What Do I Do About Wireless Security?


You can take three really simple steps to dramatically increase the security of your wireless network. It is not foolproof wireless security, but it will keep you from being an easy target and it will keep most of the riff raff out.

As Figure 2-1 shows, there are plenty of easy targets out there, so all you need to worry about in most cases is the curious neighbor or someone specifically looking to access a network with no protection at all. The steps in this chapter will not keep out a really serious hacker; if you have reason to worry about a hacker specifically targeting you (as opposed to someone hacking at random), however, you can hire a security specialist, or better yet, just do not use wireless. For the vast majority of you, though, read on.

Figure 2-2 shows varying degrees of wireless home network security and the vulnerabilities related to the networks.

Figure 2-2. Wireless Security Examples


So what are the four things you need to do?

  • Change your router's password.

  • Do not advertise your network (turn off SSID broadcast).

  • Scramble (encrypt) your wireless signal (use WEP or WPA).

  • Do not use ad-hoc networking.

Before we get into the "How to Do It" section, let's take a closer look at the "what" and "why" of wireless network security. Do not worry if this seems a bit complicated; it really is not. The "How to Do It: Securing Your Wireless Network" section walks you through the setup so that these basic security features can be turned on in a fairly painless way. Trust us here: It is a far worse pain to have people get on and take advantage of your network than to implement these steps.

Change Your Password

Pretty much every router on the planet comes with a default password of admin. If you don't change this immediately upon turning on and connecting to your router, you are asking for trouble. You need to open the screen where the password gets changed anyway, so do yourself a favor. Chapter 8, "Tip 8: Create Strong Passwords," explains how to create strong passwords.

Do Not Advertise Your Wireless Network

Every wireless router is given a name that allows clients (wireless-enabled computers) to find and associate to it. This name is called the service set identifier, or SSID. The first thing you can do to greatly improve the security of your wireless network is not to broadcast the SSID.

Most wireless routers have the broadcast SSID setting turned on when you take them out of the box. This feature announces the name of your network to every wireless-capable computer within range. Although this makes it easy for you to connect to your network, it makes it easy for the rest of the neighborhood, too. Turn this feature off (we show you how later in the section "Stop Advertising Your Wireless Network"). In addition, remember that knowing the name of a network (even if the broadcast function is turned off) gives you the power to get on that network, so you should choose a random SSID name. The same rules that apply to any password apply here, too, so take a look at Chapter 8.

Any SSID that is easy for you to remember is probably easy to figure out, so avoid SSIDs that include your name, the word home, the word network, or anything related to your name-homewireless-network. We suggest that you rename the SSID to something personal (but not easily guessed), or use a random combination of numbers and upper- and lowercase letters. Do not worry about having to memorize this; you can just write it down and keep it in a drawer or a folder where you can access it later if you need it. Remember, however, that hiding and renaming the SSID only keeps out the nosy neighbors and provides your router with some level of anonymity; it does not by itself protect your network.

Scramble Your Signal

Another thing you can do to improve the security of your network is to turn on encryption. If you are unfamiliar with encryption, the concept is pretty simple. Remember being a kid and making up a list like this:

A B C D E F G H I J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26


Then your friend writes you a note like this:

9 12 15 22 5 12 9 19 1 


You pull out your handy-dandy decoder table and translate it to "I love Lisa." Congratulations, you were doing encryption.

We are obviously oversimplifying, but encrypting your wireless network is actually a similar concept. You are going to choose a "key" for your wireless network. That key is known to both the sender and receiver (for example, your computer and the wireless router). Every time you send information between each other, you use the key to encode it, transmit it, and then use the key again to decode the message back to its real information.

In the case of wireless encryption, instead of a single letter-to-number translation, a mathematical formula is calculated using the original information and the key. The result is a highly encoded piece of information that is difficult to decode without knowing the key. In general, the longer the key, the harder it is to break. Think of an encryption key like a PIN code that has 64 or 128 digits instead of 4. (How the mathematical formulas work is beyond the scope of this book. If you are interested, pick up a book on cryptography.)

In the end, though, what is important is that even if someone intercepts the signal between your computer and your router, if you are using encryption that person will not be able to make heads or tails out of the information.

Several standards are available for wireless network encryption, including the two most common ones:

  • Wired Equivalent Privacy (WEP): Provides a simple and fairly effective means for keeping your information private and your network secure from those wishing to access it without your knowledge or approval. WEP is the most widely available encryption standard and is offered with several different key lengths, including 64, 128, 152, and even 256 (bits). You may also see references to 40 and 104, but these are exactly the same as 64 and 128. WEP is good enough to keep any nonhacker from seeing your information but is not a bulletproof encryption method.

  • Wi-Fi Protected Access (WPA): A newer and more sophisticated method of encryption. We recommend that you use WPA if it is available on your gear because it provides better protection than WEP. The major difference between WEP and WPA is that with WEP your encryption key remains the same until you change it, whereas WPA changes the key periodically (you don't have to worry about the changes; it is done automatically for you). Changing the key makes it more difficult for others to discover the key, and even if they do, the key is only useful for a short time because it will change again. There are two versions of WPA: WPA and WPA2. WPA2 adds a newer encryption algorithm called Advanced Encryption Standard (AES), which provides "business-level" security for home networks.

Some home networking products (wireless computers, access cards, and wireless routers) support all the encryption options, whereas others support a smaller subset. This is important because both the computer and router need to be talking with the same encryption method and key to understand each other.

Table 2-1 summarizes the different encryption methods mentioned previously. It is important to note that these encryption methods typically cannot be mixed together on the same network, so pick the highest level of security that all your wireless network devices can support.

Table 2-1. Available Wireless Encryption Methods

| Encryption Method | Security / Recommendations |
|---|---|
| WPA2 | Adds a new encryption algorithm (AES) to WPA, which makes it even more secure. Not likely to be available for older devices. |
| WPA | Adds a degree of security beyond WEP. The secret key is changed periodically to reduce the opportunity for "cracking." Typically available with a software upgrade for older devices. |
| 128-bit WEP (sometimes referred to as 104-bit WEP) | Commonly used and offers a high degree of security. A professional hacker with enough money and time can "crack" the code, but this is reasonably secure for most people. |
| 64-bit WEP (sometimes referred to as 40-bit WEP) | Minimum level of encryption. We recommend 128-bit WEP. However, if you have some older devices, they may only support 64-bit WEP. |

Choosing an Encryption Key

So, how do you choose an encryption key? There are two ways, one very simple, one not so simple. The simple way is to use the key generator that is built in to the home networking products. (Linksys products offer this in every wireless card and router they sell.) Essentially, you just create a passphrase (which is like a password), enter it into the network interface card (NIC) or router (using the administration tool), and click a Generate Key button. Examples are shown later in the "Enable Wireless Encryption" section. The same rules apply to passphrase selection as passwords: Never use names, pets, or words. Make up a random series of 8 to 63 lowercase letters, uppercase letters, and numbers. Do not try to spell words or use clever encoded phrases such as weLUVr2Dogs. (Chapter 8 has more on creating strong passwords.) The key generator takes the passphrase and translates it into a series of numbers (0-9) and letters (A-F). Do not worry about understanding the number system, but this is the encryption key. Write down both the passphrase and generated key; we are going to need them several times.

Very Important

We cannot stress enough that whenever you create something such as an encryption pass code, password, or WEP key, you need to write it down in your notebook. If you lose it, you might have to reset the wireless router to the factory defaults and start over.


The second way to choose an encryption key is to make it up yourself using a random combination of numbers (0-9) and letters (A-F). You must create an exact number of numbers and letters depending on which key length you are trying to create. For example, a 64-bit key has 10 digits, a 128-bit key has 26 digits, and so on. (The admin screen where you set this up specifies the number of characters.) If at all possible, use the built-in key generator from a passphrase. You will pull your hair out trying to create them by hand.

Very Important

If you have been paying close attention, you might be confused. If each hexadecimal digit in the key is 4 bits, how can a 64-bit key have 10 hexadecimal digits and a 128-bit key have 26 hexadecimal digits? Wouldn't that be 40 and 104 bits, respectively? The answer is that there is also a 24-bit random number that gets added to each key that makes up the other 6 hexadecimal digits in the full key length.
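
The key-length arithmetic above, and the "make it up yourself" method, as an added example that is not from the book: it works out how many hexadecimal digits each WEP size needs once the 24-bit value is subtracted, generates a random key or passphrase, and checks a hand-made key. All function names are hypothetical, the sample keys are constructed, and the "fewer than 4 distinct digits" cutoff is an illustrative assumption.

```python
import secrets
import string

IV_BITS = 24                       # added by the hardware, never typed in
WEP_SIZES = (64, 128, 152, 256)    # nominal key lengths named in the text
HEX = set(string.hexdigits)
ALNUM = string.ascii_letters + string.digits

def wep_hex_digits(nominal_bits):
    """Hex digits to enter for a nominal WEP size (4 bits per digit)."""
    if nominal_bits not in WEP_SIZES:
        raise ValueError(f"unsupported WEP size: {nominal_bits}")
    return (nominal_bits - IV_BITS) // 4

def generate_wep_key(nominal_bits):
    """Random key from the OS random source, in the form an admin screen expects."""
    return secrets.token_hex(wep_hex_digits(nominal_bits) // 2).upper()

def check_wep_key(key, nominal_bits):
    """Return a list of problems with a hand-made key (empty list means OK)."""
    problems = []
    want = wep_hex_digits(nominal_bits)
    if len(key) != want:
        problems.append(f"need {want} hex digits, got {len(key)}")
    if not set(key) <= HEX:
        problems.append("only 0-9 and A-F are allowed")
    if len(set(key.upper())) < 4:          # assumed cutoff for "obviously patterned"
        problems.append("too few distinct digits to be random")
    return problems

def generate_passphrase(length=20):
    """Random passphrase of letters and digits, 8 to 63 characters long."""
    if not 8 <= length <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))

if __name__ == "__main__":
    for bits in WEP_SIZES:
        print(bits, wep_hex_digits(bits), generate_wep_key(bits))
    print(check_wep_key("AAAAAAAAAA", 64))   # constructed weak key
    print(check_wep_key("12345G", 64))       # constructed: wrong length, bad digit
    print(generate_passphrase())
```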


Oh, and remember: if you have guests who want to use your network, you will need to give them your passphrase or security key. If you need to, you can always change the key after they leave. You can also have them use a direct (wired) connection into the router, which does not require encryption.

Disable Ad-Hoc Networking

Your wireless-enabled computer has two basic modes of communication: infrastructure and ad-hoc networking. In infrastructure mode, all the computers on the network must communicate through the router. So whether you are talking to the Internet or with another computer on the local network, all your communication traffic goes through the router. This is what most people are and should be doing.

In ad-hoc mode, computers can communicate directly with each other without going through a router or any other device. This is great if, for example, you want to share a file with someone quickly. The bad thing is that if you have this mode enabled, those who know what they are doing can get access to all your files, possibly without you even noticing it. To avoid this, we strongly recommend that you disable this function. If you find yourself in a situation where you need to use this feature (such as visiting a friend's home that only has an ad-hoc network), turn it on for the duration of use and then immediately disable it.



Home Network Security Simplified
ISBN: 1587201631
Pages: 130
