The steps you should take depend on how important the security of your personal network is to you. Some people will feel it more important than others to implement comprehensive security measures. But some of the basic security measures you can take are easy and involve little (or no) trouble to set up and very little extra trouble on the part of network users. So everyone should take at least some security measures:
Change your network name (SSID) so that it is not the default
The measures described in this section cover network security. Besides the measures explained in this chapter, you should also take steps to protect individual computers such as installing antivirus software and personal firewall software, as I explained in Chapter 17.
Set your SSID not to broadcast
Implement WPA-PSK security (preferably) or at least WEP
Make sure that all the computers on your network are running up-to-date antivirus software
Change the default administrative and user passwords in your access point
I'll explain these steps in a little more detail in a moment, as well as what to do if your situation calls for greater security than the minimal measures provide. In other words, one key step is to develop a security game plan in the context of your own requirements for security because all serious security measures involve costs and trade-offs.
The National Institute of Standards and Technology NIST), which is a branch of the U.S. Department of Commerce, has prepared a comprehensive white paper about wireless network security. The white paper contains a very helpful and comprehensive wireless LAN security checklist containing 45 items. The items are characterized as "Best practice" (meaning it should be done) and "May consider" (meaning for those who are a little more concerned about security).
You can view this NIST white paper at http://www.csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf.
To come up with a game plan for implementing security on your Wi-Fi network, you should sit back for a moment and see which of these security levels makes the most sense to you.
The measures described in this section are the ones that everyone with a Wi-Fi network should take. (This means you.)
Even if you truly believe that you have nothing of any value on your network, these measures are so easy to implement and no trouble to use, so why not put them in place?
No-brainer security measures include the following:
Change the SSID, or network name, from its default.
Set the SSID not to broadcast. If your SSID is not broadcast, it will be harder for a nefarious evildoer to log on (or even know that your Wi-Fi network is there).
Implement Open System WEP (wired equivalent privacy) or WPA-PSK encryption and authentication if your devices support it.
Make sure that all the computers on your network are running antivirus software and that the virus definitions are updated weekly. This has more to do with general network protection (and common sense) than it does with Wi-Fi network security, but it is still very important.
Change the default password for the administrative application for your access point.
Pick Your Passwords Wisely
For security reasons, you should be careful about the passwords you pick. Never use as a password the name of your company, anyone in your family, or your pet hamster. (These are all easy to guess.) For the same reason, don't use your date of birth or street address.
The worst kind of password is one based on personal information that can be easily determined (or guessed). But you should also avoid passwords based on numerical sequences (such as 12345) or words (such as "password"). Better passwords are at least eight characters long and include both letters and numbers: for example, d31TY9jq.
Unless no one ever visits your home or office, don't jot down your important network passwords on a post-it, and then stick the post-it on your computer monitor. See Chapter 17 for more information about choosing a password.
Neither Open System WEP nor WPA-PSK encryption should be regarded as the final solution to security problems. With the right tools, both forms of encryption can be cracked in less time than you might think. WPA-PSK is the stronger of the two, particularly if you use an automatically generated 64-bit hexadecimal password string rather than the passphrase mechanism built in to many WPA-PSK implementations (if your equipment allows you to do this). If you choose a short passphrase with WPA-PSK, it might even be less secure than WEP. The bottom line is don't count on either of these forms of encryption as an absolute defense against a determined and knowledgeable attack.
You should consider using some of the middling security measures described in this section if you have some security concerns and are prepared to take some trouble over security, but still don't want to go overboard.
In other words, these measures should make sense to you if your posture is, "I'm reasonably concerned about security, but I don't want to waste too much time on it. I'm willing to go to a little bit of trouble to make my network more secure. I'll do what I should do, so long as it is not too much trouble."
Middling security measures include the following:
Plan to change your Open System WEP or WPA-PSK encryption key regularly, perhaps once every week.
Engage MAC filtering. For relatively small networks, MAC filtering is an absolutely excellent, and a relatively painless, way to enforce good security, but it is problematic to administer if you expect drop-in ad hoc wireless users.
Use the DHCP settings in your router (or access point/router combination) to limit the number of IPs that can be used in your network to the actual number of devices that you simultaneously connected to the network.
After you've changed the password on the access point, there might be no way to get it back short of doing a hard reset on the access point (which means that all your settings will get lost). So keep the password in a safe place, and don't lose it.
Red-alert security measures are intended for use with networks that truly have confidential and proprietary information to protect and are willing to go to considerable trouble and expense. (These networks are perhaps the home of proprietary and confidential information belonging to clients.)
You should realize that protection at this level is not a one-shot affair: You have to constantly be on the lookout for new vulnerabilities. You'll need to keep surveying your wireless site, keep changing your passwords, and generally just keep on your toes. Expect red-alert security measures to take time and money, to be trouble to maintain properly, and possibly to slow down your network!
If you run your own business, as I do, when people ask about your job description, you might well say "Chief Bottle Washer." If you intent to deploy red-alert security on a wireless network, to that job title you could well add "Network Administrator" and "Wireless Security Expert."
If you really need a high level of security, you should consider not using a wireless network at all or, at the very least, bringing in a qualified wireless network security expert.
No wireless network can ever be completely secure. Keep any truly confidential information off a wireless network.
Red-alert security measures include the following:
If your access point allows this, lower your broadcast strength. The lower your broadcast strength is, the less likely a nefarious evildoer outside your network is to be able to intercept it (because it doesn't broadcast outside your premises). The ideal scenario here requires fine-tuning your Wi-Fi broadcast so that it is strong inside your premises but falls off rapidly outside. This can often be accomplished by turning down the transmission power, as shown in the D-Link access point unit in Figure 18.1, combined with clever network design and yagi-type antennas.
Figure 18.1. The transmission power of the D-Link AirPlus access point is cut down to 50% using the Transmit Power drop-down list on the Wireless Performance pane of the Advanced tab.
Understand the range of your Wi-Fi broadcasts, and see if there are any obvious vulnerabilities. (A parking lot? A neighbor who hates you?) Performing a physical survey will not only help you understand vulnerabilities, but it will also help you create a network topography and transmission plan that bypasses the problem areas you have found.
Regularly review the DHCP logs provided by your router to see if there are any unauthorized connections. A portion of the log for the D-Link access point is shown in Figure 18.2.
Figure 18.2. Regularly checking the DHCP log maintained by your access point for illicit connections is part of red-alert security.
Turn off wireless access to the access point's administrative application. (This is usually only available with enterprise-class Wi-Fi access points.)
Use a dynamic, per-session WEP encryption scheme. This requires additional hardware, namely an authentication (or Radius) server.
If you can't install a dedicated authentication server, authenticate Wi-Fi connections with usernames and passwords using a network directory server (which can be a Windows domain server and need not be a separate piece of hardware).
Encourage access to your Wi-Fi network via a VPN.
Create a network topology that uses a DMZ with its own set of firewalls for the Wi-Fi access point. This will isolate the access points from possible attacks. You can beef this up even further by making sure that the access point and the nodes on your wireless network can only communicate via a VPN. In the small office context, a good piece of equipment to use to implement this is the Watchguard SoHo Firebox, which combines a firewall and a VPN and costs about $300.