Saturday, January 22, 2005

 

Protect Your Home Wireless Network

For the last three years, every laptop I've owned has had built-in wireless capabilities. When you boot up these computers, they automatically scan for available wireless networks.

I was amazed how many would typically be found. The computer will latch on to the nearest unsecured one. Practically everywhere I went, I would discover my computer had, without any prompting from me, taken it upon itself to locate a source of free Internet access.

The ethics of using such a connection are not clear; if you are just surfing chicagotribune.com, it's not like you're stealing a great deal of bandwidth from its rightful owner. But is it OK to walk uninvited into somebody's home through an open screen door and help yourself to a glass of water on a hot day? It's not OK... and in most places in the United States, it would be rather dangerous!

We have recently moved into a new home. I took the opportunity to order COMCAST cable internet. To the COMCAST-supplied cable modem I attached a basic Linksys WRT54G wireless router. This allows my wife and me the flexibility to access the Internet from anywhere in our home, from any of our various laptop and desktop computers, and PDAs.

The WRT54G also has the welcome effect of acting as a firewall. A firewall allows you out to the Internet for surfing, but prevents uninvited Internet traffic from crossing into your systems.

If you plug your standard Windows computer directly into a cable modem without a firewall in place, you are asking for trouble. As an exercise, I once connected an unpatched laptop running Windows 2000 to the Internet. Within one hour it had three separate executable programs running on it which had been 'inserted' and remotely started by nefarious people somewhere on the Internet, using vulnerabilities in that operating system.

So, with the WRT54G in place, and running the free version of ZoneAlarm on our computers, we're fairly safe from that type of attack.

But I also knew from experience that our Internet connection was now "open for business" for anyone with a wireless card. Even though our house is some distance from our nearest neighbours, I counted nine other wireless networks, most of which were not secured.

So what's the risk? Well, anyone connected to our router could certainly have a go at breaking into other machines likewise connected, as they form part of the same subnet. But they could also use the connection for a variety of activities which they could carry out in complete anonymity, while we would get the blame as it would all trace back to our IP (Internet) address:

- Downloading from illegal, obscene sites
- Song Swapping (hello RIAA/MPAA lawsuit)
- Sending unsolicited commercial email (SPAM)


It amazes me that, given all the publicity surrounding public figures caught with various illegal types of porn on their computers and soccer moms being sued by the RIAA because their kids downloaded the latest Eminem songs, people are not more careful about who they allow to use their Internet connection.

If the feds bust down my neighbour's door and cart away his computer because someone at his IP address was downloading illegal types of porn, he may eventually be able to prove his innocence. Probably not before he's done the 'perp walk' in handcuffs, been named in a press conference by an aggressive publicity seeking prosecutor, lost his job and had the Feds smash up all his equipment, and maybe had DCFS take his children into care.

By now you're probably thinking, maybe I'll stick with wired Internet, and forget the wireless. I don't blame you. But I'm going to describe some steps you can take to reduce the risk that you're sharing your connection with some lowlife.

The WRT54G and, I am sure, any other wireless router worth the name have two key security features which you will enable if you have any sense.

You access the configuration on the WRT54G by opening your favourite web browser and surfing to http://192.168.1.1

You'll be prompted for a username and password. Leave the username blank and enter the default password from your documentation. Hint: if you are lost at this point, stop and get someone more comfortable with computers to help!

Change the default router password

You MUST change this default password to something every ten year old hacker doesn't know. Otherwise anyone who can connect to your router from inside or outside your home can reconfigure it and lock you out.

To do this, click the "Administration" label. In the "Router Password" box enter a password which you'll use in the future to access this configuration page. Enter the same password in the "Re-Enter to Confirm" box and click Save Settings.


Enable Wireless MAC Filter

It's a little known fact that all devices connected directly to TCP/IP networks, which is what the Internet is, have a unique number known as the Media Access Control (MAC) address. You may know that you will be assigned, or can set manually, an IP address (of which 192.168.1.1 is an example). However, the MAC address of your computer's wireless network card is burned in at the factory and is globally unique. That's right - no other piece of hardware on the planet has the same number.

If you're curious and are running Windows XP, 2003, 2000, or NT, you can see what your MAC address is. Start a command prompt and type:

IPCONFIG/ALL

The MAC address is the "Physical Address" that IPCONFIG is talking about. If your computer has a wireless card and also a built in wired Ethernet port, you will see two MAC addresses, one for each. There are ways to discover your MAC address whatever operating system you're running. But fortunately, I don't have to spell all that out in order for you to be able to enable Wireless MAC Filtering on your WRT54G router.

Wireless MAC Filtering is basically you telling the Router: Only allow the following devices on the network. Although people will be able to see your network, your router will reject connections from any hardware whose MAC address is not on a list. Can MAC addresses be spoofed? Almost certainly. Is this foolproof? No security measure is. Will it stop your neighbour's eleven year old kid uploading a huge collection of pirated music and games to the Internet? Unless he's incredibly smart and determined - and there are no other unprotected networks he can use instead - probably.

Click the Wireless tab in the Router setup. Then click "Wireless MAC Filter".

Set "Wireless MAC Filter" to "Enable". Select the "Permit Only" option.

Then ensure all the computers you want to access your wireless network are powered up and click "Edit MAC Filter List". In the window which appears, click "Wireless Client MAC List". You'll see a list of computers the Router can see connected. Does the number of items on the list correspond to the number of computers you own? Any more, and you already have an uninvited guest! Before you dash off a note to your attorney, remember, computers will seek out insecure networks and connect automatically, so don't assume a malicious intent here.

In the "Wireless Client MAC List: Enable MAC Filter" column, check all those computers you recognize. Then click "Update Filter List" and "Close". In the "MAC Address Filter List", provided you can see the MAC addresses you expect, click "Save Settings" to close the window. Then click "Save Settings" on the "Wireless" tab.

Next power off the router and cable modem and wait thirty seconds. Power on the cable modem and wait for a minute. Then power up the router.

You're good to go!
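
The check in the steps above (does every entry in the router's client list belong to a computer you own?) can be done mechanically. The following is an added example, not part of the original post: it reads the "Physical Address" lines from IPCONFIG/ALL output, compares them with a list copied from the router, and also marks any address whose locally-administered bit is set, which means it was assigned in software rather than at the factory. The sample output, the client list and all function names are constructed for illustration.

```python
import re

# Constructed sample of IPCONFIG/ALL output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-01

Ethernet adapter Wireless Network Connection:
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-02
"""
# Constructed entries, as they might be copied from the "Wireless Client MAC List".
SAMPLE_ROUTER_CLIENTS = ["00:11:22:AA:BB:02", "00:11:22:aa:bb:03", "02:11:22:33:44:55"]

def normalize(mac):
    """Return a MAC as lowercase colon-separated hex, whatever separator was used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ipconfig(text):
    """Map adapter name -> normalized MAC from IPCONFIG/ALL text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # unindented "…adapter X:" header
        elif "Physical Address" in line and current:
            m = re.search(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}", line)
            if m:
                adapters[current] = normalize(m.group(0))
    return adapters

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (address assigned in software)."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit_clients(router_clients, known_macs):
    """Sort the router's client list into recognized and unrecognized devices."""
    known = {normalize(m) for m in known_macs}
    report = {"recognized": [], "unrecognized": [], "software_set": []}
    for mac in map(normalize, router_clients):
        report["recognized" if mac in known else "unrecognized"].append(mac)
        if is_locally_administered(mac):
            report["software_set"].append(mac)
    return report

if __name__ == "__main__":
    own = parse_ipconfig(SAMPLE_IPCONFIG).values()
    print(audit_clients(SAMPLE_ROUTER_CLIENTS, own))
```

Only entries that end up under "recognized" belong in the "Permit Only" list.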

