Tips for beefing up wireless network security
The issue of security continues to be a headache for those wanting to invest in and make use of wireless networks.
This is the view of Paul Luff, country manager, SMC Networks South Africa, who adds that the company, a global provider of LAN hardware and broadband connectivity devices, has some advice that will help users address this key aspect of network management.
According to Luff, security remains a sizeable challenge to the rate of adoption and integration of wireless network infrastructure. However, he believes that by following several technical steps, the user can eradicate many of the problems encountered in ensuring a safe, entirely secure wireless infrastructure.
The first of these steps is to disable broadcasting of the Network Name (SSID). To make it easy for wireless receivers to find their transmitter, most wireless devices are configured by default to broadcast a beacon containing a Service Set Identifier (SSID). This SSID, or network name, can be changed to a private name and can also be hidden (not broadcast). This way, only receivers that know the correct SSID will be able to connect to the wireless network.
The second step covers MAC Address Filtering. “As a form of physical security, it is possible from the router to only allow specified network users to access the wireless network by identifying the unique Ethernet MAC address associated with each network device. This gives a level of security similar to staff access cards and identification badges,” Luff explains.
A third step involves WEP/WPA/WPA2. According to solution developers and expert suppliers at SMC Networks, these abbreviations refer to three different encryption standards that can be used to secure a wireless network:
* Wired Equivalent Privacy (WEP) is not considered secure anymore and should only be used with legacy equipment that does not support WPA/WPA2.
* Wi-Fi Protected Access (WPA) offers a higher level of wireless security, making sure that the data will remain private and access to the network is restricted to authorized users.
* WPA2 has replaced WPA and uses a stronger encryption standard called Advanced Encryption Standard (AES).
Next comes the IEEE802.1x standard, which describes how to provide authentication and authorization using an authentication server that keeps usernames, passwords and user rights to access a network in a central database.
“This way, a wireless router/access point will contact the authentication server first when a device wants to connect to the wireless network. The server checks the user credentials against the database and informs the wireless router/access point if the relevant user is allowed to access the network or not, and what the relevant user rights are,” adds Luff.
As the next step, SMC Networks advocates disabling the DHCP server. The rationale behind this move is that disabling the DHCP server of a wireless router stops it from automatically assigning IP addresses to new devices, including those of potential hackers. Instead, the network administrator has to configure new devices manually with valid IP address information.
Step six involves IP subnetting. IP addresses and subnets in home wireless networks are normally configured so that 254 users can have a valid IP address. For example:
* Router IP: 192.168.2.1
* Computer IPs: 192.168.2.2 to 192.168.2.254
* Subnet mask: 255.255.255.0
For additional security, the router could also be configured with a subnet that allows only 6 IP addresses to be assigned. For instance:
* Router IP: 192.168.2.1
* Computer IPs: 192.168.2.2 to 192.168.2.6
* Subnet mask: 255.255.255.248
This way, the maximum number of devices in the LAN is limited, and an outsider will need to know the subnet used in the network to be able to connect.
Following this move, the next step covers the username and password of the router admin.
“After being connected wirelessly or by wire to the network, the admin interface of the router can normally be accessed by entering its IP address in a web browser. With the help of a username and a password, all router settings can be changed. In order to prevent an intruder from being able to log in to the network router and make configuration changes in the network, it is recommended to change the username (if possible) and the password of the router admin web interface,” Luff continues.
Then the user should change the default IP address range. Experts at SMC Networks note that wireless routers are normally configured, by default, with an IP address of the form 192.168.x.x (for SMC Networks routers, 192.168.2.1).
“If you are thinking of disabling the DHCP server so that the router will not assign IP addresses to devices, you might as well want to change the range of the IP addresses used in your whole network. For example: 10.0.x.x (Router: 10.0.0.1; other devices: 10.0.0.2-254). This way, possible intruders will not know the IP address range and it will be more difficult for them to get connected,” says Luff.
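As an added example (not from SMC Networks or the original article), the Python code below applies the subnetting and MAC filtering steps as an audit: it derives the usable address range from the article's router address and 255.255.255.248 mask, then flags neighbour-table entries that fall outside that range or use a MAC address that is not on the allowlist. The allowlist, the neighbour table and all function names are constructed for illustration.

```python
import ipaddress

# Router address and mask come from the article's subnetting step.
# The allowlist and neighbour table are constructed sample data.
ROUTER_IP = "192.168.2.1"
SUBNET_MASK = "255.255.255.248"
ALLOWED_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}

NEIGHBOURS = [  # (ip, mac) pairs as an ARP/neighbour table would list them
    ("192.168.2.2", "02:00:00:00:00:01"),   # known device, valid address
    ("192.168.2.5", "02:00:00:00:00:99"),   # valid address, unknown MAC
    ("192.168.2.20", "02:00:00:00:00:02"),  # known MAC, outside the subnet
    ("192.168.2.7", "02:00:00:00:00:02"),   # broadcast address of the subnet
]

def lan_network(router_ip, mask):
    """Return the network defined by the router address and subnet mask."""
    return ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)

def usable_hosts(net):
    """Assignable addresses: network and broadcast addresses are excluded."""
    return list(net.hosts())

def audit(neighbours, net, allowed_macs):
    """Return (ip, mac, reasons) for every entry that breaks the policy."""
    hosts = set(net.hosts())
    allowed = {m.lower() for m in allowed_macs}
    findings = []
    for ip, mac in neighbours:
        reasons = []
        if ipaddress.ip_address(ip) not in hosts:
            reasons.append("address outside usable range")
        if mac.lower() not in allowed:
            reasons.append("MAC not on allowlist")
        if reasons:
            findings.append((ip, mac, reasons))
    return findings

if __name__ == "__main__":
    net = lan_network(ROUTER_IP, SUBNET_MASK)
    hosts = usable_hosts(net)
    print(f"{net}: {len(hosts)} usable addresses, {hosts[0]} to {hosts[-1]}")
    for ip, mac, reasons in audit(NEIGHBOURS, net, ALLOWED_MACS):
        print(f"FLAG {ip} {mac}: {'; '.join(reasons)}")
```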