With so many people deploying wireless networks in their homes and small offices without any training or thought of security, it becomes part of the wireless professional’s job to educate the corporate users on secure wireless use outside of the corporate environment.
Wireless networking goes against the normal flow of IT devices and technology. For years, if you had it at work you wanted it at home: fast printers, fast internet connections, big monitors and so on. Wireless networking functions at layers 1 and 2 of the OSI model. However, the decisions come from a layer I like to call Layer 8 (politics). With the desire for wireless networking being driven by the users, and their SOHO mentality of ease of use and configuration forcing WiFi on the enterprise, we need to ensure that the SOHO security model does not get forced into the enterprise as well. It is to that end that we must begin to educate users about WiFi security. If they have a higher level of security understanding, then when they demand WiFi at work they should also recognize the security concerns that introducing WiFi brings. Increasing the average user's WiFi security thinking is the goal of this information.

Given the widespread home use of 802.11 wireless networks, the discussion of wireless security for the home and small office is worth having. The following document will recommend some best practices for home wireless security. Securing the Enterprise use of 802.11 wireless is not dissimilar to securing the Small Office Home Office (SOHO) network use of 802.11 wireless. However, budgets and scale are quite different in comparison. The scope of this writing will not cover the Enterprise, but rather focus on SOHO 802.11 based wireless network security.

802.11 wireless networks are an exact opposite flow of technology when compared to other Information Technology (IT) topics. Most IT technology develops in the office and is later desired in the home. For example, years ago a 5 page per minute laser printer would cost well over $1,000.00. The quality was far superior to the old impact printers. The higher quality print made the laser printer desirable in the work place.
As more and more offices started to use laser printers, the cost dropped and people began to expect that quality everywhere, even at home. Today laser printers can be purchased that are capable of 15 or more pages per minute at a price under $250.00. Thus, the home user and SOHO environment can have the speed and quality printing previously only found in a larger office. The same basic story holds true for network speed. The faster speeds were in the work place, and much slower dial-up speeds were all one could expect at home or in a SOHO environment. Today high speed connections are available in the home at reasonable rates.

The trend in 802.11 networking is in the reverse flow. Infrastructures in the Enterprise are costly, due to switches, cable drops, management overhead, deployment nightmares and of course security, among other factors. In the SOHO world, an Access Point (AP) can be purchased in the $50.00 range and matching Wireless LAN (WLAN) cards for a similar price, or included with a laptop. A SOHO user need only plug in the AP and start using it, with little or no thought of security or office politics. This low cost and ease of implementation makes users believe the same should hold true in the Enterprise: simply buy and plug in the devices. So, it is easy to see how Enterprise use of 802.11 wireless is being driven from the SOHO users, in the exact opposite direction of all other IT device use.

With the easy access and deployment of SOHO devices in mind, we will now discuss their security, or lack of security as most often found. As easily as the SOHO devices are purchased, they can be set up for use in the home or small office environment. These low cost devices will function right out of the box with little to no configuration required. A user simply plugs the RJ-45 connector into the WAN port of the AP and the connector on the other end of the CAT 5 cable into their network or cable/DSL router, adds power, and they are up and away using 802.11 networking.
The default settings in use are not secure. Most SOHO APs use Open Authentication by default, which will allow any Station (STA) attempting to connect to be authenticated without any special credentials. Also, most SOHO APs use all data rates available, are set to use the maximum transmit power level, transmit the vendor's default Service Set Identifier (SSID) in the Beacon frames, and are set on channel 6 in the 2.4 GHz spectrum, causing co-channel interference with neighboring APs. Another security risk found in SOHO devices with the out of the box configuration is the ability to gain access to the management interface via a wireless connection. The administrator account on the SOHO AP is typically called admin and uses well documented passwords. If you ever need to know the defaults of a device, you can download the setup utility from the manufacturer's web site or search the internet for the information. The goal of all of the simple default settings is to allow the legitimate user of the device to set it up as quickly as possible, assuming the average SOHO user is not an IT professional with vast 802.11 experience. These SOHO devices are easily acquired and easily set up, but are infrequently configured properly for function or security.

Why should any of this matter to a SOHO user with few to no network resources to protect? There are several reasons to protect a SOHO network beyond just the network resources being at risk. An anonymous user accessing an unsecured SOHO AP may only surf the internet. This seems to be a fairly safe allowance on the part of the SOHO user. However, there is no guarantee that the anonymous user is not viewing pages that are illegal or inappropriate in some form. The following story illustrates this point and was related to me by one of the Federal Bureau of Investigation (FBI) agents involved in the case.
An Internet Service Provider (ISP) contacted the FBI to let them know that one of their clients had been downloading a large amount of child pornography. The FBI chose to investigate the report. As part of the investigation, the FBI went to the person's home with a warrant to search their computers and home for the illegal materials. After hours of looking throughout the home, and searching through the computers in the home, the FBI could find no evidence supporting the claim made by the ISP. However, the home owner had an unsecured 802.11 wireless network, a SOHO AP with the default configuration. The FBI found in the association history of the AP that a device not belonging to the home owner had been associated to the AP and was probably the device used to download the illegal materials via the innocent home owner's internet connection. Imagine sitting in your own home when the FBI arrives for a search like this.

Other things can cause problems for your unsecured SOHO network as well, such as someone bouncing spam through your connection, identifying you as the source and resulting in your connection being terminated by the ISP. Others connecting to your network will slow the network down due to the additional contention for the medium. However, the potential abuse of your network by others is more than enough reason to secure your SOHO wireless, even if the slowing is acceptable to you.

Now that we have discussed potential risks to the SOHO 802.11 network, we will discuss some very basic things that can be done to secure SOHO devices to avoid these ugly occurrences. First, do not use any default settings. Default settings are insecure and are published on the manufacturer's web sites. Second, upgrade the devices to the latest firmware. New devices could have been sitting on shelves in stores or in warehouses for quite some time before you made your purchase and may not be using the latest firmware.
They could be several versions behind, missing valuable security and feature enhancements. On the surface these two things seem quite simple, but they have several sub-layers which introduce complexity that the SOHO user is not accustomed to seeing. The following should clear these up quite a lot.

When setting up a SOHO AP, you should go to the manufacturer's web site and download the most current firmware for your particular model number of device. Most manufacturers' web sites include step by step instructions on how to upgrade the devices and often include a list of issues addressed by the upgrade. This is also true of the wireless LAN card in your STA. The upgrade usually involves a reboot of the device. With that done, per the maker's instructions, you can proceed to securing the device properly.

Connect to the AP via a cable. You should avoid wirelessly configuring an AP; most Enterprise quality APs do not allow this, but most SOHO devices do by default. Turn off the ability to remotely administer the AP. This stops neighbors and drive-by wireless assailants from configuring your AP to their specifications. Change the admin account's password from the default to a rather complex password which you can document and/or remember. If possible, also change the admin name. Turn off the Dynamic Host Configuration Protocol (DHCP) server service on the LAN side of the AP and use static addressing on your STAs. Change the default LAN side IP address. Most SOHO devices use 192.168.0.1 or something very close. Implement the strongest authentication mechanism that the AP and STAs can commonly use. Turn on WPA2 with AES encryption if possible. If you are using a Preshared Key or Passphrase, it should be as long and as complex as the devices will allow. Do NOT use your name, address or location of the AP in the SSID.
For a SOHO environment you may also wish to disable the broadcast of the SSID in the Beacon frame to make it harder for neighbors of novice wireless stature to find your network. This would force your STAs to use active probes, which an advanced wireless user could see with a sniffer, and it could cause poor roaming in an Enterprise environment. This is not about securing the Enterprise though. Implement a Media Access Control (MAC) address filter which only allows your STAs' MAC addresses to associate. The MAC address is transmitted in the clear, so this would not stop an advanced attacker, but it would add an additional layer of security to the SOHO AP and probably stop most novice wireless users from gaining access to your AP.

Turn the power setting down on the AP as low as you can while still providing the coverage required for your intended use. There is no need to transmit down the street, exposing your network to attackers you cannot see several houses or offices away. Properly orient your antennae. If you need to cover areas on the same floor as the AP, use the antennae in a vertical position. If you need to cover an area on another floor, use them in a horizontal position. However, antenna diversity, using multiple antennae to combat multipath signaling problems, should not be used to increase the coverage area. Another properly configured AP would be a better solution.

Use a non-overlapping channel that is not already in use in your area. For example, if a neighbor is on channel 6 you should use either channel 1 or 11, as they do not overlap with channel 6. In general, within the SOHO environment try to avoid the use of channel 6 even if there are no other networks detected in your area. A neighbor could buy an AP and power it up for use without properly configuring it. Again, most SOHO APs are set to use channel 6 by default. Change your physical layer (PHY) and use an 802.11a (5GHz OFDM) device network if possible.
Most SOHO networks use the 2.4GHz range systems HR-DSSS or ERP-OFDM (802.11b or 802.11g respectively). Using a 5GHz system will avoid possible interference from other SOHO networks, cameras, baby monitors, walkie-talkies, game controllers and microwaves, which all share the 2.4GHz space. As an added security bonus, most SOHO users do not even have an 802.11a (5GHz OFDM) card, giving you extra security by obscurity.

Place the AP in a secure location. If you do not have physical security you do not have security at all. Do not share your configuration with others you do not want on your network. Remember, the best way to keep a secret is not to tell anyone.

Although all of the configurations above are easily accomplished, a novice user may have difficulty in setting up a secure network. When in doubt, contact a professional to set up the network if budget allows. The following recommendations are a good starting point for SOHO security but are not a guarantee of a perfectly secured network, if such a thing can exist.

- Update the firmware on the AP and on all of the STAs.
- Change the administrator's password to a very complex one that you can remember and/or document.
- If the AP allows you to do so, change the name of the administrator’s account.
- Disable DHCP on the LAN side of the AP and use Static IP addressing on the STAs.
- Change the default IP address of the AP to something that will work for your STAs.
- Use the strongest authentication and encryption that the AP and STAs can all use.
- Turn off the broadcasting of the SSID in the Beacon frame.
- Use a non-default SSID that does not identify you, your business, your location, or the location of the AP.
- Place a space or two at the end of the SSID. (War drivers will not see them.)
- Implement a MAC filter allowing only your STAs to connect.
- Turn the transmit power down on the AP to just what is required for desired coverage.
- Use a non-overlapping channel, preferably not channel 6.
- Change your PHY to 5GHz if possible.
- Use anti-spyware software on your STAs.
- Use a personal firewall on the STAs.
- Use end point protection software if possible.
- Install the AP in a physically safe location.
- Do not disclose your configurations to others.
- Limit the number of allowed associations to just your STAs.
- When not in use, turn off the AP.
- If there is a breach in security, change all security settings as soon as possible.
- If you are unable to configure the AP securely, consult a trained and certified professional to do so on your behalf.
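As an added example (not part of the original article or any vendor's tool), the checklist above expressed as a configuration audit in Python. The dict key names, the lists of default SSIDs and LAN addresses, and the 20-character passphrase floor are assumptions, since SOHO APs expose these settings only through their own web interfaces.

```python
"""Audit a SOHO AP configuration against the checklist above.
Added example, not from the original article or any vendor's tool; the
settings are a plain dict with assumed key names (real APs use web UIs)."""
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
DEFAULT_LAN_IPS = {"192.168.0.1", "192.168.1.1"}
MIN_PASSPHRASE = 20  # assumption: what "long and complex" means here

def channels_overlap(a, b):
    """2.4 GHz channels fewer than 5 apart overlap; 1, 6 and 11 do not."""
    return abs(a - b) < 5

def audit_ap_config(cfg, neighbor_channels=(), identifying_terms=()):
    """Return a list of findings; an empty list means every check passed."""
    f = []
    if cfg.get("security") != "WPA2" or cfg.get("cipher") != "AES":
        f.append("auth: enable WPA2 with AES")
    if len(cfg.get("passphrase", "")) < MIN_PASSPHRASE:
        f.append("auth: passphrase shorter than %d characters" % MIN_PASSPHRASE)
    ssid = cfg.get("ssid", "")
    if ssid.strip().lower() in DEFAULT_SSIDS:
        f.append("ssid: vendor default SSID in use")
    if any(t.lower() in ssid.lower() for t in identifying_terms):
        f.append("ssid: contains a name, address or location")
    if cfg.get("ssid_broadcast", True):
        f.append("ssid: broadcast in Beacon frames")
    if cfg.get("admin_user", "admin") == "admin":
        f.append("admin: default account name")
    if cfg.get("admin_password") in (None, "", "admin", "password"):
        f.append("admin: default or empty password")
    if cfg.get("wireless_admin", True):
        f.append("admin: management reachable over wireless")
    if cfg.get("dhcp_server", True):
        f.append("lan: DHCP server on, use static STA addresses")
    if cfg.get("lan_ip") in DEFAULT_LAN_IPS:
        f.append("lan: default LAN IP address")
    if not cfg.get("mac_filter"):
        f.append("mac filter: no allowed-STA list")
    ch = cfg.get("channel")
    if cfg.get("band", "2.4GHz") == "2.4GHz":
        if ch == 6:
            f.append("channel: 6 is the usual default, prefer 1 or 11")
        for n in neighbor_channels:
            if channels_overlap(ch, n):
                f.append("channel: %d overlaps with neighbor on %d" % (ch, n))
    if cfg.get("tx_power", "max") == "max":
        f.append("power: transmit power at maximum")
    return f

# Constructed out-of-the-box configuration; every check above should fail.
FACTORY_DEFAULTS = {"security": "Open", "ssid": "linksys", "channel": 6, "lan_ip": "192.168.0.1"}
```

Running `audit_ap_config(FACTORY_DEFAULTS)` lists one finding per unchanged default; a hardened configuration returns an empty list.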
Bryan Harkins, Training and Development Manager, AirDefense