This chapter looks at how to configure the basic security settings on the four most popular access points currently deployed for wireless home use (Linksys WAP11, BEFW11SR, and WRT54G, and the D-Link DI-624). It covers the practical steps for implementing wireless security for home systems.
There are four very simple steps that are sufficient for most home users:
The Linksys Wireless Access Point (WAP) 11 802.11b access point was one of the first access points deployed by a large number of people. The WAP11 was the wireless access point many users purchased that already had a home network with a router set up. The WAP11 requires a separate router in order to allow access to any non-wireless devices, to include Internet access. This section details the minimum steps you should take to configure the WAP11 securely. All of the steps outlined in this section should be done from a computer that is connected to your wired network. This is because as you make changes the access point will need to reset. When the access point resets, you will likely lose your wireless connection momentarily.
The first step you need to take is to set a unique SSID for your access point. When you log in to your access point, by default there is no username assigned to the WAP11 and the password is admin. This brings up the initial setup screen (Figure 20.1).
In the AP Name field, choose a name for your access point. This is NOT the SSID, but it is prudent to set this to a unique name. Many access points are named after the address of the owner or the company name, making them easier for an attacker to target. Next, replace “Linksys” with a unique SSID. This can be anything that you want, though it is not a good idea to use your address, phone number, social security number, or any other information that identifies you specifically. Figure 20.2 depicts the setup screen after a unique AP Name and SSID have been chosen.
Once these are set, click Apply and your changes are stored. Setting a unique SSID is a good first step for practicing security, but without taking additional steps it is relatively useless. A unique SSID will contain a combination of upper- and lowercase letters, numbers, and special characters. Additionally, using nonprintable characters will cause some WarDriving applications to crash or identify the SSID incorrectly.
After you have set a unique SSID on your access point, the next step is to disable the SSID broadcast. By default, access points transmit a beacon to let wireless users know that they are there. Active scanners such as NetStumbler rely on this beacon to find access points. By disabling the SSID broadcast, you have effectively placed your access point in stealth, also known as cloaked, mode.
To disable the SSID broadcast, first click the Advanced tab on the initial setup screen. This will take you to the screen shown in Figure 20.3.
Next, click the Wireless tab to bring up the advanced wireless settings, as shown in Figure 20.4.
Select the Disable radio button, and then click Apply to save your settings. Passive scanners, such as Kismet and AirSnort, have the ability to detect cloaked access points, but disabling SSID broadcast is one more step toward an effective overall security posture.
After you have set a unique SSID and disabled SSID broadcast, the next step is to enable WEP encryption. The flaws associated with WEP have been widely publicized and discussed. Inasmuch, because it is possible to crack WEP keys, you should not rely on WEP alone, but use WEP as a part of your overall security posture.
Although WEP is flawed, actually cracking the WEP key is not a simple process on a home network, for two primary reasons.
It usually requires at least 1200 Weak IVs to be collected before a WEP key is cracked. On a home network it can take days, weeks, or even months to generate enough traffic to capture that many Weak IVs. It is highly unlikely that an attacker will invest that amount of time into attacking a simple home network, especially when there are so many networks that don’t have WEP enabled.
Many vendors have also developed firmware upgrades that reduce or eliminate the number of Weak IVs that are generated. This further increases the amount of time it takes to successfully crack a WEP key.
To enable WEP on the Linksys WAP11, on the main setup screen select the Mandatory radio button, as shown in Figure 20.5.
Next, click WEP Key Setting to open the WEP Key Setting window, as shown in Figure 20.6.
In the WEP Key Setting window, change 64Bit to 128Bit in the drop-down box (as shown in Figure 20.7) to require 128-bit WEP keys. As the number of bits implies, 128-bit WEP provides a stronger, harder to crack key than 64-bit.
Leave the Mode set to HEX and choose a strong passphrase to generate your keys. A strong passphrase consists of a combination of upper- and lowercase letters, numbers, and special characters. Once chosen, enter your passphrase in the Passphrase text box and click Generate. This will create four WEP keys. See Figure 20.8.
Since four keys are generated, you need to decide which one your client should use. Set the Default TX Key to the number (1–4) that you want to use on your network. Once you have generated your WEP keys and chosen the key to transmit, click Apply to save your settings.
Information on configuring your client software is provided later in the “Configuring Security Features on Wireless Clients” section of this chapter.
