Monday 15 December 2014

How to Secure Your Wireless Network?


Almost all of us have jumped onto someone else's unsecured Wi-Fi network. There's little harm in that if you're just an honest soul looking for an Internet connection.



But if you're the owner of an unsecured network, you should be aware that the world's not made up entirely of honest souls--and it's not hard for the dishonest ones to see exactly what you're doing on your network. Sound scary? Here's how to fix the problem.

Q. What are WEP and WPA encryption, and which should I use?

A. The first line of defense for your Wi-Fi network is encryption, which encodes the data transmitted between your PC and your wireless router. Unfortunately, most routers ship with encryption turned off, and many users don't turn it on, leaving themselves completely exposed. If you haven't already, enable your router's encryption, and use the strongest form supported by your network. The Wireless Protected Access (WPA) protocol and more recent WPA2 have supplanted the older and less-secure Wireless Encryption Protocol (WEP).
Go with WPA or WPA2 if at all possible, since WEP is relatively easy to crack. (You have to use the same form on all devices on your network; you can't mix WEP and WPA.) The keys used by WPA and WPA2 change dynamically, which makes them nearly impossible to hack. Use a strong password for your encryption key, such as a combination of letters and numbers of 14 characters or more.
If you have an older router that supports WEP only, you'll be safest if you use 128-bit WEP keys--but also check the manufacturer's Web site for a firmware update that will add WPA support. If it doesn't look like an update is likely, consider replacing old adapters and routers with newer models that support WPA. Look for a router that supports the hybrid WPA + WPA2 mode, which lets you use the stronger WPA2 encryption with adapters that support it, while still maintaining compatibility with WPA adapters.
Make sure you change the default network name and password on your router. Doing so will make it much more difficult for hackers to break into your router and commandeer its settings.

Q. If my router has a firewall, why do I need these added security measures?

A. The firewall built into your router prevents hackers on the Internet from getting access to your PC. But it does nothing to stop people in range of your Wi-Fi signal from getting onto your network--and with the latest high-performance equipment, your Wi-Fi signal could reach clear down the block. Without encryption and other protective measures, anyone can use readily available tools to see all your Wi-Fi traffic.
For extra protection, you should run software firewalls on the individual PCs on your network. Some good options are Zone Labs' ZoneAlarm, available as a free download or in the ZoneAlarm Internet Security Suite 2006, and Agnitum's Outpost Firewall Free.

Q. How can I secure my notebook at public Wi-Fi hotspots?

A. Since public hotspots generally don't use encryption, you should assume that anyone can see your Internet traffic unless you take precautions.
  • Make sure it's a legitimate hotspot: Nefarious types have been known to set up pirate routers with familiar SSID names like "wayport" or "t-mobile," and then use them to capture unsuspecting users' log-on information and other private data.
  • Verify that your PC's software firewall is turned on, and that Windows' file-sharing feature is off; it's off by default in Windows XP with Service Pack 2. To check this setting, open Control Panel and choose Windows Firewall (you may have to click Security Center first in XP or Security in Vista). In XP, select the Exceptions tab, and look in the Programs and Services list to make sure "File and Printer Sharing" is unchecked. In Vista, click Change settings, then select the Exceptions tab and follow the instructions for XP.
  • Never send bank passwords, credit card numbers, confidential e-mail, or other sensitive data unless you're sure you're on a secure site: Look for the lock icon in the bottom-right corner of your browser, as well as a URL in the address bar that begins with https. Such sites build in their own encryption.
  • Always turn your Wi-Fi radio off when you're not at a hotspot: Hackers can use it to create peer-to-peer Wi-Fi connections with your computer and access it directly.
  • For better security, consider signing up for a paid subscription to a hotspot network such as Boingo or T-Mobile. Both companies provide connection software that encrypts your sessions automatically.
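The "make sure it's a legitimate hotspot" check above can be partly automated. The sketch below is an added example, not part of the original article: it runs over constructed scan results and flags network names that appear with mixed security modes or, for networks you have recorded as trusted, with an access point you have not seen before. The `SCAN` data, the `TRUSTED` record and the function name are hypothetical.

```python
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, security) as a Wi-Fi scanner might list them.
SCAN = [
    ("t-mobile", "00:11:22:33:44:55", "WPA2"),
    ("t-mobile", "02:aa:bb:cc:dd:ee", "OPEN"),
    ("HomeNet-7731", "00:11:22:aa:bb:01", "WPA2"),
    ("HomeNet-7731", "00:11:22:aa:bb:09", "WPA2"),
    ("CoffeeShop", "00:de:ad:be:ef:01", "OPEN"),
]

# Hypothetical record of networks you trust: SSID -> (known BSSIDs, expected security).
TRUSTED = {"HomeNet-7731": ({"00:11:22:aa:bb:01"}, "WPA2")}


def find_suspicious(scan, trusted):
    """Return (ssid, reason) pairs for networks that deserve a second look."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid.lower(), security.upper()))

    findings = []
    for ssid, aps in sorted(by_ssid.items()):
        # The same name offered both open and encrypted is a classic sign of a copy.
        modes = {security for _, security in aps}
        if len(modes) > 1:
            findings.append((ssid, "mixed security: " + "/".join(sorted(modes))))
        if ssid in trusted:
            known, expected = trusted[ssid]
            for bssid, security in aps:
                if bssid not in known:
                    findings.append((ssid, f"unknown access point {bssid}"))
                if security != expected:
                    findings.append((ssid, f"{bssid} offers {security}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for ssid, reason in find_suspicious(SCAN, TRUSTED):
        print(f"{ssid}: {reason}")
```

A clean result is not proof of legitimacy, because an access point's hardware address can be copied as easily as its name; treat the findings as prompts to ask the venue, not as a verdict.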

Q. What's a VPN, and how do I get one?

A. The best way to protect a public wireless link is by using a virtual private network, or VPN. VPNs keep your communications safe by creating secure "tunnels" through which your encrypted data travels. Many companies provide VPN service to their mobile and offsite workers, so check with your IT department for connection instructions.
You can also use a paid service such as Boingo's Personal VPN (free trial with Boingo subscription, $30 to keep), JiWire Hotspot Helper (10-day free trial, $25 per year) or Witopia personalVPN ($40 per year). All three of the services are simple to install and use.
You have one more security option: If you don't mind connecting through your home or office PC, you can log in to a public hotspot securely by using such remote-access programs as LogMeIn or GoToMyPC.

Steps

  1. Connect to your router via your browser by entering its Gateway IP Address.
    • To find your Gateway IP Address and connect to it in Windows
      • Click Start > Run > type 'cmd' > Click 'Enter'
      • Once the Command Prompt window opens, type 'ipconfig /all' and hit 'Enter'
      • Locate the line labeled 'Gateway' and make note of the number that follows. It will look similar to '192.168.1.1'
      • Open Internet Explorer (or your favorite browser)
      • Enter the Gateway IP Address into the address bar and click 'Enter'
    • To find your Gateway IP Address and connect to it on a Mac
      • Open your Finder and run 'Terminal' inside of Applications > Utilities
      • Once the terminal window opens, type 'route -n get default' and hit 'Enter'
      • Locate the line labeled 'Gateway' and make note of the number that follows. It will look similar to '192.168.1.1'
      • Open Safari (or your favorite browser)
      • Enter the Gateway IP Address into the address bar and click 'Enter'
  2. Enable encryption on your access point. Using 128-bit encryption or higher makes your Wireless Network more secure. WEP and WPA are entirely different encryption schemes. WEP has been proven insecure and can be cracked in a few minutes using free utilities that can be downloaded from the Internet. Using at least WPA is recommended, because it is much more secure, but it is sometimes a bit harder to set up correctly than WEP is, and isn't completely secure.[1][2] Some older access points or wireless cards do not support WPA2. If you have one of these, it is recommended that you purchase a newer one that supports WPA2, depending on how important you consider your security. However, WPA2 still uses a static Pre-Shared Key, which is easy to capture and break. You have an option to use a very long network password (at least 10 alphanumeric characters) or use a RADIUS server and the WPA2-Enterprise mode, which uses a username/password combination and generates a temporary session encryption key. As it might be challenging to configure your own authentication server, you might want to use a commercial Virtual RADIUS server.[3]
  3. Set the router access password. Anybody who gains access to the router configuration settings can disable the security you have set up. If you forget the password, most routers have a hardware reset that will restore all of the settings to factory defaults. The best option is to use a random sequence of the maximum length of characters - you only have to type that once, so it is not a big thing. When you connect to the router via LAN cable while setting it up, you can copy and paste the password onto the router and onto your local setting, so you never need to type it again.
    • Use a secure password. Don't use easily guessed passwords for your WPA2 or router access passwords, such as "ABC123", "Password", or a string of numbers in order. Use something hard to guess that contains both upper and lowercase letters as well as numbers. Special characters such as !@#$% are not supported by some routers. The longer the key, the better, although the WPA2 key has a minimum and maximum length. Try to make a little mental effort -- good passwords might be hard to remember, but they are harder to crack.
    • If you use a weak key then even WPA and WPA2 can be easily cracked within a day using a combination of special precomputed tables and dictionary attacks. The best way to generate a secure key is to use an offline random number generator or write the entire alphabet in uppercase and lowercase and numbers 0-9 on separate pieces of paper, mix the paper up and randomly pick up pieces and return them, mixing them up again each time; each character you pull out becomes a character in your key. You can also try throwing a pair of dice and using the resulting numbers as your password.
  4. Change the Service Set Identifier (the network name or "SSID") from the default to something unique. A default SSID indicates to hackers that the network was set up by a novice and that other options (such as the password) are also left as the default. Use a name you can remember and identify, as the SSID has no influence on the security of your network (not even if you choose not to broadcast it).
  5. Enable MAC Address filtering on your Access Point or router. A MAC (not to be confused with the computer model 'Mac') address is a code unique to every wireless networking card in existence. MAC Address filtering will register the hardware MAC Address of your networked devices, and only allow devices with known MAC Addresses to connect to your network. However, hackers can clone MAC addresses and still enter your network, so MAC address filtering should not be used in place of proper WPA2 encryption.
  6. Don't disable the 'SSID Broadcast' feature of your Access Point or router. This seems counter-intuitive, but disabling it is actually a bad idea.[4] Although this would make your network invisible to your neighbors, any determined hacker can still sniff out your SSID; and you are implicitly forcing your computer to shout out your SSID anywhere you are, while it is trying to connect to it. Anyone could then impersonate your router with that SSID, and get your credentials that way.
  7. Disable remote login. The first router worm brute forces its way into the router in this manner. Most default usernames are set to Admin. It isn't hard for a virus/worm to crack the password if the username is known. The good thing is that routers normally have this disabled by default. Be sure to confirm that it is disabled when you first set up your router and periodically thereafter. If you need to update your router settings remotely, only set up access for the time you are going to be connected.
  8. Disable wireless administration. Finally, change the setting that allows administering the router through a wireless connection to 'off' (meaning that you need to connect with a LAN cable for administration). This disables any wireless hacking into the router.
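The key-generation advice in step 3 (an offline random generator, or dice) can be carried out with a few lines of Python. This is an added example, not part of the original article; the function names are hypothetical, and the 8 to 63 character range is the standard WPA2 passphrase limit that the step refers to as the key's minimum and maximum length.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits          # no !@#$%: some routers reject them
DICE_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols = 6 x 6 ordered rolls
WPA2_MIN, WPA2_MAX = 8, 63                               # WPA2 passphrase length limits
WEAK = {"abc123", "password"}                            # weak examples named in the text


def audit(passphrase):
    """Return the problems found; an empty list means none of these checks fired."""
    problems = []
    if not WPA2_MIN <= len(passphrase) <= WPA2_MAX:
        problems.append("length outside WPA2 range 8-63")
    if passphrase.lower() in WEAK:
        problems.append("well-known weak password")
    if passphrase.isdigit() and passphrase in "01234567890123456789":
        problems.append("digits in sequence")
    kinds = (str.islower, str.isupper, str.isdigit)
    if not all(any(kind(c) for c in passphrase) for kind in kinds):
        problems.append("missing upper case, lower case or digit")
    return problems


def generate_passphrase(length=24):
    """Alphanumeric passphrase from the OS CSPRNG, redrawn until audit() is clean."""
    if not WPA2_MIN <= length <= WPA2_MAX:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit(candidate):
            return candidate


def from_dice(rolls):
    """Turn ordered pairs of die rolls (1-6 each) into characters.

    The ordered pair is used, not the sum, so all 36 characters are equally likely.
    """
    if len(rolls) % 2 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need an even number of rolls, each 1-6")
    pairs = zip(rolls[0::2], rolls[1::2])
    return "".join(DICE_ALPHABET[(a - 1) * 6 + (b - 1)] for a, b in pairs)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)
```

A dice-built key has no upper-case letters, so `audit()` will flag it; its strength comes from length, at about 5.2 bits per pair of rolls.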

Tips

  • You need to set the same WPA2 Settings on your computer and router.
  • Check your Access Point or Router's documentation on how to enable or disable security features.
  • You may need to upgrade the Firmware of your Access Point or Router if it doesn't have any of these features. In some situations, you will need to purchase a new Access Point.

Warnings

  • Disable 'File and Printer Sharing' in the wireless 'Connection Properties' for your portable computer. Only use the 'Client for Microsoft Networks' half of Microsoft's file sharing. This means that your portable must connect to a machine that shares file/folders in order to access things, and that OTHER computers can't ask to connect to your portable to access files on your machine. At least not through Microsoft's 'File Sharing'. Other running services and back doors may exist.
  • A user with a 'cantenna' can access your wireless network from a very long way off. Just because your notebook doesn't get a signal on the porch doesn't mean someone else can't access or monitor your network from a mile away, meaning that even though you don't think anyone in your neighborhood would break into your network, someone far away might.
  • Certain versions of Windows don't have individual wireless settings for different wireless domains. This means that the settings that 'share' files at home with your LAN will 'share' files with anybody else's wireless network, even a wireless network masquerading as one you trust.
  • Be sure to register all devices on your network, including computers, laptops, media players, and networked storage if you are using MAC filtering. Also, be sure to enter the MAC addresses correctly, because if you enter the wrong ones, you will not be able to connect the computer to the router to change them back and you will need to reset the router. Some routers allow you to save them while they are connected.
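Because a mistyped entry in the MAC filter can lock you out, it helps to validate the list before entering it into the router. The following is an added example, not part of the original article: it normalizes the common ways a MAC address is written, rejects malformed and duplicate entries, and flags addresses whose first byte marks them as software-assigned (such an address can change, after which the filter would stop recognizing the device). The device labels and addresses in `ENTRIES` are constructed.

```python
import re

# Constructed sample entries: (device label, address as copied from the device).
ENTRIES = [
    ("laptop", "00-1A-2B-3C-4D-5E"),
    ("nas", "001a.2b3c.4d5f"),
    ("phone", "DA:A1:19:00:00:01"),
    ("tv", "00:1A:2B:3C:4D:5G"),          # typo: G is not a hex digit
    ("laptop-wifi", "00:1a:2b:3c:4d:5e"),  # same card as "laptop"
]


def normalize_mac(text):
    """Return the address as 'aa:bb:cc:dd:ee:ff' or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_entry(text):
    """Normalize one address and describe anything unusual about it."""
    mac = normalize_mac(text)
    first_byte = int(mac[:2], 16)
    notes = []
    if first_byte & 0x01:
        notes.append("multicast bit set: not a valid device address")
    if first_byte & 0x02:
        notes.append("locally administered: may be randomized or software-set")
    return mac, notes


def build_allowlist(entries):
    """Return ({mac: (label, notes)}, [(label, reason rejected)])."""
    allow, rejected = {}, []
    for label, raw in entries:
        try:
            mac, notes = check_entry(raw)
        except ValueError as err:
            rejected.append((label, str(err)))
            continue
        if mac in allow:
            rejected.append((label, f"duplicate of {allow[mac][0]}"))
        else:
            allow[mac] = (label, notes)
    return allow, rejected
```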

 By: Wejdan Al-Tuwairqi
