Wireless (802.11) Security Recommendations
The Problem
Many homes and businesses now have 802.11 wireless local area networks (LANs).
Usually consisting of a wireless "router" connected to a cable modem or other
Internet connection, these allow users of PDAs, laptops, and other devices to have
convenient high-speed access to the Internet without connecting a cable. The
problem is, the easiest and most common ways to set up a wireless LAN are the most
dangerous!
Wireless signals easily penetrate most walls. That is an
advantage within your home or office, but the signals penetrate the
outside walls just as easily as the inside. That means that
your wireless network is accessible to others outside
your home or office unless
you take security precautions.
Worse yet, most wireless LANs broadcast their presence to make it easy
for your devices--and hackers!--to connect. The practice of
looking for unsecured wireless LANs is so common that it has a name:
"war driving."
If you do not
take security precautions, you are at risk of the following:
- Others may use your Internet connection for free. Your connection will slow down,
and anything they do online (including illegal downloads) appears to come from your
address. It is commonly observed that people living in an apartment complex can nearly
always find an unsecured wireless LAN close by and don't have to pay for Internet at all.
- Hackers who access your unsecured wireless LAN can also
potentially access your computers.
Implications:
- your personal information may be compromised, resulting
in identity theft.
- if you use a wireless LAN for your business, that means that your customers'
personal information may be compromised. In addition to the obvious bad publicity
and liability, many states have laws that require businesses to protect customer data
and to notify customers when it is exposed.
- the hacker may place spyware and other malware on your computer. In some cases,
your computer becomes part of a "botnet" used to attack other computers, send out
spam, etc.
Note that using a free hotspot that doesn't have security is at least as
dangerous as using your own LAN without security. Hackers often hang out at such
places looking for victims. If the network is not secure, anyone within radio range can
record the traffic and pick out passwords and other sensitive information that is sent
without encryption. In some cases, the hacker sets up an "evil twin" network that
pretends to be the business' hotspot; everyone who connects to it has all of their network
communications pass through the hacker's computer!
Solutions
Unfortunately, there is no easy way to have high security on an 802.11
wireless network, although it's getting easier. The two main
security protocols require extra setup on all your devices, and they
have
advantages and disadvantages as follows:
- WEP (Wired Equivalent Privacy): nearly every wireless device, including old ones,
supports WEP, and it is easy to set up. Unfortunately, WEP's design is broken: freely
available tools recover the key from a few minutes of recorded traffic, no matter how
long or how random the key is. The settings given below make a WEP network slightly
less attractive to a casual freeloader, but they do not make it secure.
- WPA2 (Wi-Fi Protected Access 2): this is the recommended way to set up a wireless LAN,
and its security is regarded as very good when it is used with AES-based CCMP
encryption and a strong passphrase. It has replaced the original WPA, an interim design
that still used the weaker TKIP cipher. Individuals usually use WPA2 in "personal" mode,
where every device shares one passphrase; businesses may choose "enterprise" mode, where
each user logs in with individual credentials to an authentication server (802.1X), so
there is no shared secret to leak when an employee leaves. Unfortunately, many older
devices do not support WPA2.
SFA faculty, staff, and students please note: both the "SFA-Wireless"
and the "SFA-Lawn" networks use WPA2. Instructions for how to connect to
SFA-Wireless are given at http://www.sfasu.edu/tsc/ (the instructions refer
to WEP, but the network is actually WPA2; use the Vista instructions if you
have Windows 7).
Recommendations
- Businesses that transmit and/or store sensitive or personal information
(company secrets, credit card numbers, etc.) obtain the best security with wired
networks. If wireless is necessary, WPA2 security is essential, and it can be improved
by treating the wireless LAN as untrusted and requiring every wireless device to connect
through a virtual private network (VPN) before it can reach internal systems. Setup
assistance from a wireless security expert is recommended. Businesses should not
ordinarily use WEP, and should never use WEP if sensitive or personal information is
transmitted wirelessly or stored on computers accessible over the network.
- Individuals should implement WPA2 on all devices in their wireless
network. The following steps are recommended for the best security (setup steps vary with device):
- When you set up the router, change the router's administrator login name (if the
router allows it) and administrator password from the default to something random or
otherwise hard to guess. If you don't, a hacker who reaches the network can simply log
in and change your security settings.
- Use a random passphrase ("key") of at least 20 characters, or have the router generate
one. WPA2 passphrases may be 8 to 63 characters long.
- Select AES encryption (some routers label it CCMP or AES-CCMP). TKIP is the older
cipher WPA used for compatibility with WEP-era hardware; it has known weaknesses, and
802.11n equipment will not run at full speed with it. Avoid "mixed" WPA/WPA2 or
TKIP+AES modes unless an old device truly needs them.
- Do not use short or common words/phrases or your name or house number for a
passphrase. An attacker who records one device's connection to your network can test
millions of guesses offline, from anywhere, without ever touching your network again,
so anything that appears in a word list will eventually be found.
- Set the network name (SSID) to something random or otherwise hard to guess, and never
use the default network name. The name is mixed into the WPA2 key, so attackers keep
precomputed tables of likely passphrases for common default names; an unusual name
makes those tables useless and forces the attacker to start from scratch.
- Optionally, turn off SSID broadcast. This hides the network from the normal scan on
phones and laptops, so casual war drivers will not see it. It does not hide it from
anyone with a wireless sniffer: the name is sent in the clear whenever a device
connects, and devices set up for a hidden network broadcast its name wherever they go
looking for it. Treat it as a minor obstacle, not as security; WPA2 with a strong
passphrase is what protects you. The price you pay for doing this is that your devices
will no longer find the network on their own; you must create the connection manually
once, specifying the network name and WPA2 passphrase.
- If you cannot implement WPA2, implement WEP with the following settings. Understand
what you are getting: WEP can be cracked in minutes by anyone with free software, and
you will not notice, because the attack only listens. These settings deter casual
freeloaders; they are not adequate for anything sensitive, and the real fix is to
replace the device that cannot do WPA2 (setup steps vary with device):
- Change the router's administrator password (and login name, if possible) from the
default, exactly as described for WPA2 above.
- Set the WEP "key" length to 128 bits (the largest most routers offer). This does not
stop the key-recovery attacks just mentioned, which work on any key length, but it does
rule out simple brute-force guessing of the shorter 64-bit keys.
- Use a random key, or have the router generate one, and never derive it from words,
names or house numbers. Again, this only rules out guessing; it does nothing against
key recovery.
- Set the network name to something random or otherwise hard to guess. Never use the
default network name.
- Optionally, turn off SSID broadcast. See the notes under WPA2 above for what this does
and does not accomplish.
- For both WPA2 and WEP, if you have only a limited number of devices that should access
the system, a little further protection can be gained by limiting the number of
connected devices or by listing the hardware ("MAC") addresses of authorized devices.
See the router's user guide for details. Be aware that these addresses are transmitted
in the clear with every packet and can be copied by an attacker in seconds, so this is
an inconvenience to an attacker rather than a barrier; do not rely on it in place of WPA2.
- To make sure your protection is working, periodically log in to your router and check
the list of devices that have connected (often shown as "attached devices" or the DHCP
client list). If there is a device you don't recognize, your system may have been
compromised: change the WPA2 passphrase and the router's administrator password
immediately. Note that an attacker who only records your traffic never appears on this
list, so a clean list is reassuring but not proof of safety.
- If you access the Internet from a public hotspot, obtain detailed connection
instructions from the business to ensure that you connect to its network and not a
hacker's "evil twin." Also check what security it has: prefer WPA2, and treat a WEP or
open hotspot as untrusted. Your wireless laptop or other device will usually have a way
to show the settings of the current connection. Remember that even on a protected
hotspot everyone who has the password shares the network with you and can potentially
decrypt your traffic, so the protection that actually counts there is a VPN (next item)
or web sites that use https:// connections. If there is no security at all, disconnect
unless you are using a VPN.
- If you need to connect to your organization over the Internet, find out whether a VPN is available and use it whenever possible.
The steps necessary to accomplish the above settings vary according to device. Check your device's user guide or "help".
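As an added illustration, not code from the original page, the following shows how a WPA2 "personal" mode passphrase and network name become the network key, and why the steps above insist on a random passphrase and a non-default name. It also shows what the attack that motivates those steps looks like: once one device's connection to your network has been recorded, guesses are tested offline. The network names, passphrases and word list in it are constructed for the example; the derivation itself follows the IEEE 802.11i specification (PBKDF2 with SHA-1, 4096 iterations, the network name as salt), which is what routers and laptops implement for WPA2 personal mode.

```python
# Added example (not from the original page): how a WPA2-Personal passphrase
# and network name (SSID) become the network key, and why a short or common
# passphrase can be guessed offline. Network names, passphrases and the word
# list below are constructed for illustration.
import hashlib
import secrets
import string


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation as specified in IEEE 802.11i.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so identical passphrases give different keys on
    differently named networks (which is the point of a non-default name).
    """
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def dictionary_attack(ssid: str, target_psk: bytes, wordlist):
    """Offline guessing, the way an attacker tests candidates after recording
    one device's connection (the four-way handshake). A real tool checks each
    guess against a message authentication code in the recorded handshake
    rather than against the PSK itself, but the work per guess is identical:
    one PBKDF2 run. No packets are sent, so nothing on the network can notice
    or rate-limit it. Returns the matching passphrase, or None."""
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a valid WPA2 passphrase, skip it
        if derive_psk(guess, ssid) == target_psk:
            return guess
    return None


def random_passphrase(length: int = 20) -> str:
    """Router-style generated key: letters and digits from a CSPRNG.
    20 characters of [A-Za-z0-9] is about 119 bits, far beyond any word list."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_ssid(prefix: str = "net-") -> str:
    """Non-default network name; defeats tables precomputed for common names."""
    return prefix + secrets.token_hex(4)


# Constructed word list standing in for the millions of entries a real one has.
WORDLIST = ["12345678", "password", "letmein1", "iloveyou", "qwertyuiop",
            "sunshine1", "football", "abcd1234"]


def demo():
    # 1. Default-style name ("homenet", constructed) plus a dictionary word:
    #    found on the first pass through the list.
    weak_psk = derive_psk("password", "homenet")
    cracked = dictionary_attack("homenet", weak_psk, WORDLIST)

    # 2. Random name, same weak passphrase: a table precomputed for "homenet"
    #    no longer matches (different salt) ...
    ssid = random_ssid()
    table_still_matches = derive_psk("password", ssid) == weak_psk
    #    ... but the attacker simply recomputes with the name seen on the air,
    #    so the passphrase still falls.
    cracked_again = dictionary_attack(ssid, derive_psk("password", ssid), WORDLIST)

    # 3. Random passphrase: the word list is exhausted without a match.
    strong = random_passphrase()
    safe = dictionary_attack(ssid, derive_psk(strong, ssid), WORDLIST)
    return cracked, table_still_matches, cracked_again, safe


if __name__ == "__main__":
    print(demo())  # ('password', False, 'password', None)
```

Run it with python3. demo() returns the dictionary word recovered for the default-style name, False for the precomputed-table check against the random name, the same word recovered again once the attacker recomputes for that name, and None for the generated passphrase. The third result is the one to notice: a random network name defeats precomputed tables but not a live dictionary attack, so the passphrase itself still has to be random.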
Good luck!
Send comments and corrections concerning this page to:
wfisher@sfasu.edu
Last updated March 2, 2012