course TOC

8.4. Wireless Setup & Security [src]

One issue with both home and corporate wireless networks is the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals leak outside of buildings and across property lines makes physical security largely irrelevant to Piggybackers – people that make unauthorized use of a WLAN.

Concerns

Anyone within the geographical network range of an open, unencrypted wireless network can capture or record the traffic (called sniffing), gain unauthorized access to internal network resources as well as to the Internet, and then possibly send spam or do other illegal actions using the wireless network's IP address. All of these are significant concerns for any office network. For home networks the biggest problems are the potential loss of personal privacy and unauthorized use of your network and ISP to gain Internet access – thus reducing your available bandwidth. How big the problem is for home or office depends largely on who lives nearby and how likely "war driving" (searching for open WLANs) is in your area.

 WiFi area
Wi-Fi leakage
By Paul Mullins: constructed

If router security is not activated or if the owner deactivates it for convenience, it creates a free hotspot. Most current laptop PCs have wireless networking built in and it may be enabled by default. Depending on settings, the laptop may automatically connect to open wireless networks (as well as broadcast the laptop's accessibility to any computer nearby) without the owner's knowledge, i.e., they may not even know they are using your network.

Modern operating systems such as Mac OS, or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC – your PC acts as a gateway/router. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby may also use the connection. Such "piggybacking" is usually achieved without the wireless network operators knowledge; again, it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point.

A related problem is that hackers not only use free, open WiFi hotspots to harvest your private data... they create them for you to use. Hackers can easily setup a free WiFi hotspot and be pretty certain that people will start to use it — just by giving it a place-appropriate name. (Previous information on hotspots.)

  1. Don't use open WiFi!
  2. If you ignore (1), make sure it is an official site
    1. Use encryption for everything you do: HTTPS, VPN, etc.
    2. Don't use it for anything sensitive, like banking.
  3. And, don't forget that if the Donut Shop gives everyone the same password they have used for years, you have to think of it as an open network.

Security options

Access Control at the Access Point level

Home users, businesses and organizations typically use access control at the access point level. The intention is to provide a "closed network". The most common method is to configure various access restrictions in all of the access points. Most of these are quite simple to accomplish and all can be used in combination.

The simplest option is to disable ESSID broadcasting — that's the "name" of the network. This will prevent automatic connection by unaware users and make the access point difficult for casual outsiders to detect. However, anyone with the proper tools – we're thinking of hackers here – will be able to detect the network anyway. And, your friends will be able to "add" then network when you tell them the SSID.

Another fairly simple technique is to enable wireless encryption. Client devices have to authenticate (logon) and the encryption prevents spying. Once a client device is setup and given the pass phrase, it usually remembers it and reconnects automatically as needed. Wi-Fi Protected Access (WPA2) is quite secure when a reasonable pass phrase is chosen — use at least 14 randomly selected characters, or a lengthy phrase (up to 64 characters). The primary differences between a pass phrase and a password is that passwords have to be remembered and typed in often. Example: (don't use it)

Alice's Right Foot! Esq@Hearthrug, Near the fender - good book

Note that although this is based on a quote from Alice in Wonderlandmangle your own quote – the capitalization is different, with punctuation added, and it ends with a short phrase not in the book. At 62 characters, it is long. But, you usually only have to type in the password once for each device — and, for home use, you can post the pass phrase on the fridge (or if you're more security-minded, leave it in a desk drawer). A final note on encryption: Wired Equivalent Privacy (WEP) should not be used. The U.S. FBI has demonstrated the ability to break WEP protection in only three minutes using tools available to the general public (see aircrack).

The least simple, but most restrictive, technique is to only allow access from known, approved MAC addresses – recall that each wireless NIC has a "unique" MAC address – making this equivalent to specifying the devices that are allowed access your network. By itself, however, this approach gives no security against sniffing (spying), and client devices can easily spoof a MAC address, so this should be used in combination with the measures described above.

For businesses, Wireless Intrusion Prevention Systems can be used to provide additional wireless LAN security.

Commercial hotspots, such as coffee shops, want to broadcast the ESSID and can't readily manage MAC address restrictions, so they tend to be either completely open, or use encryption alone. With any encryption scheme, all clients in the network know the pass phrase and can read all the traffic. This makes a "secure" hotspot open to spying by anyone else that is using the hotspot. You should never use a hotspot for secure communication, like banking or, for that matter, Facebook, Twitter or email.

Commercial Providers and large organizations

For these larger organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN. (At SRU, you need to authenticate or login to use wireless.)

For complete security

Wireless networks are inherently less secure than wired ones because of the lack of physical security (leakage). However, in many offices, intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network; and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution (for wired & wireless) may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

The solution may be encryption and authorization in the application layer, using technologies like HTTPS (using TLS/SSL), PGP and similar techniques, as discussed earlier. As a user, you can restrict your own use of a hotspot to applications that allow you to use secure HTTP (https) for all transactions. Note that these can be used in addition to the WLAN security measures discussed above. (If you use HTTPS in an wireless hotspot, others can only spy on IP addresses – that is, they know where you are connecting to, but not the content of the messages.)

