

http://www.applemacpunk.com
applemacpunk@cox.net 

by Kale Feelhaver

Protected Airspace: Securing Your Home Wireless Network, Part I

In the modern world of wireless communications, almost everyone is using wireless networks on a daily basis. From cellular phones to 802.11 (Free Internet) Hot Spots to Bluetooth headsets, wireless is all around us every day. Most laptop users have a home wireless network so they can have the freedom to move around their living space and still reach the Internet. Apple’s Airport is the preferred network device for most Mac users because of its easy setup and tight integration with Mac OS X. The Airport is a great wireless networking device, but with a few easy steps, it can be secured to greatly reduce unauthorized access. This article is Part I of a two-part series focused on securing your home wireless network. Part I will cover configuration (software) changes that can be used to secure the network, and Part II will cover hardware changes that can be used to secure the network.

For this article, I will use an Apple Airport (non-Extreme) running version 4.0.9 of the Apple Airport software, and version 4.2 of Apple’s Airport Admin Utility. The newer Airport base stations have a few additional options, but the general theory is the same. This theory can also be applied to non-Apple products made by vendors like Linksys and Netgear.

1. Close the Network

The first thing to do is to create a closed wireless network. A closed network is one in which the Service Set Identifier (SSID) is not broadcast. Have you ever walked into a Starbucks, opened your laptop, and seen a wireless network pop up and ask you to join? That means the SSID is being broadcast. If you create a closed network, the SSID will not be broadcast, and users will have to know the network exists in order to join it. They will also need to know the network name (see Section 3 below). Using the Apple Airport Admin Utility, select the “Create a Closed Network” check box.

Image2

2. Change the Defaults

The next thing to do is to change the default device name, username (if it has one), and password. No matter what type of network device you are using, this is a good security practice. Keep this in mind… every Linksys router ships with the same default network name, username, and password. Therefore, anyone who has ever purchased one knows the defaults. There are lists of default passwords that are downloadable off the Internet. If a hacker finds out what type of device he’s connecting to, he may already have the default username and password. The same is true of every Netgear router, and every Sonicwall Firewall, and every Apple Airport Express, and so on. Always, always, always change the device name, username (if available), and password on EVERY network device you purchase. Using the Apple Airport Admin Utility, the name and password can be changed in the Base Station section.

Image3

3. Enable Encryption

Next, we want to make sure that we change the network name (NOTE: the network name is different from the base station name above) and encrypt the network traffic with a password. This means people will need a password to join the network, and the network traffic will be encrypted to and from the base station. They will also need to know the network name (SSID) of the network as discussed in Section 1 above. There are several types of encryption used on wireless networks.

Among them are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WPA is much more secure than WEP, but many older base stations do not support it. WEP is a relatively easy encryption to break, but it is still better than no encryption at all. As a general rule, you want to use the highest level of encryption that your base station will support. In the screenshot below, this base station is configured for 128-bit WEP. This is configurable in the Airport Network (Wireless Security) section of the Airport Admin Utility.

Image4

Image5

4. Disable DHCP

If you are comfortable with TCP/IP Networking and IP addressing, you may want to proceed with this section. If you are not comfortable with these things, you may want to skip this section. Dynamic Host Configuration Protocol (DHCP) is used to dynamically distribute IP addresses to hosts on a network. DHCP requires little configuration from the end user, which is why it is so popular. However, this can be a bad move from a security standpoint, because anyone can automatically gain an IP address on your wireless network (NOTE: This setup works best when the base station is not configured as the Internet router, which will be covered in Part II). By disabling DHCP (Distributed IP addresses), in conjunction with the suggestions above, you have now forced users to enter an SSID, password, and IP address to gain access to your network. You can further restrict the IP address pool by using classless subnetting. For example, you can restrict the address pool to only a handful of addresses, limiting the potential for several concurrent connections. This is beyond the scope of this tutorial, but I may go into it in a future article. Again, if you are not comfortable with TCP/IP Networking, you may want to skip this section. This configuration is done in the Network section of the Airport Admin Utility.

Image6
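
A worked version of the "handful of addresses" idea from this section, as an added example that is not part of the original article: it sizes the smallest subnet for a fixed list of machines, assigns each a static address, and labels addresses later seen on the LAN against that plan. The 10.0.1.0 base address and the device names are assumptions chosen for illustration.

```python
import ipaddress

def plan_static_lan(base, devices):
    """Size the smallest subnet that holds the base station plus the named
    devices, and give each one a fixed address (no DHCP pool at all)."""
    needed = len(devices) + 1 + 2   # clients + base station + network/broadcast
    host_bits = max(2, (needed - 1).bit_length())
    # IPv4Network raises ValueError if `base` is not aligned to the prefix.
    net = ipaddress.IPv4Network(f"{base}/{32 - host_bits}")
    hosts = [str(ip) for ip in net.hosts()]
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "base_station": hosts[0],
        "assignments": dict(zip(devices, hosts[1:])),
        "spare": hosts[1 + len(devices):],
    }

def classify(plan, seen_ip):
    """Label an address seen on the LAN against the plan."""
    ip = ipaddress.IPv4Address(seen_ip)
    if ip not in ipaddress.IPv4Network(plan["network"]):
        return "outside-subnet"
    if str(ip) == plan["base_station"]:
        return "base-station"
    if str(ip) in plan["assignments"].values():
        return "assigned"
    if str(ip) in plan["spare"]:
        return "unassigned"      # usable on this subnet but given to nobody
    return "reserved"            # network or broadcast address

# Constructed sample: three household machines on an assumed 10.0.1.0 LAN.
PLAN = plan_static_lan("10.0.1.0", ["powerbook", "imac", "ibook"])

if __name__ == "__main__":
    print(PLAN["network"], PLAN["netmask"])
    for name, ip in PLAN["assignments"].items():
        print(f"{name:10} {ip}")
    print("spare:", PLAN["spare"])
    for ip in ("10.0.1.3", "10.0.1.6", "10.0.1.20"):
        print(ip, classify(PLAN, ip))
```

The "spare" list is the number of extra concurrent connections the subnet still leaves room for; an address classified as "unassigned" or "outside-subnet" belongs to no machine in the plan.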

5. Restrict Access by MAC Address

This section also requires a little knowledge about TCP/IP networking. If you are not comfortable with networking, you may want to skip this section as well. Every computer has a unique hardware address called a Media Access Control (MAC) address. A MAC address is a series of six two-digit identifiers separated by colons. A typical MAC address looks something like this: 00:2e:0a:ef:22:1c. You can find your Mac’s MAC address in System Preferences under the Network pane. Then you can use the Airport Admin Utility to restrict access to just the MAC addresses of the systems you’ve approved. All computers have MAC addresses, including Windows computers. Using this method, you can restrict access to the hardware addresses of your computer, and your friend’s/family’s computers.

Image7
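
An added example, not from the original article, of checking a client list against the approved MAC addresses from this section. It normalizes the different ways operating systems print a MAC address, then flags clients that are not on the list, addresses that were assigned in software rather than by the manufacturer, and an approved address that shows up with more than one IP. The first approved entry is the sample address from the text; every other address, owner name and IP is constructed.

```python
import re

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex. Accepts colon, hyphen,
    dotted (000d.9312.3456) and bare 12-digit forms."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 1 of the first octet is set, meaning the address was
    assigned in software rather than burned in by the manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_clients(approved, observed):
    """approved: {mac: owner}; observed: [(mac, ip), ...] in any MAC format.
    Returns a sorted list of (mac, finding, ips)."""
    allow = {normalize_mac(m) for m in approved}
    ips_by_mac = {}
    for raw, ip in observed:
        ips_by_mac.setdefault(normalize_mac(raw), set()).add(ip)
    findings = []
    for mac, ips in sorted(ips_by_mac.items()):
        if mac not in allow:
            kind = ("unapproved-software-assigned"
                    if is_locally_administered(mac) else "unapproved")
        elif len(ips) > 1:
            kind = "approved-but-multiple-ips"   # same address seen twice
        else:
            kind = "approved"
        findings.append((mac, kind, sorted(ips)))
    return findings

# Constructed sample data (only the first approved MAC appears in the article).
APPROVED = {"00:2e:0a:ef:22:1c": "PowerBook", "00-0D-93-12-34-56": "iBook"}
OBSERVED = [
    ("00-2E-0A-EF-22-1C", "10.0.1.2"),
    ("000d.9312.3456", "10.0.1.3"),
    ("000d.9312.3456", "10.0.1.6"),
    ("02:11:22:33:44:55", "10.0.1.4"),
    ("00:11:22:33:44:55", "10.0.1.5"),
]

if __name__ == "__main__":
    for mac, kind, ips in audit_clients(APPROVED, OBSERVED):
        print(f"{mac}  {kind:30} {', '.join(ips)}")
```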

Once all these steps are completed, a user must know the SSID, password, IP address, and MAC address (of an approved machine) to access your wireless network. Even with these precautions, your network is still hackable. A properly trained person can break into any wireless network. That is the nature of wireless… it’s quite hackable. However, the object is not to make your network un-hackable… the object is to make your network less hackable than your neighbor’s network. There are plenty of unsecured wireless networks out there… a hacker is not going to target a secured network, when there are unsecured ones within a few blocks. Using these techniques, along with some hardware techniques, which will be discussed in Part II, you can make your network secure enough that hackers will avoid it.




©1996-2007 MPN LLC.