RE: home wireless router good practices for security

[Francisco Mário Ferreira Custódio <fcustodio () eda pt>]

Hi there Steve!

 

-----Original Message-----
From: Steve [mailto:securityfocus () delahunty com] 
Sent: terça-feira, 30 de Dezembro de 2003 17:33
To: security-basics () securityfocus com
Subject: home wireless router good practices for security

So I went out and purchased a wireless router (Linksys 802.11b) for home
since it was so inexpensive and actually less cost than the wireless access
points I was trying to get via eBay.  Got it home, installed my wireless
network card (SMC), powered on the router, attached it to a port on my other
wired linksys router, and boom it worked great.  Then about 5 minutes after
I sent an instant message to my neighbor (fellow IT friend) he was on my
network.  So I took the steps that Linksys recommends below, seems good (to
me).
    Change the default SSID
    Disable SSID Broadcasts
    Change the default password for the Administrator account
    Enable WEP 128-bit Encryption
Linksys also recommends these other measures, I have not implemented:
    Enable MAC Address Filtering
    Change the SSID periodically
    Change the WEP encryption keys periodically.

My Questions:

1) Anyone know how much enabling 128-bit encryption will hurt my wireless
performance?

> > In your case, you will not have any dramatic change in the performance.
The changes in the wireless performance are only noticed when you have a
really big and busy wlan. (the more packets you have...more crypto
calculations have to be done per second).

2) Does setting the SSID for my wireless NIC then keep me from getting onto
other wireless networks like when traveling?  I ask since that setting was
set to ANY before I changed it to the SSID that I set for my wireless
router.

> > When you enter the SSID on your nic, you are forcing the NIC to work with
a particular network only. When the SSID is set to "any", your NIC will scan
for SSID broadcasts and gives you the chance to select the network you want
to associate.

3) What else should I really do to protect my home network?

> > It depends on what options the Linksys gives to you. Using the same WEP
key, is unsecure. Changing WEP keys from time to time, gives you more
security. It's easy to sniff (tools like AirSnort) your WLAN and within a
day or 2 the bad guys have your WEP keys. Normally the most secure way is
the use of IEEE 802.1X. 802.1x offers you authentication and traffic user
controll to a protect network and the dynamic WEP keys. 802.1X uses EAP
(extensible authentication protocol). EAP gives you multiple authentication
methods (token cards, Kerberos, one-time passwords, certificates ...).
Sounds crazy to be paranoid at this level with a home wlan, but you have to
be paranoid if you want to secure your stuff. 

Check your Linksys to see if it supports IEEE 802.1x. If not, I advise you
to use MAC filtering and to change WEP keys periodically. When setting your
SSID, you should keep in mind that the SSID does not have to be an easy
string. Like the SNMP communities, people always use easy to find diccionary
words. I apply to the SSID's the same principle I use when choosing a strong
password (be paranoid!). Always use a strong SSID (special chars, numbers,
upper and lower case chars). For example, instead of using "homelan" for
SSID, you should use "#h0M3 L4n#". (The space between is to be used also, in
some lab test i've done...when a space is used on the SSID, the NIC's seem
to have difficulty finding it...even with SSID broadcast enabled).

Besides the WLAN, you should also take care of any resources on your
network. Access control and authentication. What is the purpose of using a
super secured wlan, when you have "Everyone" FULL CONTROL on your private
folders? 

Well...I hope I helped you!

Cheers and good luck,

Francisco.


---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------