This post describes some best practices for securely configuring your home wireless network. A few high-level PC security tips are thrown in for good measure. I’ve been on a bit of a security kick lately…more than usual anyway. I’ve always been a bit of a security fanatic but lately I’ve been learning a whole lot more. Working as an IT auditor by day and just naturally being attracted to technology, security is of great interest to me. I’m also becoming a huge fan of the open source DD-WRT firmware as I start to use more and more of its features on my home network.

A lot of security topics exists that I’d love to write about sometime, but securing your wireless network is one that should be useful to most of my blog readers. Plus, this is a natural progression from my recent post about How to Flash the WRT54GL with DD-WRT Firmware. This post will not cover the intricate details of the hows and whys of wireless security nor will provide a ton of details on how to circumvent (i.e., crack) common security settings. Maybe I’ll cover those topics at a later date. For now, I just want to tell you about what security settings you should use on your home or small business wireless network to ensure no one is able to sniff (see what your doing on your wireless connection) or use your wireless connection without your permission.

Table of Contents

• Select Your Encryption Method
• Select Your Password
• Disable SSID Broadcast
• MAC Filtering
• Turn Off UPnP
• Change Default Router Log-In Settings
• Setup Your Firewall
• Patch Windows Client
• Configure Client Devices
• External Resources

Select Your Encryption Method
The first thing you must decide on is what encryption to use. The decision is pretty simple; pick the strongest form of wireless encryption that your network will support (excluding the Radius methods for reasons noted below). Remember, even if your wireless router supports the strongest encryption but some of the wireless cards joining the network does not then you will have problems connecting from those machines if you don’t pick a level of encryption supported by all of your devices. Most people with remotely up-to-date hardware will not have trouble supporting all of the encryption levels mentioned below.

Below I’ve listed the DD-WRT’s wireless encryption security mode options (these will be available in most other wireless routers) from strongest to weakest:

1. WPA2 Radius Only
2. WPA2 Radius Mixed
3. WPA Radius
4. WPA2 Pre-Shared Key Only
5. WPA2 Pre-Shared Key Mixed
6. WPA Pre-Shared Key
7. Radius
8. WEP
9. Disabled

All of the RADIUS methods are too complex for most home users because they require a separate Radius server for for authentication. RADIUS is designed for a Corporate type environment.

The DD-WRT firmware provides a second option for WPA Algorithms (for WPA security modes) or Encryption (for WEP security modes).

The WPA preferred order is:

1. AES
2. AES + TKIP
3. TKIP

The DD-WRT help file suggests using WPA2 Mixed/TKIP+AES for maximum interoperability. So if you’re having trouble getting WPA2 AES to work on your network, try this configuration. Also note that WPA2 TKIP is not supported. Don’t worry, any form of WPA is very secure.

For WEP, the preferred order is:

1. 128-bits 26 hex digits
2. 64-bits 10 hex digits

Below is a screenshot of the encryption settings I recommend:

Note: Both forms of WEP are easy to hack due to poor implementation of the RC4 Stream Cipher; don’t worry what this means right now, just know its really insecure. Also, note some people call 128 bit 105 bit WEP and 64 bit WEP 40 bit because they subtract the 24 initialization vector (IV).

Select Your Password
Password selection is of vital importance as well because if someone can easily brute force your password (quickly determine your password by trying all possible values) then the strongest form of encryption is worthless. Some people claim WPA has been broken, but in reality all that has really happened is someone sniffed a lot of packets and then carried out a dictionary or brute force attack and correctly guessed the password. A WEP password doesn’t really matter as a WPA password because a hacker with a little time and some free tools can quickly determine your WEP password due to the improper implementation of the encryption algorithm.

So, how can you make it practically impossible to brute force your password? The answer is simple…use a long, random password. The longer the password the more time brute forcing takes to work (as in thousands of years for a strong password). Basically, brute forcing tries all possible combinations of letters and number (or a predetermined sub-set of them) until the combination works so the longer the password the more guesses required. Randomness protects against dictionary attacks. A dictionary attack is just like it sounds. A very large list of common passwords is tried; therefore, you don’t want to use any words that may be in a dictionary.

