4. Turn off SSID broadcasting
The Service Set Identifier (SSID) is the name of your wireless network. By default, most WAPs broadcast the SSID. This makes it easy for users to find the network, as it shows up on their list of available networks on their wireless client computers. If you turn off broadcasting, users will have to know the SSID to connect. Some folks will tell you that turning off SSID broadcasting is useless because a hacker can use packet sniffing software to capture the SSID even if broadcasting is turned off. That's true, but why make it easier for them? That's like saying burglars can buy lockpicks, so locking the door is useless. Turning off broadcasting won't deter a serious hacker, but it will protect from the casual "piggybacker" (for example, a next door neighbor who notices the new network and decides to try connecting "just for fun").
5. Turn off the WAP when not in use
This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there's no reason to run the wireless network all the time and provide an opportunity for intruders. You can turn off the access point when it's not in use — such as at night when everyone goes home and there is no need for anyone to connect wirelessly.
6. Change the default SSID
Manufacturers provide a default SSID, often the equipment name (such as Linksys). The purpose of turning off SSID broadcasting was to prevent others from knowing the network name, but if you use the default name, it's not too difficult to guess. As mentioned, hackers can use tools to sniff the SSID, so don't change the name to something that gives them information about you or your company (such as the company name or your physical address).
7. Use MAC filtering
Most WAPs (although not some of the cheapest ones) will allow you to use media access control (MAC) address filtering. This means you can set up a "white list" of computers that are allowed to connect to your wireless network, based on the MAC or physical addresses assigned to their network cards. Communications from MAC addresses that aren't on the list will be refused.
The method isn't foolproof, since it's possible for hackers to capture packets transmitted over the wireless network and determine a valid MAC address of one of your users and then spoof the address. But it does make things more difficult for a would-be intruder, and that's what security is really all about.
For the final three tips, click here...
Talkback
Another option that people should consider is to provide an additional open unencrypted free access to the internet. Restrict the access to LAN resources by providing an additional authentication step. If necessary, restrict the bandwith allocated to the free access so as not to degrade the other users access.
Someone who is trying to access "your network" is probably simply trying to get an internet connection. So simply make it easy for them to get one. Most likely they will then be happy and not spend days trying to break through your security... at which point they would have full access to all your sensitive information.
Providing an additional unsecured Wi-Fi access to the internet might stop casual intruders. Maybe a corporation with a huge amount of bandwidth could spare a little to support such an approach but what of the small business or home user? Do you really have bandwidth to spare? Do you trust strangers to share your connection? In an age of cyberterrorism, internet fraud, spam and paedophilia do you really want to allow others to use your bandwidth for their unapproved and possibly nefarious activities? I don't... I certainly don't want the police turning up on my doorstep having determined my WAN IP address is linked to crimes. I don't want to explain 'it wasn't me' as someone dismantles my PC. I enjoy the benefits of wireless access but I want the exclusivity of Ethernet. It's my bandwidth, mine all mine.
Hi,
I regard myself as tolerably PC literate and act as the PC 'help desk' for my village. In your opening line you state state 'wireless networking is easy to set up'. I agree. However, I suggest you should have then said setting up wireless security is a nightmare and takes us back to the worst days of poor instructions and indecipherable geeky words. There is no common methodology for setting up security. If you get it wrong it can be incredibly difficult to go back and start again because you cannot get the laptop to talk to the router to make the changes. OK, I hear you say connect via an ethernet/USB cable, Where does it tell you to do this - usually by thought transfer or similar.
My advice to most people is enable wirelss securituy at your peril. It might work for a while then you go out log on to somewhere else and guess what, you get home and you cannot log on no matter what you do unless you remove all security and start again.
I would plead for a real campaign to make the wireless router companies write user 'wizards' which hide all the geeky stuff and make it simple to set up. Llike you I do believe it is necessary to enable security. However, for the moment in our quiet rural village its open house for wirelss users.
Simon
scwyatt@tiscali.co.uk
I agree with 'Anonymous iTV Consultant' completely. I have a wireless network at home with 3 devices on it, which was an absolute doddle to set-up.
Then came the security configuration and despite being very PC literate I couldn't even begin to configure the security because whatever I tried effectively 'broke' the wireless connection.
I PM website production and if a site is unusable by Joe Public you can bet that it's a resounding failure, so I'd very much like someone to tell me why PC software companies get away with building unusable rubbish that seems designed specifically to leave security holes through the average user not being able to configure it.