Saturday, January 22, 2005

Protect Your Wireless Network From Snoops

Did you know that you may already be offering a free WiFi hotspot to your neighborhood or nearby businesses? The kid next door may be downloading illegal MP3 files as we speak. That guy sitting in the Toyota outside could be probing your corporate network for customer credit card numbers. Worse, your personal firewalls or even that $50,000 network security appliance in the server rack are doing absolutely nothing about it.

We've been warned about hacker attacks coming through the Internet. That's why we use firewalls and anti-virus programs. They make us feel safe. But if you've added a wireless router, you might have just punched a gaping hole in all that security.

It's not that wireless access points have to be insecure. It's just that the people who make and sell them want happy customers. Most people want plug and play right out of the box and the easy way to do that is to turn off all security by default. You may have paid good money for a wireless router with 128 bit encryption, but as it comes from the factory it probably isn't encrypting anything. Your network is an open invitation to anyone with a laptop a block or less away. Maybe farther if they have a fancy directional antenna.

At home, most of what you have to fear is leeches. Somebody in the neighborhood sees that a broadband network is available and hops on for free access. A more dastardly group are those who want to poke around in your computer to see what they can find, or determined criminals who are deliberately targeting corporate networks where the real booty is. Either way, it is fairly easy to make all but the most determined go away and look for easier pickings elsewhere.

The one fast and easy thing you can do that will give you instant protection is turn your encryption ON. If you have a choice of 64 or 128 bit encryption, use 128 bit. You'll have to install the same key on all your wireless clients or they'll stop communicating. The WEP security isn't foolproof, but it will stop the casual poacher or curiosity seeker. Newer wireless routers may offer a stronger encryption standard, WPA.

Next, change your SSID. That's the identifier that gives your network a name. The default names provided by the manufacturers are well known and scream "I don't know much about security" to anyone who happens on your signal. If you can, turn off the SSID broadcast feature. Only WiFi hotspots that WANT people to find them need to be advertising their presence.

Change any administrative user names and passwords for the same reason as you changed the SSID. Turn off remote management unless you really need that feature.

Some wireless routers let you approve clients on a case by case basis. Others let you specify who gets on the network by entering the MAC address for their computer. This gives you another lock on your network door. It's a good idea to check your access logs from time to time just to make sure nobody unexpected is sneaking in.
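As an added example (not from the original post), the log check suggested above can be scripted: the Python below compares the client MAC addresses in an association log against your approved list and reports any that are not on it. The log format, the MAC addresses and the names `ALLOWED_MACS`, `SAMPLE_LOG` and `unexpected_clients` are constructed for illustration; real routers log in their own formats, so the pattern would need adjusting.

```python
import re
from collections import defaultdict

# Constructed allow list: MAC addresses of the clients you approved on the router.
ALLOWED_MACS = {"00:11:22:33:44:55", "00-11-22-AA-BB-CC"}

# Constructed sample log; real routers use their own formats, so adjust LINE_RE.
SAMPLE_LOG = """\
2005-01-20 08:14:02 associated 00:11:22:33:44:55 ip=192.168.1.10
2005-01-20 23:41:17 associated 00:de:ad:be:ef:01 ip=192.168.1.23
2005-01-21 07:58:40 associated 0011.22aa.bbcc ip=192.168.1.11
2005-01-21 23:52:09 associated 00:DE:AD:BE:EF:01 ip=192.168.1.23
this line is not an association record
"""

LINE_RE = re.compile(r"^(\S+ \S+) associated (\S+) ip=(\S+)$")

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def unexpected_clients(log_text, allowed):
    """Map each MAC that is not on the allow list to its sightings and IPs."""
    allowed_norm = {normalize_mac(m) for m in allowed}
    found = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not association records
        when, raw_mac, ip = m.groups()
        mac = normalize_mac(raw_mac)
        if mac is None or mac in allowed_norm:
            continue  # malformed address, or a client you approved
        entry = found[mac]
        entry["count"] += 1
        entry["first"] = entry["first"] or when  # keep the earliest sighting
        entry["last"] = when
        entry["ips"].add(ip)
    return dict(found)

if __name__ == "__main__":
    for mac, info in unexpected_clients(SAMPLE_LOG, ALLOWED_MACS).items():
        print(mac, info["count"], info["first"], info["last"], sorted(info["ips"]))
```

Normalizing the addresses first means the same client is recognized whether the router writes it with colons, hyphens or dots, in upper or lower case.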

If you really want to take control, you can disable the DHCP that automatically assigns network addresses as clients request them. Assigning static IP addresses is more work, but makes it harder for someone to get on the network. They'll be forced to guess possible open addresses instead of being handed the next available one.

As a last measure, corral your wireless signal as much as possible. Better to have the access point close to inside walls than outside walls and windows. A directional antenna will cut down signal levels in some directions while favoring others. If you can adjust the power of your transmitter, use as little as you need for reliable access.

For more on corporate network security, read "New Edge Networks' Award Winning VPN."
