Ten Steps to a Secure Wireless Network

Wireless networks are fast, easy, and full of security holes. Follow our ten tips to keep your LAN safe.

Businesses and home users are quickly adopting wireless networking—and for good reason. Its cheap, convenient, easy to set up, and provides great mobility. In fact, more than one third of PC Magazine readers have already installed wireless networks in their homes. The freedom from tangled cables is intoxicating but comes with a price. A wireless network can broadcast far outside your building. With a powerful antenna and some widely available hacking software, anyone sitting near your installation—or even driving by—can passively (without alerting the target) scan all the data flowing in your network.

We pointed out a year ago in "Wireless LANs at Risk" (April 9, 2002) that most wireless setups have no security measures in place. By all accounts, little has changed. But this doesnt have to be the case. Here are ten security techniques you can implement right now.

1. Control your broadcast area. Many wireless APs (access points) let you adjust the signal strength; some even let you adjust signal direction. Begin by placing your APs as far away from exterior walls and windows as possible, then play around with signal strength so you can just barely get connections near exterior walls. This isnt enough, though. Sensitive snooping equipment can pick up wireless signals from an AP at distances of several hundred feet or more. So even with optimal AP placement, the signal may leak. Keep reading.

2. Lock each AP. A lot of people dont bother changing the defaults on their APs, and maintaining the default administrator password (like admin for Linksys products) makes your system a good target. Use a strong password to protect each AP. For tips on creating substantial passwords, go to www.pcmag.com/passwords and click on Password Dos and Donts.

3. Ban rogue access points. If an AP is connected to your home or office network, make sure you or the network administrator put it there. Bob in Accounting isnt likely to secure his rogue AP before he connects it. Free software like NetStumbler (www.netstumbler.com) lets you sweep for unauthorized APs.

4. Use 128-bit WEP. Passively cracking the WEP (Wired Equivalent Privacy) security protocol is merely a nuisance to a skilled hacker using Linux freeware like AirSnort (http://airsnort.shmoo.com). Still, the protocol does at least add a layer of difficulty.

5. Use SSIDS wisely. Change the default Service Set Identifiers (SSIDs) for your APs, and dont use anything obvious like your address or company name. For corporate setups, buy APs that let you disable broadcast SSID. Intruders can use programs such as Kismet (www.kismetwireless.net) to sniff out SSIDs anyway (by observing 802.11x management frames when users associate with APs), but again, every bit of inconvenience helps.

6. Limit access rights. Chances are, not everyone in your building needs a wireless card. Once you determine who should take to the airwaves, set your APs to allow access by wireless cards with authorized MAC addresses only. Enterprising individuals can spoof MAC addresses, however, which brings us to the next tip.

7. Limit the number of user addresses. If you dont have too many users, consider limiting the maximum number of DHCP addresses the network can assign, allowing just enough to cover the users you have. Then if everyone in the group tries to connect but some cant, you know there are unauthorized log-ons.

8. Authenticate users. Install a firewall that supports VPN connectivity, and require users to log on as if they were dialing in remotely. The Linksys BEFSX41 router ($99 list) is a great choice for this. Tweak the settings to allow only the types of permissions that wireless users need.

As a side benefit, VPNs help prevent users from being fooled by malicious association attacks. In this type of assault, the perpetrator sets up a machine that pretends to be an authorized AP, in the hope that someone will be tricked into logging on. If you connect to an AP and dont get the VPN log-on prompt you expect, you know somethings amiss.

9. Use RADIUS. Installing a RADIUS server provides another authentication method. The servers tend to be expensive, but there are open-source options, such as FreeRADIUS (www.freeradius.org), for UNIX-savvy administrators.

10. Call in the big boys. If you have billion-dollar secrets to protect, such as the formula to Coca-Cola, you should have wireless-dedicated hardware security in place. For instance, AirDefense (www.airdefense.net) is a server appliance that connects to sensors placed near APs. The system monitors activity and protects all traffic on your wireless LAN—but it doesnt come cheap. Prices start at $10,000 and can reach $100,000 depending on the number of sensors needed.