Sunday, March 4, 2012

How to protect your home wireless

Nowadays most, if not all, of the small routers provided to connect a DSL or cable connection include a wireless access-point. Developed to facilitate the connection of multiple devices, the access-point also changed the security landscape by extending the area of reception.

With a wired network, it is easy: in order to connect to a network, you need physical access to a port on a hub, a switch or a router. This limits the possibility for someone outside a house to connect: to do that, the person would have to run a cable through walls and concrete.

However, with a wireless network, those boundaries don't exist anymore: the radio waves can get through brick, walls, glass and wood and still be demodulated by a wireless card. As a result, some layers of protection are needed to prevent any undesired presence on a home wireless network.

First, what are the risks? Well, there is the risk that someone uses your wireless network to commit abuse on the Internet: visits to less than reputable web sites, downloads of protected material, spam, distribution of malware. The list is almost endless. In addition to that, someone on your internal network may also abuse your local resources: for example, misuse a network printer, access your files or plant a virus on your computer.

The first protection that was devised for wireless devices is WEP (Wired Equivalent Privacy). A key is entered on both the access-point and the network clients to allow the access. Unfortunately, a flaw was present in the design and can be exploited to "crack" a network and find the key.

All recent devices offer another mode, called WPA (Wi-Fi Protected Access), followed by WPA2. It avoids WEP's flaw by using proven encryption algorithms, such as TKIP or AES. WPA/WPA2 requires a key shared between the access-point and the networked clients. That key, of course, needs to be robust and chosen with the same care as a password: although it is tempting to use something easy, an easy key also makes an intruder's job simpler, because it can be guessed from a list of common words.
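As an added example (not part of the original post), a small Python check for a candidate pre-shared key: it enforces the 8 to 63 printable-ASCII limits of a WPA/WPA2 passphrase, rejects choices built on a common word or on the network name, and generates a random alternative. The word list, the `HomeNet` network name and the function names are constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample of common choices; a real check would load a much larger list.
COMMON_WORDS = {"password", "welcome", "internet", "wireless", "letmein", "qwerty", "12345678"}

# A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits


def check_passphrase(candidate, ssid=""):
    """Return a list of problems; an empty list means none were found."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in candidate):
        problems.append("only printable ASCII characters are allowed")
    # Drop trailing digits and punctuation so "Password2012!" is seen as "password".
    core = candidate.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON_WORDS or candidate.lower() in COMMON_WORDS:
        problems.append("based on a common word")
    if ssid and ssid.lower() in candidate.lower():
        problems.append("contains the network name")
    if len(set(candidate)) < 5:
        problems.append("too few distinct characters")
    return problems


def generate_passphrase(length=20):
    """Build a random passphrase from letters and digits using the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample candidates, plus one generated passphrase.
    for pw in ("Password2012!", "HomeNet-wifi", generate_passphrase()):
        print(repr(pw), check_passphrase(pw, ssid="HomeNet") or "ok")
    print(f"20 random characters: about {entropy_bits(20):.0f} bits")
```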

In addition to that, almost all devices offer a way to filter which devices connect to the network, based on their MAC addresses. The MAC address is the physical identity of a network card and is unique worldwide.

To do
  • Select WPA/WPA2 instead of WEP
  • Set a strong and secure password for the pre-shared key
  • (optional) Create a MAC filter and allow only your devices

Happy Surfing!