How to Do It: Securing Your Wireless Network


Here is an overview of the steps you'll go through in this section:

  • Change the router's default password.

  • Stop advertising your wireless network.

  • Enable wireless encryption.

  • Disable ad-hoc networking.

  • Prevent unintentional roaming.

Change the Router's Default Password

As previously mentioned, routers from the same manufacturers all come with the same password. Although it may be easy to keep it the way it is out of the box, it is well worth the 30 seconds it takes to change it.

Here are the configuration steps that you need to do:

Step 1.

Access the wireless router using your Internet browser.

Step 2.

Click the Setup tab.

Step 3.

Click the change password option.

Stop Advertising Your Wireless Network

By default, wireless routers are set up to broadcast their SSID to make it easy for wireless cards to learn the wireless network without having to know information in advance. Nice feature, bad security practice. Broadcasting the SSID of our wireless home network is entirely unnecessary. So, the first step to securing our network is to shut it off.

Here are the configuration steps that we need to do:

Step 1.

Access the wireless router using your Internet browser. You should be connected via a wired connection because any change you make could break the connection between the router and the computer if you have only a wireless connection at the time.

Step 2.

Click the Wireless tab.

Step 3.

On the line labeled Wireless SSID Broadcast, checkmark Disable (see Figure 2-3).

Figure 2-3. Disabling the SSID Broadcast


Step 4.

While you are on that screen, change the SSID name to something random (write it down). Remember that you also need to change the name on the wireless set screen of each computer you access this network with.

Step 5.

Click Save Settings. That's it!

Just by taking these simple steps, you have made your wireless network relatively invisible and fairly anonymous so that people looking for signals will not see a router with your name on it.

Very Important

As a reminder, never use the default SSID that the wireless router is set up with. (For Linksys products this is linksys.) If the SSID is not being broadcast but is easily guessed by intruders, your wireless network is still vulnerable. Change the SSID to something else, such as a random series of uppercase letters, lowercase letters, and numbers. Write it down.


Enable Wireless Encryption

Even with reduced visibility to your wireless network, a more sophisticated eavesdropper still might be able to learn the SSID and try to obtain access, so you need more security. The next step to securing the wireless network is to turn on encryption. Again, by default, encryption is disabled in wireless router products out of the box. To turn on encryption, we make up a secret key (see the previous section on encryption) that is known only by the wireless router and the wireless NICs in our wireless network (NIC stands for network interface card, which is the wireless-enabled card in your computer that allows connection to a wireless router). To communicate, this secret key must be known; otherwise, the conversation is unintelligible.

In general, both the wireless router and all wireless cards in your network have to be running the same encryption method. However, depending on the age of the wireless product, they may not support all options listed in Table 2-1. The key, then, is to examine what each device (including the router) supports and use the highest level of encryption that all of them can handle. In other words, start at the top of the table: if all your devices support WPA2, use it. If even one of the devices you plan to network does not, you either need to replace it with one that does or go down in the table (for example, to WPA or 128-bit WEP).
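The selection rule above can be written as a short routine. This is an added example, not part of the original chapter: the device names and capability sets are constructed, and the preference list contains only the three methods the text names, because Table 2-1 is not reproduced here.

```python
# Strongest first. Only the methods named in the text; the full Table 2-1
# is not available here, so this ordering is limited to those three.
PREFERENCE = ["WPA2", "WPA", "WEP-128"]


def choose_encryption(devices):
    """Pick the strongest method every device supports.

    devices maps a device name to the set of methods it supports.
    Returns (method, blockers). blockers maps each stronger method that
    was rejected to the devices that lack it, i.e. the ones you would
    have to replace to move up the table. method is None when the
    devices share no method at all.
    """
    blockers = {}
    for method in PREFERENCE:
        missing = sorted(
            name for name, supported in devices.items()
            if method not in supported
        )
        if not missing:
            return method, blockers
        blockers[method] = missing
    return None, blockers


# Constructed inventory of a small home network (hypothetical devices).
HOME_NETWORK = {
    "router": {"WPA2", "WPA", "WEP-128"},
    "xp-laptop": {"WPA2", "WPA", "WEP-128"},
    "win98-usb-nic": {"WPA", "WEP-128"},
}

if __name__ == "__main__":
    method, blockers = choose_encryption(HOME_NETWORK)
    print("Use:", method)
    for stronger, names in blockers.items():
        print(f"To move up to {stronger}, replace: {', '.join(names)}")
```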

Very Important

Keep in mind that even 128-bit WEP is pretty good and will defeat "curious neighbors," but it will not keep a real hacker out. WPA2 is approaching the level of wireless network security that large corporations rely on. So, although you do not need to be overly alarmed if your network "only" supports 128-bit WEP, you should consider upgrading to products that support WPA, or better yet WPA2.


After you choose your method of encryption, you need to implement it on the wireless router and all wireless cards in your network. Each device must be "told" what the super-secret key is to be able to join the conversation.

Enabling WEP Encryption on the Wireless Router

First, let's take an example of implementing 128-bit WEP encryption. We will pick a passphrase of 64Gx3prY19fk2. Now, let's program the wireless router to use this WEP key.

Very Important

It is good practice to always make any modifications to the settings on your wireless router from a computer that has a wired connection, not a wireless connection. This is especially true when changing the wireless settings, such as WEP encryption. If you make a mistake (a typo for example on the passphrase), you will be unable to reconnect your computers to the router, thus cutting off the limb you are standing on.


Step 1.

As we have done several times, access the wireless router using your Internet browser. Click the Wireless tab.

Step 2.

Click the Wireless Security subtab (see Figure 2-4). On the line labeled Security Mode, select WEP.

Figure 2-4. Select WEP as Your Security Mode


Step 3.

On the line labeled WEP Encryption, select 128 bits. On the line labeled Passphrase, enter the passphrase you made up. In our example, we chose 64Gx3prY19fk2 (see Figure 2-5). Click Generate. This translates the passphrase into the actual key to be used. Do not forget to write down the passphrase.



Figure 2-5. Generate the WEP Key


Step 4.

Click Save Settings.

Immediately after you click Save Settings, any computers that were connected with a wireless card to the wireless router will lose connectivity. This is normal because you have just changed the way they are supposed to communicate with the wireless router, but you have not told them the super-secret password to use yet. Let's do that now for each wireless NIC.

Very Important

You may notice four keys are listed after you generate the WEP key. In general, you can choose any of the four keys, but most often you can just pick key number one. The other three keys are just alternate keys that you can use if you want to keep the same passphrase but change the actual key. Keep in mind that if you choose a key other than number one, write it down because this is the key you will also need to enter in all the wireless NICs.


Enabling WEP Encryption on the Wireless NIC

There are a couple different ways to manage the wireless connection in each of your computers. Windows XP offers a built-in function for wireless NIC management. With computers with older versions of Windows (2000, 98SE, and so on) most likely you need to use a wireless management program that comes with the NIC.

The sections that follow show two examples: a Windows 98 desktop computer with a USB-connected wireless card that we set up with the Linksys WLAN utility and a Windows XP laptop that we set up using the XP built-in wireless NIC management function.

Enabling WEP Encryption Using the Linksys Utility

First, let's walk through an example of setting up WEP encryption on a computer running Windows 98SE, using a USB wireless NIC and the Linksys WLAN utility:

Step 1.

Launch the Linksys WLAN Monitor by double-clicking the icon on the far right of your Windows taskbar (the example shows a computer running Windows 98/Me/2000).

If you do not see such an icon, try going through Start > Programs > Instant Wireless > Instant Wireless LAN Monitor.

Notice there is no connection to the wireless router (the signal bars are not "lit" up). (See Figure 2-6.)

Figure 2-6. Launch the WLAN Monitor Utility


Click the Profiles tab.

Step 2.

Select the profile for your home wireless network, and click Edit (see Figure 2-7).



Figure 2-7. Select and Edit the Wireless Profile


Step 3.

No changes are needed to the Network Settings (see Figure 2-8). Click Next.

Figure 2-8. Network Settings Stay the Same


Step 4.

No changes are needed to the Network Mode either (see Figure 2-9). Click Next.



Figure 2-9. Network Mode Stays the Same


The Security Settings window appears.

Step 5.

On the line labeled WEP, select 128-bit.

On the line labeled Passphrase, enter the passphrase you made up. In our example, we chose 64Gx3prY19fk2 (see Figure 2-10). Leave the WEP Key and TX Key fields alone.

Figure 2-10. Generate the WEP Key


Step 6.

Click Next.

Very Important

Make sure to enter the passphrase exactly as you did on the wireless router. Lowercase a is different from uppercase A. The two keys (on the router and on the wireless card) must be identical.

Step 7.

A confirmation window appears (see Figure 2-11).

Double-check that WEP is set to 128-bit and click Yes.

Figure 2-11. Confirm the New Settings


Step 8.

Another confirmation window appears (see Figure 2-12). Click Activate new settings now.

Figure 2-12. Activate Your New Settings


Step 9.

Click the Link Information tab. If you entered everything correctly, the Signal Strength and Link Quality should reappear as green bars (see Figure 2-13).

Figure 2-13. Success at Last!


Very Important

The green bars may or may not be solid the whole way across. It depends on the strength of the wireless signal and how far away you are from the wireless router, much like a cell phone.

If the green bars do not reappear, you probably entered something incorrectly. See the "Troubleshooting Tips: Wireless Encryption" sidebar later in this chapter for help.

Enabling WEP Encryption Using Windows XP

Now let's walk through enabling WEP encryption on a built-in wireless NIC on a laptop computer running Windows XP:

Step 1.

Select Start > Control Panel > Network Connections.

Note the red X on the Wireless Network Connection icon (see Figure 2-14). This is normal and means we have lost communication with the wireless router.

Figure 2-14. Windows XP Network Connections


Click the Wireless Network Connection icon in the right section of the window, and then click Change settings of this connection on the left.

Step 2.

Click the Wireless Networks tab (see Figure 2-15).

Figure 2-15. Wireless NIC Settings


Step 3.

In the Preferred networks section, select the entry for your wireless home network and click the Properties button (see Figure 2-16).



Figure 2-16. Modify the Wireless Network Properties


Step 4.

Select WEP for data encryption (see Figure 2-17).

Figure 2-17. Enable WEP and Enter the WEP Key


In the box labeled Network key, enter the WEP key you generated using the wireless router. In our example, we chose 64Gx3prY19fk2 as the passphrase, which generated 9916A2E7EF4A627832B04C55A6 as the key. Enter the key, not the passphrase, when using Windows XP to manage your wireless cards.

Everyone repeat in unison: write down the passphrase, write down the key.

Very Important

Windows XP does not support passphrase WEP key generation. If you have Windows XP and are using it to manage the wireless connection, you must enter the WEP key itself, not the passphrase. You should have the WEP key written down from when you enabled WEP encryption on the wireless router.

If the "The key is provided for me automatically" box is checkmarked, uncheck it.

Click OK.

Step 5.

You should now see the entry in the Preferred Networks section show a connection (as indicated by the icon). (See Figure 2-18.)

Click OK.

Figure 2-18. Verify the Wireless Network Profile


Step 6.

Going back to the Network Connections window, the red X should now be gone from the Wireless Network Connection icon (see Figure 2-19). This means that you're all done, and the wireless NIC is now communicating with the wireless router using encryption.



Figure 2-19. Encryption Is Enabled and Working


WPA Encryption Example

To compare enabling WEP encryption to how WPA encryption is enabled, let's take an example of WPA (this time, we pick 8F37ahr43K as our example pre-shared key). Enabling WPA encryption is a lot like enabling WEP encryption, except you must make one additional decision: You must decide how long an encryption key will be allowed to be used before a new key is assigned. The lower the value, the less time a hacker has to try to "crack" the key. For example, if you set the value to 1800 seconds (which is 30 minutes for you nonmath majors), a key is used for 30 minutes, and then the wireless router and wireless NIC create a new key. If a hacker "cracks" the key within 30 minutes (which is pretty tough to do), the key will only be valuable for the remainder of the 30 minutes before it is switched to an entirely new key, and the hacker would have to start all over.

First, here's an example of setting up WPA on the wireless router:

Step 1.

On the Wireless Security subtab again (see Figure 2-20), select Pre-Shared Key on the line labeled Security Mode. (On some Linksys products, the selection is called WPA Pre-Shared Key.)

Figure 2-20. Enabling WPA Encryption on the Wireless Router


Step 2.

Select either TKIP (for WPA1) or AES (for WPA2). If your wireless router and all wireless NICs support AES mode, select it because it is more secure. If any of them do not, select TKIP. You cannot configure some with TKIP and some with AES.

Step 3.

On the line labeled WPA Shared Key, enter the pre-shared key you made up (in our example, 8F37ahr43K).

Step 4.

On the line labeled Group Key Renewal, enter the number of seconds that you want the key to be used before changing it (see Figure 2-20). We chose 1800 (which is 30 minutes) for this example.

Step 5.

Click Save Settings.

Very Important

So how long should you set the key renewal period for? There is no great answer, although if you have the value set too low (1 to 2 minutes, for example) it could cause connectivity issues for some NICs. We recommend following manufacturer recommendations (or defaults).

With WPA, we also then need to tell the super-secret password to each of the devices with wireless cards so that they know how to decode the conversations with the wireless router. Here is an example for a Linksys WPC54GS Wireless-G PCMCIA laptop NIC:

Step 1.

Launch the WLAN Monitor Utility, similar to the example earlier where we enabled WEP on a USB-connected wireless NIC.

Step 2.

For the Encryption Method, choose Pre-Shared Key (see Figure 2-21). (On some Linksys products it is called WPA Pre-Shared Key.) Click Next.

Figure 2-21. Choose WPA Pre-Shared Key


Step 3.

On the line labeled Encryption, select TKIP (for WPA1) or AES (for WPA2). On the line labeled Passphrase, enter the key phrase you made up (see Figure 2-22). In our example, we chose 8F37ahr43K. Click Next.



Figure 2-22. Enter the WPA Passphrase


Step 4.

In the confirmation window that appears, double-check that Encryption is set to Pre-Shared Key, and then click Save (see Figure 2-23).



Figure 2-23. Confirm New WPA Settings


Step 5.

Click the Link Information tab. If you entered everything correctly, the Signal Strength and Link Quality should reappear as green bars (see Figure 2-24).

If not, you probably entered something incorrectly.

Figure 2-24. You Are Successfully Connected!


Continue setting up each NIC with the super-secret password, each time checking to see whether the connection is reestablished to the wireless router.

Troubleshooting Tips: Wireless Encryption

If any of the computers do not reestablish communication, items to check include the following:

  • Make sure the encryption method chosen on both the wireless router and all wireless NICs is the same.

  • Make sure the passphrase for WEP key generation (or WPA) is entered exactly the same on both the wireless router and all wireless NICs. The passphrase is case sensitive, which means that p is different from P. Take care to make sure the entered phrase matches exactly, including lowercase and uppercase letters.

  • If all else fails, disable encryption on both the wireless router and all wireless network adapters, reverify the connections without encryption turned on, and then start the encryption setup from scratch.

  • Read the Troubleshooting and Wireless Security chapters in the installation manuals that came with the Linksys wireless router and Linksys wireless NICs.
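Why the match has to be exact, shown as an added example that is not part of the original chapter: in WPA and WPA2 pre-shared key mode, the router and each NIC independently derive the 256-bit key from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i), so a single wrong letter case or a stale SSID produces a completely different key. The SSID, the settings dictionaries, and the function names below are constructed for illustration.

```python
import hashlib


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit key used in WPA/WPA2 pre-shared key mode.

    IEEE 802.11i: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 32 bytes of output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def diagnose(router, nic):
    """Compare router and NIC settings; return the list of mismatches."""
    problems = []
    if router["ssid"] != nic["ssid"]:
        problems.append("SSID differs")
    if router["cipher"] != nic["cipher"]:
        problems.append("cipher differs (TKIP vs AES)")
    if router["passphrase"] != nic["passphrase"]:
        if router["passphrase"].lower() == nic["passphrase"].lower():
            problems.append("passphrase differs only in letter case")
        else:
            problems.append("passphrase differs")
    return problems


# Constructed sample settings. The passphrase is the chapter's example;
# the SSID is a made-up random name.
ROUTER = {"ssid": "k3TmQ9xV2b", "cipher": "AES", "passphrase": "8F37ahr43K"}
NIC_OK = dict(ROUTER)
NIC_CASE_TYPO = dict(ROUTER, passphrase="8f37ahr43K")  # lowercase f
NIC_OLD_SSID = dict(ROUTER, ssid="linksys")            # profile never renamed

if __name__ == "__main__":
    router_key = wpa_psk(ROUTER["passphrase"], ROUTER["ssid"])
    for label, nic in [("ok", NIC_OK), ("case typo", NIC_CASE_TYPO),
                       ("old SSID", NIC_OLD_SSID)]:
        nic_key = wpa_psk(nic["passphrase"], nic["ssid"])
        status = "keys match" if nic_key == router_key else "keys differ"
        print(f"{label:10} {status:12} {diagnose(ROUTER, nic)}")
```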

Disable Ad-Hoc Networking

As previously mentioned, we recommend for security reasons that you operate your wireless home network in infrastructure mode, meaning a wireless router provides the central point of the network and all wireless computers communicate only with the central point, not to each other directly (which is called ad hoc). This is a relatively low security risk, but there is a small possibility that those sitting next to us in an airport or other public location can try to make an ad-hoc connection directly between their laptop and ours.

Because we only ever plan to use our laptop computers connected to a wireless router in infrastructure mode, we should disable ad-hoc networking mode so that it is not possible for another laptop computer to attempt to make a connection directly to our laptop.

Using the Linksys NIC management utilities (such as WLAN Monitor), we do this by selecting infrastructure mode. When using Windows XP, the operating system manages most wireless NICs for us, and an additional step is required.

If your laptop or NIC does not support doing so, do not worry about it too much; if it is supported, however, why not take advantage of it? Here is how to disable ad-hoc wireless networking in Windows XP for a built-in wireless NIC:

Step 1.

Bring up the properties of the wireless NIC.

Click the Wireless Networks tab (see Figure 2-25).

Figure 2-25. Wireless Networks Tab


In the Preferred Networks section, click the Advanced button.

Step 2.

Select Access point (infrastructure) networks only (see Figure 2-26).

Figure 2-26. Do Not Allow Ad-Hoc Connections


Step 3.

Click Close.

Step 4.

Click OK (on the Properties dialog box).

Now, if we encounter another computer with a wireless NIC that attempts to set up an ad-hoc connection, our wireless NIC will not respond to the attempt, keeping our wireless network (and laptop) secure.

Prevent Unintentional Roaming

Wireless networks are a bit like cell phones. Your cell phone tries to find the closest cell tower so that you can get the most bars of signal strength to have high-quality voice calls.

Wireless NICs work in a similar way in that they try to find the wireless router that has the strongest signal. The assumption is that the router it finds is yours because it is the closest and therefore has the strongest signal. However, that is not always true. If you have poor signal strength in a particular room of your house and your neighbor's router actually has a better signal in that room, your wireless NIC might try to roam onto your neighbor's router, unless you instruct it not to.

You do not want your laptop unintentionally hopping over to your neighbor's wireless router whenever it sees a stronger signal or for whatever reason loses connectivity with your own router.

Using the Linksys NIC management utilities (such as WLAN Monitor), this is pretty easy. Simply do not add your neighbor's wireless SSID as a profile.

When using Windows XP to manage wireless connections, an additional step is required:

Step 1.

Bring up the properties of the wireless NIC.

Click the Wireless Networks tab (see Figure 2-25 earlier).

In the Preferred Networks section, click the Advanced button.

Step 2.

Make sure Automatically connect to non-preferred networks is unchecked (see Figure 2-26 earlier).

Step 3.

Click Close.

Step 4.

Click OK (in the Properties dialog box).

Now, if the wireless NIC sees your neighbor's wireless router, it will not try to connect to it because it is not in the list of preferred networks.



Home Network Security Simplified
ISBN: 1587201631
Pages: 130
