184 Part III: Installing a Wireless Network
No security at all!
The vast majority of wireless LAN gear (access |
that up to 60 percent of all access points that |
|
points, network cards, and so on) is shipped to |
they encounter have no security methods in |
|
customers with all the security features turned |
place at all. |
|
off. That’s right: zip, nada, zilch, no security at all. |
Now, we should add that some people pur- |
|
Just a wide-open access point, sitting there |
||
posely leave their access point security off |
||
waiting for anybody who passes by (with a Wi- |
||
in order to provide free access to their neigh- |
||
Fi–equipped computer, at least) to associate |
||
borhoods. (We talk about this in Chapter 16.) But |
||
with the access point and get on your network. |
||
we find that many people don’t intend to do this |
||
|
||
Now this isn’t a bad thing in and of itself; initially |
but have done so unknowingly. We’re all for |
|
configuring your network with security features |
sharing, but keep in mind that it could get you in |
|
turned off and then enabling the security features |
trouble with your broadband provider (who |
|
after things are up and running is easier than |
might cancel your line if you’re sharing with |
|
doing it the other way ’round. Unfortunately, |
neighbors). If you don’t want other people on |
|
many people never take that extra step and acti- |
your network, take the few extra minutes that it |
|
vate their security settings. So a huge number of |
takes to set up your network security. You can |
|
access points out there are completely open to |
test your network — to make sure WEP is really |
|
the public (when they are within range, at least). |
enabled — by using a program like Network |
|
Folks who’ve spent some time wardriving (which |
Stumbler (which we discuss at length in |
|
we describe in this chapter’s introduction) say |
Chapter 16). |
|
|
|
No network security system is absolutely secure and foolproof. And, as we discuss in this chapter, Wi-Fi networks have some inherent flaws in their security systems, which means that even if you fully implement the security system in Wi-Fi (WEP), a determined individual could still get into your network.
We’re not trying to scare you off here. In a typical residential setting, chances are good that your network won’t be subjected to some sort of determined attacker like this. So follow our tips, and you should be just fine.
Assessing the Risks
The biggest advantage of wireless networks — the fact that you can connect to the network just about anywhere within range of the base station (up to 300 feet) — is also the biggest potential liability. Because the signal is carried over the air via radio waves, anyone else within range can pick up your network’s signals, too. It’s sort of like putting an extra RJ-45 jack for a wired LAN out on the sidewalk in front of your house: You’re no longer in control of who can access it.
Chapter 10: Securing Your Wireless Home Network 185
General Internet security
Before we get into the security of your wireless LAN, we need to talk for a moment about Internet security in general. Regardless of what type of LAN you have — wireless, wired, a LAN using powerlines or phonelines, or even no LAN — when you connect a computer to the Internet, some security risks are involved. Malicious crackers (the bad guys of the hacker community) can use all sorts of tools and techniques to get into your computer(s) and wreak havoc.
For example, someone with malicious intent could get into your computer and steal personal files (such as your bank statements that you’ve downloaded using Quicken) or mess with your computer’s settings . . . or even erase your hard drive. Your computer can even be hijacked (without you knowing it) as a jumping off point for other people’s nefarious deeds; as a source of an attack on another computer (the bad guys can launch these attacks remotely using your computer, making them that much harder to track down); or even as source for spam e-mailing.
What we’re getting at here is the fact that you need to take a few steps to secure any computer attached to the Internet. If you have a broadband (digital subscriber line [DSL], satellite, or cable modem) connection, you really need to secure your computer(s). The high speed, always-on connections that these services offer make it easier for a cracker to get into your computer. We recommend that you take three steps to secure your computers from Internet-based security risks:
Use and maintain antivirus software. Many attacks on computers don’t come from someone sitting in a dark room, in front of a computer screen, actively cracking into your computer. They come from viruses (often scripts embedded in e-mails or other downloaded files) that take over parts of your computer’s operating system and do things that you don’t want your computer doing (like sending a copy of the virus to everyone in your e-mail address book and then deleting your hard drive). So pick out your favorite antivirus program and use it. Keep the virus definition files (the data files that tell your antivirus software what’s a virus and what’s not) up to date. And for heaven’s sake, use your antivirus program!
Install a personal firewall on each computer. Personal firewalls are programs that basically take a look at every Internet connection entering or leaving your computer and check it against a set of rules to see whether the connection should be allowed. After you’ve installed a personal firewall program, wait about a day and then look at the log. You’ll be shocked and amazed at the sheer number of attempted connections to your computer that have been blocked. Most of these attempts are relatively innocuous, but not all are. If you’ve got broadband, your firewall might block hundreds of these attempts every day.