Once you have set a unique SSID, disabled SSID broadcast, and required the use of WEP encryption, you should take at least one more step: filtering by Media Access Control (MAC) address. To enable MAC address filtering on the Linksys WAP11, from the main setup screen click the Advanced tab to display the Advanced wireless settings (Figure 20.9). Click the Enabled radio button to enable MAC address filtering. Next, select the radio button for Only Allow PCs With MAC Listed Below To Access Device. Finally, in the text boxes labeled MAC 1 thru MAC 10, list the MAC addresses of any wireless clients that are allowed to access your wireless network. Click Apply to save and enable your settings. Instructions for finding the MAC address of your card are provided in the “Tools & Traps” sidebar in this chapter.
Tools & Traps…
Finding the Media Access Control (MAC) Address of Wireless Cards
Finding the Media Access Control (MAC) address of your wireless card is a simple process. The easiest way is to look at the back of the card itself, as every wireless card has a label on the back that provides information like: the FCC ID, the encryption standard that is supported, and the MAC address. Figure 20.10 shows this label.
Figure 20.10. Finding the MAC address on the card label
Windows 2000 and XP users can find the MAC address using the ipconfig/all command.
The Physical Address highlighted in Figure 20.11 is the MAC address for the wireless card. Linux users can determine the MAC address of their card using ifconfig <interface> command.
Figure 20.11. Using ipconfig/all in Windows to determine the MAC address
The highlighted HWaddr shown in Figure 20.12 is the MAC address of the wireless card.
Figure 20.12. Using ifconfig to determine the MAC address in Linux
The most popular 802.11b access point currently deployed is the Linksys BEFW11SR Access Point/Router. The BEFW11SR gained popularity because it combined both a wireless access point and a wired router into one device. This section details the minimum steps you should take to configure the BEFW11SR securely. All of the steps outlined in this section should be done from a computer that is connected to your wired network. This is because, as you make changes, the access point will need to reset. When the access point resets, you will likely lose your wireless connection momentarily.
The first step you need to take is to assign a unique SSID to your access point. When you log in, you’ll find, by default, that BEFW11SR has no username and the password is admin. This brings up the initial setup screen (see Figure 20.13).
Next, enter a unique SSID in the SSID textbox, as shown in Figure 20.14.
Finally, click the Apply button to save your new SSID.
After you have assigned a unique SSID to your BEFW11SR, you should disable SSID broadcast. Disabling SSID broadcast prevents active wireless scanners like NetStumbler from finding your access point.
From the initial setup screen, select the Disable radio button next to SSID Broadcast. Next, click the Apply button to save your settings and disable SSID broadcast, as shown in Figure 20.15.
Once you have set a unique SSID and disabled SSID broadcast, the next security measure you should enable is WEP encryption. On the initial setup screen, select the Mandatory radio button next to WEP, as shown in Figure 20.16.
Next, click the WEP Key Setting button to open the WEP Key Setting window. Enter a strong passphrase in the Passphrase textbox and click the Generate button. This generates a WEP key for your network, as shown in Figure 20.17.
Next, click the Apply button to save your settings. You also need to configure any wireless clients that use the BEFWllSR with the same WEP key. Instructions for setting up wireless clients are presented in the “Configuring Security Features on Wireless Clients” section later in this chapter.
After you have set a unique SSID, disabled SSID broadcast, and enabled WEP, your next step is to filter by Media Access Control (MAC) address. Filtering by MAC address allows only wireless clients with pre-determined MAC addresses to connect to the access point.
From the initial setup screen, click the Advanced tab. This brings up the advanced settings window. Next, click the Wireless tab to open the advanced wireless settings window, as shown in Figure 20.18.
Select the Enable radio button next to Station MAC Filter, as shown in Figure 20.19.
Then, click the Edit MAC Filter Setting button to open the Wireless Group MAC Table window, shown in Figure 20.20.
Next, enter the MAC addresses of the clients that are allowed to access your wireless network in the MAC Address textboxes and select the Filter checkbox next to each of them, as shown in Figure 20.21.
Finally, click the Apply button on the Wireless Group MAC Table window, the Advanced Wireless Settings window, and the initial setup screen to save your settings.
The most popular 802.11g device is the Linksys WR.T54G 802.11b/g Access Point/Router. The WRT54G gained popularity in 2003 as 802.11g devices became more common and affordable. 802.11g devices operate on the 2.4 GHz band, like 802.11b, but offer speeds up to 54 megabits per second (Mbps). Additionally, 802.1 lg devices are compatible with 802.1 l b cards. This section details the minimum steps you should take to configure the WRT54G securely. All of the steps outlined in this section should be done from a computer that is connected to your wired network.
The first security measure you should enable on the Linksys WRT54G is setting a Unique SSID. When you log in to the WRT54G, by default, there is no username required and the password is admin. This brings up the initial setup screen (see Figure 20.22).
In the SSID textbox, enter a unique SSID, as shown in Figure 20.23.
