6 Steps to Secure Your Home Wireless Network

Discussion in 'other firewalls' started by mack_guy911, May 10, 2010.

Thread Status:
Not open for further replies.
  1. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    That article starts out better than most because it clearly shows that encryption is the most important part of securing a wireless network and that WEP is worthless as an encryption method. 99%+ of wireless security comes from using either WPA-AES or WPA2, with a strong key.

    The other points are less good, which have been discussed here in previous threads.

    On the upside for the remaining points, at least he states in item 2 (Changing the SSID name) that it provides no security. Changing the name is a good idea if only to identify your network for convenience's sake in an area where there may be a large number of overlapping wireless networks.

    Item 3 (Disable SSID broadcast) is very weak. It provides no security and it often causes inconvenience when trying to troubleshoot access issues when connecting a new machine to the wireless network. It's so much easier when you can easily see the wireless network, double-click for quick connecting, and seeing the signal strength and what security level is set.

    Item 4 (Enable MAC filtering) is bad. His statement that "...a very determined hacker may still get access to your network" and implying that somehow MAC filtering will save the day, is way wrong. WPA-AES or WPA2 (with strong key) is unbreakable as yet, today. Any hacker able to crack through either encryption method would never be deterred by MAC filtering. With access to the actual data packets, (assuming you've broken the encryption or are scanning an unencrypted network), you can immediately determine the allowed MAC addresses. It is then trivial to clone a valid MAC address and get right into the network. Again - the encryption is the 99%+ part of the security.

    Item 5 (Change password for Web Access) should have been placed way up as item 2. Never leave a router (or any manageable device) with the factory default password as those are well known and easily obtainable.

    Item 6 (Disable administrative access through web) is always a good idea. However, it is less important once you've enabled strong encryption. To manage the wireless router from the web side, you'd still have to hack the encryption to get access. Since the encryption is many orders of magnitude harder to crack than brute-forcing the router password (assuming you change from the default as mentioned in previous item), the ability of someone ever getting to the router login screen is nil if you've implemented the encryption properly. However, this item does have value if the network you are providing, encryption and all, will be made available to the public or large groups of people, not all of whom are fully trusted. (Meaning, if you will be allowing some unknown or possibly untrusted people to access your wireless network, you won't necessarily want them to have access to your router management login page. They could start brute-forcing the password and you might never know until they've gained access and reconfigured the router for some evil purpose.)
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    Item 4 (Enable MAC filtering)
    Keep in mind that MAC IDs are sent in plain text anyway. I have read before that MAC filtering is the most work for the least security, and I agree.
     
  4. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Patch the OS
    Update the drivers on the NIC
    Use WPA2 / AES and good SSID, Change the Passcode monthly and check the signal layer. Do a walk around with a wireless laptop on your property and see what's out there. I found 3 APs that are not secured and still on 802.11b.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To sum it up

    1. Change admin and user password first
    2. Rename SSID for ease of use and setting automatic connect in clients
    3. Add encryption with WPA (preferably 2).

    Optionals
    4. WPA mode look at wireless setup section of router
    When your Router facilitates WPA2, make sure you choose WPA2 and not AUTO, because this allows WPA and WPA2, so you think you have WPA2 but router also allows clients with WPA to connect.

    5. DHCP reservation look at network setup section
    DHCP gives clients always the same IP address based on MAC address of the client's network card (and/or computer name depending on the luxury of your model). This provides the ease of use of DHCP (dynamic host configuration protocol) while having the advantage of fixed IP addresses (without the more complex manual setup).

    Next look for something called access control in the advanced setup. Allow only the IP addresses to access the router and deny all others. This has the same effect as Mac Address control, with an additional IP address restriction.

    Advantage:
    Mac Addresses can be spoofed, so when your router also offers other ID (like computer name) this will raise the threshold (a little) for hackers and man in the middle network hacks. When you are hacked, it also provides some room for countermeasures when you still can use IP addresses (hacker will try to control all). At least when you roll out a normal cable and add at least one non-wireless client to the list and keep this fixed cable as an emergency access to the router (I have it unplugged from the PC and the rolled up cable lying beside my router). Also when you never look at your router's logs, forget about this option 5.

    Regards Kees
     

    Last edited: May 10, 2010
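
An added example, not part of any post in this thread: one way to confirm the "WPA2 only, not AUTO" and "AES, not TKIP" settings discussed here is to read what your own access point advertises in its beacon. The sketch parses the RSN (WPA2) and vendor WPA information elements and reports the mode and pairwise ciphers only; the function names are this example's own and the sample beacons are constructed, not captured from any device.

```python
import struct

# Cipher suite type numbers, shared by the WPA (00:50:F2) and RSN/WPA2 (00:0F:AC) OUIs.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP(AES)", 5: "WEP-104"}
RSN_OUI, WPA_OUI = bytes.fromhex("000fac"), bytes.fromhex("0050f2")

def iter_elements(tagged):
    """Yield (element_id, body) pairs; stop quietly at a truncated element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def pairwise_ciphers(body, oui):
    """Pairwise cipher names from a body that starts at the version field."""
    if len(body) < 8:
        return set()
    (count,) = struct.unpack_from("<H", body, 6)  # skip version(2) + group suite(4)
    found = [body[8 + 4 * i:12 + 4 * i] for i in range(count)]
    return {CIPHERS.get(s[3], "unknown") for s in found if len(s) == 4 and s[:3] == oui}

def audit(tagged):
    """Return (mode, sorted pairwise ciphers, ok) for one beacon's tagged parameters."""
    wpa = rsn = None
    for eid, body in iter_elements(tagged):
        if eid == 48:                                       # RSN element = WPA2
            rsn = pairwise_ciphers(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # vendor element = WPA
            wpa = pairwise_ciphers(body[4:], WPA_OUI)
    if rsn is None and wpa is None:
        return ("no WPA/WPA2", [], False)
    mode = "WPA2-only" if wpa is None else "WPA-only" if rsn is None else "WPA+WPA2 (auto)"
    ciphers = (rsn or set()) | (wpa or set())
    return (mode, sorted(ciphers), mode == "WPA2-only" and ciphers == {"CCMP(AES)"})

# --- constructed sample beacons (not captured from any real device) ---
def ie(eid, body):
    return bytes([eid, len(body)]) + body

def suites(oui, group, pairwise):
    out = struct.pack("<H", 1) + oui + bytes([group]) + struct.pack("<H", len(pairwise))
    out += b"".join(oui + bytes([p]) for p in pairwise)
    return out + struct.pack("<H", 1) + oui + b"\x02"       # one AKM suite: PSK

SSID = ie(0, b"home")
WPA_IE = ie(221, WPA_OUI + b"\x01" + suites(WPA_OUI, 2, [2]))
WPA2_ONLY = SSID + ie(48, suites(RSN_OUI, 4, [4]))
AUTO = SSID + ie(48, suites(RSN_OUI, 2, [2, 4])) + WPA_IE
WPA_TKIP = SSID + WPA_IE
for name, beacon in [("WPA2 only", WPA2_ONLY), ("auto", AUTO), ("WPA/TKIP", WPA_TKIP)]:
    print(name, audit(beacon))
```

Only the first sample passes; the "auto" beacon still advertises the WPA element and TKIP alongside WPA2.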
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know if this will help or not, but Cisco has a free tool which will help secure wireless networks.

    It will only work with Linksys hardware, though, so it says in the site (the free version).

    http://www.purenetworks.com/product/basic.php

    The download is for the Pro version, but if you decide not to buy it, it will revert to the free version, which offers more than enough for home users.

    Might be helpful.


    Regards
     
  7. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    My router is using "WPA-PSK".

    Am I at risk?

    The only options it gives me are:

    WPA-PSK

    WPA2-PSK

    WEP
     
  8. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I changed from WPA to WPA2. Then saved to router. Then rebooted. But once the router rebooted, it reverted back to WPA.

    Why?
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    It depends on whether it's TKIP or AES. If it doesn't say in the management interface, look for help links or help files in the interface, or look up the router brand and model online to see what security it offers.

    TKIP implementations in WPA have some flaws based on attacks developed in the last year or two. The flaws allow for some packet injection into the network that can mainly be used to disrupt network usage (ARP attacks, DOS, etc.)

    If your router is using AES in its WPA, then you are fine.

    The PSK part simply refers to how the key is distributed among the units on the network. PSK means Pre-Shared Key. (That means you type the key into the router configuration and also type the same key in when you connect a PC to the wireless network - as if it were an access password.)

    This is a different matter. It could be a bug or some complexity you haven't worked through in reconfiguring the router. If it supports WPA2, then you ought to be able to reconfigure it to use it. In this case, also check online by router make, model and firmware version. There might be known issues and fixes/work-arounds available.
     
  10. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    That's Network Magic! You don't need to use that even if you are still on XP. XP has some hidden features that just need to be enabled. Vista and 7 don't need Network Magic either. They have features like that already.
     
  11. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Each router has it labeled differently. WPA2-PSK is what I have also but if you look deeper you'll see it's AES also. WPA2 comes in all types of flavors also. DLINK, Belkin, EnGenius, Sitecom, Netgear, Linksys, Trendnet, TP-Link, ASUS, etc. have the Web Admin laid out differently.

    I see some of you can change the user name, but most of us it's built-in. You can change the password. Some make it harder than others. There is also the Guest SSID mode. Some have Hotel Like Web Interface that prompts you for the passcode or Hot Spot or just join to wireless network A, B, C. You would give your friend or family guest the passcode. That Guest mode has the same type of encryption but under the Guest mode they can't access your LAN, just the WAN (internet). Make sure such a feature is disabled if you're not using it.

    That is another security hole.

    I use: Xirrus Wi-Fi Inspector (free), WirelessMon (trial of 30 days then pay for) and inSSIDer (free). Out of the 3 I like inSSIDer then Xirrus. This is a must for anyone running wireless. The program will tell you how secured your wi-fi is besides helping find the right location for your AP Router or AP or Repeater or WDS or WB or WBC.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As I was trying to point out. Some routers have two settings you need to change. WPA-PSK means WPA pre-shared mode. You have the WPA-Mode probably still on auto. Look whether you can change it to WPA2 only as shown on the pic.

    You should also change it at the wireless device on the client.
     

  13. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Not sure but my download quota has not been affected so it looks OK for now. And I am thinking that I may need to tell Vista BEFORE I change the router to use WPA2. Because in Vista it says WPA is being used.

    If I notice GB's of data being "taken" away from my account, then I will know someone hacked my router.

    What's the WORST that can happen if someone hacks my router? They just steal my bandwidth right?
     
    Last edited: May 11, 2010
  14. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    My router is the Billion 7401VGP R3. So it's using AES? Because in Vista, it says:

    Security Type: WPA-Personal

    Encryption Type: TKIP

    But I have option to change "Security Type" to: WPA2-Personal. Maybe I need to change that in Vista FIRST? Maybe that's why my router keeps reverting back to WPA?

    And I can change "Encryption type" to: AES. Currently it says: TKIP in Vista.

    Do I need to change Encryption Type in Vista to WPA2-Personal BEFORE I change the settings in my Router to WPA2?

    And should Encryption type be TKIP or should I change it to AES in Vista?
     
  15. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    My billion router doesn't have those features you showed in that pic.
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Select WPA2 personal, if you have the option choose "AES" only as Cipher (and not TKIP). Then go to VISTA and remove the connection and make it again from scratch. Done.

    Do not rely on what VISTA says, if you have selected WPA2 and AES in the router then you are fine. OS may not always correctly display your wireless security settings.

    Fax
     
  17. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Fax, I cannot select WPA2 on my router because as soon as it reboots, it reverts back to WPA and I have no idea why it does this and have no idea of the solution.

    And when I change from TKIP to AES in Vista, all of a sudden my Laptop won't connect to my router and I need to change it back to TKIP and then it connects again.

    Vista complains something about "This setting does not match the settings of the network".

    WHY?

    Anyone?

    It seems the only thing that works is WPA + TKIP. Nothing else works as when I change anything to AES or WPA2, my laptop disconnects from my router.

    Solution?
     
    Last edited: May 11, 2010
  18. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    GOOD NEWS everyone!

    I figured it out all by myself.

    What I had to do was exactly these steps because if I didn't do things in this order it wouldn't work.

    1. Login to my Router and change to WPA2-PSK. Then my Laptop would disconnect. NOT REBOOT ROUTER as this reverts router back to old password!

    2. Then change settings in Vista to WPA2-Personal + AES.

    3. Then laptop connected to router.

    And the reason why my router kept reverting back to WPA is that I needed to change Vista WPA to WPA2 BEFORE I rebooted my router, otherwise the router keeps reverting back to WPA.

    I wish someone had told me to do it these exact steps so I would have saved a lot of time playing around with this :p It's funny that a noob as myself figured this out and you experts couldn't tell me :p

    Suffice to say, I feel a lot better now running WPA2 + AES :)

    But I do have another problem... I am unable to change my wireless password in the router as that also reverts back to the old password. And if I change it in Vista FIRST, then it loses connection between router and laptop and I am unable to connect to router to change the password in the router :(
     
    Last edited: May 11, 2010
  19. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    The bit where you were told was in fax's post, here:

    philby
     
  20. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    What he forgot to mention was "DO NOT REBOOT ROUTER UNTIL YOU CHANGE THE PASSWORD IN VISTA" :)

    That was what I was doing wrong. I was rebooting router BEFORE I changed password in Vista, hence the router would revert back to old password.
     
  21. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I wanted to ask an important question... seeing I have now changed to using WPA2 and AES, is it crucial I change my old wireless password? Can someone still use that old password to login to my laptop and steal all my hard drive data?

    The reason I ask is that I am unable to change my wireless password for reasons mentioned above.
     
  22. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    AFAIK, you shouldn't have had to reboot the router providing you had saved the new setting in the router's GUI.

    I've read back but can't see why you can't change your password...?

    If it were me, I'd do a factory reset and start again, nice and clean.

    philby
     
  23. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Let's assume someone had FULL ACCESS to my wireless connection when I had WPA + TKIP, what kind of data and information would they have right now?

    What if someone hacked my wireless password. What exactly can they do once they have your password?

    And can someone login to my laptop and steal all my text files and important documents stored on my laptop's hard drive?

    Or can they only intercept the information flowing through the air from my laptop to my router? If so, can they have read my passwords I enter when I visit my Netbank etc?
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yes, correct :thumb: :D

    No, not needed. Router can/must reboot :)
    On Vista was enough to remove the existing connection and create a new one.

    Anyway, you found your way. But I would still:

    1. Connect via ethernet (cable) to the router
    2. Update the router with latest firmware (if you have not yet done it),
    3. Fully reset it (30-30-30 seconds method)
    4. Change default router access password
    5. Setup connection and/or WIFI (WPA2 AES)
    6. Use another wireless password
    7. On VISTA: Remove any old wifi configuration, discover again the router, add it.
    8. Done

    Cheers,
    Fax
     
  25. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Huh? Completely not related. There's no need to change password on your OS before changing on the router, actually it won't do a thing. Change settings in router/AP..and apply. Give the router/AP a few seconds to reload those changes and start broadcasting...and then give your PC a minute or so for the wireless config to pick up those new broadcasts...and then run through the easy peasy connection wizard where you will apply the new wireless security password, and you'll be connected.
     