How to secure a wireless network: Part 1 of 5 - Enabling WPA on a wireless router
This is the first part in a series of five blogcasts (video demonstrations showing you "how to") that look at how to secure a wireless network by configuring Wireless Protected Access (WPA) on both the Access Point (AP) and Vista/XP clients.
Note: These instructions are appropriate for typical home networks and very small offices as a static "Pre Shared Key" is used for all devices. Once you move past a handful of machines this approach becomes difficult to manage and less secure as gaining physical access to one device (machine or Access Point) gives an attacker the ability to compromise the entire wireless network.
Note: The demonstration is for a wireless router made by a company named SMC simply because it's the device that I happen to use at home. There are many other comparable wireless routers and pretty much all of them support Wireless Protected Access (WPA) - their configuration is often similar.
Dispelling some myths:
There are many myths about how to secure wireless networks. Some "experts" advocate hiding the wireless network name (SSID) to improve security - this doesn't really gain you a great deal as the SSID is broadcast on the network anyway so an attacker could easily discover it using any easily available wireless network hacking tool. Some people even think that the SSID is used for authentication and therefore by hiding it you can prevent unauthorised people from accessing the wireless network - this is nonesense - the SSID is merely an Identifier - a descriptive name for the network. To authenticate something or someone's identity you typically (though not always - there are other methods) need to both know a secret that no-one else knows - using something that's in the public domain (an identifier) breaks this premise.
Another myth is that changing the wireless network name (SSID) gains you some security as if a attacker knows which device you have then they may be able to exploit know vulnerabilities (if they exist) for your Access Point to circumvent it's security. Each network device ships with a built in unique identifying number - known as a (MAC) address. The MAC address of the wireless router is transmitted in clear text on the network and therefore is easy for an attacker to see. Each hardware vendor is allocated a range of MAC addresses - these are available in the public domain. It's pretty straightforward for an attacker to determine the hardware manufacturer of your wireless network simply by "listening to the network traffic".
I like to change the name (SSID) of my wireless network simply to make it easy to see which is my network and to make it easier for friends to connect to it when they visit.
The last myth I'll explore here is that MAC address filtering provides sensible security for a home wireless network. Just like the SSID, the MAC address is an identifier - it's not intended to be used for authentication. The MAC address of each device is transmitted in clear text hence an attacker can easily "listen in" and find out which addresses are allowed to connect to the access point. It's trivial to change (spoof) the MAC address of most devices - many network cards can be configured to use an alternative MAC address simply by editing their properties via the Windows Control panel. In addition there are many freely available tools that can be used to reconfigure a device's MAC address.
Note: MAC address filtering can provide a little benefit IF you have an operational access point without any connected clients - hence the attacker wouldn't be able to find out which client MAC addresses are allowed to connect to the access point.
Transcript of how to enable Wireless Protected Access (WPA) for an SMC router:
Sign into the router using the default password
Change the admin password – using a passphrase
Enable Wireless Protected Access using a PreShared Key – another passphrase
Save the settings
Comments
Anonymous
January 01, 2003
This post follows on from How to secure a wireless network: Part 1 of 5 - Enabling WPA on a wirelessAnonymous
January 01, 2003
This post follows on from How to secure a wireless network: Part 1 of 5 - Enabling WPA on a wirelessAnonymous
January 01, 2003
This post follows on from How to secure a wireless network: Part 1 of 5 - Enabling WPA on a wirelessAnonymous
January 01, 2003
I heard yesterday that Steve has done these and that they had gone down very well, so thought I wouldAnonymous
January 01, 2003
This post follows on from How to secure a wireless network: Part 1 of 5 - Enabling WPA on a wirelessAnonymous
January 01, 2003
This post follows on from How to secure a wireless network: Part 1 of 5 - Enabling WPA on a wirelessAnonymous
January 01, 2003
Thanks JohnAnonymous
January 01, 2003
Steve Lamb puts together an excellent five part series on securing a wireless network. He starts with the process of enabling WPA -- or Wireless Protected Access. Then goes into a great conversation on SSID's, enabling them, hiding them, and the limitedAnonymous
January 01, 2003
This post has been replaced by a series of five blogcasts as quite a bit has changed since I wrote thisAnonymous
January 01, 2003
I've just bought the cheapest wireless router I could find to share my hotel broadband connection withAnonymous
August 17, 2007
There are other reasons for not disabling the SSID, especially in a roaming configuration where you have a wireless area provided by more than one AP. WPA-PSK isn't 100% secure either. Look up cowpatty! Ensure your passphrase contains some special characters, numbers and sufficient "mumbo-jumbo" that a dictionary attack would fail. MAC address filtering can be useful to prevent the opportunist, but any hacker can get around it in seconds - just like Steve said. If you're wireless kit supports WPA2-PSK then go for that as it uses AES, which is securer than TKIP used in WPA-PSK. More and more hardware is starting to support WPA2. Worth checking if there is a firmware update that makes it available as an option on your choosen router. Regards John