Then, click the Apply button to save your settings.
After you have set a unique SSID, disable the SSID broadcast. From the initial setup screen, select Disable from the SSID Broadcast drop-down box, as shown in Figure 20.24.
Then, click the Apply button to save your settings and disable SSID broadcast.
Once you have set a unique SSID and disabled SSID broadcast, you need to require the use of 128-bit WEP encryption. From the initial setup screen, choose the Enable radio button next to WEP to require WEP encryption, as shown in Figure 20.25.
Next, click the Edit WEP Settings button, opening the WEP Keys window. Select 128 bits 26 hex digits from the WEP Encryption drop-down box to require 128-bit WEE Type a strong passphrase in the Passphrase textbox. This is the passphrase that will be used as the basis for generating WEP keys. Click the Generate button to generate four WEP keys, as shown in Figure 20.26.
Next, select the key (1–4) that you will initially use by choosing the appropriate radio button next to Default Transmit Key. Finally, click Apply on both the WEP Keys window and the initial setup screen to save your settings.
After you have set a unique SSID, disabled SSID broadcast, and enabled WEP encryption, you need to filter access to the WRT54G by MAC address.
First, from the initial setup screen click the Advanced tab to display the Advanced Wireless screen (see Figure 20.27).
Next, select Enable from the Wireless MAC Filter drop-down box. This will reveal the MAC filter options, as shown in Figure 20.28.
Choose the Permit Only PCs Listed Below To Access The Wireless Network radio button, and click the Edit MAC Filter List button to display the MAC Address Filter List window (see Figure 20.29).
Enter the MAC addresses of wireless clients that are allowed to access your wireless network in the provided textboxes and then click Apply, as shown in Figure 20.30.
Finally, click Apply in the Advanced Wireless window to save your settings and enable filtering by MAC address.
Although Linksys has a sizable share of the home access point market, D-Link also has a large market share. D-Link products are also sold at most big computer and electronics stores such as Best Buy and CompUSA. This section details the steps you need to take to enable the security features on the D-Link 624 AirPlus 2.4 GHz Xtreme G Wireless Router with 4-Port Switch. The DI-624 is an 802.11g access point with a built-in router and switch similar in function to the Linksys WRT54G.
The first security measure to enable on the D-Link DI-624 is setting a unique SSID.
First, you need to log into the access point. Point your browser to 192.168.0.1. Use the username admin with a blank password to access the initial setup screen (see Figure 20.31).
Next, click the Wireless button on the left side of the screen to bring up the Wireless Settings screen, as shown in Figure 20.32.
In the SSID textbox, enter a unique SSID, as shown in Figure 20.33, and click Apply to save and enable the new SSID.
After you have set a unique SSID, you will need to enable 128-bit WEP encryption.
First, choose the Enabled radio button next to WEP, as shown in Figure 20.34.
Next, choose 128Bit from the WEP Encryption drop-down box, as shown in Figure 20.35.
Then, you will need to assign a 26-character hexadecimal number to at least Key1 (see Figure 20.36). A 26-digit hexadecimal number can contain the letters A–F and the numbers 0–9.
Finally, after you have assigned your WEP keys, click Apply to save your settings. Any wireless clients that connect to the DI-624 must be configured to use this WEP key.
After you have set a unique SSID and enabled 128-bit WEP encryption, you should filter access to the wireless network by MAC address.
First, click the Advanced tab, as shown in Figure 20.37.
Next, click the Filters button on the left side of the screen, as shown in Figure 20.38.
Then choose the MAC Filters radio button. This makes the MAC Filtering options visible, as shown in Figure 20.39.
Finally, select the Only Allow Computers With MAC Address Listed Below To Access The Network radio button and enter the MAC address of each client card that is allowed to access the network. You must also enter a descriptive name, of your choice, for each client in the Name textbox (see Figure 20.40). Note that you must click Apply after each MAC address entered.
After you have set a unique SSID, enabled 128-bit WEP, and filtered access by MAC address, you need to disable SSID broadcast.
From the Advanced Features screen, click the Performance button, as shown in Figure 20.41.
Select the Disabled radio button next to SSID Broadcast and click Apply to save your settings, as shown in Figure 20.42.
After you have configured your access points to utilize security features, you will then need to configure each wireless client to work with your access points. This means that each wireless client needs to be configured with the correct SSID and have the appropriate WEP key entered and selected.
For Windows XP Clients, double-click the Wireless Network Connections icon on the taskbar to bring up the Wireless Network Connection Properties window (see Figure 20.43).
