So, I've got a wireless network at home. You've probably got one. And now, my mother-in-law, who up until the other day was operating on Windows 95, wants one. (I thought the world was safe, but I guess not.) You may even have one in your business.

Practitioners may have been preaching for a long time, but wireless security is, well, dull. However, wireless security is more important than wired security because there are fewer controls. For example, by the time some freak can tap into my ethernet cable at home, they might as well walk away with the computer as well. Whereas wireless doesn't hang out behind closed and locked doors, or even confine itself to your property. If you live in an apartment or have neighbors within a reasonable distance, your wireless connection probably bleeds into their living area or lawn. (In fact, last year, I wandered around my mother-in-law's yard looking for broadband wireless access since she only has dial-up. I found one or two points.)

It's the Name, Stupid!
The access point or router you bought has a default user name and password. Whether it's Linksys, Netgear, Cisco, Buffalo or whatever, it's safe to assume that every other unit that company manufactures has the same default user name and password. Change these right away. My former neighbors had a horrible dog that barked all hours of the night. I couldn't get the police to do anything about it and the neighbors didn't care. They also had wireless internet. On numerous occasions, I opened up their router's configuration page using the default user name and password and considered shutting off their access. But I didn't. (I wish I had, however.)

Particularly if you're in a corporate environment, don't name your critical access point something obvious (e.g. Server Room, Headquarters). Doing so is like walking down a seedy street with a t-shirt that says "I'm loaded!" If you're setting up a wireless network at home, just name your network something more interesting than the Joneses. For creativity's sake, please.

Don't Be Easy Prey
Next, if at all practical, shut off the SSID broadcast. This is security through obscurity, nothing more. The SSID broadcast simply yells out to all devices listening in the vicinity the equivalent of "I'm here. My name is blank." By shutting the broadcast off, you will prevent the average Joe from using your bandwidth.

Filter your MAC addresses, if you can. MAC stands for Media Access Control, but it's really an address that each connection point on a computer or device is given. A computer with an Ethernet card and a wireless card will have two different MAC addresses. Again, this is security through obscurity. Understandably, if you have many different users and devices checking in and out on an irregular basis, doing anything with MAC addresses might be a big hassle. However, if you have a relatively stable user and device group, you'll stop anyone from accidentally stumbling on the network.

Look, honestly, I don't care whether my neighbor uses my internet. I've got more than enough bandwidth with my DSL connection. In fact, if we were closer, in familiarity and proximity, I might even offer it up. But, you don't want somebody you don't know getting on your network. They might not care enough or be smart enough to access data or learn passwords, but if they go visit an inappropriate website, the activity could be traced back to your router. And, dealing with an investigator would suck.

Getting yourself to this level of security will stop a lazy, harmless individual from using your bandwidth. If you suspect your network might be exposed to those who are more industrious or ill-intentioned, you'd better go further.

Get Strong(er)!
Encrypt your data. Most wireless routers and access points have WEP, which stands for Wireless Encryption Protocol. WEP can be cracked fairly easily. In fact, in just a few packets

A stronger protocol is WPA, or Wi-Fi Protected Access, which is sometimes also referred to as WPA2. The router provided by my DSL carrier only has WPA-PSK (Wi-Fi Protected Access Pre-Shared Key), sometimes referred to as WPA. WPA-PSK was rolled out before WPA became a standard. It has only the Pre-Shared Key feature of WPA, and is not as secure. WPA-PSK can be cracked by a dictionary attack.
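
Why a dictionary attack works against WPA-PSK, and how to check your own passphrase and network name against it. This is an added example, not part of the original post: the function names and the two sample lists are constructed for illustration, and the key derivation is the PBKDF2 scheme defined in IEEE 802.11i.

```python
import hashlib

# Constructed sample lists for this example (not from the post).
COMMON_WORDS = {"password", "12345678", "qwertyuiop", "iloveyou", "letmein1"}
FACTORY_SSIDS = {"linksys", "netgear", "default"}


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key the way IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out."""
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )
    return key.hex()


def audit(passphrase, ssid):
    """Return a list of weaknesses for a passphrase/SSID pair (empty = none found)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase must be 8 to 63 characters")
    if passphrase.lower() in COMMON_WORDS:
        findings.append("passphrase is on a common word list")
    elif passphrase.isalpha() or passphrase.isdigit():
        findings.append("passphrase uses only letters or only digits")
    if ssid.lower() in FACTORY_SSIDS:
        # The SSID is the only salt, so keys for a factory name can be
        # computed once, ahead of time, and reused against every such network.
        findings.append("factory SSID allows precomputed key tables")
    return findings


if __name__ == "__main__":
    # Nothing secret besides the passphrase goes into the key.
    print(wpa_psk("password", "IEEE"))
    print(audit("password", "linksys"))
    print(audit("correct horse battery staple 42", "BarkingDogHouse"))
```

The key depends only on the passphrase and the network name, so a long passphrase that is not on any word list, paired with a network name of your own, is what takes the dictionary attack off the table.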

WPA has not, to my knowledge, been cracked. At least, the tools to do so are not yet widespread. If your router has WPA, use it. If it doesn't, properly assess your data and the environment around you. If you're honest with yourself, you'll probably find that you are not at a high risk.

Wear Layers
Remember how your mom said to wear layers? That's good advice when it comes to wireless security too. MAC filtering and encryption will keep all but fairly skilled and bored hackers at bay.

Encrypting the data itself as it travels will provide an extra layer of protection, making it more difficult for a hacker. If you're really paranoid, buy a newer router, one with WPA. Or, stay wired.

Performance Issues
I've noticed that by simply adding the MAC filter and shutting off the SSID broadcast, the Linksys wireless card on my desktop at home is slower, initially, to pick up a signal, perhaps by as much as 5 minutes. Shutting off the SSID broadcast can lead to some connectivity issues, but I've never noticed this with any other devices, including Windows laptops, Mac laptops, Mac desktops, and Palm handhelds. This latency may just be an anomaly, or the delay may have something to do with the desktop configuration. Admittedly, this is my first wireless Windows desktop.

When encrypting data, you'll see some slowdowns in performance. Most studies show that the slowdown amounts to about 30%. In all likelihood, you won't notice this too much. Try it, see if you can tolerate it. That's my advice.