We like ZoneAlarm — www.zonelabs.com — for Windows computers, and we use the built-in firewall on our Mac OS X computers.
186 Part III: Installing a Wireless Network
Turn on the firewall functionality in your router. Whether you use a separate router or one integrated into your wireless access point, it will have at least some level of firewall functionality built in. Turn this function on when you set up your router/access point. (It’ll be an obvious option in the configuration program and might well be on by default.) We like to have both the router firewall and the personal firewall software running on our PCs. It’s the belt-and-suspenders approach, but it makes our networks more secure.
In Chapter 12, we talk about some situations (particularly when you’re playing online games over your network) where you need to disable some of this firewall functionality. We suggest that you do this only when you must. Otherwise, turn on that firewall — and leave it on.
Some routers use a technology called stateful packet inspection firewalls, which examine each packet (or individual group) of data coming into the router to make sure that it was actually something requested by a computer on the network. If your router has this function, we recommend that you try using it because it’s a more thorough way of performing firewall functions. Others simply use Network Address Translation (NAT, which we introduce in Chapter 2 and further discuss in Chapter 16) to perform firewall functions. This isn’t quite as effective as stateful packet inspection, but it does work quite well.
There’s a lot more to Internet security — like securing your file sharing (if you’ve enabled that) — that we just don’t have the space to get into. Check out Chapter 11 for a quick overview on this subject. To get really detailed about these subjects, we recommend that you take a look at Home Networking For Dummies, by Kathy Ivens (Wiley Publishing, Inc.) for coverage of those issues in greater detail.
After you’ve set up your firewall, test it out. Check out this great site that has a ton of information about Internet security: www.grc.com. The guy behind this site, Steve Gibson, is a genius on the topic, and he’s built a great tool called ShieldsUP!! that lets you run through a series of tests to see how well your firewall(s) is working. Go to www.grc.com and test yourself.
Airlink security
The area that we really want to focus on in this chapter is the aspect of network security that’s unique to wireless networks: the airlink security. In other words, these are the security concerns that have to do with the radio frequencies being beamed around your wireless home network.
Traditionally, computer networks use wires that go from point to point in your home (or in an office). When you’ve got a wired network, you’ve got physical control over these wires. You install them, and you know where they go. The physical connections to a wired LAN are inside your house. You can
Chapter 10: Securing Your Wireless Home Network 187
lock the doors and windows and keep someone else from gaining access to the network. Of course, you’ve got to keep people from accessing the network over the Internet, as we mention in the previous section, but locally it would take an act of breaking and entering by a bad guy to get on your network. (Sort of like on Alias where they always seem to have to go deep into the enemy’s facility to tap into anything.)
Wireless LANs turn this premise on its head because you’ve got absolutely no way of physically securing your network. Now you can do things like go outside with a laptop computer and have someone move the access point around to reduce the amount of signal leaving the house. But that’s really not going to be 100 percent effective, and it can reduce your coverage within the house. Or you could join the tinfoil hat brigade (“The CIA is reading my mind!”) and surround your entire house with a Faraday cage. (Remember those from physics class? Us neither, but they have something to do with attenuating electromagnetic fields.)
Some access points have controls that let you limit the amount of power used to send radio waves over the air. This isn’t a perfect solution (and it can dramatically reduce your reception in distant parts of the house), but if you live in a small apartment and are worried about beaming your Wi-Fi signals to the apartment next door, you might try this.
Basically, what we’re saying here is that the radio waves sent by your wireless LAN gear are going to leave your house, and there’s not a darned thing that you can do about it. Nothing. What you can do, however, is make it difficult for other people to tune into those radio signals, thus (and more importantly) making it difficult for those who can tune into them to decode them and use them to get onto your network (without your authorization) or to scrutinize your e-mail, Web surfing habits, and so on.
You can take several steps to make your wireless network more secure and to provide some airlink security on your network. We talk about these in the following sections, and then we discuss some even better methods of securing wireless LANs that are coming down the pike.
Introducing Wired Equivalent
Privacy (WEP)
The primary line of defense in a Wi-Fi network is Wired Equivalent Privacy (WEP). WEP is an encryption system, which means that it scrambles — using the encryption key (or WEP key, in this case) — all the data packets (or individual chunks of data) that are sent over the airwaves in your wireless network. Unless someone on the far end has the same key to decrypt the data,