Setting Up A WiFi LAN? Please Protect Yourself!

With an Ethernet LAN, you run cables within your home, and connect your computers and your Internet service. You might run a cable out the back, to your shed or other second building (but please, seriously, plan such connection carefully). But would you run a cable next door, to your neighbor? How about to the neighbor down the block, whom you have yet to meet?

I would bet you just answered "No" to both questions.

Well, with a WiFi LAN, if you don't secure it properly, you might be doing all of the above, and more.

Read about Walter Nowakowski, in Toronto, a couple years ago. Don't expect all of your wireless neighbors to be this stupid. And here's an ongoing Asian story WiFi networks as good targets for exploitation.

The point here is, you need to protect a wireless LAN with more precautions than just the NAT protection on the router. The wireless neighbourhood near you is just as dangerous as the internet around you.

  1. Don't waste time with spells and incantations. Both hiding the SSID, and MAC address filtering, are elaborate forms of security by obscurity. Understand your vulnerabilities.

  2. Require both authentication and encryption for any wireless device. WPA is the minimum level of protection acceptable. Use non-trivial values for encryption. Don't just use words from the dictionary, like the legendary Linksys default "My dog has fleas". Use a properly generated random key.

  3. Enable the router activity log, and examine it regularly. Know what each connection listed represents - you? a neighbor?. Act accordingly.

  4. Don't disable SSID broadcast - some configurations require the SSID broadcast. But change the SSID itself - to something that doesn't identify you, or the equipment.

  5. Change the router management password, and disable remote (WAN) management.

  6. Change the subnet of your LAN - don't use the default.

  7. Disable DHCP, and assign an address to each computer manually.

  8. Install a software firewall on every computer connected to a wireless LAN. Put manually assigned ip addresses in the Local (highly trusted) Zone. Open the firewall for file sharing, only in the Local Zone.

  9. Harden your file sharing security policies, in general.
    • Use non-trivial account names and passwords on every computer connected to a wireless LAN.
    • Disable or delete the Guest userid, if possible (a computer with XP Home is a bad choice for a wireless LAN, connected wired or wireless).
    • Rename Administrator, to a non-trivial value, and give it a non-trivial password.
    • Never use the Administrator renamed account for day to day activities, only when intentionally doing administrative tasks.

  10. Use a Layered Defense on all computers connected to a wireless LAN - not just the ones connected wirelessly. If a wardriver connects wirelessly, all computers on the LAN are at risk.

  11. Stay educated - know what the threats are. Newsgroups alt.internet.wireless and are good places to start.

Protect yourself. Using a WiFi network that's not yours, without permission, is becoming a crime in most locales. But, a crime is not a crime without several essential steps.

  1. Violation. Somebody has to connect illegally to your network.
  2. Detection. The police have to identify and arrest the violater.
  3. Prosecution. The district attorney has to apply the law, to the law breaker, in court.
  4. Conviction. The judge or jury has to decide that all conditions of the law apply to the actions by the lawbreaker.
  5. Sentencing. The judge has to determine a fair penalty to be paid (in time or money) by the violater.

All of the public officials involved in steps 2 - 4, if they are any good, manage their time carefully. When considering an offender, they decide if their time is properly spent against that offender, or against another. If your case, however important to you, isn't important to them, the Violator is free to go, and possibly to continue using your network.

If you leave your LAN unsecured, this will happen over and over. Regardless of who is legally wrong, you have to secure your WiFi. And you have to encourage your neighbors to do the same.