Limiting Access to Wireless Networks


Changing the default SSID name and administrative password for your wireless access point are both important steps in helping to secure your wireless network. However, neither does anything to prevent other wireless users within range from forming an association with your access point, and effectively connecting to your network at will.

In this section, you learn more about two techniques that you can use to limit the exposure and accessibility of your wireless network. While neither offers complete protection from an experienced hacker, both are an important part of the defense-in-depth approach to network security, and should be implemented on all wireless networks.

The wireless security techniques explored in this section include:

  • Disabling broadcast of the wireless network name (SSID)

  • Implementing MAC address security

The following sections explore both of these wireless security procedures in more detail.

Disabling SSID Broadcast

By default, access points broadcast their SSID name as a way to announce their presence to wireless client systems. These broadcasts are heard by Windows Vista and used to display its list of available wireless networks within range.

Changing the SSID name is important insomuch as it stops the access point model (and its associated default password) from being easily discovered. However, this does nothing to stop the existence and availability of the network from being broadcast to all wireless clients within its range. If you want to stop your wireless network from being announced in this way, then you need to make it disappear.

To complete this magical act, you need to disable the SSID broadcast feature on your wireless access point. When SSID broadcast is disabled, Windows Vista and other wireless client systems will not discover your network automatically, nor display it as an available wireless network for their users to connect to.

Follow these steps to disable SSID broadcast on your wireless router:

  1. Select Start > Internet Explorer, or open your preferred web browser.

  2. In the address box, type 192.168.1.1, or the correct address for your access point make and model. Press Enter.

  3. On the logon screen, type your administrative access password. Click the Login button.

  4. In the administrative interface, look for a section marked Wireless, Wireless Settings, or similar. On the SMC access point used in this example, the SSID broadcast setting is changed from Wireless Channel And SSID.

  5. Select the option to disable SSID broadcast (see Figure 17-7), and then click Save Settings.

Figure 17-7: Disable SSID broadcast to improve wireless network security

Disabling SSID broadcast stops your wireless network from announcing itself as "available" to Windows Vista systems and other wireless clients in range of your access point. However, without additional layers of security (such as encryption), users within range can still use a range of wireless network discovery tools to find your network. These tools do not rely on these SSID announcements to find wireless networks. Instead, they listen for wireless network traffic, extracting captured information to determine the details associated with networks within range. While disabling SSID broadcast offers a great way to "hide" your network from casual and less experienced wireless users, it does not make your wireless network completely invisible. Nonetheless, you should always disable SSID broadcast as a wireless security precaution and best practice.
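Why a hidden network is still discoverable, as an added example (not from the book): with broadcast disabled, the access point's beacons carry an empty or null-padded SSID element, but the probe responses it sends to clients that already know the name carry that name in clear. The frame bodies below are constructed, and the name HomeLan is an assumed sample value.

```python
import struct

FIXED_LEN = 12        # timestamp (8) + beacon interval (2) + capability info (2)
SSID_ELEMENT_ID = 0   # element ID of the SSID in the tagged parameters

def build_body(ssid: bytes) -> bytes:
    """Build a minimal beacon/probe-response body (constructed test data)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element
    return fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + rates

def ssid_element(body: bytes):
    """Return the raw SSID element payload, or None if absent or truncated."""
    pos = FIXED_LEN
    while pos + 2 <= len(body):
        elem_id, length = body[pos], body[pos + 1]
        payload = body[pos + 2 : pos + 2 + length]
        if len(payload) < length:
            return None               # truncated element: never read past the end
        if elem_id == SSID_ELEMENT_ID:
            return payload
        pos += 2 + length             # skip elements we are not interested in
    return None

def describe(body: bytes) -> str:
    """Classify what a frame body discloses about the network name."""
    raw = ssid_element(body)
    if raw is None:
        return "no SSID element"
    if raw.strip(b"\x00") == b"":     # zero-length or all-null SSID
        return "hidden"
    return raw.decode("utf-8", errors="replace")

if __name__ == "__main__":
    frames = {
        "beacon, zero-length SSID": build_body(b""),
        "beacon, null-padded SSID": build_body(b"\x00" * 7),
        "probe response to a configured client": build_body(b"HomeLan"),
    }
    for label, body in frames.items():
        print(f"{label}: {describe(body)}")
```

Only encryption protects the traffic itself; the hidden name is disclosed whenever a legitimate client connects.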

There is a small downside to disabling SSID broadcast, namely that your own wireless client systems can no longer discover your wireless network automatically. Thankfully, it's easy to help your Windows Vista systems find these hidden wireless networks - all you need to do is manually configure them with the same SSID name used by your network.

Follow these steps to configure Windows Vista to connect to a wireless network that has SSID broadcast disabled:

  1. Select Start > Control Panel > Network And Sharing Center.

  2. Click Set Up A Connection Or Network.

  3. On the Connect To A Network window, click Set Up A Connection Or Network.

  4. On the Select A Connection Option screen, click Manually Connect To A Wireless Network and click Next.

  5. On the Enter Information For The Wireless Network You Want To Add screen, enter the SSID name of your wireless network. If you want Windows Vista to connect to the network automatically when it's in range, check the Start This Connection Automatically box. Additionally, select the Connect Even If The Network Is Not Broadcasting check box as shown in Figure 17-8. Click Next.

    Figure 17-8: Manually configuring the SSID name for a wireless network with SSID broadcast disabled

  6. Click Connect To; this establishes a connection to the network you've added.

USB Flash Drive Easy Does It

In addition to the steps outlined in this chapter, it is also possible to configure wireless network settings easily using the Set Up A Network Wizard that is included with Windows Vista. This tool can automate the configuration of wireless network devices (including access points) through the use of a USB flash drive. If your access point includes a USB port and supports Windows Connect Now (generally mentioned on the product packaging), you may want to consider using the wizard and a USB flash drive to automate the configuration of your entire wireless network, including advanced settings like WEP or WPA security.

To make use of this Windows Vista feature, follow these steps:

  1. Select Start > Control Panel > Network And Sharing Center.

  2. Click Set Up A Connection Or Network.

  3. On the Select A Connection Option screen, click Set Up A Network and click Next.

  4. On the Set Up A Home or Small Business Network screen, click Next.

  5. When the Wizard Detects Network Hardware But Cannot Configure It Automatically screen appears, click Create Wireless Network Settings And Save To USB Flash Drive as shown in the following figure.

    image from book

  6. Complete the remaining steps in the wizard to save your settings to your USB flash drive. To use these saved settings to set up other Windows Vista computers on your wireless network, insert the USB flash drive, select Wireless Network Setup Wizard in the AutoPlay dialog box, and then complete the steps in the wizard.


Implementing MAC Address Security

Hiding your wireless network is one way to limit its accessibility to outside users within range, but it doesn't stop more advanced users who can find the network from forming an association with your access point. Thankfully, almost all wireless access points include a feature to control exactly which systems can connect, in the form of Media Access Control (MAC) address security settings.

In the world of networking, MAC addresses (also known as physical or hardware addresses) are the individually unique identifiers that a manufacturer assigns to each and every network card. Although other addresses assigned to a network card may change (as is the case with IP addresses), a network card's MAC address belongs to it and it alone.

Knowing this, almost all access point manufacturers include a security feature in their products that enables you to configure a list of MAC addresses with which the access point is allowed to communicate. In other words, you configure the access point with a list of the MAC addresses assigned to wireless network cards in use on your network, and the access point denies communication attempts coming from network cards with MAC addresses that are not on this list.

MAC address security is not enabled on wireless access points by default, so it's up to you to find and then configure the correct addresses for the wireless computers on your network. MAC addresses are made up of 12 hexadecimal digits, usually displayed in a format similar to 00-90-4B-24-B9-10.

Follow these steps to determine the MAC address associated with your wireless network card:

  1. Select Start > All Programs > Accessories > Command Prompt.

  2. At the command line, type ipconfig /all and press Enter.

  3. In the Windows IP Configuration results, look for the section pertaining to your wireless network adapter card, as shown in Figure 17-9. Note the Physical Address value, which is the MAC address of your wireless network adapter card.

Figure 17-9: Use the ipconfig /all command to find the MAC address associated with your wireless network card

When you acquire the MAC addresses for all of your wireless network cards, it's time to enable MAC address security settings on your access point.

Follow these steps to implement MAC address security on your wireless access point:

  1. Select Start > Internet Explorer, or open your preferred web browser.

  2. In the Address box, type 192.168.1.1, or the correct address for your access point make and model. Press Enter.

  3. On the logon screen, type your administrative access password. Click the Login button.

  4. In the administrative interface, look for a section marked MAC Address Security, Wireless MAC Filter, or similar. On the SMC access point used in this example, MAC address security settings are enabled and configured from Firewall MAC Filter, as shown in Figure 17-10.

    Figure 17-10: You use the MAC filtering table to restrict access to a wireless network

  5. Select the option to enable MAC address control.

  6. In the MAC filtering table section, enter the MAC addresses of the wireless network cards used by clients on your network. Be careful to type these addresses correctly (case typically doesn't matter), because client addresses that do not appear in this list cannot connect to the access point. When finished, click Save Settings.

Implementing MAC address security helps to keep casual and inexperienced users from connecting to and making use of your wireless access point. As such, you should always use this technique to add another layer of protection to your wireless network.

However, it's also important to understand that MAC addresses can be spoofed, a technique whereby the burned-in MAC address assigned to a network card is replaced by another (some network cards allow you to change their MAC address to any value, while others require the use of spoofing utilities to do the trick). On wireless networks that do not use encryption, an experienced user can capture unsecured traffic, and then reconfigure their MAC address to one in use on the wireless network. Ultimately, this allows them to bypass MAC address security completely.
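The address-collection and filter-table steps above, as an added example rather than code from the book: it pulls the wireless adapter's Physical Address out of ipconfig /all output, normalises it for the filter table, and models the access point's check, which rests only on the address a frame claims. The ipconfig text is constructed, and the Ethernet address 00-11-22-33-44-55 and host name are made-up sample values.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real system).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Ethernet Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example 802.11g Adapter
   Physical Address. . . . . . . . . : 00-90-4B-24-B9-10
"""

def normalise_mac(text):
    """Return a MAC as AA-BB-CC-DD-EE-FF, accepting -, : or . separators."""
    digits = re.sub(r"[-:.\s]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {text!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def wireless_macs(ipconfig_output):
    """Collect Physical Address values from 'Wireless LAN adapter' sections only."""
    macs, in_wireless = [], False
    for line in ipconfig_output.splitlines():
        if line and not line[0].isspace():      # unindented line starts a section
            in_wireless = line.startswith("Wireless LAN adapter")
        elif in_wireless and line.strip().startswith("Physical Address"):
            macs.append(normalise_mac(line.split(":", 1)[1]))
    return macs

def filter_allows(allow_list, claimed_source_mac):
    """Model of the access point's check: the claimed address is all it sees."""
    allowed = {normalise_mac(m) for m in allow_list}
    return normalise_mac(claimed_source_mac) in allowed

if __name__ == "__main__":
    table = wireless_macs(SAMPLE_IPCONFIG)
    print("Enter in MAC filtering table:", table)
    print("Listed card:", filter_allows(table, "00:90:4b:24:b9:10"))
    print("Unlisted card:", filter_allows(table, "00-11-22-33-44-55"))
```

Because the check compares nothing but the claimed address, it cannot tell which card sent a frame, which is why the filter must be paired with encryption.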



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
