Securing Wireless Access Points


Like most computing devices, wireless access points are pre-configured with factory default settings. Designed in a very plug-and-play fashion, you can usually take a brand new access point out of its box, plug everything in, and have your wireless network up and running in minutes.

Although this makes it exceptionally easy for any user to set up a wireless network, leaving default access point settings intact represents a serious security risk. At issue is the fact that wireless access points broadcast their network name automatically, making themselves visible to all wireless users within range. Unfortunately, these default network names are almost always the same, and identify the access point's manufacturer. Armed with this information, any user can easily obtain the device's default configuration settings online, including its administrative password.

As a best practice, always change the following settings on a wireless access point:

  • The password used to access the administrative interface

  • The wireless network name

The configuration of these settings is explained in more detail in the following sections.

Note 

Wireless access points are manufactured by a variety of companies, each with their own lineup of different makes and models. Although most of these devices include similar features and capabilities, the steps that configure them can vary from one model to another. For precise details on configuring the security settings outlined in this chapter on your wireless access point, consult its user manual, Help file, or manufacturer's web site.

Changing the Default Administrator Access Password

Almost all wireless access points include an integrated web-based administrative interface for the purpose of making configuration changes. You gain access to this interface by opening your preferred web browser and entering the access point's management IP address, usually 192.168.1.1 or similar. Assuming that you've entered the address specified for your model, the access point's logon screen will appear.

To log on to the access point for the first time, you need to supply the default administrative password assigned to your model, and then click the Logon button.

Unfortunately, the passwords assigned to access points by default are inherently insecure because they're so well documented. For example, the default password associated with some access points is the manufacturer's name, whereas in other cases it's blank or the word password. Just about anyone can find the default password associated with an access point in minutes, if not seconds, on the Internet.

Because wireless networks are not secure by default, changing your access point's administrative password is imperative. If you don't change this password, other wireless users may be able to connect to your access point's administrative interface and change its settings.

Follow these steps to change the password used to access the administrative interface of your wireless access point:

  1. Select Start, then Internet Explorer, or open your preferred web browser.

  2. In the address box, type 192.168.1.1, or the correct address for your access point make and model. Press Enter.

  3. On the logon screen, type the default password specified in your access point's user manual. Click the Login button.

  4. When logged in, look for a section marked System or Passwords. On the SMC access point used in this example, passwords are changed from System Password Settings, as shown in Figure 17-5.

    Figure 17-5: The password setting configuration screen

  5. Type the access point's current password, and then type your new password and confirm it. Be sure to protect the device with a strong password, according to the password best practices outlined in Chapter 3.

  6. Some access points include the capability to configure a setting called Idle Time Out. This setting controls how long a logged-in user session can remain idle before it is logged off automatically. Configure an appropriate setting (shorter time periods offer better security), and then click Save Settings.

Tip 

Although all wireless access points include the capability to change the default administrative password to a new value, some also enable you to change the username used to log on. If your access point includes this capability, change both the username and password to unique values for added security.

Changing the Default Wireless Network Name

Along with a default administrative password, all wireless access points are configured with a default wireless network name. Known as a Service Set Identifier (SSID), this name distinguishes between wireless networks, and is typically configured with the access point manufacturer's name by default. For example, the default SSID name on most Linksys access points is usually linksys; the SMC access points typically use the SSID smc.

Access points broadcast their SSID name so that wireless clients can discover them. However, using the default SSID makes it easy for other users within range to identify the access point's manufacturer, and by extension, its default password. As a security precaution, always change the SSID of your wireless network to a unique (and less easily identified) value.

Follow these steps to change the SSID name on your wireless network:

  1. Select Start, then Internet Explorer, or open your preferred web browser.

  2. In the address box, type 192.168.1.1, or the correct address for your access point make and model. Press Enter.

  3. On the logon screen, type your administrative access password. Click the Login button.

  4. When logged in, look for a section marked Wireless, Wireless Settings, or similar. On the SMC access point used in this example, the wireless network SSID is changed from Wireless Channel And SSID, as shown in Figure 17-6.

    Figure 17-6: Configuring an SSID name for a wireless network

  5. In the box marked SSID (ESSID on some access points), type a unique name to identify your wireless network. As a general rule, don't choose a name that makes it easy to identify you personally, but do choose a word or name that you'll remember. When complete, click Save Settings.

Tip 

Many wireless access points include built-in Ethernet switch ports for the purpose of connecting wired computers and other non-wireless components to your network. These models often include the ability to deny administrative interface access to wireless computers. If enabled, this setting provides an additional layer of security by restricting configuration of the access point to wired computers only. If your wireless access point includes this feature, enable it. Although it requires you to make configuration changes from a wired computer, it prevents other wireless users from tampering with your access point's settings.
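
The recommendations from both procedures and the tips above can be turned into a short checklist script. The following is an added example, not code from the book or from any access point vendor: the APSettings record, its field names, the finding codes, and the 10-minute idle ceiling are all assumptions made for illustration, and the two sample configurations are constructed.

```python
"""Audit an access point's settings against this chapter's recommendations."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: the chapter only says shorter idle time-outs are better;
# 10 minutes is an illustrative ceiling, not a value from the book.
MAX_IDLE_MINUTES = 10

@dataclass
class APSettings:                     # hypothetical record, filled in by hand
    manufacturer: str                 # as printed on the device, e.g. "SMC"
    ssid: str
    admin_password: str
    idle_timeout_minutes: int | None = None   # None = feature not present
    wireless_admin_allowed: bool = True
    owner_terms: list[str] = field(default_factory=list)  # surname, street...

def audit(ap: APSettings) -> list[str]:
    """Return one finding code per recommendation the settings violate."""
    findings = []
    maker = ap.manufacturer.strip().lower()
    pw = ap.admin_password.strip().lower()
    ssid = ap.ssid.strip().lower()
    # Defaults named in the text: blank, "password", or the maker's name.
    if pw in ("", "password", maker):
        findings.append("default-admin-password")
    # An SSID containing the maker's name points at the documented defaults.
    if maker and maker in ssid:
        findings.append("ssid-reveals-manufacturer")
    # The SSID should not make the owner easy to identify.
    if any(t.strip().lower() in ssid for t in ap.owner_terms if t.strip()):
        findings.append("ssid-identifies-owner")
    # Only checked when the access point offers Idle Time Out at all.
    if ap.idle_timeout_minutes is not None and ap.idle_timeout_minutes > MAX_IDLE_MINUTES:
        findings.append("idle-timeout-too-long")
    # Restricting the admin interface to wired ports is the extra layer.
    if ap.wireless_admin_allowed:
        findings.append("admin-reachable-over-wireless")
    return findings

# Constructed sample: an SMC unit left exactly as it came out of the box.
FACTORY = APSettings("SMC", "smc", "smc", idle_timeout_minutes=60)
# Constructed sample: the same unit after both procedures and the tip.
HARDENED = APSettings("SMC", "bluefern-24", "T7#rove.Lamp!quartz", 5,
                      wireless_admin_allowed=False, owner_terms=["garcia"])

if __name__ == "__main__":
    for name, ap in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit(ap) or "no findings")
```

An empty result means only that none of these specific defaults remain; password strength itself still has to be judged against the practices in Chapter 3.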



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
