This is going to be a long one. It comes from a debate I had on irc a few days ago. I've heard this time and time again, to increase security, disable SSID broadcast. It's true, if you want to be absolute in your wifi network security, you should disable SSID broadcast. Now let me tell you why I don't.
I like things to work: Yes, in a nutshell this is my primary reason. I like it when I know my Wii can see my wifi network. I like it when my mother brings her iPod over and it works seamlessly. There is something to be said about technology doing what it was designed to do, making my life easier and improving the quality of it. I dislike having to stop what I am doing to troubleshoot a wifi connection, if the device can see the SSID, then I know the hardware is at least functioning somewhat properly. It saves time and effort, something geeks like to do.
How do I secure my wifi network? Simple steps will always work:
1. Change the default password on your router.
This should be the first thing you do. All it takes is determining the router type and someone can lookup the factory username and password. Once they get into your router, find your connected IP, turn off your SPI firewall, and lock you out, well, it's game over. Seriously speaking this keeps so much from happening. Usually you cannot change the default username, but make your password strong. Letters + Numbers + Capitals and for grins throw in a !@#$%& character or two. Make it more than 8 characters too.
2. Change the SSID broadcast name.
Do this as soon as you have changed the default password.
3. Set the radio encryption level to high.
It boils down to this, a wifi network still uses plain old fashioned radio waves for communication (which is why you have channels on your router). Just like regular radio waves they can be intercepted by anyone with the basic knowledge and equipment. Encryption of the radio signal is crucial! When you set the encryption of a router you are encrypting the radio transmission and reception, the information floating (waving) through the air is encrypted. This protects against interception. The current standard for high encryption is WPA2, go as high as you can. This will not stop a determined person, but it will make it extremely difficult, which is the basics of security.
4. Use MAC Filters.
Here is where I depart from the "standard". Each and every device which connects to a network uses a media access control address (MAC). Most modern routers allow a person to setup a list of MACs which will be allowed on the network. If the MAC isn't on the list, it is not allowed on. Now here is the problem with MACs, they can be spoofed, easily spoofed. Here is the counter argument. Most will not take the time to try and discover the connected MACs, they will move on to another target. Spoofing a MAC requires someone to take the time and effort to capture radio traffic, find the correct MAC, and spoof it. Remember if you have done the previous steps, this is just another road block in the way of a intruder. It is better to have it than to not have it. It should not be implemented on its own as a security plan, rather it should be implemented as a part of a security methodology.
5. Check your logs/activity.
So many people do not take the time to review their router. I do mine about once a month, but I take security very seriously. At least check it every few months. There are ways to set routers to email you when certain activity happens. Do so! Just like you check your windows and door by looking at them, do the same for your network.
No comments:
Post a Comment