Wireless hardware sold for home use today is made to power up and connect right out of the box. Most people opt for convenience over security; we just want it to work so we can surf the web from the porch on Saturday morning while drinking coffee. What this easy setup means is that the security features available in the hardware are generally turned off. Regardless of which company’s equipment you choose, the features you can use to help secure your network are described in the manual that comes with the equipment, or online.
Defense-in-depth is a time-honored strategy for security. Medieval castles had moats surrounding the perimeter, gated access, armed guards, lookout towers and alliances with neighbors. The same strategy can be applied to your wireless network at home. What this means is that you set up your security controls so that they overlap; if one fails, the others can still protect you. Many people feel their home network is at low risk of attack, but if you have an open access point you are inviting trouble. Not everyone is out to steal your passwords, some just want to surf a free connection, but as wireless technology has come into wider use, the bad guys also know that by using your connection they can transfer their risk to you.
What follows is an example of the strategy I use in my home, and for anyone who asks my advice in setting up a network of their own. Will you be invulnerable? No, you will not, but the name of the game is to make yourself a smaller target than the folks down the street. If there is an alarm sign in your yard but not in the yard next door, of the two, the house without the sign is more likely to be hit.
Discover and Take Action
Discover the wireless devices on your network. There are some simple scanners that can do this: common ones for computers include Who’s on My Wi-Fi and AngryIP; for iPhones and Androids, common ones are NetAnalyzer, Fing and Netty. You need to know as much as you can about any wireless device that connects to your network, including routers, wireless access points (WAPs), laptops and other mobile devices. Document all of them, including each device’s location and owner. Look for rogues.
Rogue devices are wireless devices that should not be on your network. Take the list of devices from your discovery, and if any device you don’t recognize shows up, block it. Update your inventory to include every smartphone, tablet, laptop, desktop, gaming device or other wireless device that your family uses. All your access points should have the following:
- Latest security patches and firmware installed.
- Password changed from factory “admin” or blank to something created.
- Highest encryption level supported enabled.
- Ability to block unauthorized protocols.
- Ability to send security alerts.
Re-educate everyone in your house about your defense in depth strategy and why it’s in place.
Typical Home Network
Layered Defensive Measures
Anti-Virus: Ensure all devices, if capable, have an anti-virus program installed. Schedule full system scans during low activity and update the definition file at least once a week.
Personal Firewall Software: Ensure all systems that use the wireless network, if capable, have a personal firewall installed. This helps prevent malicious traffic from one device on the wireless network reaching the others.
Change the Default SSID of the AP: All companies give a well-known default Service Set Identifier (SSID) to their AP(s). If a hacker sees this, they can reasonably expect that all of the other settings of the AP are also at their defaults, which makes an easy target. Do not use personal information such as your name, address, or phone number in your SSID.
Disable SSID Broadcast: This means that the SSID of the network will not be sent out in every beacon packet sent by the AP. This screens your SSID from casual viewing by wireless discovery tools that depend on probe responses. It is not foolproof but it is a layer.
Restrict the DHCP Pool or use Static IP Addressing: If someone does succeed in accessing your wireless network, limiting the number of dynamic addresses that can be assigned to the bare number needed for your own use may deny the attacker the ability to receive an address. Alternatively, you could use static addressing and disable DHCP altogether, so the attacker is forced to guess what the valid address range is.
Lower the AP Broadcast Power to the Minimum Level Needed: Home-use routers and modems often provide more power than is needed. Take a walk with your laptop and see how far away from your AP you can be and still have a connection, then consider lowering the power level so that the signal is not broadcast further than the area you want. A standard AP broadcasts in a 360-degree pattern; if you only need coverage in a long, narrow area, consider employing a directional antenna. This can be really useful in apartment buildings and multifamily houses.
Encryption: Use the strongest encryption practical for your network. While you may think that there is nothing you have that requires the protection of encryption, the use of encryption can serve two other important roles:
- Take the place of a warning banner to indicate that the network is not free for use. There have been many arguments over the use of private but unsecured wireless networks for free internet access. The exact legal status is not clear as it has not been tested in a court of law. However, if an attacker has to break your encryption in order to use your network, they most likely had to know they were not supposed to.
- Deter people looking for free internet access. While in some cases these people are simply looking for a place to check their e-mail, many malicious users have discovered that they run a lot less risk being caught sending spam and downloading illicit materials if they use someone else’s network to do it. If their traffic is caught, it will be traced to the account of the person who subscribes to that cable modem or DSL line.
The following is a listing of encryption mechanisms in descending order from strongest to weakest:
- WEP with 802.1x (dynamic WEP)
WPA stands for Wi-Fi Protected Access, while WEP stands for the older Wired Equivalent Privacy.
Change Encryption Keys: If you are using WEP or any of the pre-shared key (PSK) variations of WPA, it is advisable to change the encryption keys occasionally to deter attempts to break them. This is most important with WEP, which uses a single key for encrypting all traffic from all stations. WPA derives multiple keys from the passphrase you enter and rotates them during use, making it more secure. Be sure to use strong passphrases to make them harder to crack.
Media Access Control (MAC) Address Filtering: MAC address filtering is a way to restrict the clients that can connect to your wireless network by using their hardware address. Although this tool has fallen out of favor with many security professionals because an experienced hacker can spoof a hardware address, there is still value in this setting for a residential user:
- A residential network may have many hours per day when it is idle. There will be no authorized client traffic for an attacker to gather MAC addresses to spoof from. This is a deterrent to the person looking to make use of a free internet connection.
- It is an additional layer in your defense-in-depth. A hacker can identify an authorized MAC address to use, but is it worth his time? Or will he simply move to the next network that doesn’t require him to jump through the extra hoops?
Wireless Client Isolation: The wireless network is a shared medium, similar to a network hub: all stations on the wireless network can see all traffic on the network. Some APs offer a feature called Wireless Client Isolation, which prevents the stations from communicating with one another through the AP. This configuration is more secure, since any station that is infected with malware is unable to spread that infection to others on the network. This feature is not available on all APs, so check your documentation.
Enable Logging if Possible: Most home-use APs offer the ability to send logs to another machine. If you have a system that can receive them, this is important information to collect for troubleshooting the network and for identifying security issues. Check your logs periodically for signs of failed connections and of successful but unknown clients.
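The following is an added example, not code from the article, that ties the two steps above together: the device inventory from the Discover and Take Action step becomes the list of known hardware addresses, and the forwarded AP logs are checked for the two things the author says to look for, failed connections and clients that got on successfully but are not in the inventory. The log lines are constructed in the style a hostapd/dnsmasq-based access point forwards over syslog; that format, the sample hardware addresses and the inventory entries are assumptions, so adjust the regular expressions to what your own AP actually emits.

```python
import re
from collections import Counter

# Documented inventory from the discovery step (constructed sample):
# hardware address -> owner and location. Fill this from your own device list.
INVENTORY = {
    "aa:bb:cc:00:00:01": "Gene's laptop (office)",
    "aa:bb:cc:00:00:02": "Kitchen tablet",
    "aa:bb:cc:00:00:03": "Phone (Mary)",
}

# Constructed syslog lines in hostapd/dnsmasq style (format is an assumption).
# de:ad:be:ef:00:99 is a made-up address that is not in the inventory.
SAMPLE_LOG = """\
Jan 14 08:01:12 ap hostapd: wlan0: STA aa:bb:cc:00:00:01 IEEE 802.11: associated
Jan 14 08:01:13 ap dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:00:00:01 gene-laptop
Jan 14 09:15:40 ap hostapd: wlan0: STA de:ad:be:ef:00:99 IEEE 802.11: authentication failed
Jan 14 09:15:44 ap hostapd: wlan0: STA de:ad:be:ef:00:99 IEEE 802.11: authentication failed
Jan 14 09:15:49 ap hostapd: wlan0: STA de:ad:be:ef:00:99 IEEE 802.11: authentication failed
Jan 14 09:16:02 ap hostapd: wlan0: STA de:ad:be:ef:00:99 IEEE 802.11: associated
Jan 14 09:16:03 ap dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.21 de:ad:be:ef:00:99 android-7f3a
Jan 14 18:30:05 ap hostapd: wlan0: STA aa:bb:cc:00:00:03 IEEE 802.11: associated
"""

# "<month> <day> <time> <host> <program>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")


def parse_events(text):
    """Turn raw syslog text into (timestamp, mac, kind, detail) tuples.

    kind is one of "assoc" (station joined), "auth_fail" (failed connection)
    or "dhcp" (address handed out); lines we do not understand are skipped
    rather than aborting the review.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        mac_m = MAC_RE.search(msg)
        if not mac_m:
            continue
        mac = mac_m.group(1).lower()
        if "authentication failed" in msg:
            kind, detail = "auth_fail", ""
        elif msg.endswith(": associated"):  # endswith avoids matching "disassociated"
            kind, detail = "assoc", ""
        elif msg.startswith("DHCPACK"):
            # DHCPACK(<iface>) <ip> <mac> [hostname]
            parts = msg.split()
            kind = "dhcp"
            detail = parts[1] + (" " + parts[3] if len(parts) > 3 else "")
        else:
            continue
        events.append((m.group("ts"), mac, kind, detail))
    return events


def review_logs(text, inventory):
    """Apply the two checks the article recommends.

    Returns failed-authentication counts per hardware address, and every
    address that associated or obtained a lease without being in the inventory
    (a rogue candidate), with when it was first and last seen and the lease
    it received.
    """
    failed = Counter()
    unknown = {}
    for ts, mac, kind, detail in parse_events(text):
        if kind == "auth_fail":
            failed[mac] += 1
            continue
        if mac in inventory:
            continue  # documented device; nothing to flag
        rec = unknown.setdefault(mac, {"first_seen": ts, "last_seen": ts, "lease": None})
        rec["last_seen"] = ts
        if kind == "dhcp":
            rec["lease"] = detail
    return {"failed_auth": dict(failed), "unknown_clients": unknown}


if __name__ == "__main__":
    report = review_logs(SAMPLE_LOG, INVENTORY)
    for mac, n in report["failed_auth"].items():
        print(f"{mac}: {n} failed connection attempt(s)")
    for mac, rec in report["unknown_clients"].items():
        print(f"UNKNOWN client {mac}: first seen {rec['first_seen']}, "
              f"last seen {rec['last_seen']}, lease {rec['lease']}")
```

Run against a real log export, the unknown-client list is exactly the set of devices to block and then add to (or keep out of) the inventory, and a burst of failed authentications from one address just before a successful association is the pattern worth a closer look.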
Power off the Transmitter When Not in Use: If your wireless network is not going to be used for an extended period of time (for example, while you are away on vacation), it is good practice to turn it off. If it can’t be seen, it can’t be hacked.
Restrict Management: Many home-use APs have configuration options that let you specify whether the device can be managed from a wireless client. Others let you give a specific machine the ability to change the AP’s configuration. It is dangerous to allow changes to be made from a wireless client. My recommendation is to always be directly connected to the router, modem or AP for tasks that involve administrative access, and never to use the wireless interface for them.
Gene Erbacher, CISSP
Wright State Research Institute
4035 Col Glenn Hwy
Beavercreek, OH 45431