I’ve been on a bit of a security kick lately…more than usual anyway. I’ve always been a bit of a security fanatic but lately I’ve been learning a whole lot more. Working as an IT auditor by day and just naturally being attracted to technology, security is of great interest to me. I’m also becoming a huge fan of the open source DD-WRT firmware as I start to use more and more of its features on my home network.
A lot of security topics exist that I’d love to write about sometime, but securing your wireless network is one that should be useful to most of my blog readers. Plus, this is a natural progression from my recent post about How to Flash the WRT54GL with DD-WRT Firmware. This post will not cover the intricate details of the hows and whys of wireless security, nor will it provide a ton of details on how to circumvent (i.e., crack) common security settings. Maybe I’ll cover those topics at a later date. For now, I just want to tell you what security settings you should use on your home or small business wireless network to ensure no one is able to sniff (see what you’re doing on your wireless connection) or use your wireless connection without your permission.
Table of Contents
- Select Your Encryption Method
- Select Your Password
- Disable SSID Broadcast
- MAC Filtering
- Turn Off UPnP
- Change Default Router Log-In Settings
- Setup Your Firewall
- Patch Windows Client
- Configure Client Devices
- External Resources
Select Your Encryption Method
The first thing you must decide on is what encryption to use. The decision is pretty simple: pick the strongest form of wireless encryption that your network will support (excluding the RADIUS methods for reasons noted below). Remember, even if your wireless router supports the strongest encryption, if some of the wireless cards joining the network do not, you will have problems connecting from those machines unless you pick a level of encryption supported by all of your devices. Most people with remotely up-to-date hardware will not have trouble supporting all of the encryption levels mentioned below.
Below I’ve listed DD-WRT’s wireless encryption security mode options (these will be available in most other wireless routers) from strongest to weakest:
- WPA2 Radius Only
- WPA2 Radius Mixed
- WPA Radius
- WPA2 Pre-Shared Key Only
- WPA2 Pre-Shared Key Mixed
- WPA Pre-Shared Key
- Radius
- WEP
- Disabled
All of the RADIUS methods are too complex for most home users because they require a separate RADIUS server for authentication. RADIUS is designed for a corporate-type environment.
The DD-WRT firmware provides a second option for WPA Algorithms (for WPA security modes) or Encryption (for WEP security modes).
The WPA preferred order is:
The DD-WRT help file suggests using WPA2 Mixed/TKIP+AES for maximum interoperability. So if you’re having trouble getting WPA2 AES to work on your network, try this configuration. Also note that WPA2 TKIP is not supported. Don’t worry, any form of WPA is very secure.
For WEP, the preferred order is:
- 128-bits 26 hex digits
- 64-bits 10 hex digits
Below is a screenshot of the encryption settings I recommend:

Note: Both forms of WEP are easy to hack due to a poor implementation of the RC4 stream cipher; don’t worry what this means right now, just know it’s really insecure. Also, note that some people call 128-bit WEP 105-bit WEP and 64-bit WEP 40-bit WEP because they subtract the 24-bit initialization vector (IV).
Select Your Password
Password selection is of vital importance as well, because if someone can easily brute force your password (quickly determine your password by trying all possible values) then the strongest form of encryption is worthless. Some people claim WPA has been broken, but in reality all that has really happened is someone sniffed a lot of packets and then carried out a dictionary or brute force attack and correctly guessed the password. A WEP password doesn’t matter as much as a WPA password, because a hacker with a little time and some free tools can quickly determine your WEP password due to the improper implementation of the encryption algorithm.
So, how can you make it practically impossible to brute force your password? The answer is simple…use a long, random password. The longer the password, the more time brute forcing takes to work (as in thousands of years for a strong password). Basically, brute forcing tries all possible combinations of letters and numbers (or a predetermined subset of them) until the combination works, so the longer the password the more guesses are required. Randomness protects against dictionary attacks. A dictionary attack is just like it sounds: a very large list of common passwords is tried; therefore, you don’t want to use any words that may be in a dictionary.
Because you are only required to enter your wireless password once on each client you want to connect to your wireless network, you can easily select a very long and complex password and not worry about having to memorize it. GRC has an excellent random password generator perfect for wireless security. Use the 63 random printable ASCII characters for ultimate security. Why 63 characters? It’s the maximum length accepted by WPA.
Although I trust GRC’s Ultra High Security Password Generator, I still hit the refresh button a few times to collect a small selection of passwords. Then, I cut and pasted tidbits of each password to ensure its security–I know you think I’m crazy.
Of course, you must store this password in a protected place to keep others from finding it. I recommend putting it on a portable storage device such as a CD or USB drive. If you want to be ultra secure, and geeky, store the password in an encrypted form with a tool such as TrueCrypt.
WEP requires you to use an exact password length, so you won’t be able to use the full 63-character password generated by GRC’s Ultra High Security Password Generator. 26 hexadecimal characters equate to 13 alphanumeric characters and 10 hexadecimal characters equal 5 alphanumeric characters. If you must use WEP, you can just select the appropriate subset (26 characters for 128-bit WEP and 10 characters for 64-bit WEP) from the 64 random hexadecimal characters section of the password generator.
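The passphrase rules from this section, worked through in code. This is an added example, not part of the original post or of DD-WRT: it generates a maximum-length (63-character) WPA passphrase, checks WEP key lengths (10 or 26 hex digits, or their 5- and 13-character ASCII equivalents), estimates the guessing work a random passphrase forces on an attacker, and shows how a WPA/WPA2 passphrase is turned into the 256-bit pairwise master key (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, per IEEE 802.11i). The SSID, the sample passphrases and the guess rate used in the estimate are constructed values.

```python
"""WPA/WEP passphrase hygiene helpers (added example, not from the original post)."""
import hashlib
import math
import secrets
import string
from typing import Tuple

# Printable ASCII without the space character: 94 symbols, the alphabet a
# "63 random printable ASCII characters" generator draws from.
WPA_ALPHABET = string.ascii_letters + string.digits + string.punctuation
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63          # 802.11i passphrase bounds; 63 is the page's recommendation

# Hex-digit count -> advertised WEP key size. Each key also carries a 24-bit IV,
# which is why 64-bit WEP is sometimes called 40-bit and 128-bit WEP 104-bit.
WEP_HEX_LENGTHS = {10: 64, 26: 128}
WEP_IV_BITS = 24


def generate_wpa_passphrase(length: int = WPA_MAX_LEN) -> str:
    """Return a uniformly random WPA passphrase using the OS CSPRNG."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(WPA_ALPHABET) for _ in range(length))


def validate_wpa_passphrase(passphrase: str) -> bool:
    """True if the passphrase is 8..63 printable ASCII characters (0x20..0x7E)."""
    return (WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN
            and all(0x20 <= ord(c) <= 0x7E for c in passphrase))


def wep_key_bits(hex_key: str) -> Tuple[int, int]:
    """Return (advertised_bits, secret_bits) for a hex WEP key, or raise ValueError."""
    digits = hex_key[2:] if hex_key.lower().startswith("0x") else hex_key
    if len(digits) not in WEP_HEX_LENGTHS or any(c not in string.hexdigits for c in digits):
        raise ValueError("WEP key must be exactly 10 or 26 hex digits")
    advertised = WEP_HEX_LENGTHS[len(digits)]
    return advertised, advertised - WEP_IV_BITS


def wep_ascii_to_hex(ascii_key: str) -> str:
    """Convert a 5- or 13-character ASCII WEP key to the 10- or 26-digit hex form."""
    if len(ascii_key) not in (5, 13) or not ascii_key.isascii():
        raise ValueError("ASCII WEP key must be 5 or 13 ASCII characters")
    return ascii_key.encode("ascii").hex()


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096) -> 32 bytes.

    The SSID acts as the salt, so the same passphrase yields a different PMK on
    a differently named network; an attacker must redo the work per SSID.
    """
    if not validate_wpa_passphrase(passphrase):
        raise ValueError("passphrase is not a valid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_entropy_bits(passphrase: str, alphabet_size: int = len(WPA_ALPHABET)) -> float:
    """Entropy of a passphrase drawn uniformly from an alphabet of the given size."""
    return len(passphrase) * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given (constructed) guess rate."""
    return 2 ** entropy_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ssid = "ExampleHomeNet"                      # constructed SSID
    strong = generate_wpa_passphrase()
    print("63-char passphrase:", strong)
    print("PMK:", derive_pmk(strong, ssid).hex())
    # A dictionary word drawn from a 1,000,000-word list is worth ~20 bits,
    # whereas the random 63-character passphrase is worth ~413 bits.
    rate = 1e5                                   # constructed PBKDF2 guess rate, guesses/second
    print("years, 1M-word dictionary:", years_to_exhaust(math.log2(1e6), rate))
    print("years, random 63 chars:   ", years_to_exhaust(passphrase_entropy_bits(strong), rate))
    print("128-bit WEP key bits:", wep_key_bits(wep_ascii_to_hex("abcdefghijklm")))
```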
Disable SSID Broadcast
Hiding your Service Set Identifier (SSID) doesn’t provide much security because anyone using a tool such as Kismet can still find your SSID, but at least your wireless network ID will be hidden from the average Joe. If you do hide your SSID, your network will not show up when you scan for wireless networks in Windows or OS X, so you must manually type in the SSID name you selected on each client the first time you connect to your network.

MAC Filtering
MAC Filtering is a way to limit what network cards can connect to your network. Every networking device has a unique MAC address assigned to it during the manufacturing process. To set up MAC filtering, you will need to determine the MAC address of every device you want to connect to your network and enter this information into the router.

As you can tell, I have MAC Filtering disabled. Why? It takes quite a bit of time to set up and it doesn’t provide much security. The idea behind MAC filtering is good, but it’s flawed because a user is able to change their MAC address to anything they want. So, someone wanting to access your network would use a good wireless sniffer (i.e., Kismet) to determine what MAC addresses are connected to your network. They would then change their MAC address to one of those allowed addresses. Because MAC addresses are supposed to be unique, your access point will get confused if two clients with the same MAC address are connected to it. So, a smart hacker will kick off the original machine whose MAC address they stole using a common denial-of-service (DoS) attack or simply wait for that machine to disconnect.
You must decide whether or not MAC Filtering is worth the trouble because it does provide some protection.
Turn Off UPnP
Another worthwhile security measure is turning off Universal Plug and Play (UPnP) on both your PC and your router. UPnP is bad because it lets software automatically open ports on your router without your knowledge. To make it even worse, you can’t tell which ports have been opened. The idea behind UPnP was to make it easy for network software/devices to work without a user having to manually configure Port Forwarding.
The problem is that malware could also use this auto-configuration feature to open ports behind your back in order to communicate with the outside world. Additionally, UPnP has had several major vulnerabilities in the past, such as buffer overruns that could lead to remote code execution. Although the known vulnerabilities have been patched, turning off UPnP protects against any future exploits of it.
The easiest way I know of to turn off UPnP on your PC is to use the UnPlug n’ Pray utility.

Go to the Applications and Gaming tab and the UPnP sub-tab to disable UPnP.

Note: I believe most routers not running the DD-WRT firmware have a similar option to disable UPnP. If not, disabling it on your PC should be enough, as long as Windows doesn’t decide to turn the feature back on (as it has a bad habit of doing).
It is important to reset your router to factory defaults to undo any ports opened by UPnP when it was enabled. Please note that resetting your router to factory defaults will also reset any of your custom options, so think twice before doing this. Be sure to reset your router before completing the rest of the security steps or else you’ll probably have to re-do them. See the following two pages on the DD-WRT wiki for information on how to perform a reset: Factory Defaults & Reset and Reboot.
I am uncertain, but simply rebooting (not resetting) your router may also undo the ports opened by UPnP. One way to ensure all your important ports have been closed is to check out the Shields Up web service. If you want to do a full port scan check out NMAP.
Change Default Router Log-In Settings
Changing the user name and password used to configure your router is very important (this is the info you type in when going to 192.168.1.1 or whatever your router’s internal IP address is). The default router user names and passwords are widely known…you can easily find a massive list of them. Symantec published an article on a very interesting concept they coined “Drive-By Pharming: How Clicking on a Link Can Cost You Dearly.” The basic concept is that Cross-Site Request Forgery can be used to log in to your wireless router if you haven’t changed the default log-in settings. Once access has been gained to your router, your DNS server setting can be changed to a malicious DNS server. This is a major problem because DNS associates domain names (web site addresses) with servers’ IP addresses. A malicious DNS server could associate your-bank.com with a spoofed site that looks just like your bank’s site and collect your user name and password when you try to log in. However, the simple change of your router’s user name and password protects against this attack.
Go to the Administration tab and the Management sub-tab to change the default settings. While you’re there, go ahead and disable all Remote Access as well.

Setup Your Firewall
Firewalls are sets of rules for what can come in and out of your network. One of the main benefits of all routers is Network Address Translation (NAT). Basically, it only allows connections into your network if one of your computers made the initial request. Sometimes you will need to use Port Forwarding to allow connections through certain ports for services running behind your router where your computers won’t make the initial request…for instance, you’re running a web server on your network that needs to accept connections on port 80. If you recall, UPnP automatically configures port forwarding, which could open up ports you don’t want open.
Stateful packet inspection (SPI) provides an extra layer of security to NAT routers. I recommend enabling SPI, blocking anonymous Internet requests, filtering multicast, and filtering IDENT. You can set all of these by going to the Security tab and the Firewall sub-tab.

Patch Windows Client
One thing I do recommend is downloading the following patches from Microsoft: The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) and Wireless Client Update for Windows XP with Service Pack 2.
The first update “enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access.”
The second update “enhances support for Wi-Fi Protected Access 2 (WPA2) options in Wireless Group Policy. This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list.” Please note that this patch was never included in any automatic updates from Microsoft. Unless you specifically went to Microsoft to download this patch, your system will not have it (as far as I know anyway). Don’t ask me why Microsoft didn’t include this in their standard update cycle.
Configure Client Devices
You should configure Windows to only connect to Access Points because Ad-Hoc (computer-to-computer) networks are dangerous. To do this go to Start > Control Panel > Network and Internet Connections > Network Connections, then right-click on the Wireless Network Connection device and select Properties. On the Wireless Network Connection properties screen select the Wireless Networks tab and then the Advanced button. Make sure to select Access point (infrastructure) networks only and uncheck Automatically connect to non-preferred networks.

You will also need to add your network to the preferred networks list by going back to the Wireless Networks tab and selecting Add. Then type in the appropriate information for your wireless setup.

External Resources
To learn more about Wi-Fi security, I recommend listening to the following episodes of Security Now:
- Episode 10: Open Wireless Access Points
- Episode 11: Bad WiFi Security (WEP and MAC address filtering)
- Episode 13: Unbreakable WiFi Security
- Episode 14: Virtual Private Networks (VPN): Theory
- Episode 15: VPN Secure Tunneling Solutions
Note: Each Security Now podcast episode also has a text transcript.
I also recommend checking out the following articles:
I realize this is a long, fairly technical post so feel free to ask any questions, correct any mistakes, offer suggestions, or anything else using the commenting feature below. If nothing else, just let me know if you found this post useful. Thanks!
Note: Although I touched on a few ways to get around wireless security, I do not advocate doing so. I mentioned some of the techniques because the best way to secure against attacks is to know what attacks are out there.
41 Responses to “Securing Your Wireless Network”
Can’t say that my Wireless router has as many different encryption options as yours but WEP is definitely a must, if nothing else. It’s amazing how many people leave their wireless network open now-a-days.
You’re right Yannick, it’s definitely amazing how many people leave their networks open…they must not have a clue about the potential dangers. Problems extend beyond people stealing your Internet connection.
WEP helps protect against someone casually trying to get in your network, but I highly recommend switching to WPA if your router supports it. WEP is badly broken, see WEP: Dead Again and Breaking WEP in Under a Minute to learn why I don’t like WEP.
I bet your router supports several of the different encryption options I mentioned above. The only reason my router does is because I’m using open source firmware. Without that, I’d just have a basic Linksys router.
[...] **UPDATE** Now that you’re running DD-WRT firmware, make sure to make use of all the available security features. See my post on Securing Your Wireless Connection. [...]
This article goes great alongside the flash tutorial. Are there any wireless NIC cards you could recommend that support WPA2 personal? The only thing I see that Linksys has is something called PSK2. I think this is the same as WPA2, correct? Thanks.
Tom,
Just about any new wireless network card should support WPA2 personal. I’ve never had to purchase one for a laptop (they have always been built-in). PSK2 is more than likely referring to WPA2…not sure why Linksys just doesn’t call it what it is.
Essentially, WPA comes in two forms…pre-shared key (PSK) and Temporal Key Integrity Protocol (TKIP). TKIP is more likely to be compatible with older devices, so if the card you’re looking at offers PSK then you can be certain it will support all forms of wireless encryption including the strongest WPA2-PSK.
Let me know if you have any more questions; hopefully, I’ll be able to respond a bit quicker next time…I just got back from Alaska.
Very cool stuff…thanks. Got my WRT54GL last night and this and your DD-WRT flashing article (not difficult at all if you read through and go slow) had me up and running in full WPA2-PSK/AES in no time! Only snag I hit was locking myself out (twice!) by misconfiguring the MAC filter and having to do a hard reset to get back in. I left it alone the third time.
Jack
JackG, so glad you enjoyed this tutorial. So many people read my instructions on flashing the router and fail to visit this page to ensure they’re properly securing their wireless network.
Sounds like the MAC filtering was being a pain for you…..I’ll be honest I don’t use the MAC filtering feature (not like a hacker can’t sniff packets and find a valid MAC address and then change their MAC address to a valid one).
Thank you so much for posting this. I have been looking around for a simple explanation and this is it. Thanks again.
Cool stuff.
Very helpful.
My new WRT54GL says “thanks, dude!”
Keep up the good work!
m and the_tavi: Glad I could be of help!!!
Patch Windows Client
One thing I do recommend is downloading the following patches from Microsoft: The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) and Wireless Client Update for Windows XP with Service Pack 2.
The first link is not hotlinked. reads http://
Thanks for the great article helped me secure my network and update my WRT54G to DD-WRT Micro and get things working a LOT better than linksys ever could… should have gone DLink
Thanks for that extra security info Jeff. The firmware is nice…can’t agree with you about the D-Link thing. I had one D-Link product that I wasn’t a big fan of, see D-Link DWL-G710 Wireless Range Extender Review.
I’ll look into fixing that link but exactly which one is it? The first one on this post works for me.
If you go to your Patch Windows Client link in the contents, the second link going to microsoft update is not correct. It links to “http://” not to the update page.
After I have played with the DD-WRT software, my linksys is much more usable, but before… what a worthless piece of junk. It constantly dropped the signal, and would always have to be manually restarted. Not so with DD-WRT, I LOVE the auto restart feature.
Thanks
Joe
Thanks again Joe. I’ve updated the link.
I’ll take your word on the Linksys with stock firmware. I’m just glad people have been nice enough to write and give away other firmware options.
I feel much safer now! Thanks so much for putting this together.
Great Guide!
I bought today a LinkSys WRT54GL and followed your Flash-Instruction and this Security-Guide.
Everything went fine.
Many thanks,
CmdCool.
Thanks geekgirl and CmdCool! I hope you both feel much more secure now because you are!
Thank you so much for the guide. It is very helpful to have all the information together in a single spot. I recently learned to bypass the WEP encryption on my personal wireless network, and was surprised by how little work it took. I was living under the false assumption that WEP encryption was good enough. If I can bypass it, anyone can.
Since then I have upgraded to using DD-wrt and WPA2-PSK. I was reading about setting up a Virtual Private Network, and was curious about your thoughts about it’s security. Any chance you wrote a similar article to this one about securing your VPN?
Thank you again for the time and effort to put into this article. It shows!
Josh
Hey Josh. I’m glad you enjoyed the article. As far as VPN security, I’m fairly confident that it is very secure. I have not had a chance to write an article about it. I’ve wanted to for a while but just don’t have the time. I haven’t even got VPN to work yet (at least doing it the best way). I tried for a while when I first got dd-wrt up and running but never got it to fully function. I haven’t had enough free time to dedicate to troubleshoot the problem on something that I decided I don’t have to have.
Great article. Thanks! Nice screenshots and good detail on the settings to check, and great backup text to explain why. Very high quality article. Thanks again for your work.
Dan, I’m glad the post was useful to you and my hard work didn’t go unnoticed.
Thanx Matt for this very clear tutorial and your insight in wireless router encryption. It has been very helpful for me. I have applied your recommendations on my router!
No problem Luc.
Matt,
I’ve got a WRT54GL with DD-WRT. The WAN port is connected to our network here and I have a laptop connected to LAN port 1 to access the web interface. On the Wireless Security tab I’ve selected WPA Enterprise with TKIP. On my Windows XP laptop I am unable to edit or delete the network under Preferred Networks. Any suggestion?
Thanks,
Jim
Jim,
Can you provide a little more background information? I understand you are wanting to remove a network from your Preferred Networks list. I assume the network you’re wanting to remove is the new one you just added. Are you trying to remove that network while connected to the network? If so, Windows may not allow you to do so. You’ll need to disconnect your laptop from the network and then delete it.
After the WRT54GL was configured, do you plan on connecting to it wirelessly with the laptop that you’re having trouble with, or is the access point just going to be used by others?
This Microsoft TechNet article may help. Also, look at this Texas Tech University help page.
Matt,
We are working on a project with very small businesses in a very rural area to implement free hotspots. We have settled on Linksys WRT54GL routers with a dd-wrt load and NoCatSplash enabled as the hotspot of choice.
Since these are very small businesses hosting the hotspots, some of them have nothing else on their broadband connection other than the hotspot router. However, most of the businesses have a business computer, and would like to have it access the Internet without buying a second broadband link (which are still quite expensive here).
I have a technical background but am far from a networking expert. Having the business computer access the Internet through the hotspot wireless network or via an Ethernet cable to the WRT54GL seems to be a grave security exposure. Do they gain anything from having another router between the modem and the hotspot router, and connecting the business computer to that router (either LAN attached or wirelessly)? If so, are there any specific routers that should be used for this or any parameters that should be set in the intermediate router?
Thanks.
Laura,
My quick response is that your thoughts about creating a grave security exposure are correct. Luckily, a workaround exists to eliminate this exposure without having a second broadband connection. It involves three Linksys routers (not two) connected in a Y-fashion.
If needed, I’ll write a further explanation. Just let me know. Also, this topic has been covered on multiple SecurityNow podcasts. The podcasts talk more about having three routers to have one WEP and one WPA network in a way where you’re not compromised by having a weak WEP network. The concept applies to your situation though.
Matt,
Thank you for your response. I’ve looked through the SecurityNow sessions (wow! what a lot of information!). I haven’t heard them all, so perhaps I missed something, but I’m still having trouble understanding what we need to recommend.
The typical hosting location for our hotspots has a single PC cable-connected to their cable or DSL modem. If we merely insert the hotspot router between the modem and the business’s PC, I can see that the PC would be in danger. One fairly knowledgeable acquaintance suggested that a second router downstream from the hotspot router would offer reasonably good security:
modem=>cable=>hotspot=>cable=>router=>cable=>PC
I’m not sure why this is more secure than having the non-hotspot router first, with both the business PC and the hotspot router cabled into it. The business PC is cabled — not wireless — so WEP/WPA security don’t apply. If the business has an internal wireless network, it makes sense to me to have a Y configuration with both the business wireless router (with WPA) and the open hotspot router cabled to a third router.
Does this make sense?
Laura
SecurityNow does have an overwhelming amount of information. I’ll try to explain what you need more clearly this time.
Your acquaintance’s suggestion is on the right track but I’m afraid that may not be fully secure. Rather than re-invent the wheel and take a chance on misleading you, I’ve pasted in some of the content from the SecurityNow podcast below. I’ve also included the corresponding episode numbers so you can get the full story if you want more information. Although the SecurityNow content is geared directly toward running WEP and WPA off of a single broadband connection, the solution works for your situation as well, since what you’re describing is one potentially insecure network sharing the same connection with a network that should be secure.
Before I paste the info, one other thing you also need to keep in mind is to put the two different local networks on different local IP address ranges. For instance, one of the networks could be on the 192.168.x.x range while the other could be on 10.x.x.x range. The main thing is that you don’t want them all on the same subnet.
SecurityNow Episode 124 explains the solution:
“Yes. As we’ve discussed, due to the problem with ARP poisoning that we discussed some time ago, which allows somebody bad who had accessed your network to insert themselves, essentially create a man-in-the-middle and be able to filter any traffic coming and going from your Internet gateway, which is absolutely possible. That means that any access to your packet traffic is a problem. The only safe way that I can see to solve the problem is to have three routers. You would have your main router, which is your Internet connection. Then you would have a router running WEP and a router running WPA, both connected to that first router. So you essentially have a Y, and two routers running different WiFi. The reason this works is that you still have the potential for an ARP poisoning problem except that ARP will not cross a router. ARP is only used within a local Ethernet. So you end up with essentially three Ethernets. You’ve got an Ethernet on the inside of your WPA router, an Ethernet on the inside of your WEP router, and then you’ve got a little tiny Ethernet that’s linking those three routers.
Well, that ends up being sacred, that little three-router Ethernet, because there’s no way for anybody even who breaks your WEP security to mess around with the little network that links the routers. So essentially the routers provide isolation. But if you allowed WEP access to, for example, your main core router, the router on the outside, then it would be able, if that were hacked, to gain access to all your network traffic. So there’s no way to do it that I’ve been able to think of with two routers. You would need three. But if you had three routers you would be able to use WEP services on one, WPA services on the other, and there’s no way that even somebody with access to the WEP router would be able to gain access to any of your WPA traffic. ”
SecurityNow Episode 128 explains why having just two routers is insecure:
“Let’s review briefly this idea of chaining routers. The idea was that you could have your outside Internet connection go to Router #1, and that would be a wireless router running WPA or WEP. And then you would chain it to a second router which was also wireless, running WPA or WEP. Now, the problem is, if the inside router is the insecure one, then it is potentially able, that is, somebody who cracks WEP, and we know how easy that is now, remember it’s less than a minute to do that now. If someone cracks that, then due to the fact that it’s possible to make upstream connections through a router, which of course is how the Internet works, we’re all downstream of our routers, and we’re able to make upstream connections through the router. That allows somebody on the inside, that is, on the inner router, to connect to devices on that outer level router because upstream connections are permitted. So that’s why it’s not safe to have an insecure network chained off of your secure network.
Now let’s swap the routers around so that now the outer router, that is, the one connected to the Internet, let’s make that one the WEP, the insecure WiFi router, and our WPA router where we have all of our crown jewels and our high-security WiFi due to using WPA. That’s the inner one. Now the problem is that all of the precious, super secure network traffic goes out through the inner router to the outer router, which is the insecure one. The problem is, as we’ve discussed before, in the face of ARP spoofing, which is well mature now and developed for Ethernet networks and for Ethernet WiFi, it is possible for – it would be possible for a wireless attacker to convince the inner router, the secure router, that its IP is the gateway, so that all of the precious Internet traffic on the inside would route through an attacker’s machine on its way out to the Internet. So there is a, if you assume that ARP spoofing could be present, then it is not secure to have the insecure router upstream of the secure one because ARP spoofing absolutely allows essentially man-in-the-middle traffic rerouting.
So it is not safe to chain an insecure and a secure router together in either order. The only thing you can do that is safe is to have two routers that are joined by a third router.”
Episode 160 also touches on this topic.
To recap, what you need in order to be fully secure is:
modem 1=>cable 1=>router 1=>cable 2=>hotspot 1 and also modem 1=>cable 1=>router 1=>cable 2=>router 2
Bear in mind that the hotspot is also a router so you have three routers connected in a y-fashion.
Another potentially more complex solution would be to have some sort of custom firewall rule but that would take a lot of configuration.
Matt,
Thank you again. Much clearer. A couple of minor follow-up questions:
1. Regarding having the hotspot and secure routers on different local IP ranges, you gave the example of 192.168.x.x and 10.x.x.x. Are you saying that the high level IP address needs to be different, or is 192.168.1.x and 192.168.2.x just as secure?
2. In the 2-router scenario, it seems that the exposure is that a hacker could view/capture the secure information as it passed through the hotspot router. If the PC on the secure router used a VLAN, is this still a problem? Does AP Isolation prevent this?
Laura
1. The combination of 192.168.1.x and 192.168.2.x works just as well as 192.168.x.x and 10.x.x.x. All 3 of those are different subnets. The main thing you want to avoid is having IP address conflicts so as long as the subnets are different on each router, you should be fine.
2. The exposure in the 2-router scenario depends on how they are configured.
a. modem=>cable=>hotspot=>cable=>router=>cable=>PC
The exposure here is that all the secure traffic goes through the insecure router, leaving the potential for an attacker to trick the secure router into thinking it’s connecting to the hotspot router when in actuality the hotspot router is being spoofed and the secure router (rather, the machines connected to it) is now going through an attacker’s machine, who can do whatever he wants to the traffic (a man-in-the-middle style attack).
To answer your last two questions, I think a VLAN might be a secure solution assuming your have a “true” VLAN. I’m not sure how consumer grade routers (like dd-wrt) handle VLANs. You’d have to do some research to ensure that the VLAN really acts like a separate network. However, to be certain that your business users are secure, I’d use three routers.
Of course, you can never be completely secure. Like all things in computers, clever attackers can find holes; VLANs can be crossed. The main thing is to make it really difficult for the common person to attack your network.
b. modem=>cable=>router=>cable=>hotspot=>cable=>PC
The exposure here is people on the hotspot can make upstream connections to the secure router because by default routers allow upstream connections. If they didn’t, the Internet wouldn’t work.
Matt,
Thank you for all your help. You have convinced me that we should recommend the three router configuration.
We did some testing yesterday and discovered another issue with putting the business router downstream from the hotspot router. That configuration makes the business router subject to the restrictions that we put on the hotspot router (such as disallowing SMTP), which is inconvenient for businesses using Outlook, etc.
Laura
Dear Matt,
Thank you so much for taking the time to write up this tech guide where a novice like me can understand it. I bought my first Linksys router and just flashed it to DD-WRT v24-SP1 standard (7/27/08) and the first thing I did was go through your article to secure my router. I do have some questions, though.
1) The two patches that you recommended we download (The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) and Wireless Client Update for Windows XP with Service Pack 2): will these two patches work on a pc running Windows XP 64 bit? I can’t seem to find any info on whether I need it since my pc runs 64 bit version of XP Pro.
2) The DD-WRT configuration is vast and quite complicated: is there any other essential tweaking I need to do for my simple 3-PC home network? We don’t play games or run a server or anything of that nature. At my home, all my PCs are wired so we don’t use any wireless connection, but I plan to set up another network at my sister’s house using just wireless. Any tips would be greatly appreciated. Would I be correct to assume that DD-WRT v24-SP1 standard (7/27/08) comes with the security features set as default due to user requests?
3) How good is the firewall on this WRT54GL v1.1 router? Do I need a software firewall to go with this or is this sufficient?
Thank you for any insight you can offer. I will check back for any replies.
Jay, I’m glad to help and it’s good seeing novices like you get interested in the security of their home network. I’ll attempt to answer your questions. If my answers aren’t clear, please let me know.
1) I wouldn’t worry about the patches too much. I don’t know if they would work in XP 64-bit. I would think you’d need to find similar patches optimized for 64-bit Windows. Regardless, these are nice-to-have patches but aren’t essential, especially if you’re just using a desktop.
2) I completely agree that the DD-WRT menu is quite vast. Based on your network description, I don’t think you’ve missed any necessary tweaks. Going through this security guide is the most important. Other than that, look around and play with settings. You’re not going to mess anything up and if you do, just reset it back to the default settings.
One of the features I like is called something like static-dynamic IP addresses. Basically, almost all routers use Dynamic Host Control Protocol (DHCP), which automatically assigns IP addresses to machines that connect to your network. This is very convenient. DD-WRT is no different. However, one inconvenience with DHCP is that the IPs are somewhat randomly assigned, so one day you might be 192.168.1.24 and the next 192.168.1.5 even though you’re on the same PC and the same network. Static-dynamic IPs allow you to specify the IP assigned to your PCs (based on their MAC address) each time they connect to the network. This makes it easy to remember the IPs of each of your 3 machines; this is the static portion. The dynamic portion allows other machines that are new to the network (ones you have not specifically assigned an IP address) to automatically obtain a random IP. It’s the best of both worlds.
Another cool feature that I don’t use is Quality of Service (QoS). QoS allows you to set the priority of network traffic. For example, you could give Skype the highest quality and BitTorrent the lowest quality. That way the amount of bandwidth for services that you interact with like Skype aren’t impacted by downloads that are going on at the same time.
3) The firewall that comes with DD-WRT is perfectly fine. All router firewalls are what you call NAT routers, which are better than software routers. Basically, they only let traffic that was initiated by a PC inside your network come back into your network unless you do port forwarding. Port forwarding is okay as long as you do a high-numbered, random port. The other caveat is to make sure Universal Plug and Play (UPnP) is turned off. With that said, I would not turn off XP’s built-in software firewall, though I wouldn’t worry about buying a commercial software firewall.
Hope this answers your questions.
Thanks,
Matt
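What the “static-dynamic” lease table in Matt’s reply looks like underneath: DD-WRT hands its DHCP server (dnsmasq) one `dhcp-host=` line per pinned machine, and every MAC not on that list still gets an address from the dynamic pool. The script below is an added example, not code from the post or from the DD-WRT project; the MAC addresses, hostnames and IPs are made up, and the pool bounds and the Services page text box it targets (“Additional DNSMasq Options”) are assumptions about the build in question. Its one non-obvious job is the check Matt alludes to in his reply to Laura: keeping the fixed addresses from colliding with each other or with the pool.

```shell
#!/bin/sh
# Added example (not from the post): DD-WRT "static-dynamic" DHCP expressed as the dnsmasq
# options the router uses underneath. Paste the emitted lines into
# Services -> DNSMasq -> Additional DNSMasq Options (assumption: your build exposes that box).
# All MACs, names and addresses are constructed sample data.
POOL_START="${POOL_START:-100}"   # assumption: dynamic pool is 192.168.1.100-149 (Setup page)
POOL_END="${POOL_END:-149}"

# One entry per machine: MAC, hostname, fixed IP. The fixed IPs sit *below* the dynamic pool,
# so a visiting laptop can never be handed an address one of your own PCs is pinned to.
LEASES='00:11:22:33:44:01 desktop 192.168.1.10
00:11:22:33:44:02 laptop  192.168.1.11
00:11:22:33:44:03 printer 192.168.1.12'

# Emit one "dhcp-host=MAC,name,IP" line per entry. Refuses (exit 1) an IP that falls inside
# the dynamic pool or is listed twice, the two ways a static lease creates an address conflict.
static_leases() {
  seen=""
  while read -r mac host ip; do
    [ -z "$mac" ] && continue
    last=${ip##*.}                          # final octet, e.g. 192.168.1.10 -> 10
    if [ "$last" -ge "$POOL_START" ] && [ "$last" -le "$POOL_END" ]; then
      echo "error: $host ($ip) is inside the dynamic pool" >&2
      return 1
    fi
    case " $seen " in
      *" $ip "*) echo "error: $ip is listed twice" >&2; return 1 ;;
    esac
    seen="$seen $ip"
    echo "dhcp-host=$mac,$host,$ip"
  done <<EOF
$LEASES
EOF
}

# Run directly to print the lines ready for the text box.
if [ "${1:-}" = "print" ]; then
  static_leases
fi
```

Machines not in `LEASES` keep getting pool addresses exactly as before, which is the “dynamic” half Matt describes; only the three named MACs are pinned.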
[...] after flashing to Tomato is the perfect time to implement stronger security. You can reference my Securing Your Wireless Network article if you want to learn how to have a really secure wireless [...]
Matt -
“Thanks!” from another beneficiary of your efforts and generosity. Thanks for sharing your expertise and making this such an easy task.
Best regards!
Ken
Thanks Ken. I appreciate the kind words.
I updated to the DD-WRT firmware and flashed the memory successfully on my WTR54G LinkSys version 6.
However,
I am unable to set a wireless security method.
It is disabled. When I select WPA, I am taken to a blank screen. When I go back, it is still disabled.
I used the dd-wrt.v24_micro_generic.bin
Sorry for the slow reply John. I’ve been out-of-town.
I’ll admit that I haven’t used dd-wrt.v24_micro_generic.bin but from what I can tell from the dd-wrt wiki, the micro version supports WPA security.
Do any of the other wireless security options (e.g., WEP, WPA, WPA2, etc.) work?
Have you tried rebooting the firmware? After a reboot, it might work. If not, you can always do a hard-reset but doing so will reset your router to the dd-wrt.v24_micro_generic.bin defaults so you might want to jot down all of your custom settings before doing the hard-reboot.
Hope this helps.
Matt,
I totally understand the three routers in a Y formation, but I was hoping to do something similar with one router running dd-wrt.
The scenario that I’m working on is a router with the wireless and wired connections VLANed so that they are separate, and the wireless is running a hotspot with NoCatSplash. That way the business computers connected to the wired network are not subject to NoCatSplash. I have separated the wireless from the wired network thanks to this article, http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN.
The problem is that as soon as I enable NoCatSplash, I am unable to get to the internet.
If I put the two networks back to default and enable NoCatSplash, it functions as expected.
I imagine there are some advanced firewall rules that I would need to change to get this to work the way I want.
Any thoughts?
Thanks,
Jason
Jason,
Sorry for the very delayed response…I offer no excuse. Anyway, I don’t think you will be secure with the VLAN. I’m not sure the Linksys offers a true VLAN, so you aren’t getting the same level of security you might get via an enterprise-grade switch. However, that’s not what you asked about.
I haven’t played with NoCatSplash or VLANs, so I’m afraid I’m not going to be of much help. I wish I could be. I think you’re on the right trail of looking for an advanced firewall rule/iptables rule (one that you have to write in the text box versus configure via a checkbox). I currently have Tomato installed on my router, so I can’t even look at the dd-wrt settings to see if I can come up with some good ideas for you. I suggest you post the question over at the dd-wrt site or search their wiki for people trying to do similar features. I bet you’re not the only person who has wanted that solution. The following forum entry might get you going down the right track: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160&postdays=0&postorder=asc&start=15
If you find an answer, please come back and post a reply so that I may know and that others who visit my site can benefit from your knowledge.
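A concrete form of the “custom firewall rule” Matt offers Laura as the alternative to three routers, and of the iptables rules Jason went looking for after splitting the WLAN from the LAN: the script below is an added example, not code from the post, from any of the commenters or from the DD-WRT project. It keeps the hotspot radio off the business subnet and off the router’s own admin ports while still letting both networks out to the Internet, which closes the two exposures Matt lists (hotspot clients making upstream connections to the secure router, and the secure traffic passing through the hotspot router). The `forward_port` function shows the single “high-numbered, random port” forward Matt describes to Jay. The interface names (`vlan1`, `br0`, `eth1`), the two subnets and the forwarded host and port are assumptions; check yours on the router with `nvram get lan_ifname`, `nvram get wan_ifname` and `ip addr`. On DD-WRT this goes in Administration > Commands and is saved as the firewall script; run it with `IPT=echo` first to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the post or DD-WRT): isolate a wireless hotspot from a wired business LAN
# on one DD-WRT router whose WLAN has already been taken out of the br0 bridge and given its own
# subnet. Every name below is an ASSUMPTION to be matched to your own router.
WAN_IF="${WAN_IF:-vlan1}"              # assumption: WAN port
LAN_IF="${LAN_IF:-br0}"                # assumption: wired business LAN bridge
HOT_IF="${HOT_IF:-eth1}"               # assumption: wireless radio, no longer in br0
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: business subnet
HOT_NET="${HOT_NET:-192.168.2.0/24}"   # assumption: hotspot subnet
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of applying them

isolate_hotspot() {
  # Own chains, flushed if they already exist: DD-WRT re-runs the firewall script on every
  # WAN (re)connect, and plain -A would stack a duplicate copy of each rule every time.
  $IPT -N hotspot_in  2>/dev/null || $IPT -F hotspot_in
  $IPT -N hotspot_fwd 2>/dev/null || $IPT -F hotspot_fwd

  # Traffic from the hotspot TO THE ROUTER ITSELF: DHCP and DNS are all a guest needs from it.
  # Everything else (web GUI, SSH, telnet, UPnP) is dropped, so a guest cannot touch the admin
  # interface at all. If a captive-portal daemon runs on the router, add its port here (assumption).
  $IPT -A hotspot_in -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A hotspot_in -p udp --dport 67 -j ACCEPT
  $IPT -A hotspot_in -p udp --dport 53 -j ACCEPT
  $IPT -A hotspot_in -p tcp --dport 53 -j ACCEPT
  $IPT -A hotspot_in -j DROP

  # Traffic from the hotspot THROUGH the router: anything aimed at the business subnet is dropped
  # (this is the "upstream connections to the secure router" exposure). Internet-bound traffic
  # RETURNs to DD-WRT's normal FORWARD rules, so the guest network still works.
  $IPT -A hotspot_fwd -m state --state ESTABLISHED,RELATED -j RETURN
  $IPT -A hotspot_fwd -d "$LAN_NET" -j DROP
  $IPT -A hotspot_fwd -j RETURN

  # Hook both chains in at position 1, deleting any jump left from a previous run first.
  $IPT -D INPUT   -i "$HOT_IF" -j hotspot_in  2>/dev/null || true
  $IPT -D FORWARD -i "$HOT_IF" -j hotspot_fwd 2>/dev/null || true
  $IPT -I INPUT   1 -i "$HOT_IF" -j hotspot_in
  $IPT -I FORWARD 1 -i "$HOT_IF" -j hotspot_fwd

  # The business LAN has no reason to talk to guest devices either; drop that direction too.
  $IPT -D FORWARD -i "$LAN_IF" -d "$HOT_NET" -j DROP 2>/dev/null || true
  $IPT -I FORWARD 2 -i "$LAN_IF" -d "$HOT_NET" -j DROP

  # The hotspot subnet is not DD-WRT's LAN subnet, so give it its own NAT out of the WAN port.
  $IPT -t nat -D POSTROUTING -s "$HOT_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null || true
  $IPT -t nat -A POSTROUTING -s "$HOT_NET" -o "$WAN_IF" -j MASQUERADE
}

# One port forward: outside WAN port $1/$2 is rewritten to inside host $3 port $4, and only
# that new connection is allowed through FORWARD. Nothing else from the WAN is opened.
forward_port() {
  ext_port="$1"; proto="$2"; dst_ip="$3"; dst_port="$4"
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext_port" \
       -j DNAT --to-destination "$dst_ip:$dst_port"
  $IPT -A FORWARD -i "$WAN_IF" -p "$proto" -d "$dst_ip" --dport "$dst_port" \
       -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
  isolate_hotspot
  forward_port 51822 tcp 192.168.1.10 22   # assumption: an SSH host on the business LAN
fi
```

Two caveats for anyone copying this. AP Isolation, which Laura asked about, only stops wireless clients from reaching each other through the access point; it says nothing about wireless-to-wired traffic, so it is not a substitute for the `hotspot_fwd` rules. And the unusual external port in `forward_port` keeps the service out of casual scans but is not protection: whatever answers on 192.168.1.10:22 is reachable from the whole Internet and has to be hardened on its own. The rules also do not replace Matt’s advice that a true three-router layout is the safer design; a VLAN split on a consumer router puts everything on one box, and a bug in that box undoes the separation.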