Home Network Security Part 4 – Wireless Networks

Wireless networks are great things – you can take your laptop pretty much anywhere in or around your house and still be connected to the Internet with no wires.  I remember when they were first beginning and a wireless card for your laptop cost almost $300, not to mention the cost of a wireless router.  CMU was one of the first schools to have a completely “wired” wireless campus – that meant that pretty much anywhere you were on campus, you could reach a wireless access point.  Wireless Andrew was my first experience with wireless networking, although I had heard of it previously.  And students could get a subsidized PCMCIA card for about $150.

Now, wireless networks are *everywhere*, and a lot cheaper.  Most cable modems or FIOS routers come with wireless enabled – and it’s a lot faster than it was.  When we first moved to our house, it took Verizon almost 3 weeks to get our FIOS installed (they had to increase the capacity at our neighborhood’s main connection point before they could connect us), but “helpful” neighbors had wide open access points, so we could still get on-line from home.  I’m not sure they ever knew we “borrowed” their connection for a while.

So what does this have to do with security?  A wireless access point that is incorrectly configured can be a legal liability for you, an access point into your network, as well as just plain annoying.  YOU are legally responsible for all Internet traffic that travels through your cable modem/FIOS router/phone line/whatever.  So, if someone decides to download/upload a pirated movie using your network, you are the one who will get the cease and desist order or court summons. You can fight it, but you still have to fight it in the first place.  If you don’t limit access to your wireless access point (router), someone sitting on the street could cause you a lot of headaches.

What is a correctly configured router?  One where you have a reasonable idea of who is connecting to your network and what they have access to – limiting access to authorized users.  The way most corporations do this is by requiring a corporate account or guest username/password (not network password) to access the wireless network.  If you’ve been in a hotel that you have to type your room number and last name into a web page before accessing the Internet, that’s what I’m talking about.  Most home routers do not have this capability.  If yours does, I suggest you look into using it.  A way that might look like a good idea is MAC address filtering.   It’s not a bad idea, but it won’t stop someone from connecting – it’s too easy to fake MAC addresses.  So don’t depend on it as the only mechanism.

The best method available to home users is to configure your network to use WPA2 with AES encryption, and a strong network key.  If you have older equipment (Nintendo DS…), it may not support WPA2, in which case, use WPA if you can, only using WEP as a very last resort.  WPA and WEP can both be broken in less than 3 hours (almost instantaneously for WEP).  It’s dependent on how much traffic goes across your network – but attackers can generate the traffic themselves.  WPA2 is a little harder, but not impossible to break.  Once an attacker has the network key, they can keep coming back to use your network for free.

If you’re router supports WPS (wi-fi protected setup), it’s a nice feature, but creates a vulnerability that someone can exploit to get access to your network more quickly.  Once you’ve setup your laptop/desktop – turn it off.

In addition to possibly opening you up to legal problems, someone able to access your wireless network can access systems on your home network, potentially compromising your confidentiality and integrity.  They can also affect your availability by using up all of your bandwidth.

For home users, this suggestion is not completely practical, but should definitely be implemented for small businesses.  Separate your wireless network from your “wired” or corporate network – by a firewall.  That means that folks on your wireless network (whether allowed or not) can only access the Internet.  Authorized users should use whatever your company’s remote access method is to access the internal network from the wireless network.  Home networks can implement this as well, but you’ll have to have some kind of remote access solution – like OpenVPN, or LogMeIn, etc.

Other Posts in this Series

Tell me your thoughts