Thursday, June 30, 2011
Tips for Securing Your Wireless Network
1. Set a Router Password
Failing to set or change the default password of your wireless router or access point is probably one of the most common security holes in home networks. The reason is that even if you take all the other suggested steps with SSID, WEP and WPA settings, wireless transmission of data is not 100% secure. If someone succeeds in accessing your network, the security settings in the router cannot be changed without access to the menus. Changing the password helps prevent someone from granting themselves access to your network, changing your router settings, or worst-case, locking you out of your own equipment.
While most routers and access points require configuring the device through a physical cable connection, some will allow you access to the setup menus through the wireless connection. For this reason, you should make it a point to change both the name (SSID) and password for your router as your first order of business.
2. Change the SSID - (Service Set IDentifier)
Many operating systems and client applications give you some way to browse available wireless networks. Changing the SSID from the manufacturer's default makes it slightly more difficult to determine "known" information about the router (like its capabilities or default passwords). But if a router is configured not to broadcast the SSID, then a casual passerby will not be able to connect without manually configuring their client settings. This means they either have to monitor wireless activity and capture network packets to analyze, or know the SSID in advance.
When the SSID broadcast feature is disabled on a router, the list of available wireless networks (on the client) will not display it. To access a wireless network router that has the SSID "hidden" you must create a connection setting that has the SSID entered manually. To do this under Windows XP, click on the option to "Change Advanced Settings" in the Wireless Connection Wizard. From here you can add a new connection, specify the SSID (as it was entered in your router) and specify other settings required for the connection such as WEP and the associated encryption keys.
Changing the name (SSID) helps identify your specific network, which can be useful if there are multiple Wireless networks in your business or immediate neighborhood. Hiding the SSID won't keep "them" out, but it will slow "them" down.
3. Turn On Encryption:
WEP - Wired Equivalent Privacy
One good layer of security you can enable for your wireless network is WEP encryption. Although WEP encrypts your data, people using special network utilities may be able to collect enough information to identify the WEP key that is in use. Once they have the SSID and WEP key, they can access the network. Like the SSID, WEP won't prevent a determined hacker from accessing your network, but it will prevent or discourage the casual "war drivers" and neighbors.
Choices for WEP security may be presented in several ways, but the core features work out to: no encryption, 64-bit encryption or 128-bit encryption. (Microsoft and some of the wireless vendors may describe this as 40 bit and 104 bit encryption.)
WEP encryption codes can be entered as a hexadecimal string (numbers 0-9 letters a-f), or generated with a text-based pass-phrase. (The pass-phrase is used to create the hexadecimal string.) If the method to generate the string is not consistent between your different clients, you may need to copy or manually enter the resulting hexadecimal string from one device, and then paste or manually enter it into the rest of the network configuration boxes.
The Wireless Networking Wizard that is part of Windows XP Service Pack 2 includes a method of saving this configuration detail to a USB flash drive (or other storage media) to transfer the necessary settings to other XP SP2 systems.
WPA (Wi-Fi Protected Access)
Some routers and clients may support enhanced security features that are stronger than WEP encryption. WPA automatically rotates or changes the encryption key, making it more difficult for eavesdroppers to determine the codes necessary to access your network. All of your devices must support the feature to be able to take advantage of this, so check your documentation. If you are using equipment from assorted manufacturers, and one piece does not support WPA, then you must decide whether to use WPA - but not with that adapter, or not to use WPA on your network.
4. Use MAC (Media Access Control) address filtering
Most routers support this feature. To determine the hardware (MAC) address for your wireless network adapter, examine the details of your wireless adapter properties or use the text IP configuration utility with the /ALL switch (IPCONFIG /ALL). You can manually enter this address into a client list through the router's setup menus. Once a list of your known adapters has been entered and the MAC filtering feature is active, only devices with these addresses will have access to the router. Again, there are ways around this, but only if the hacker is really determined to get into your equipment.
MAC filtering must be enabled in the router or access point. Once this has been done, there should be a section to select or enter the MAC Address of the wireless client that you want to have access on the network. Devices that are not in the MAC address list will not be able to connect to the network.
The MAC address for your adapter can be found on a label on the adapter itself in most cases, although if this is a wireless adapter built-in to a notebook computer, you will find it easier to just check the network connection status. To do this, open your Network Connections, either from the Control Panel or by right clicking on "My Network Places" and selecting "Properties". Double click on your wireless connection icon to open the status window. Click the "Details" button to display the current configuration details and the MAC address (Physical Address) at the top of the list.
Most routers will allow you to add a MAC address from a list of devices that have recently connected to the router. Verify that the MAC address you select is the one that matches your client computer.
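Added example (not part of the original article): a short Python script that pulls each adapter's Physical Address out of IPCONFIG /ALL output and checks a router's "recently connected" list against it before anything is added to the MAC filter. The sample output, the router list and all function names are constructed for illustration.

```python
import re

# Constructed sample of `IPCONFIG /ALL` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55

Ethernet adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example 802.11g Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
"""

# Constructed "recently connected" list as a router setup page might show it.
ROUTER_CLIENTS = ["00:1a:2b:3c:4d:5e", "0011.2233.4455",
                  "02:AA:BB:CC:DD:EE", "not-a-mac"]

def normalize_mac(text):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def adapters_from_ipconfig(output):
    """Map each adapter name in IPCONFIG /ALL output to its normalized MAC."""
    adapters, current = {}, None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]      # unindented "...:" line = adapter
        elif current and line.strip().startswith("Physical Address"):
            mac = normalize_mac(line.split(":", 1)[1])
            if mac:
                adapters[current] = mac
    return adapters

def review_router_list(clients, known):
    """Sort the router's client entries into known, unknown and malformed."""
    result = {"known": [], "unknown": [], "malformed": []}
    for entry in clients:
        mac = normalize_mac(entry)
        bucket = "malformed" if mac is None else "known" if mac in known else "unknown"
        result[bucket].append(mac or entry)
    return result

KNOWN = set(adapters_from_ipconfig(SAMPLE_IPCONFIG).values())
REPORT = review_router_list(ROUTER_CLIENTS, KNOWN)
```

Only the entries under "known" belong in the filter list; anything under "unknown" is a device you have not identified yet.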
5. Other Network Security
Hiding the SSID, using WEP, WPA and MAC Address filtering are all features of Wireless Networking. In addition to these, you should take general Internet and networking security precautions as well. Standard security measures would include virus scanning, firewalls, and restricting the resources you share.
[Figure: Antivirus applications like ESET NOD32 can catch individual threats as they get downloaded to your system.]
Virus Scanning
Virus scanners with current definition files will generally scan any file or attachment that gets saved to your computer. Most Anti-Virus programs scan the files as they arrive, even in the background, blocking or deleting threats before they can infect your system. When sharing your hard drive or directory on the network, most will detect infected files as they arrive, even from "trusted" users on the network.
[Figure: Malware programs can bypass your antivirus application if the bad guys trick you into installing something. Like antivirus apps, anti-malware apps can be used to keep your system clear of threats.]
Malware
Unlike viruses, malware can bypass your firewall and even antivirus security because many of these threats are "invited in" by the user. Malware (malicious software) can take several forms, including key-loggers, fake anti-malware apps, adware, and spyware, just to name some of the more common ones. There has always been a risk to specific programs or browsers, and some malware can target these to attack systems across multiple platforms.
Keep in mind that any system, Macintosh, PC, or Linux, can be infected. Linux is reasonably secure, only because there are so many different versions and implementations available, making it difficult to construct a program to attack your specific OS. This does not make it invulnerable, just less likely to be on the receiving end of most malware.
[Figure: A fake security application shows up after users are tricked into installing it - on a Macintosh.]
Macintosh likewise enjoyed a similar status, being based on Unix, and having a much smaller market share. But that has been changing, and we have seen more of both malware and viruses on this platform.
Firewalls
Firewalls are software that monitors and blocks suspicious network activity. Windows XP has a basic firewall that can be enabled for any network connection, including Wireless connections. Starting with Service Pack 2, a more robust version that allows you more configuration options is installed. Vista and Windows 7 both have more aggressive firewalls than XP.
The main feature of the Windows Firewall is to block external threats from accessing your computer over your network. Third party Firewalls can expand on the features to monitor activity generated by the various programs on your computer, alerting you to suspicious behavior as it occurs. This has the advantage of detecting (and blocking) Spyware and Adware types of software that are attempting to report your activity or send personal information out to the Internet.
Resource Sharing
As with any network, you can share printers and files on the network. But without some sort of security, anyone connecting to your network can access these resources. For this reason, sharing your files on the network can be a risk to either privacy or the security of the system itself.
If you share your C: drive for example, you are allowing people on the network access to all of the files on the drive, and not just ones that might be in your pictures or documents folder. There would be network access open to your system files, to the hidden boot files, and to your programs and data files as well.
If an unknown someone were to alter or delete one of the critical system files, it is possible that your system would not be able to start the next time you power on. If a program directory were deleted, that application would have to be re-installed before you could use it again. And if you lose the only copy of your report or thesis paper, you could be out of luck in more ways than one.
What can you do to prevent this type of issue? The easiest way to avoid problems like this is not to share printers and files on the network, but if you need to do so, only share the folder that contains files that you want others to be able to access. In simple terms, share individual folders and not drives.
You can also restrict access to files that are being shared by creating a read-only share. When you share a folder, one of the options is to "Allow others to make changes to the files." By leaving this check box blank, others can access your shared folder and the files you place inside, but they cannot delete or change the files themselves.
If you want to get really paranoid under Windows XP Professional (sorry, not supported with the Home version), or you just like the level of control that was standard in Windows NT or Windows 2000, then turn off "Simple File Sharing" under the folder options. When this feature is disabled, you can set security and access permissions for folders or individual files. Additional levels of security can be set, letting you grant one user read-only access, and another full-modification access. You can prevent the folder directory from being shown, but allow access to a file if they know the name.
To enable or disable simple file sharing under Windows XP, open My Computer, select "Folder Options" from the Tools menu, select the "View" tab and scroll to the bottom of the checkmark list. To be able to grant permissions to a specific user, you will have to add users from "User Accounts" in the control panel. If you get thoroughly confused after looking at this, change it back by replacing the check mark next to "Use Simple File Sharing".
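Added example (not part of the original article): a Python check for the "share individual folders and not drives" advice above. It reads the output of the Windows `net share` command and lists user-created shares that expose a whole drive. The sample output, share names and function names are constructed for illustration; the built-in administrative shares whose names end in "$" are skipped.

```python
import re

# Constructed sample of `net share` output (not captured from a real machine).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
CDrive       C:\
Photos       C:\Documents and Settings\Pat\My Documents\My Pictures
D            D:\                             Backup disk
The command completed successfully.
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")   # "C:" or "C:\" and nothing more


def parse_net_share(output):
    """Return (share name, resource path) pairs from `net share` output."""
    shares, in_table = [], False
    for line in output.splitlines():
        if line.startswith("-----"):          # rule under the column headers
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        name, _, rest = line.partition(" ")
        # Resource and remark columns are separated by runs of spaces.
        fields = re.split(r"\s{2,}", rest.strip())
        resource = fields[0] if re.match(r"^[A-Za-z]:\\", fields[0]) else ""
        shares.append((name, resource))
    return shares


def whole_drive_shares(shares):
    """User-created shares that expose an entire drive instead of one folder."""
    return [(name, res) for name, res in shares
            if DRIVE_ROOT.match(res) and not name.endswith("$")]


FINDINGS = whole_drive_shares(parse_net_share(SAMPLE_NET_SHARE))
```

Each share it reports is a candidate for replacing with a share of just the folder other people need.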