The Henna Page Tech Pages
"Got WiFi? Lock it down...NOW!!"
Security basics for your home office wireless LAN

by Roy Jones © 2007


Wireless is one of the great enabling technologies of recent years. With wireless devices, you can do anything on a local network or on the Internet that you can do using a stationary wired connection. The key word is “convenience,” but anyone who knows me knows that when I see the word convenience and anything about computers or data networks on the same page, my first thought is “security breach.”

Don’t get me wrong...I love wireless. I use it. I help administer a wireless network on my job. I even wrote my master’s dissertation on wireless networks. All the same, I know that wireless is dangerous when handled improperly and current statistics show that most people using wireless on their home and small office networks aren’t handling their wireless systems properly at all.

If you have a wireless access point or wireless router, did you reset the default username and password before you put it into service? If not, you are among the estimated nearly 50% of home wireless users whose networks are wide open to bandwidth thieves, snoopers and spammers. Wireless makes it easy for you to access your home or small office network and all the data you have stored there and all the devices you have connected. An unsecured wireless network is just as easily accessed by anyone who happens to be nearby with a wireless laptop, and this puts your data and your network account at risk.

“Wardrivers,” hackers who drive around looking for open wireless networks, can access your network connection through an open wireless access point. Some wardrivers are just in it for the sport and might send a couple of e-mails to their colleagues to prove they were able to access the network, but they could just as easily use your network to send a few thousand spam e-mails which, if traced back to you from the header information, could get you in hot water with your Internet service provider.

Unsecured wireless is an invitation to identity theft because of the amount of personal data that so many people leave on their desktop and laptop machines. Personal data exists in the files you leave on your system and in the browser cache and history files, the “Recent” folder, temp files, system logs, swap files and many other places the ordinary computer user would never suspect. If your wireless access point is “open to the public” anybody can locate and copy all of that data in minutes and examine it at leisure and you would never know your system had been breached.

Part of the problem of wireless security is the number of wireless access points and routers that are running in their “out of the box” configuration, which means they are all using the same userid and password. Any hacker who examines your access point will identify the make and model and then try the default userid and password that were installed at the factory.

I could go on, but I hope I’ve scared you enough that you’ve begun looking for the user’s manual for your wireless router or access point to see if you followed the setup instructions correctly. Details vary as to how to secure your wireless hardware, but here are three elementary steps that you should take toward locking down your wireless connection.

  • Change the default administrator username. Make sure you change it to something that isn’t obvious. That means avoid using your family or business name or any part of your address or phone number as your username.

  • Configure your access point to use WPA-PSK security and change the default password. The standard recommendation for passwords is a minimum of 8 random characters, although 10 characters makes a significant difference in the "strength" of a password. Note that I recommend random characters. We humans like patterns too much to be capable of producing a truly random sequence on our own, so find a random character generator...either on a reliable Website or in software...and let the machine do the job for you.

  • It's been an article of faith for some time in the popular press on wireless that disabling SSID broadcasts is a "best practice" for wireless security. The SSID or "Structure Set IDentifier" is the name you assign to your wireless LAN and the SSID broadcast is what makes it possible for your wireless laptop or desktop to "find" the access point to your network, or any other nearby network. Intuitively, it makes sense to shut off the SSID beacon as a way of putting your wireless LAN in stealth mode, and I admit I believed in turning off the SSID beacon for all the reasons I've read in a number of books and articles on wireless. However, in a piece on the ZDNet site, wireless expert George Ou makes a strong case for not disabling the SSID beacon and he's made a believer out of me.
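As an added example that is not part of the original article, here is a short Python script that does what the WPA-PSK bullet asks: it draws a passphrase from the operating system's cryptographic random source instead of from a human's head, quantifies how much harder 10 random characters are to guess than 8, and applies the "nothing obvious" rule from the username bullet by rejecting any secret that contains a personal string you pass in. The 94-character alphabet (printable ASCII without the space) is my assumption about what your router will accept.

```python
import math
import secrets
import string

# A WPA-PSK passphrase is 8 to 63 printable ASCII characters; this alphabet is
# all of them except the space character, 94 symbols in total (assumed here).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def guess_multiplier(short: int, long: int, alphabet_size: int = len(ALPHABET)) -> int:
    """How many times more guesses a brute-force search needs for `long` vs `short` characters."""
    return alphabet_size ** (long - short)


def generate_psk(length: int = 10) -> str:
    """Draw a passphrase from the OS cryptographic RNG (the `secrets` module),
    never from random.random(), which is predictable."""
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable(secret: str, personal=()) -> bool:
    """Reject a username or passphrase that is shorter than 8 characters or that
    contains any personal string (family name, street, phone digits) the caller
    lists, ignoring case."""
    if len(secret) < 8:
        return False
    lowered = secret.lower()
    return not any(p and p.lower() in lowered for p in personal)


if __name__ == "__main__":
    print(f"8 chars: {entropy_bits(8):.1f} bits, 10 chars: {entropy_bits(10):.1f} bits")
    print(f"10 characters cost an attacker {guess_multiplier(8, 10):,} times more guesses")
    print("example key:", generate_psk(10))
```

Two extra characters multiply the brute-force work by 94 squared, which is the "significant difference" the bullet refers to in concrete terms.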

Three other things you should do to help secure your network.

  • Change the router's default IP address. Most manufacturers ship their broadband routers with the IP address set to 192.168.0.1. Care to guess what address even the dumbest hacker will look for when he's "footprinting" a network looking for a potential victim?

  • On your router, put port 113 in “stealth” mode. Ports are local addresses used to connect to specific applications on your computer. All unused ports should be in stealth mode to keep them from being compromised by hackers. For reasons too complex to go into in this article, port 113 is open on many broadband routers. This was once necessary but not any longer, so close it. Go to the Gibson Research Website to find out more, to test your router and for instructions on closing port 113 if it’s open. Gibson Research is a good site to know. Have a look at their other tutorials and free diagnostic tools.

  • Look in your router’s control panel for a setting called “Deny Inbound ICMP,” “Drop Wanside ping” or something similar. Ping is an ICMP (Internet Control Message Protocol) application used to test whether a device is live on the network. If I ping your PC’s address and it’s up and running, it will send back a response to my PC, something like answering a knock at the door. The problem is that hackers looking for computers to compromise will use “ping sweep” tools that can run through thousands of addresses to look for likely targets. If your PC doesn’t answer, it’s less likely to be attacked. While you're at it, make sure your router is configured to drop all anonymous connection requests. This will help keep other network hosts from opening clandestine sessions on your computer.

  • If you must keep sensitive data on your desktop or laptop, encrypt it. Windows and Mac OS both have built-in security that you can invoke on any folder on your system. You can also make selected folders invisible and inaccessible to anyone but you. Windows users, have a look at this article on the Tech Republic Website to get started. Mac OSX users can read this series on desktop security. Only use encryption on data folders, never on applications or any part of your operating system.

Be aware that there is no such thing as perfect security in the online world. Most personal computers are used as communication devices, which means they’re at least partially open to allow data to flow in and out, so your PC and your network are never absolutely locked down. What the steps I’ve laid out here will accomplish is to make it more difficult for someone with bad intent to get into your system and get his hands on your stuff. The more conscientious you are about data and network security, the less likely you’ll be to find you’ve been “owned.”

You can e-mail specific computer questions to Roy Jones at streetleveltech@hotmail.com.