Next, click the Add button to add a new preferred network. Enter the SSID of your network in the SSID textbox, and un-check The Key Is Provided For Me Automatically. Then, enter the WEP key for your wireless network in the Network Key and Confirm Network Key textboxes, as shown in Figure 20.44.
Finally, choose the appropriate key index (1–4) and click OK. If your settings are correct, you will be connected to your access point.
Unlike Windows XP, with Windows 2000 you will need to configure the wireless client software that came with your wireless card. The examples shown in this section are for the ORINOCO client manager. The exact steps for other client managers may differ, but the basic idea is the same.
To create a wireless profile for your access point, double-click the client manager icon on the taskbar to open the Client Manager. Choose Actions | Add/Edit Configuration Profile to open the Add/Edit Configuration Profile window, as shown in Figure 20.45. Select the radio button next to a blank profile and enter the name of the profile.
Next, click the Edit Profile button. On the Basic screen, enter the SSID of your access point in the Network Name textbox. Then, click the Encryption tab, as shown in Figure 20.46. Choose the Use Hexadecimal radio button and enter your WEP keys (1–4).
Finally, click OK to save your settings. Your wireless client is now configured for use with your access point.
Configuring wireless clients for use with your network after security features have been enabled is a simple two-step process.
First, you need to edit the /etc/pcmcia/wireless.opts file (see Figure 20.47).
Ensure that the four lines starting with the line that reads START SECTION TO REMOVE have been commented out by placing a pound sign (#) in front of each, as shown in Figure 20.48.
Next, find the appropriate section for your wireless card. Enter the SSID your access point uses in the ESSID section. Then, enter the WEP key for your wireless network in the KEY section, as shown in Figure 20.49, and save your changes.
Before your settings take effect, you need to restart the Personal Computer Memory Card International Association (PCMCIA) services. The method for restarting PCMCIA services varies and depends on the Linux distribution you are using. In Slackware, Linux PCMCIA services are restarted by issuing the following command:
If you are unsure how to restart PCMCIA services on your distribution, you can reboot. When the system restarts, your settings will take effect.
Notes from the Underground…
Enabling Security Features on the Xbox
Many Xbox owners like to take advantage of the Xbox Live feature. Xbox Live allows gamers to connect their Xbox to the Internet and play selected games against online opponents. Since the Xbox is often connected to a TV that isn’t necessarily in the same room with most of the household computer equipment, wireless networking is a natural choice for this connection.
There are several wireless bridges (like the Linksys WET Wireless Ethernet Bridge) available that will connect the Xbox to a home network. These devices must be configured to use the wireless network’s security features.
First, log in to the WET 11. By default, the WET 11 is configured to use the IP address 192.168.1.251 (see Figure 20.50).
Figure 20.50. The Linksys WET 11 initial setup screen
Enter the SSID for your wireless network in the SSID textbox, and then select the Enable radio button next to WEP (see Figure 20.51).
Figure 20.51. Set the SSID and enable WEP
Click WEP Settings button to open the Shared Keys window (see Figure 20.52). Select 128 bit 26 hex digits from the drop-down box and then enter the WEP keys that your wireless network uses. The WEP keys can be entered in either of two ways:
- Generate the keys using the same passphrase used to generate the keys on your access point.
- Manually enter the WEP keys that your access point uses.
Figure 20.52. Enter the WEP keys
Next, click the Apply button on the Shared Keys window and the initial setup to save your settings. Finally, add the MAC address of your WET 11 to your allowed MAC address list on your access point.
Regardless of the particular brand or model of access point that you choose for your home network, by default it is set up very insecurely. At a minimum, four basic security measures should be enabled:
These steps are enough in most cases to protect low-traffic wireless networks used at home. It is important to use all four of these measures in order to deploy your wireless network using a layered security approach. While it is true that no network is completely secure, enabling these security measures on your wireless network reduces the risk of becoming an easy target and increases the likelihood that a prospective attacker will move on to a wireless network that does not employ the same precautions.
These have been consolidated because they are the recommendations for securing any AP/router and are not specific to a particular hardware.
Windows XP clients are configured using the Wireless Connection Properties and the Windows XP Wireless Client Manager. To associate with your access point once the security features have been enabled, your access point must be added as a Preferred Network. You need to enter the SSID and the WEP key during the configuration process.
Windows 2000 does not have a built-in wireless client manager like Windows XP. You need to enter the SSID and WEP key into a profile in the client manager software that shipped with your wireless card.
Linux users need to configure the /etc/pcmcia/wireless.opts file in order to access a wireless network with the security features enabled. The SSID and WEP key need to be entered in the appropriate section of the /etc/pcmcia/wireless.opts file. Restarting PCMCIA services or rebooting allows these settings to take effect.