Saturday, 4 September 2004

Lock down your WLAN

SecurityFocus reports (syndicated in The Register) on a man prosecuted for 'war spamming' - driving past buildings, connecting to unprotected wireless networks in order to launder his spam messages.

You should protect your WLAN as strongly as you can. Failing to do so is like putting a network port on the outside of your building with a flashing neon sign pointing to it saying 'Free Internet Here!' or 'Please Attack!'.

There are several steps you can take. First, change your service-set ID (SSID) from the default. The SSID identifies your network. You can also stop the access points from broadcasting the SSID - an attacker would then have to guess it in order to connect - at the cost of having to type it into all your devices.

Secondly, encrypt your traffic. Pick the strongest method your hardware supports:

  • Wireless Protected Access (WPA) using certificates. Impractical unless you've already got a public-key infrastructure, so this is really restricted to corporates
  • Wireless Protected Access with Pre-Shared Key. The strength of the encryption depends on the length of the key, but you might find some disagreement on how long it can be. My router thinks the maximum is 63 characters but Windows thinks 64.
  • Wired Equivalent Privacy (WEP) using 128-bit key.

WEP using a 40-bit key is basically useless - WEP is known to have holes and a 40-bit key can be broken quite quickly.
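To make the key-length point concrete: under WPA with a pre-shared key, the access point and the client never use the passphrase directly. Both derive a 256-bit key from it with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations (this is the IEEE 802.11i definition). The passphrase itself is 8 to 63 printable ASCII characters, whereas the raw key is 256 bits, written as 64 hex digits. A router that only takes a passphrase therefore stops at 63 characters, while a client that also accepts the raw key in hex shows 64. The Python below is an added example written for this page, not code from the post; the helper names and the sample SSIDs are assumptions.

```python
import hashlib
import re
import secrets
import string

# IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # bytes, i.e. 256 bits = 64 hex digits


def is_valid_passphrase(passphrase: str) -> bool:
    """An ASCII passphrase is 8 to 63 printable characters (0x20-0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def is_raw_psk(value: str) -> bool:
    """A 64-digit hex string is the 256-bit key itself, not a passphrase."""
    return re.fullmatch(r"[0-9A-Fa-f]{64}", value) is not None


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key from passphrase and SSID."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the SSID is the salt
        PBKDF2_ITERATIONS,
        PSK_LEN,
    )


def psk_from_config_value(value: str, ssid: str) -> bytes:
    """Accept either form a client may offer: a passphrase or the raw 64-hex key.

    A 64-character value can never be a passphrase (max 63), so there is no
    ambiguity between the two forms.
    """
    if is_raw_psk(value):
        return bytes.fromhex(value)
    return derive_psk(value, ssid)


def generate_passphrase(length: int = 63) -> str:
    """Random maximum-length passphrase; letters and digits only so that any
    router's input form accepts it (63 alphanumerics is already > 256 bits)."""
    if not 8 <= length <= 63:
        raise ValueError("length must be between 8 and 63")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample values; "HomeNet" is not a real network.
    ssid = "HomeNet"
    passphrase = generate_passphrase()
    psk = derive_psk(passphrase, ssid)
    print(f"SSID       : {ssid}")
    print(f"passphrase : {passphrase} ({len(passphrase)} chars)")
    print(f"raw PSK    : {psk.hex()} ({len(psk.hex())} hex digits)")
    # Same passphrase on a different SSID gives an unrelated key.
    print(f"with SSID 'linksys': {derive_psk(passphrase, 'linksys').hex()}")
```

Because the SSID is the salt, the same passphrase on two networks with different SSIDs yields two unrelated keys. That ties the first step above to the second: a network still using a factory-default SSID lets an attacker reuse work done against every other network with that SSID, while a changed SSID forces the full 4096-iteration derivation per guess. Also note that the derivation is the only slow part; the strength of a pre-shared key is then entirely the guessability of the passphrase, so generate it rather than choosing a word.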

If you have Windows XP SP2, try the Wireless Network Setup Wizard in Control Panel. You'll probably have to type (or paste) the keys into the access point configuration, though.

That's pretty good protection, but if you want to go further, some access points also offer access control: only devices with particular hardware MAC addresses - essentially the network card's identity - will be allowed to connect. However, some cards allow the MAC address to be overridden in software, so this protection could be defeated. The attacker doesn't know what might be a valid MAC, though, so he'll have to try lots of possibilities.

Finally you may want to change the router's password to stop someone changing the configuration. This is actually quite low priority, IMO, because the attacker must already have connected.

My feeling is that routers shouldn't work out-of-the-box with WiFi enabled, or if they do, that each router manufactured has a different default SSID and has WPA enabled with a different default key. The router would be supplied with a label and a USB key-drive containing the settings. On-by-default is just too insecure.

1 comment:

Anonymous said...

Nice summary there - just a couple of points to add...

SSIDs and MAC addresses can both be sniffed from the traffic of other hosts, so hiding them or using ACLs isn't foolproof. You could argue that anyone proficient enough to do this will be determined to bypass anything.

Certificate-based security can be achieved using self-signed certs generated using something like openssl; in fact there are scenarios where this is better than using Globalsign/Verisign/etc signed certs.

Changing the router password can help if they provide SNMP services, which plenty of models do. Quite often a hacker can reconfigure the router via SNMP without having to bypass any of the regular client machine protections.

At the end of the day - are you protecting your traffic, or your network? For the former it's as simple as using secure protocols only (SSH, IMAPS, etc). For the latter, prepare for some hoop-jumping is all I can say :-)

-- oliver g (with his hat on).