In my previous posting ("What is WIFI..?? - WLAN Part 1"), I briefly discussed the WIFI standard and the encryption used. As promised, we will now discuss the "best practice" for securing a home or small-office WLAN.
1> Secure administration account for the Access Point (AP)
Always change the default administrator username and use a strong password. Default usernames and passwords are easily found on support websites or forums. Usernames such as "admin" and passwords such as "admin" or "linksys" are commonly used by Dlink or Linksys wireless APs/routers.
Note: Wireless APs/routers do not lock out an account after incorrect logins, so brute-force attacks can be launched against them.
2> Disable Remote Administration
Remote administration allows anyone on the Internet to reach the wireless AP/router. Hackers all over the world can try to brute-force the administrator account. If remote administration is really required, it should be restricted to specific IPs (only authorised sources).
Note: Disabling remote administration only removes one possible avenue of attack, especially from the Internet.
3> Disable SSID broadcast
A service set identifier (SSID) is a name used to identify a particular WLAN. Changing the default SSID and disabling SSID broadcast will make your AP invisible to casual wireless users. Standard wireless software will either not show the network or display it as "Unnamed Network". Users will need to manually enter the correct SSID to connect to the network.
Note: The SSID can be easily sniffed and revealed using a wireless scanner such as netstumbler or kismet.
4> MAC Filtering enabled
A Media Access Control (MAC) address is a uniquely assigned hardware address for each network card. MAC filtering restricts access to the AP by individual MAC address. Keeping track of the MAC addresses becomes a problem if there are many wireless devices.
Note: The MAC addresses of legitimate wireless devices can be easily shown using a wireless scanner (such as netstumbler). Users can easily spoof their MAC address to bypass the MAC filtering. As MAC spoofing is generally used on servers for high availability, MAC spoofing programs are easily downloadable from the Internet.
5> Reduce the transmitting power
Try to keep the wireless signal within your home or office area. This reduces the ability of others to "steal" the wireless network from outside your home or office.
Note: Not all houses or offices are perfectly round. Walls and furniture also affect signal transmission, so there will be areas outside the office/home where the signal can be received. A hacker could use a wireless card with an extended antenna to pick up any weak signal.
6> Enable encryption
Encryption should be enabled for the WLAN. WPA2 is the current encryption standard and is recommended. If the version of the AP or wireless card does not support WPA, WEP should at least be implemented. It is always better to have weak encryption than to have all your data in cleartext.
Note: WEP/WPA is still easily hackable (to be demonstrated in a future posting) unless WPA2 with strong authentication (EAP-TLS) is implemented. But it is not feasible for a home user (or even a small office) to maintain an authentication server for their WLAN.
Even though the suggested steps above can be bypassed, they are still recommended to prevent casual/novice script kiddies from sniffing and hacking the WLAN. Besides the recommended steps, it is advisable (where possible) to use a cable instead of wireless to access the network. Access to sensitive resources via wireless should also be minimised. If possible, try implementing SSL or VPN for accessing sensitive resources.
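The six steps above can be expressed as an automated check over a router's settings; this is an added example, not code from the original post. The settings dictionary and its field names are hypothetical, and the default-SSID list, the 12-character password floor and the 100% power threshold are assumptions.

```python
import ipaddress

# Defaults quoted in the post; the SSID list and length floor are assumptions.
DEFAULT_USERS = {"admin"}
DEFAULT_PASSWORDS = {"admin", "linksys"}
ASSUMED_DEFAULT_SSIDS = {"linksys", "dlink", "default"}
MIN_PASSWORD_LEN = 12
# Order follows the post: WPA2 recommended, WEP better than cleartext.
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}

def audit_ap(cfg):
    """Return sorted step numbers (1-6) that a hypothetical settings dict fails."""
    failed = set()
    pw = cfg["admin_password"]
    if (cfg["admin_user"].lower() in DEFAULT_USERS
            or pw.lower() in DEFAULT_PASSWORDS or len(pw) < MIN_PASSWORD_LEN):
        failed.add(1)
    if cfg["remote_admin"]:
        # "Specific IP" means single hosts; any wider network fails the step.
        nets = [ipaddress.ip_network(s, strict=False)
                for s in cfg.get("remote_admin_sources", [])]
        if not nets or any(n.num_addresses > 1 for n in nets):
            failed.add(2)
    if cfg["ssid"].lower() in ASSUMED_DEFAULT_SSIDS or cfg["ssid_broadcast"]:
        failed.add(3)
    if not cfg["mac_filter"]:
        failed.add(4)
    if cfg["tx_power_percent"] >= 100:
        failed.add(5)
    if ENCRYPTION_RANK[cfg["encryption"].lower()] < ENCRYPTION_RANK["wpa2"]:
        failed.add(6)
    return sorted(failed)

# Constructed sample settings (not exported from any real device).
FACTORY = {"admin_user": "admin", "admin_password": "admin",
           "remote_admin": True, "remote_admin_sources": ["0.0.0.0/0"],
           "ssid": "linksys", "ssid_broadcast": True, "mac_filter": False,
           "tx_power_percent": 100, "encryption": "none"}
HARDENED = {"admin_user": "netops-7", "admin_password": "correct-horse-battery",
            "remote_admin": True, "remote_admin_sources": ["203.0.113.10"],
            "ssid": "office-2f", "ssid_broadcast": False, "mac_filter": True,
            "tx_power_percent": 50, "encryption": "WPA2"}

if __name__ == "__main__":
    print("factory :", audit_ap(FACTORY))
    print("hardened:", audit_ap(HARDENED))
```

A passing result only means the settings match the checklist; as the notes under each step say, several of these controls can still be bypassed.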