
Wi-Fi Security

It would be reasonable to assume that the vast majority of home internet users have some kind of wireless access for their network of computers, tablets, printers, TVs, etc. In the past, wireless was seen as a convenient yet risky solution for larger corporations and government entities – when weighing accessibility against security, the latter would most definitely win any given battle. As network technologies bring advancement to the common workplace, it appears that accessibility may have won the war. That’s not quite true – instead we could say that a ceasefire has been drafted. It’s becoming more and more possible to provide accessibility AND security.

Let’s take a look at the original wireless infrastructures: most began as completely insecure, wide-open systems whose role was literally to provide Layer 2 wireless access to a network and nothing else. If you wanted security, you were forced to implement some third-party policing of already-connected clients – this was less than ideal, since physically gaining access to an inside network is probably the hardest task that attackers undertake. Then WEP arrived, which was a bit better – let’s face it: something is better than nothing. The problem with WEP was that it allowed passwords to be transmitted in plain text; easy pickings for anyone monitoring the frequency.

First, I want to say that wireless is not really the best option when wired is available (especially when lurking on the DarkNet). There is an exception to this: if you are out in public making an effort not to use TOR from home, then the risk can be well worth it; however, you should be using a VPN as well as TOR when using wireless, in public or at home. By design, wireless is much more susceptible to infiltration. To infiltrate wireless traffic you only need to be in range and have the capability to listen, collect and eventually decrypt that traffic. For a wired connection, someone would have to physically splice into the fiber, copper, etc. to gain the same advantage. Wireless infiltration is not only dangerous because people might crack your network – an attacker or LE could perform a “Man-in-the-Middle” attack. This involves intercepting, monitoring or even changing packets sent from point A before they reach their destination. So what are the dangers here? Someone might “listen in” on your traffic, or LE could set up a honeypot and pose as your destination network. What if a major intelligence agency has a suspicion that you’re using DNMs and has paid to set up a site that looks and acts exactly like Agora? You’re in shit, that’s what. If they know enough they could even play Man-in-the-Middle with traffic before it ingresses your first TOR node.

There’s not a lot of point going into the differences between WEP and WPA, but I will say that if you are on WEP, then do whatever you need to do to get your security upgraded to WPA. WEP can be easily sniffed and cracked in a matter of a few minutes by injecting de-authentication packets, sniffing the re-authentication and then easily cracking the password using a dictionary attack. This can be done with a $30 wireless interface that supports packet injection and the aircrack suite, or some other freely available software. Just know that WEP is next to useless these days; with hundreds of WEP-cracking tutorials online, even a beginner can crack it. WPA-Personal uses much better algorithms and encryption methods for pre-shared keys. If you want ultimate security then you would want to set up WPA-Enterprise/802.1X authentication. This relies on a third-party authentication server such as a domain controller, RSA server, etc. These CAN be set up at home, but it’s not quite as easy as setting a strong WPA-Personal PSK (pre-shared key).

Let’s start with some basics for wireless security that can be addressed on most, if not all, consumer-grade wireless routers – many of you might already know to do these, so this is for those who do not. The first thing you want to do is tackle the “ease of use” features like WPS and SSID broadcast. WPS, which stands for Wi-Fi Protected System, provides an easy way for non-technical people to push a big button, produce a PIN and use said PIN to connect to wireless. I’m surprised by the number of people I visit who, when asked for the home’s wireless key, shrug their shoulders. Ok, so maybe you have a phenomenal key and just have it memorized? Many people will tell you where to find it and have to check a sticker they’ve placed on the bottom of the router, or else it’s written in a book or notepad beside it. In many cases I see people using the 10-digit numerical password originally programmed by their ISP. Someone with knowledge of the standard ISP passwords and a good working knowledge of rainbow tables could narrow down your password exponentially. Maybe you can say it but don’t know what it is, but we can get to that later. If enabled, WPS can EASILY be exploited (more easily than cracking a captured WPA key), so TURN IT OFF.
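To make the point about short ISP-assigned keys and rainbow tables concrete, here is an added example (not code from the original article). It implements the WPA/WPA2-Personal pairwise master key derivation defined in IEEE 802.11i, which is PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt, and uses it to show two things: the SSID is the salt, so a precomputed table only helps against networks whose SSID was in the table (typically ISP defaults), and a 10-digit numeric key has a far smaller candidate space than a long mixed-character passphrase. The passphrases and SSIDs are constructed for the example, except the “password”/“IEEE” pair, which is the published 802.11i test vector.

```python
"""Why a short numeric WPA-Personal key and a default SSID are both a problem.

Added example, not code from the original article. Implements the
WPA/WPA2-Personal PMK derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1,
4096 iterations, 256-bit output, SSID as salt). Passphrases and SSIDs
are constructed except the "password"/"IEEE" published test vector.
"""
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LENGTH = 32            # 256-bit pairwise master key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK (what wpa_passphrase prints as psk=)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def charset_size(passphrase: str) -> int:
    """Size of the smallest conventional character set that covers the passphrase."""
    size = 0
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def keyspace_bits(passphrase: str) -> float:
    """Upper bound on entropy if the passphrase were chosen uniformly over its character set."""
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(charset_size(passphrase))


def table_reusable(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """A PMK table built for ssid_a helps against ssid_b only if the PMKs coincide."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    print("802.11i test vector PMK:", wpa_pmk("password", "IEEE").hex())
    # Constructed passphrases: the ISP-style 10-digit key versus longer ones.
    for pw in ("0123456789", "Tr0ub4dor&3", "correct-horse-battery-staple-2016"):
        print(f"{pw!r:40} ~{keyspace_bits(pw):5.1f} bits of keyspace")
    # Same constructed passphrase under two constructed SSIDs: the PMKs differ,
    # so a table precomputed for a default SSID is useless once the SSID is renamed.
    print("table reusable across SSIDs:",
          table_reusable("ISP-Default", "MyRenamedNet", "0123456789"))
```

The practical takeaway is the combination: renaming the SSID away from the ISP default defeats precomputed tables, and a long passphrase is what makes per-network PBKDF2 guessing expensive; a 10-digit numeric key gives only about 33 bits of keyspace regardless of the SSID.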

Even more basic than that, I find an alarming number of people who haven’t touched a thing on their router/wireless access point – this includes the default username and password used to manage the device. If left at the default, these can easily be found on the manufacturer’s website, and some sites have even compiled lists of all brands and models with their respective default credentials. Don’t just change the password; change the username as well, to something not obvious (don’t use admin, root, manager, your first or last name, etc.).

Have a look at the other onboard features that come with your router. If you have something running DD-WRT then it offers a rudimentary firewall as well as access restrictions. If you travel a lot or are concerned about hackers when you’re not home or sleeping, you can usually put access restrictions in place based on time and day of the week. These can be used to stop connectivity to certain destinations during those timeframes, so if you were clever with it you could block the use of certain protocols or access to certain IPs during those time frames.

Another simple way to mitigate attacks on your wireless network: don’t let people know it’s there! Sure, if someone knows their stuff they’re going to find you either way, but if some beginner is sitting there trying to crack your WLAN using their built-in Intel interface, not broadcasting your SSID is going to make things much harder for them. By the way, wireless password interception doesn’t take special gear or even special skills, really. It takes a bit of Linux knowledge, a live CD/DVD distro, and a wireless interface capable of packet injection (available for about $30). As mentioned above, disable “SSID Broadcast” and know your SSID’s name and password so that you can provide these to people you do want on your network.

This last suggestion for onboard router security can be a bit time-consuming and requires additional maintenance: MAC address filtering. If your main concern is security and you don’t often have new devices connecting to your network, then MAC filtering might be worth your while. You’re basically providing your router with a whitelist of MAC addresses (hard-coded NIC hardware addresses) and saying ‘only allow access to these devices’. Now, if you have friends and family coming and going, then maintenance will be high and you will find yourself constantly editing that whitelist, as MAC filtering on consumer routers is not particularly easy to manage. I will also point out that MAC spoofing is extremely easy – it’s as simple as downloading a free app and changing the appearance of your MAC. A knowledgeable attacker could presumably sniff your wireless network and see all connected MACs, so in this scenario it might be more trouble than it’s worth.
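A router’s MAC filter is nothing more than a whitelist lookup, and the paragraph above explains why that lookup is weak on its own. The following added example (not code from the original article) reproduces the lookup over a few constructed association-log lines, normalises the different MAC notations people type into whitelists, and adds one defender-side heuristic: a station address with the “locally administered” bit set (0x02 in the first octet) was assigned by software rather than burned into the NIC, which is what randomised or spoofed addresses usually look like. The log format, SSID and addresses are all constructed; the script does not claim any particular router’s log syntax.

```python
"""MAC-address whitelist check, with the spoofing caveat the article raises.

Added example, not code from the original article. The association-log
format, the SSID and every address below are constructed for the example.
"""
import re

# Constructed sample log: one line per association attempt (not a real router format).
SAMPLE_LOG = """\
2016-03-01T20:01:02 assoc sta=3C:5A:B4:12:34:56 ssid=HomeNet
2016-03-01T20:01:05 assoc sta=3c-5a-b4-12-34-57 ssid=HomeNet
2016-03-01T20:02:11 assoc sta=02:1a:2b:3c:4d:5e ssid=HomeNet
2016-03-01T20:02:30 assoc sta=not-a-mac ssid=HomeNet
"""

# Constructed whitelist, deliberately in mixed notations to show normalisation.
SAMPLE_WHITELIST = ["3C:5A:B4:12:34:56", "021a.2b3c.4d5e"]

_STA_RE = re.compile(r"\bsta=(\S+)")


def normalize_mac(text: str) -> str:
    """Return a MAC as lower-case colon-separated octets; raise ValueError if malformed."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set: a software-assigned address."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def load_whitelist(entries) -> set:
    """Normalise every whitelist entry so lookups do not depend on notation."""
    return {normalize_mac(e) for e in entries}


def check_station(mac: str, whitelist: set) -> dict:
    """Mimic the router's allow/deny decision and attach the locally-administered warning."""
    norm = normalize_mac(mac)
    return {
        "mac": norm,
        "allowed": norm in whitelist,
        "locally_administered": is_locally_administered(norm),
    }


def audit_log(log_text: str, whitelist: set) -> list:
    """Run check_station over each association line; malformed addresses are reported, not skipped."""
    findings = []
    for line in log_text.splitlines():
        m = _STA_RE.search(line)
        if not m:
            continue
        try:
            findings.append(check_station(m.group(1), whitelist))
        except ValueError:
            findings.append({"mac": m.group(1), "allowed": False,
                             "locally_administered": False, "error": "malformed"})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, load_whitelist(SAMPLE_WHITELIST)):
        note = ""
        if f["locally_administered"]:
            note = "  (locally administered: software-assigned, may be randomised or spoofed)"
        print(f"{f['mac']:<17} allowed={f['allowed']}{note}")
```

The third log line is the interesting one: it is on the whitelist and would be admitted by the router, yet its address is locally administered, which is exactly the case the article warns about. Treating that flag as a reason to look at the device, rather than trusting the whitelist hit, is the only extra assurance a MAC filter can realistically give.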

Most necessary wireless security can be handled right on the router; however, there are some third-party options that will increase your WLAN’s security quite a bit. If you happen to have a server on your network, then you might find a way to leverage certificates alongside PSKs, if this is something your router can accommodate or even support. There are basic VLAN options available on router firmware like DD-WRT. Combine that with a basic managed switch and you could easily split out your wired and wireless networks. VLANs (virtual LANs) are not only a good way to limit broadcast traffic and support multiple subnets on your network, but they can also be used to segregate traffic. If you put all of your wired traffic on VLAN 10 and all of your wireless traffic on VLAN 20, you could potentially make it so that they cannot talk to each other at all. Just be aware that having two separate VLANs on separate networks will require a device that can have multiple gateways and route multiple networks. You may also need a firewall to actually segregate the two VLANs using separate zones. If you do decide to take this route, then you will have granular control over what communication can and cannot happen between the two networks. If security is a top concern then I recommend finding a cheap used managed switch, like a Cisco Catalyst 2960, and a cheap used firewall. SonicWall, Juniper, Check Point – any will do; however, I find the Cisco ASA 5505 to be a good balance between user-friendly and powerful.

Today everyone wants wireless on all devices and they just want it to work. Although I do agree that wireless provides an incredible solution to many network problems, and it’s extremely convenient, it’s nowhere near as safe and reliable as a good old Ethernet cable. If I had it my way, any device with an Ethernet card would always use a wired connection first, and only use wireless if absolutely necessary. But people want convenience and they want it now. This article may seem pretty simple to many readers, but everyone has to start somewhere. If you’re content with a moderate level of security on your wireless network then the suggestions within should be plenty to keep you safe. If you’ve got something on your network that you need to keep safe at all costs, then that will be a totally different discussion. If you’re willing to spend a little money and learn some fundamentals, you can take your network security to a whole new level, wireless or otherwise.

9 comments

  1. Vary your Wi-Fi access points; TLAs/LE are not in every McDonald’s or your local laundromat! I would not use a VPN; instead, use Tor Bridges. VPNs can be traced, even with Bitcoins.

  2. I think you meant to say WPA2-AES(?) WPA isn’t as strong, and has been cracked as of a few years ago (though it’s still not easy, or quickly done)…WPA2-AES has never been — up to today — cracked by anyone — even by the glorified, highfalutin National Security Agency!

    Also, for those that have 802.11n routers and want to utilize the N+ speeds/spectrum, then you will have to have a WPA2-AES password, otherwise you will only be able to connect at 802.11a/b/g speeds, which max out at 54 Mbps…802.11n maxes out at 300 Mbps :)

    Lastly, VPN coupled with Tor isn’t necessarily bad, just make sure you get the combo order correct, otherwise you will totally de-anonymize yourself…I forgot the order though, so look it up…but connect to VPN first, then to Tor — or other way around…one is bad, one is good, just make sure first!! The correct order will fortify your security, but I think it’s kind of unnecessary…Tor, or Tor + bridge, is fine enough!

    P.S. Make sure the router firmware is updated! Also, one can add their own open-source, third-party firmware to any router if they so prefer…Open Tomato was one, but is now deprecated(?)

  3. “As mentioned above, disable “SSID Broadcast” and know your SSID’s name and password so that you can provide these to people you do want on your network.”

    Sorry DDW but whoever is writing these articles is a fucking idiot.

  4. Worst thing is to disable SSID broadcasting. Doing that means you think you know what you are doing AND have something to hide. It’s even on the CompTIA Security+, the written test for a security driver’s license.

  5. Best thing to do is turn down the signal strength.

  6. Use a VPN, and change your DNS; all okay.

  7. This article suffers from inaccuracies, take this quote:

    “The problem with WEP was that it allowed for the passwords for be transmitting in plain text; easy pickings for anyone monitoring the frequency.”

    This is FALSE – WEP leaks secret key bits slowly via the IV (initiation vector) during handshaking, making it easier to crack after an attacker has collected many IVs.

    The author also doesn’t really provide any useful info on tools and best practices for security/hacking.
