This is a tutorial for securing your AP/router.

Threats to Wi-Fi Implementations

Because radio waves can penetrate walls, there is a great chance of unauthorized access to the network and data. Because of its broadcast nature, anybody can sniff the network for valuable credentials. If the network is not properly secured, the attacker will get sufficient data to launch an attack.

In brief, the following cases may happen.

i) The attacker may search for available wireless networks in close proximity. If the Access Point (AP) is open, the attacker can use the network without any effort.
ii) The attacker can directly log in to the Access Point using default credentials and configure the device in whatever way he wants.
iii) The attacker can sniff the network for configuration details such as SSID (Service Set Identifier), BSSID (Basic Service Set Identification), encryption used, channel used, etc. He can capture sufficient packets to launch an attack.
iv) The attacker can install a fake Access Point and lure users (for example by advertising free internet access) to connect to the rogue AP.
v) The attacker can disrupt the normal functioning of the network.

Securing AP/Router

As far as a user is concerned, securing the Access Point ensures the primary level of security. This document discusses the configuration settings of an AP/router installed in a typical home network. We have used a ‘Linksys’ WAP 54G and a ‘beetel’ router for this purpose. The configuration settings explained below will secure the AP.

1. Change Administrator Password

An attacker can easily find out the default password, so it must be changed. Ensure that the admin password is strong enough.
Password editing interface of Administrator

2. Prefer Wi-Fi Protected Access (WPA2 Preferably) instead of Wired Equivalent Privacy (WEP)

WPA’s salient features are a strong encryption algorithm, user authentication and support for IEEE 802.1X. Use Wi-Fi Protected Access (WPA) or WPA2 with Pre-Shared Key (PSK) authentication and AES as the encryption standard. The pass phrase should be strong enough.
Interface for configuring Security Mode.
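
As an added example (not part of the original tutorial), the Python sketch below checks a candidate pass phrase and derives the 256-bit key that WPA/WPA2-PSK computes from it. The standard allows 8 to 63 printable ASCII characters and runs PBKDF2-HMAC-SHA1 for 4096 iterations with the SSID as the salt, so a default SSID combined with a weak pass phrase always yields the same, easily guessed key. The 16-character and three-class thresholds are assumed local policy, and all sample SSIDs and pass phrases are constructed.

```python
import hashlib
import string

MIN_LEN = 16        # assumption: local policy, stricter than the 8-char floor
MIN_CLASSES = 3     # assumption: local policy

def check_passphrase(passphrase, ssid):
    """Return a list of problems with a WPA/WPA2-PSK pass phrase (empty = OK)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be printable ASCII")
    if len(passphrase) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation + " ")
    used = sum(any(c in g for c in passphrase) for g in groups)
    if used < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    return problems

def derive_psk(passphrase, ssid):
    """256-bit pre-shared key as hex: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for ssid, phrase in [("HomeNet-7c", "Maple-river 42 lanterns!"),
                         ("HomeNet-7c", "homenet-7c2024"),
                         ("linksys", "password")]:
        issues = check_passphrase(phrase, ssid)
        print(ssid, "OK" if not issues else issues)
        if not issues:
            print("  psk =", derive_psk(phrase, ssid))
```

Because the SSID is the salt, the same pass phrase gives a different key on every differently named network, which is one practical reason to change a factory-default SSID.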
3. MAC Address Filtering

Client access can be permitted or prevented by providing a list of MAC addresses in the “MAC Address filter” configuration parameter. This is known as MAC address filtering. Together with the SSID, this can also be used as a security measure. Select the MAC addresses of all the wireless network interface cards used in the network. The list can be used to permit or prevent wireless access.
Configuring MAC filter

4. Best Practices

There are certain best practices, explained below, which should be followed to enhance the security of wireless Access Points / routers.

i) Restrict the Access

The SSID (Service Set Identifier) identifies the wireless network that a user wants to attach to. All wireless devices that want to communicate on the WLAN need to have their SSID set to the same string as the AP. Even though the attacker can get the SSID simply by sniffing the network, it is preferable to change the default SSID. Avoid an SSID that shows a name or other information. Name the access point so that it can be easily traced during troubleshooting. Physical security of the access point is also important.

ii) Disable Management via Wireless

It is recommended to disable management of the router via wireless devices associated with the access point. If someone manages to associate with the access point and log in to the router, they can change the configuration of the router. Prefer a wired interface to the AP/router for configuring the device.

iii) Disable Remote Management

Remote Router Access permits web-based management of the wireless router from external networks such as the Internet. By default this feature opens port 8080/TCP on the external side of the router. This feature poses a significant risk to the device by providing an attack vector and, more importantly, a significant risk to the internal network. It should be disabled unless remote management is absolutely required. Universal Plug and Play may also be disabled.

iv) Turn off the AP when not in use

This is also advisable since it minimizes the risk of unauthorized access.

v) Configure Network Mode

Select the wireless mode depending upon the protocols in use. The possible options are:

- Disabled – disables AP.
- Mixed – permits both 802.11b and 802.11g.
- B-Only – 802.11b only.
- G-Only – 802.11g only.

vi) Disable SSID Broadcast

This can protect the AP from a naive attacker. By disabling SSID broadcast, the easy availability of the SSID can be restricted. But the attacker can still sniff the SSID from frames that devices use when associating with an AP. According to some vendors, disabling SSID broadcast may either restrict or invite the chance of exploitation.

vii) Set Wireless Channel from default

Changing the default wireless channel used by the AP is a good practice. It may avoid automatic association of the wireless interface to the network.

viii) Maximize the Beacon Interval

Beacon frames are used for connection establishment and management by IEEE 802.11 networks. These frames, transmitted from the AP to wireless clients at regular intervals, are used for configuration matching. It is recommended to set the beacon interval to the maximum number. This will reduce the transmission frequency of the SSID so that the attacker will get fewer opportunities to sniff the beacons containing the SSID. But there is a problem here: the attacker can probe the network using some specific SSID, which is known as active scanning.

ix) Prefer Static IP instead of DHCP

Since DHCP automatically assigns IP addresses, an attacker can utilize this feature to get an IP. So it is recommended to use static IP on wireless networks.