A friend of mine moved to a new house and had to change his internet provider as well. The room with the computer and the one with the phone line were not close to each other and he decided to buy a wireless lan router and use it to connect to the internet.
We had to do a scan of the surroundings of course and found lots of unsecured wireless lan networks. I don´t know why people keep these unsecured, maybe its laziness, maybe they simply don´t know the risks involved. Its like leaving your doors open when you leave your house. Lots of things can happen..
Others could use your internet connection to surf the web, to spam, download copyrighted files or hack other servers, and do even worse stuff. All using your connection. Guess on whose door the police will be knocking ?
Router / Access Point
This is your main configuration unit. If someone gets access to it he will be able to change lots of preferences like passwords, encryption and mac address. Most routers have default passwords and SSID´s which have to be changed by their owner to make the entire system more secure.
1. Default Login
Your first task is to change the default user login to something else. Routers normally have default usernames and passwords like admin / 0000 or similar. You normally configure your wlan router using a web browser and the routers ip. Those are the username and password you enter when you want to change the configuration.
2. Updates
Visit the manufactures website and look for updates for your router / access point. Often those updates include security updates as well, recommended to to every once in a while.
3. Infrastructure / Ad-Hoc
With infrastructure mode enabled all deviced connected to the wireless lan communicate through the access point / router while the Ad-Hoc mode allows for direct communication. Disable Ad-Hoc mode if available.
4. SSID
The SSID, Service Set Identifier, identifies your router. Companies use default ones like wireless or wlan which are easy to guess. Choose a more secure password, best is a combination of letters and numbers.
Disable the SSID Broadcasting, which transmits its name to everyone in range.Wireless stations searching for a network connection can ‘discover’ it automatically, not needed if you know the SSID and configure your computers the way. It does not make sense to change the name but leave broadcasting on.
Note its still possible to sniff the SSID, its still send in clear text when a client associates with the router / access point.
5. Pings
Turn of Broadcast pings on the access point / router this makes it invisible to 802.11b analysis tools.
6. Mac Address Filtering
Every network device has in theory a unique MAC address. You can configure your access point / router the way that it only accepts connections from the mac address(es) you specify. Its possible to sniff your mac addresses and fake them, don´t rely on this alone.
On windows open the command prompt and enter ipconfig /all
The Physical Address is your MAC address, make sure you selected the right device, a wlan pci card for example.
If you are not using windows go to this website, it explains how you find it on your operating system.
7. Remote Management
Disable if not needed.
8. WPA, WPA2 or WEP
If your access point offers WPA2 encryption use it. WPA2 uses AES encryption. If you have an older access point use WPA and as last resort use WEP. Make sure you chose passwords that are more or less immune against dictionary attacks and chose the highest available encryption option (232 ->104 -> 40)
9. Wlan Coverage
It does not make sense most of the time to provide wlan coverage for a wider area than your own appartment. You can experiment with lowering the transmit level and the use of directional antennas to reduce the area your wlan covers.
Its a good idea to change the encryption keys and the SSID every now and then. The best protection is of course to turn your wireless network off if you don´t need it.