The problem with encryption on the router level (IPsec) or VPN is that a switch encrypts all traffic as it leaves the LAN. Others on the LAN can still see the traffic.

The disadvantage with the end to end method is, it may fail to cover all traffic. End-to-end encryption requires each service/device to have its encryption "turned on". (If it is difficult, it may not be used.) For sending emails, every recipient must support the encryption method. For Web browsing, not all web sites offer HTTPS, and even if they do, the browser sends out IP addresses in clear text.

What should you do?

Home WLANs

You should be using WPA2 encryption with a good pass phrase. Other will be able to "see" the network, but not able to connect without cracking it. That is, only a successful cracker will be able to spy on your activities, access your Internet connection, or gain access to your computer or other network resources. (Obviously this excludes anyone you have given the pass phrase to.)

You will have prevented casual and accidental access, as well as most nosey neighbors. Your traffic on the Internet is not protected, though you can use HTTPS for browsing and PGP for email. (Or, an anonymizing service.)

Small Office

In addition to the home security methods,

  • You should not broadcast the WLANs SSID. They may be able to find it, but why advertise its presence.
  • You should limit access to known MAC addresses. Again, why make it easy for the cracker.
  • Guest access should be provided using a secured portal, it at all. (Many routers now offer such a guest network automatically.)
  • Any connection to a home, or other office, should use a VPN.

Others

Larger organizations and those with more strict security needs, like health care providers, should consult an IT security professional.

The Argument for Open Access Points

Today, there is almost full wireless network coverage in many urban areas — the infrastructure for the wireless community network, which some consider to be the future of the Internet, is already in place. One could roam around and always be connected to the Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted. Many people consider it proper etiquette to leave access points open to the public, allowing free access to Internet, although some users don't know how to disable encryption. Others think encryption provides substantial protection, at small inconvenience, against dangers of open access that they fear may be substantial, even on a home router.

The density of access points can even be a problem — there are a limited number of radio channels available, and they partly overlap. Each channel can handle multiple networks, but in places with many private wireless networks (for example, an apartment complex), the limited number of Wi-Fi radio channels might cause slowness and other problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:

Pro Con
The wireless network is, after all, confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. This argument is basically that if there is a big threat (the Internet), you shouldn't worry about a smaller threat (your WLAN). But, the illegal or unethical activities of the "kid" next door – no hacking required – will lead directly back to you, not him or her.
Also, an open wireless router will give access to the local network, often including access to file shares and printers.
The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser and all the way to the bank — thus it shouldn't be risky to do banking over an unencrypted wireless network. The need to use HTTPS for secure web transactions is well established, but that is not a "pro". It is a preemptive argument against "why let everyone see what you are doing?"
In the (mostly wired) Internet, hackers can gain access, so end to end encryption is necessary for some transactions. That doesn't mean you should broadcast (literally) all of your transactions, including those not requiring secure connections.
The argument that anyone can sniff traffic applies to wired networks also, where system administrators and possible crackers have access. Also, anyone knowing the keys for an encrypted wireless network (like other customers in a hotspot) can gain access to the data being transferred over the network. A secured hotspot should, indeed, be treated as an open WLAN. In your home or office WLAN only those you trust – a trust you can revoke by changing the pass phrase – are given access. That a cracker might access data in wired networks is not an argument for giving everyone nearby access.
If services, like file shares, access to printers etc., are available on the local net, it is advisable to have password authentication for accessing it — one should never assume that the private network is not accessible from the outside. Correctly set up, it should be safe to allow access to the local network to outsiders. Unfortunately, some folders/resources are preset for sharing and users may not be aware of it. Or, they may have set it up for temporary use and forgotten it. With a properly secured WLAN you don't have to use access control – although you should. Why not use encryption and access controls?
With WEP (still used by many), a sniffer will usually be able to compute the network key in a few minutes. Use WPA2 with a well-selected pass phrase.
It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic — thus extra traffic will not hurt. A couple of neighbors watching Netflix movies will greatly diminish your available bandwidth (download speed). Also, see discussion of net neutrality below.
Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance. "Cheap" is a key word... Historically, this has not proven to be the case. People frequently tap into public utilities (water, electric) or their neighbors connection (phone, cable) and pirate satellite feeds. Frankly, would you pay for an Internet connection if your neighbor provided it for free?

In some countries including Germany, persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point. Also, many contracts with ISPs specify that the connection may not be shared with other persons.

Net neutrality

The argument for net neutrality is that once a contract with an ISP that specifies (up to) 8 Mbps is signed, the home user should be able to use that bandwidth for whatever they want, including using services that compete with the ISP. For example, watching Netflix movies online and Skype for phone calls rather than the cable provider's video on demand or VoIP phone service. One current non-neutral scheme is for an ISP to make a deal with a service provider, like a particular search engine, to make traffic to and from that site faster than any other search provider — essentially creating a fast lane that you can only get into if you use the service that is paying your ISP for the privilege.

