Wireless networking can be kind of scary from a security standpoint. It opens up whole new attack vectors that were not present with wired network infrastructures. That doesn’t mean you can’t do it securely, however, and I aim to give you some ideas that can help you in that regard.
Many of these tips are likely to be inapplicable to a lot of people. For instance, if you’re running a wireless network that has to allow connections from a changing lineup of computers so that the specific computers on the network will not be constant, the point about restricting access by MAC address is unlikely to do much good. As always, you must exercise some common sense when reading through a list of security tips like this. You have to determine what options apply to you, and whether the fact that your plans make a given suggestion unusable means your plans are wrong or the suggestion simply is not relevant in your case.
- Use a strong password. As I pointed out in the article A little more about passwords, a sufficiently strong password (on a system with decent password protection) makes the likelihood of cracking the password through brute force attacks effectively impossible. Using a sufficiently weak password, on the other hand, almost guarantees that your system will be compromised at some point.
- Don’t broadcast your SSID. Serious security crackers who know what they are doing will not be deterred by a hidden SSID — the “name” you give your wireless network. Configuring your wireless router so it doesn’t broadcast your SSID does not provide “real” security, but it does help play the “low hanging fruit” game pretty well. A lot of lower-tier security crackers and mobile malicious code like botnet worms will scan for easily discovered information about networks and computers, and attack those that have characteristics that make them appear easy to compromise. One of those is a broadcast SSID, and you can cut down on the amount of traffic your network gets from people trying to exploit vulnerabilities on random networks by hiding your SSID. Most commercial grade router/firewall devices provide a setting for this.
- Use good wireless encryption. WEP is not exactly “good” encryption. With a freely available tool like aircrack, you can sniff wireless traffic protected by WEP and crack security on that network in a matter of minutes. WPA is the current, common encryption standard you should probably be using — though, of course, you should use something stronger as soon as it becomes available to you. Technology is advancing every day, on both sides of the encryption arms race, after all.
- Use another layer of encryption when possible. Don’t just rely on wireless encryption to provide all your security on wireless networks. Other forms of encryption can improve the security of the systems on the network, even if someone happens to gain access to the network itself. For instance, OpenSSH is an excellent choice for providing secure communications between computers on the same network, as well as across the Internet. Using encryption to protect your wireless network does not protect any communications that leave the network, so encryption schemes like SSL for dealing with e-commerce Websites is still of critical importance. The fact you’re using one type of encryption in no way suggests you should not be using other types of encryption as well.
- Restrict access by MAC address. Many will tell you that MAC address restriction doesn’t provide real protection but, like hiding your wireless network’s SSID, restricting the MAC addresses allowed to connect to the network helps ensure you are not one of the “low hanging fruits” that people prefer to attack. It is best to be effectively invulnerable to the expert security cracker, but there’s nothing wrong with being less palatable to the amateur as well.
- Shut down the network when it’s not being used. This bit of advice is even more dependent on specific circumstances than most of them. If you have the sort of network that does not need to be running twenty-four hours a day, seven days a week, you can reduce the availability of it to security crackers by turning it off when it isn’t in use. While many of us run networks that never sleep, and cannot really put this suggestion into practice, it is worth mentioning if only because one of the greatest improvements to the security of a system you will ever encounter is to simply turn it off. Nobody can access what isn’t there.
- Shut down your wireless network interface, too. If you have a mobile device such as a laptop that you carry around with you and use in public, you should have the wireless network interface turned off by default. Only turn it on when you actually need to connect to a wireless network. The rest of the time, an active wireless network interface is nothing more than another attack vector for malicious security crackers to use as a target.
- Monitor your network for intruders. You should always make sure you have an eye on what’s going on, that you are tracking attack trends. The more you know about what malicious security crackers are trying to do to your network, the better the job of defending against them you can do. Collect logs on scans and access attempts, use any of the hundreds of statistics generating tools that exist to turn those logs into more useful information, and set up your logging server to email you when something really anomalous happens. As a certain cartoon military SpecOps team from the 1980s would tell you, knowing about the danger is half the battle.
- Cover the bases. Make sure you have some kind of good firewall running, whether on a wireless router or on a laptop you use to connect to wireless networks away from home. Make sure you turn off unneeded services, especially on MS Windows where the unneeded services that are active by default might surprise you. In fact, do everything you can to secure your system regardless of OS platform, mobility of the system, or type of network.
- Don’t waste your time on ineffective security measures. Every now and then, I run across some technically deficient end user handing out free advice about security based on things overheard and half-understood. Generally, this advice is merely useless, though often enough it can be downright harmful. The single most common bit of bad advice I hear from such people with regard to wireless networking is the admonition that when connecting to a public wireless network, such as in a coffee shop, you should only connect if the network uses wireless encryption. Sometimes these people get the advice half right, and recommend only connecting to networks protected by WPA — it’s half right only because WPA is the wireless encryption you should use, if you are going to use wireless encryption at all. There is no point in trying to “protect” yourself by connecting to a public access point only if it uses encryption, however, because the fact that the encryption key will be handed out to anyone that asks for it completely obviates the supposed protection you expect. It’s a bit like locking the front door of the house, but leaving a big sign on the door that says “The key is under the welcome mat,” which only protects against illiterate burglars. If you want your network to be available to everyone that walks onto the premises, just leave it unencrypted, and if you need to connect to the Internet in some public location, don’t worry about encryption. In fact, if anything, the wireless encryption might more properly serve as a deterrent rather than an enticement to using that particular wireless network, because it reduces convenience without effectively improving security at all.
Most of the security tips one can offer about wireless networking are the sort of thing someone might call “common sense”. Unfortunately, there’s an awful lot of “common sense” floating around out there, and it’s not easy to keep it all in mind all the time. You should always check up on your wireless networks and mobile computers regularly to make sure you aren’t missing something important, and you should always double-check your assumptions to make sure you aren’t wasting your energy on something not only unnecessary, but entirely useless, when more effective security measures could use your attention.