin password for the router.

» Disable SSID broadcast. From my living room, my now wireless-enabled notebook has picked up about eight different SSIDs thus far: one "default", one "home", two "linksys" and several others which I recognise to be a local ISP's naming convention.

» Change the default SSID. www.wardrive.net suggests changing the default SSID, then disabling broadcast. Better to do it the other way round, because if one is broadcasting the SSID, then it doesn't really matter that the value being broadcast isn't the device's default.

» Enable MAC address filtering.

» Turn off DHCP on the wireless router, i.e., do not be a DHCP server to wireless clients. This is mildly inconvenient if one expects to be moving about and using various hotspots around town, since it means keeping two configurations for the client - static addressing for home use and dynamic addressing for the other locations. If not possible, use MAC address filtering.

» Refrain from using the default subnet. Most such devices default to 192.168.0/24 or 192.168.1/24. Change it to match the home network's addressing. But see below about firewalling.

» Use the highest level of WEP or WPA. At the moment, 128-bit WEP works for me, WPA doesn't.

» Firewall your wireless network from the rest of your network, i.e., assign it a separate IP segment and enable packet filtering between it and the rest of the network. The NetGear WGR614 implements stateful packet inspection, supposedly, but I don't see a way to inspect the firewalling stuff it does from its web interface. Also, I find that I can't make it DHCP-assign an IP segment different from its wired-side address, meaning the NetGear isn't able to act like a true router can. Thus any firewalling must be done "upstream", i.e., one needs to use another firewall to partition the NetGear's wired and wireless sides from the rest of the network.

» Use a switch for connecting the access point to other network devices, not a hub. If one is firewalling upstream (see previous paragraph) then there shouldn't be other devices on the access point's wired side, except for monitoring devices operating stealthily.

» Encrypt your wireless traffic using a VPN. This comes down to risk assessment: In my case, I'm using my notebook in the living room to surf the web (and blog). Any security-sensitive stuff is already done over SSH or SSL.

» Further, use encryption protocols for applications where possible: TLS/https, ssh, etc. Yup.

» Think about using a proxy with access control for outgoing requests. If one is already firewalling (see several paragraphs above) this is automatically catered for.

» Enable logging, and check your (wireless) log files regularly. This is far easier said than done, unfortunately, since most people neither know what to look out for nor care.

» Test your wireless security using wardriving tools. Yup. But first go buy another wireless adapter.
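The upstream firewalling described in the item on separating the wireless network from the rest of the network can be written down as a ruleset. What follows is an added example, not part of the original post: a shell function that prints an iptables-restore ruleset for a firewall sitting between the NetGear's segment and everything else. The Linux/iptables firewall, the interface names, the subnets and the list of allowed services are all assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Linux firewall placed
# upstream of the access point. Interface names and subnets are assumptions.
# usage: wlan_ruleset WAN_IF LAN_IF AP_IF LAN_NET AP_NET
wlan_ruleset() {
    if [ "$#" -ne 5 ]; then
        echo "usage: wlan_ruleset WAN_IF LAN_IF AP_IF LAN_NET AP_NET" >&2
        return 1
    fi
    wan_if=$1 lan_if=$2 ap_if=$3 lan_net=$4 ap_net=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall host itself: loopback, replies, and SSH from the home LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# Replies to connections that were allowed out.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: the access point segment may only source its own addresses.
-A FORWARD -i $ap_if ! -s $ap_net -j DROP
# Wireless clients never initiate connections into the home LAN.
-A FORWARD -i $ap_if -d $lan_net -j LOG --log-prefix "wlan-to-lan: "
-A FORWARD -i $ap_if -d $lan_net -j DROP
# Wireless clients reach the Internet for a short list of services.
-A FORWARD -i $ap_if -o $wan_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $ap_if -o $wan_if -p tcp -m multiport --dports 22,53,80,443 -j ACCEPT
# The home LAN may go out, and may reach the access point's web interface.
-A FORWARD -i $lan_if -s $lan_net -o $wan_if -j ACCEPT
-A FORWARD -i $lan_if -s $lan_net -o $ap_if -j ACCEPT
# Everything else falls to the DROP policy; log it first, rate-limited.
-A FORWARD -m limit --limit 6/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Constructed sample values: eth0 = Internet, eth1 = home LAN, eth2 = access point.
wlan_ruleset eth0 eth1 eth2 10.20.1.0/24 10.20.9.0/24
```

Pipe the output to `iptables-restore --test` to check that it parses before loading it. NAT towards the Internet side is not covered here.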

See more links on wireless network security.


Posted by ngps at 22:30