For the past several years net neutrality (in the US) has been in the news a lot, with the FCC attempting to control what actions an ISP is allowed to take in terms of blocking services or throttling customer bandwidth and informing customers of billing structures. They did this by categorizing ISPs as "common carriers", and (like telephones and other utilities) subjected them to basic rules. The FCC imposed different rules for home or stationary ISPs (DSL and cable) and cellular or mobile ISPs. The Republicans in Congress have pledged to reverse those rules through legislation.

The counter argument is essentially that there have yet to be any major abuses and that an open, free market will prevent abuse. (Of course, this argument assumes that the consumer has multiple choices for Internet service.) The rest of the argument is big business vs. government regulation. Opponents characterize rules that all traffic be treated equally as government intervention and "controlling the Internet".

This is a good area for you to watch or even become involved in — it's happening now. One thing to watch is the services provided by smartphone carriers; almost all have gone to "tiered" data plans that charge different amounts based on the amount of data you use per month. (Inherent in the open WLAN argument above that extra traffic will not impact the network owner's bill, is that most ISPs currently limit bandwidth, but not total data usage.)
wikipedia icon net neutrality in the US search icon news "net neutrality" video icon net neutrality

Setting up a wireless home network

Most new wireless routers come with wi-fi protected setup that makes setting up a protected (encrypted) network easy, although you still have to take additional steps to fully secure the network.

Almost all routers come with simple set up instructions, but in the past they often defaulted to open, unsecured access. Here are some steps that may help you in setting up a wireless network once you have secured access through an ISP. If you have a setup guide, follow the instructions there.

Preliminary Steps

If you are using DSL, you will need your account ID and password. Contact your service provider. Occasionally, you will also need other information such as the IP address of your primary gateway and DNS servers. These are also given to you by your ISP, but are usually automatically detected.

If you are using an old router, you may have to reset the modem to factory settings and/or determine the IP address the router uses. Instructions for doing this should be in the documentation or you can search for your modem online (perhaps using your smartphone).

Generic Instructions
  1. Make sure all of the network nodes (laptops, PCs, network printers, etc) have a network adapter (NIC).
  2. Turn off power to all equipment.
  3. Connect the broadband (cable or DSL) modem to the ISP data connection. (Look on DSL modem for a label like "DSL" – a cable modem will have a coax connection.)
  4. Connect the data port on the modem with an Ethernet cable to the wireless router port. (Typically, there are several Ethernet ports for devices with the modem port separate, possibly labeled "modem" or "WAN".)
  5. Connect the router to a computer using an Ethernet cable.
  6. Turn on power to the broadband modem and wait 5-10 minutes for it to connect and set up. (Indicator lights should show that the connection is established, usually without blinking.)
  7. Turn on the router and wait 2-5 minutes for the modem to find the modem and connect. (Indicator lights should show that the connection is established, usually without blinking.)
  8. Turn on the connected computer. (Indicator light on router should show a data connection.)
  9. Typically, you will insert the router CD at this point, which will automatically start setup software. If not, you may have to start a browser and enter the IP address of the router.
  10. Select router set up and security.
  11. If asked, select DHCP. This allows automatic assignment of IP addresses.
  12. If possible, change the administrator password. Write it down and keep it (perhaps taped to the router, if in a home).
  13. Select an innocuous name (SSID) for your network (perhaps "linguini"). Since broadcasting the SSID does not seriously impact security, leave it set to broadcast. (This will make connecting devices a bit easier.) Do not leave the default name, so potential crackers don't know what kind of device you are using.
  14. Select encryption: WPA2. This may be labeled PSK or Pre-Shared Key. (That's your pass phrase.) Do not use WEP unless it is the only option available. "Mixed mode" allows the use of WEP and should be avoided unless necessary.
  15. Select a good pass phrase that is at least 32 characters (up to 64). You will have to enter this (only) once for each wireless device. Write it down! (Also can be taped to the router or, for easy sharing, to the fridge, if in a home.)
  16. You're done, unless you want to use MAC filtering. (More difficult to allow a guest to use the network and only recommended if you need the added security.)
  17. If you setup the router using a laptop, disconnect the Ethernet cable.
  18. For each wired device, plug in the Ethernet cable to a port on the router. (No pass phrase needed – it's not using wireless.)
  19. For each wireless device, turn it on and search for your wireless network. (The SSID you gave it.) Enter the pass phrase. You should be connected.
Wireless Networking has been a hot topic for the Lab Rats
video icon
#70 Home Network Security 101

video icon
#65 Home Network Basics

video icon
#6 Home network primer

video icon
#7 Setup a Wireless Home Network

video icon
#1 Wireless router security

video icon
#167 WPA2 revisited - setting up wireless security on your router

video icon
#185 Router Maintenance 101


video icon
#14 MAC Address Filtering
video icon #9 Network File Sharing video icon #177 Network Attached Storage Demystified video icon #172 Printing to the network
course TOC

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Attribution: Dr. Paul Mullins, Slippery Rock University
These notes began life as the Wikiversity course Introduction to Computers.
The course draws extensively from and uses links to Wikipedia.
A large number of video links are provided to labrats.tv. (I hope you like cats. And food demos.)