Home Wireless Security Settings Tips

ENABLE WIRELESS ENCRYPTION

Enabling Wireless encryption is essential otherwise every one within your Radio Frequency (RF) range (and remember the Wireless network
world record distance is 125 miles!), at best can capture your traffic compromising surfing habits, gathering usernames and passwords and at
worst sharing illegal images or hacking over your Wireless network for which you are legally responsible.

DO NOT USE WEP (WEP is trivially broken)

DO NOT USE A DICTIONARY BASED WORD FOR YOUR WPA/WPA2 PSK

DO USE WPA2 (BEST) or WPA (NEXT BEST) WITH A NON-DICTIONARY PSK

Linux

Linux tools, Howtos

Tools Index
Wireless Commands
Note: Use AES encryption where you can, it's the strongest available.
DISABLE SSID BROADCAST
FC6 Build Howto Ensure you disable the SSID broadcast on you Access Point this will hide your Wireless access point from casual WARDRIVERS. While it is still
trivial for a proficient WARDRIVER to determine the SSID it makes him/her work that little bit harder and there may be easier targets in the
FC5 Build Howto neighbourhood.

FC4 Build Howto

Live Linux Distros
ENABLE MAC FILTERING
Ensure you configure your MAC filters, this will tie your access point down to only those devices with the MAC addresses you specify.
Site Search

Search

Windows

WIN32 tools, Howtos

Tools Index
CONS: MAC addresses can be spoofed fairly trivially in both Windows and Linux.
UPDATE FIRMWARE
It is essential to keep you Access Points firmware up to date. Vulnerabilities are discovered daily and it could just happen that your Access Point
is compromised through a newly discovered exploit this is not restricted to Wireless attacks and may even occur via a wired interface

General

Miscellaneous WI-FI

Default WI-FI Settings

Rogue AP Howtos ENABLE SECURITY FEATURES

WI-FI Certifications
While this may seem obvious ensure all of you
802.11 Standards
Access Points security features have been
STEP BY STEP Guides
enabled, many Access Points security settings
Formats / Extensions
default to non-enabled for functionality
WI-FI Home Security
purposes.
Useful Links

CHANGE DEFAULT PASSWORD

The default password for your Access Point should be

changed at the earliest opportunity, to a strong non-
dictionary based word to ensure no attackers are able
to reconfigure settings.

ENABLE HTTPS
Management of the access point should be carried out via HTTPS (which is encrypted) in preference to HTTP (which passes traffic in clear text)
to prevent your Access Point management username and password from being compromised.

LOGGING
Ensure that logging is enabled (it is too often disabled by default) on your Access Point and check those logs regularly. Logs will hopefully give
you an indication of whether or not you have an unwelcome visitor.

PARANOID?

We believe that the 7 settings already discussed (if carried out as described) will make your Access Point more than reasonably secure. For the
truly paranoid (and we count ourselves among them) however, we have 2 more.
DISABLE THE DHCP SERVER
Rather than have the Access Point's DHCP server issue wireless clients (which could include a wireless attacker) with all the configuration
necessary to join the network (and thus the Internet) we prefer to statically configure these settings on the client. We also prefer to use a IP
range that is not easily guessed (i.e. not 192.168.0.X or 192.168.1.X etc.) whist still in the private address range.

POWER OFF WHEN NOT IN USE

If you're going away for the weekend or on holiday, turn off that Access Point. If its not active, it's not going to be compromised.

Disabling wireless client machines when not is use is equally important. For example an Access Point with no clients can make discovering a
hidden SSID truly challenging.

The images displayed are taken from a Linksys WRT54G Wireless Access point and are included as a rough guide as to the settings discussed.

GLOSSARY

DHCP

Dynamic Host Configuration Protocol (in this instance) is used to issue wireless clients with their IP address, subnet mask, default gateway and
DNS server settings (Basically all the configuration settings that clients require to access the Internet).

Private Address Range

Private IP addresses provide a basic form of security, it is not possible for the outside world (Internet) to establish a connection directly to a host
using these addresses:

10.0.0.0 through 10.255.255.255

172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255
 PRE-SHARED KEY also known as a PASSWORD or PASSPHRASE

SSID

A Service Set Identifier (SSID) is essentially a wireless network name that identifies a wireless network, it must be configured on all wireless
devices what which to use the network.

WARDRIVER

"Someone that takes part in Wardriving, an activity consisting of driving around with a laptop in one's vehicle, detecting Wireless networks. It is
similar to using a scanner for radio. Most Wardrivers will use GPS devices to find the exact location of the network found and log it on a website.
For better range, antennas are built or bought, and vary from omni-directional to fully directional. Software for Wardriving is freely available on
the internet, notably, NetStumbler." -Wikipedia

© Copyright 2010 Wirelessdefence.org. All Rights Reserved.