Securing a SOHO Wireless Network
CompTIA wants administrators of small office, home office (SOHO) networks to be able to secure those networks in ways that protect the data stored on them. This objective looks at the security protection that can be added to a wireless SOHO network, while the one that follows examines similar procedures for a wired network.
The wireless network is not and never will be secure. Use wireless only when absolutely necessary. If you must deploy a wireless network, here are some tips to make some improvements to wireless security:
- Change the default SSID.
- Disable SSID broadcasts.
- Disable DHCP or use reservations.
- Use MAC filtering.
- Use IP filtering.
- Use the strongest security available on the wireless access point.
- Change the static security keys every two to four weeks.
- When new wireless protection schemes become available (and reasonably priced), consider migrating to them.
- Limit the user accounts that can use wireless connectivity.
- Use a preauthentication system, such as RADIUS.
- Use remote access filters against client type, protocols used, time, date, user account, content, and so forth.
- Use IPSec tunnels over the wireless links.
- Turn down the signal strength to the minimum needed to support connectivity.
- Seriously consider removing wireless access from your LAN.
Change Default Usernames and Passwords
In addition to those created with the installation of the operating system(s), default accounts are also often associated with hardware. Wireless access points, routers, and similar devices often include accounts for interacting with, and administering, those devices. You should always change the passwords associated with those devices and, where possible, change the usernames.
If there are accounts that are not needed, disable them or delete them. Make certain you use strong password policies and protect the passwords with the same security you use for users or administrators (in other words, don’t write the router’s password on an address label and stick it to the bottom of the router).
Changing the SSID
All radio frequency signals can be easily intercepted. To intercept 802.11a/b/g/n traffic, all you need is a PC with an appropriate 802.11a/b/g/n card installed. Many networks will regularly broadcast their name (known as an SSID broadcast) to announce their presence. Simple software on the PC can capture the link traffic in the wireless AP and then process this data to decrypt account and password information.
You should change the SSID—whether or not you choose to disable its broadcast or not—to keep it from being a value that many outsiders come to know. If you use the same SSID for years, then the number of individuals who will have left the company or otherwise learned of its value will only increase. Changing the variable adds one more level of security.
Setting Encryption
The types of wireless encryption available (WEP, WPA, WPA2, etc.) were discussed in Chapter 6, “Networking Fundamentals.” It’s important to remember that you should always enable encryption for any SOHO network you may administer, and you should choose the strongest level of encryption you can work with.
Disabling SSID Broadcast
One method of “protecting” the network that is often recommended is to turn off the SSID broadcast. The access point is still there and can still be accessed by those who know of it, but it prevents those who are looking at a list of available networks from finding it. This should be considered a very weak form of security because there are still ways, albeit a bit more complicated, to discover the presence of the access point besides the SSID broadcast.
Enable MAC Filtering
Most APs offer the ability to turn on MAC filtering, but it is off by default. In the default stage, any wireless client that knows of the existence of the AP can join the network. When MAC filtering is used, the administrator compiles a list of the MAC addresses associated with the users’ computers and enters them. When a client attempts to connect, an additional check of the MAC address is performed. If the address appears in the list, the client is allowed to join, otherwise they are forbidden from so doing. On a number of wireless devices, the term network lock is used in place of MAC filtering, and the two are synonymous.
Antenna and Access Point Placement
Antenna placement can be crucial in allowing clients to reach the access point. For security reasons, you do not want to overextend the reach of the network so that people can get onto the network from other locations (the parking lot, the building next door, etc.). Balancing security and access is a tricky thing to do.
There isn’t any one universal solution to this issue, and it depends on the environment in which the access point is placed. As a general rule, the greater the distance the signal must travel, the more it will attenuate, but you can lose a signal quickly in a short space as well if the building materials reflect or absorb it. You should try to avoid placing access points near metal (which includes appliances) or near the ground. They should be placed in the center of the area to be served and high enough to get around most obstacles.
Radio Power Levels
On the chance that the signal is actually traveling too far, some access points include power level controls that allow you to reduce the amount of output provided.
Assign Static IP Addresses
While DHCP can be a godsend, a SOHO network is small enough that you can get by without it issuing IP addresses to each host. The advantage to statically assigning the IP addresses is that you can make certain which host is associated with which IP address and then utilize filtering to limit network access to only those hosts.