This is going to be a long one. It comes from a debate I had on irc a few days ago. I've heard this time and time again, to increase security, disable SSID broadcast. It's true, if you want to be absolute in your wifi network security, you should disable SSID broadcast. Now let me tell you why I don't.
I like things to work: Yes, in a nutshell this is my primary reason. I like it when I know my Wii can see my wifi network. I like it when my mother brings her iPod over and it works seamlessly. There is something to be said about technology doing what it was designed to do, making my life easier and improving the quality of it. I dislike having to stop what I am doing to troubleshoot a wifi connection, if the device can see the SSID, then I know the hardware is at least functioning somewhat properly. It saves time and effort, something geeks like to do.
How do I secure my wifi network? Simple steps will always work:
1. Change the default password on your router.
This should be the first thing you do. All it takes is determining the router type and someone can lookup the factory username and password. Once they get into your router, find your connected IP, turn off your SPI firewall, and lock you out, well, it's game over. Seriously speaking this keeps so much from happening. Usually you cannot change the default username, but make your password strong. Letters + Numbers + Capitals and for grins throw in a !@#$%& character or two. Make it more than 8 characters too.
2. Change the SSID broadcast name.
Do this as soon as you have changed the default password.
3. Set the radio encryption level to high.
It boils down to this, a wifi network still uses plain old fashioned radio waves for communication (which is why you have channels on your router). Just like regular radio waves they can be intercepted by anyone with the basic knowledge and equipment. Encryption of the radio signal is crucial! When you set the encryption of a router you are encrypting the radio transmission and reception, the information floating (waving) through the air is encrypted. This protects against interception. The current standard for high encryption is WPA2, go as high as you can. This will not stop a determined person, but it will make it extremely difficult, which is the basics of security.
4. Use MAC Filters.
Here is where I depart from the "standard". Each and every device which connects to a network uses a media access control address (MAC). Most modern routers allow a person to setup a list of MACs which will be allowed on the network. If the MAC isn't on the list, it is not allowed on. Now here is the problem with MACs, they can be spoofed, easily spoofed. Here is the counter argument. Most will not take the time to try and discover the connected MACs, they will move on to another target. Spoofing a MAC requires someone to take the time and effort to capture radio traffic, find the correct MAC, and spoof it. Remember if you have done the previous steps, this is just another road block in the way of a intruder. It is better to have it than to not have it. It should not be implemented on its own as a security plan, rather it should be implemented as a part of a security methodology.
5. Check your logs/activity.
So many people do not take the time to review their router. I do mine about once a month, but I take security very seriously. At least check it every few months. There are ways to set routers to email you when certain activity happens. Do so! Just like you check your windows and door by looking at them, do the same for your network.
Wednesday, September 15, 2010
Monday, September 13, 2010
Fall Personal Project: Update 1
So the fall home NIDS project is going well. I have removed the old router and replaced it with a newer Netgear b/g/n router. I also took the opportunity to do some cable management.
There is one feature I wish manufacturers would add to the routers and that is to export the machine address ACL to a file. It would have been really nice. As it s I just copied the table from the html, but still, since I use MAC ACL filters, it would make things easier.
So the 10/100 hub is on the way, I will order my dell zino this week after I finish some papers which are due. I would really like to thank all the folks over at the snort forums for their assistance and guidance in this project. They really know what they are doing.
I spent some time this weekend looking up the literature in some major journals on snort usage. I'm almost positive that my final dissertation will somehow involve the use of snort, but I'm not sure how yet.
More updates as the equipment comes to me. I will post a topology diagram later on the next update once I make sure everything is running.
There is one feature I wish manufacturers would add to the routers and that is to export the machine address ACL to a file. It would have been really nice. As it s I just copied the table from the html, but still, since I use MAC ACL filters, it would make things easier.
So the 10/100 hub is on the way, I will order my dell zino this week after I finish some papers which are due. I would really like to thank all the folks over at the snort forums for their assistance and guidance in this project. They really know what they are doing.
I spent some time this weekend looking up the literature in some major journals on snort usage. I'm almost positive that my final dissertation will somehow involve the use of snort, but I'm not sure how yet.
More updates as the equipment comes to me. I will post a topology diagram later on the next update once I make sure everything is running.
Tuesday, September 07, 2010
Fall Personal Project
So this fall's personal project will be to install a personal IDS at my home, then try like crazy to penetrate it. Snort snort snort. After writing several papers on the software I have come to respect it even more.
I often check the basics of a site or of a home network setup by using the "shields up" but I know that my router kills the majority of the traffic which the service tests for in a vulnerability test. I am looking to setup a fully functioning DMZ with a snort based NIDS and then slam it until I can break it (without cheating of course). I have ordered a new router simply because I have been a little lapse on keeping my encryption as strong as I can and it's time to do so. I also reall like some of the new functions in netgear's newer routers which allows the creation of a DMZ out of the box.
Also, I will probably use Ubuntu and some sort of small form factor like a mac mini or a dell zino since I need power to be a consideration. I would love to keep it in the ubuntu family line though, I need to beef up my skills in administrating one since it has been almost a year since I set a box up with ubuntu.
We will see how it goes. I will post to a page here or keep it updated in the blog.
Subscribe to:
Posts (Atom)