Securing Wireless Networks for CompTIA Network+
Networking has evolved over the years to make interconnecting computing devices easier. This means that more and more people are able to both acquire networking devices and install them in a network[md] and these networks, once built, can be used to share information. However, the problem is it is hard to ensure that you are only sharing your information with select individuals and devices. Even in wired networks using copper-based interconnectivity, this is hard to guarantee. When you add Radio Frequency-based access points and wireless network cards to the mix, things become even more problematic. The danger is that virtually anyone can eavesdrop on our communications unless you employ some very basic preventative measures to secure the wireless network.
Change the Default Password
Linksys wireless access points and routers are shipped with a factory default password. This password is what you will be challenged with when you first login to the device to make configurations changes. As a general rule the default password use by Cisco for the Linksys Series of routers will be “admin.” The problem here is that this information is common knowledge, and therefore will be the first password a cyber-criminal would use if they tried to access your equipment illicitly. To prevent this eventuality, it is suggested that the password be changed from the default at the earliest opportunity.
On a Linksys router, the web-based setup page is where you will find the Administration tab. Once this tab has been selected, you will be presented with the option to enter a new password in both the Router Password and Re-enter to confirm fields. This change can be made permanent by clicking Save Settings and the Continue button on the next page.
Change the SSID
All wireless network devices have a default Service Set Identifier (SSID) that will have been set at the factory. This SSID will be the name of our Linksys wireless network by default, and can be up to 32 characters long. Cisco’s Linksys products all use linksys as the default SSID. Again, this is a situation where a cyber-criminal can attempt to use this default information to join a wireless network illicitly. It is suggested that the SSID be changed to something unique that does not relate to the networking products employed in the network. As an additional suggestion, it is best practice to rotate the SSID on a regular basis in order to hamper anyone that may have obtained it in the past through interaction with the network. This simple process can deter future penetration attempts.
On a Linksys router, the web-based setup page is where you will find the Wireless tab. Once this tab has been selected, you will be presented with the option to enter a new Network Name (SSID). This change can be made permanent by clicking Save Settings and the Continue button on the next page.
Enable WPA Encryption
Encryption allows protection for data that is transmitted over a wireless network. Wired Equivalency Privacy (WEP) and Wi-Fi Protected Access (WPA) offer different levels of security for wireless communication. WPA is considered to be more secure than WEP, because it uses dynamic key encryption. As a general rule, the highest level of encryption that is supported by your network equipment should be used when securing your wireless network. This means in most cases WPA will be the encryption of choice.
WPA uses dynamic key encryption, which means the key is constantly changing and makes penetrating its security more difficult than WEP. Within WPA, there are two versions that utilize different processes for authentication:
- Temporal Key Integrity Protocol (TKIP) creates a dynamic key encryption and mutual authentication. TKIP provides the security features that fix the limitations of WEP. Since the keys are always changing, it provides a very high level of security for your network.
- Extensible Authentication Protocol (EAP) provides message exchange during the authentication process. It utilizes the 802.1x protocol to authenticate users via a RADIUS server (Remote Authentication Dial-In User Service). This provides industrial strength security for your network, but requires a RADIUS server to operate.
WPA2 is the second generation of WPA and it is backwards compatible with products that only support WPA. The main difference between the original WPA and WPA2 is that WPA2 requires Advanced Encryption Standard (AES) for encryption of data, while the original WPA only uses TKIP. AES provides enough security to meet the high level standards of many federal government agencies. Like the original WPA, WPA2 supports both an enterprise and home version. WPA2 is strongly recommended if your router and computers can support this security enhancement emphasizing the rule to use the strongest encryption mechanism possible.
To configure the wireless security settings on our Linksys you will select the Wireless tab first and then the Wireless Security subheading. This will reveal the Security Mode drop down menu. This menu is where you select the WPA, WEP or RADIUS security modes, and the passphrase that will be used by the process. This passphrase will typically be 8-63 characters long. Any changes can be made permanent by clicking Save Settings and the Continue button on the next page.
Disable SSID Broadcast
By default the majority of wireless devices broadcast their SSID. This means that anyone can easily join the wireless network with just this information. This extends to cyber-criminals, so unless you are setting up a hotspot for public use, it is best practice to disable the broadcasting of the SSID. Many people think it is convenient to broadcast the SSID to make joining a given network virtually “plug-and-play”; however, this same behavior can be setup on a computer without requiring the SSID to be broadcast.
On a Linksys router the web-based setup page is where you will find the Wireless tab. Once this tab has been selected, you will be presented with the Basic Wireless Settings page. At the bottom of this page there are two radio buttons next to the SSID Broadcast field. Select Disable to turn off the feature. This change can be made permanent by clicking Save Settings and the Continue button on the next page.
Filter MAC Addresses
A Linksys router has the ability to enable MAC (Media Access Control) address filtering. With MAC address filtering enabled, you can select the computers that can access your network. This makes it extremely difficult for a cyber-criminal to access your network using an unspecified MAC address.
MAC addresses are unique sequences of numbers and letters assigned to a physical network interface based on the manufacturer or vendor. MAC address filtering allows only devices with specified MAC addresses to attach to a wireless network.
On a Linksys router, the web-based setup page is where you will find the Wireless tab. Once this tab has been selected, you will be presented with the Wireless MAC Filter sub-tab. Once this is selected you will be presented with radio buttons to enable or disable the feature. Once the feature has been enabled you must chose to prevent or permit the MAC addresses in the Wireless Client List to connect to the network. Any changes can be made permanent by clicking Save Settings and the Continue button on the next page.
Conclusion
In this article we have looked at the five essential configuration changes needed to secure a wireless network. These are by no means all the features available, but all five are absolutely necessary if any level of security to be established, and forms the first line of defense against viruses, spam email, and identity theft.