Because you are not required to enter your wireless password more than once on each client you want to connect to your wireless network, you can easily select a very long and complex password and not worry about having to memorizing it. GRC has an excellent random password generator perfect for wireless security. Use the 63 random printable ASCII character for ultimate security. Why 63 characters? Its the maximum length accepted by WPA.

Although I trust GRC’s Ultra High Security Password Generator, I still hit the refresh button a few times to collect a small selection of passwords. Then, I cut and pasted tidbits of each password to ensure its security–I know you think I’m crazy.

Of course, you must store this password in a protected place to keep others from finding it. I recommend putting it on a portable storage device such as a CD or USB drive. If you want to be ultra secure, and geeky, store the password in an encrypted form with a tool such as TrueCrypt.

WEP requires you to use an exact password length so you won’t be able to use the full 63 character long password generated by GRC’s Ultra High Security Password Generator. 26 hexadecimal characters equates to 13 alpha-numeric characters and 10 hexadecimal characters equals 5 alpha-numeric characters. If you must use WEP, you can just select the appropriate subset (26 characters for 128bit WEP and 10 characters from the 64bit WEP) from the 64 random hexadecimal characters section of the password generator.

Disable SSID Broadcast
Hiding Your Service Set IDentifier (SSID) doesn’t provide much security because anyone using a tool such as Kismet can still find your SSID, but at least your wireless network ID will be hidden from the average Joe. If you do hide your SSID, your network will not show up when you scan for wireless networks in Windows or OS X so you must manually type in the SSID name you selected on each client when you first time connect to your network.

MAC Filtering
MAC Filtering is a way to limit what network cards can connect to your network. Every networking device has a unique MAC address assigned to it during the manufacturing process. To set up MAC filtering, you will need to determine the MAC address of every device you want to connect to your network and enter this information into the router.

As you can tell, I have MAC Filtering disabled. Why? Its takes quite a bit of time to setup and it doesn’t provide much security. The idea behind MAC filtering is good, but its flawed because a user is able to change their MAC address to anything they want. So, a someone wanting to access your network would use a good wireless sniffer (i.e., Kismet) to determine what MAC addresses are connected to your network. They would then change their MAC address to one of those allowed addresses. Because MAC addresses are supposed to be unique, your access point will get confused if two clients with the same MAC address is connected to it. So, a smart hacker will kickoff the original machine whose MAC address they stole using a common Denial-of-service (DOS) attack or simply wait for that machine to disconnect.

You must decide whether or not MAC Filtering is worth the trouble because it does provide some protection.

Turn Off UPnP
Another worthwhile security measure is turning of Universal Plug and Play (UPnP) on both your PC and your router. UPnP is bad because it lets software automatically open ports on your router without your knowledge. To make it even worse, you can’t tell which ports have been opened. The idea behind UPnP was to make it easy for network software/devices to work without a user having to manually configure Port Forwarding.

The problem is that malware could also use this auto-configuration feature to open ports behind your back in order to communicate with the outside world. Additionally, UPnP has several major vulnerabilities in the past such as buffer overruns that could lead to remote code execution. Although the known vulnerabilities have been patched, turning off UPnP would prevent any future exploits.

The easiest way I know of to turn off UPnP on your PC is to use the UnPlug n’ Pray utility.

Go to the Applications and Gaming tab and the UPnP sub-tab to disable UPnP.

Note: I believe most routers not running the DD-WRT firmware have a similar option to disable UPnP. If not, disabling it on your PC should be enough as long as Windows, as it has bad habits of doing, doesn’t decide to turn the feature back on.

It is important to reset your router to factory defaults to undo any ports opened by UPnP when it was enabled. Please note that resetting your router to factory defaults will also reset any of your custom options, so think twice before doing this. Be sure to reset your router before completing the rest of the security steps or else you’ll probably have to re-do them. See the following two pages on the DD-WRT wiki for information on how to perform a reset: Factory Defaults & Reset and Reboot.

I am uncertain, but simply rebooting (not resetting) your router may also undo the ports opened by UPnP. One way to ensure all your important ports have been closed is to check out the Shields Up web service. If you want to do a full port scan check out NMAP.

Change Default Router Log-In Settings
Changing the User Name and Password used to configure your router is very important (this is the info you type in when going to 192.168.1.1 o whatever your router’s internal IP address is). The default router user names and passwords are widely known…you can easily find a massive list of them. Symantec published an article on a very interesting concept they coined “Drive-By Pharming: How Clicking on a Link Can Cost You Dearly.” The basic concept is Cross Site Request Forgery can be used to log in to your wireless router if you haven’t changed the default log-in settings. Once access has been gained to your router, your DNS Server setting can be changed to a malicious DNS server. This is a major problem because DNS associates domain names (web site addresses) with server’s IP addresses. A malicious DNS server could associate your-bank.com with spoofed site that looks just like your bank’s site and collect your user name and password when you try to log in. However, the simple change of your router’s user name and password protects against this attack.

Go to the Administration tab and the Management sub-tab to change the default settings. While your there, go ahead and disable all Remote Access as well.

Setup Your Firewall
Firewalls are set rules for what can come in and out of your network. One of the main benefits of all routers is Network Address Translation (NAT). Basically, it only allows connections into your network if one of your computers made the initial request. Sometimes you will need to use Port Forwarding to allow connections through certain ports for services running behind your router that you won’t make the initial request…for instance you’re running a web server on your network that needs to accept connections on port 80. If you recall, UPnP automatically configures port forwarding which could open up ports you don’t want open.

Stateful packet inspection (SPI) provides an extra layer of security to NAT routers. I recommend enabling SPI, blocking anonymous Internet request, filtering multicast, and filtering IDENT. You can set all of these by going to the Security tab and the Firewall sub-tab.

Patch Windows Client
One thing I do recommend is downloading the following patches from Microsoft: The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) and Wireless Client Update for Windows XP with Service Pack 2.

The first update “enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access.”

The second update “enhances support for Wi-Fi Protected Access 2 (WPA2) options in Wireless Group Policy. This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list.” Please note that this patch was never included in any automatic updates from Microsoft. Unless you specifically went to Microsoft to download this patch, your system will not have it (as far as I know anyway). Don’t ask me why Microsoft didn’t include this in their standard update cycle.

Configure Client Devices
You should configure Windows to only connect to Access Points because Ad-Hoc (computer-to-computer) networks are dangerous. To do this go to Start > Control Panel > Network and Internet Connections >Network Connections then right-click on Wireless Network Connection device and select properties. On the Wireless Network Connections properties screen select the Wireless Networks tab and then the Advanced button. Make sure to select Access point (infrastructure) networks only and uncheck Automatically connect to non-preferred networks.

You will also need to add your network to the preferred networks list by going back to the Wireless Networks tab and selecting Add. Then type in the appropriate information for you wireless setup.

External Resources
To learn more about Wi-Fi security, I recommend listening to the following episodes of Security Now:

• Episode 10: Open Wireless Access Points
• Episode 11: Bad WiFi Security (WEP and MAC address filtering)
• Episode 13: Unbreakable WiFi Security
• Episode 14: Virtual Private Networks (VPN): Theory
• Episode 15: VPN Secure Tunneling Solutions

Note: Each Security Now podcast also have text transcripts.

I also recommend checking out the following articles:

• Wireless Security
• Wireless LAN Security
• Hacking Techniques in Wireless Networks

I realize this is a long, fairly technical post so feel free to ask any questions, correct any mistakes, offer suggestions, or anything else using the commenting feature below. If nothing else, just let me know if you found this post useful. Thanks!

Note: Although I touched on a few ways to get around wireless security, I do not advocate doing so. I mentioned some of the techniques because the best way to secure against attacks is to know what attacks are out there.

Related post

Related Posts:

s:
1. AJAX Security Considerations…
2. D-Link DWL-G710 Wireless Range Extender Review