
Wireless Network Security

A self-instructional module

Will Dressler, Ryan Garcia, Branden Hazlet

ETEC 603, P. Leong

February 2008

Table of Contents

Module Pre-test

Introduction

Chapter 1: Securing Your Router Interface
    Review
    Review Key and Explanations

Chapter 2: Wireless Encryption
    Review
    Review Key and Explanations

Chapter 3: SSID Broadcast
    Review
    Review Key and Explanations

Chapter 4: MAC Address Filtering
    Review
    Review Key and Explanations

Module Pre-test

Please take this brief Pre-test so that we can assess your knowledge before you begin the module.

1. When a wireless router performs an “SSID broadcast,” what does it do?

A. It sends out a code linked to a time signature for address resolution.

B. It provides an interface console IP address for access via the web.

C. It broadcasts the identification number of the machine's network interface card physical address.

D. It sends out a signal to identify itself by name and ‘introduce’ its signal to computers in the area.

2. If you disable the SSID Broadcast from a wireless router, you have prevented…

A. NICs with unregistered MAC addresses from accessing your router.

B. hackers from decoding your encryption passphrase.

C. virus infected machines from accessing your registry keys.

D. computers from automatically detecting the existence and name of your network signal.

3. What is the function of a MAC Address?

A. It is a 12 character address used to allow other computers to find the location of your web page.

B. It is a unique and never changing address used for identification on a Network Interface Card.

C. It is a code for encrypting a signal so that people without the appropriate ‘passphrase’ cannot decode your message.

D. It is a network protocol used to resolve GPS coordinates into a Physical Address.

4. MAC Address Filtering is a wireless security strategy that uses…

A. a list of pre-approved computer identification numbers to block out any unapproved computers.

B. a code for encrypting a signal so that people without the appropriate ‘passphrase’ cannot decode your message.

C. a network protocol used to block machine coordinates that do not have the right registration on the domain.

D. an electronic camouflage to hide wireless information among the radio waves and cell phone signals that otherwise would be filtered out.


Introduction

Two relevant trends are coinciding in the technology industry: cyber-crimes are on the rise and wireless routers are becoming dramatically more common as they continue to come down in price. The decrease in price of wireless routers has led to a proliferation of unsecured wireless networks in the homes and offices of people who don't understand wireless security concepts. While all brands of routers come with basic “how-to” instructions that allow the user to navigate the router management interface, the instructions do not explain the concepts behind the router options to create a layered approach to wireless security.

In this module you will learn about the concepts underlying four different strategies of wireless security. These four strategies include: limiting router interface access, disabling SSID broadcast, MAC address filtering and wireless encryption. Taken alone, each of these components can provide some minimal protection to your wireless network, but when used in combination, they will provide substantial protection using ‘layers’ of different defense strategies. Much as a home burglar looks for easy prey, such as homes that have open doors or windows, hackers look for unprotected or weakly protected networks to steal confidential information. Understanding how a layered approach to wireless security works can help you prevent unwanted access to your network and the possible theft of personal information.

To introduce the concepts behind these four strategies we will continue with the more familiar metaphor of home security. Specifically, we will use a metaphor based on strategies for securing the most important documents in your home -- i.e. financial records, passports, birth certificates, memorabilia, etc.

Obviously the first step to securing your documents within your home is simply to control access to your home – shut and lock your doors and windows. This basic strategy of home security parallels wireless security in terms of ‘limiting access to your wireless router interface’: simply shut and lock the door to your router to prevent the easiest path of unwanted access.

In this metaphor, your door key will be a unique and complex password for your router interface access.

A second level of defense in our metaphor of securing your home documents would be ‘hiding’ the documents, possibly even camouflaging them in a compartment behind a framed photograph or poster. In terms of wireless security the analogous strategy would be ‘disabling SSID broadcast,’ a strategy that essentially ‘hides’ the signal coming from your wireless router so that it is not as easily discovered by people searching for a connection. If someone were to find your network, as if they were to find your documents, they could easily access your information. However, just by hiding the signal through disabling the SSID broadcast you make your information a good bit harder to get to.

Our third comparison of home document security and wireless security is based on secret codes. For your sensitive financial information, including account numbers and PIN number for ATM cards, you might want to confuse anyone who discovered these records by adding 5 to every number; for example if your PIN number was 4-2-1-1, you could record it in your records as 9-7-6-6. Thus even if someone found your records they still wouldn't know your PIN number unless they could figure out that the secret to ‘decode’ the PIN number was to subtract 5 from the written information to get the correct information. The equivalent wireless security strategy is ‘encryption,’ whereby information passed between a computer and the router is incomprehensible unless the computer knows the ‘key’ for the secret code.

Our final security metaphor is the coup de grâce: in terms of home document security it might be considered a little home vault or safe that requires a fingerprint ID to open. No one would be able to access the documents unless their fingerprint was preapproved to open the safe. In terms of wireless security this metaphor represents MAC address filtering, essentially using a ‘fingerprint’ from the computer to check against a preapproved list of computers allowed to access the wireless router.

Taken individually, each of these components provides some basic security, but taken together, the combination of each of these unique strategies adds up to a powerful multilayered security system which would prevent all but the most skilled and lucky burglar from infiltrating your information. If your documents are locked securely behind your doors and windows, hidden behind a picture on the wall, encoded in secret cryptography, and locked in a fingerprint accessed vault -- you might fairly say you have ‘document security.’ Likewise a wireless router employing interface access limits, disabled SSID broadcasting, encryption and MAC address filtering can be considered fairly secure. In both cases there is no such thing as absolute security, but by correctly employing many different layered strategies your degree of total security is improved tremendously.

Chapter 1: Securing Your Router Interface

Review

Review Key and Explanations

These Chapters are intentionally left blank.

Chapter 2: Wireless Encryption

Review

Review Key and Explanations

These Chapters are intentionally left blank.


Chapter 3: SSID Broadcast

Chapter 3 has two skill sets for you to master:

• Section A. Identify the function of an SSID.

• Section B. Determine how disabling the SSID Broadcast can contribute to wireless security.

Section A. Identify the function of an SSID

Service Set Identifiers (SSIDs) are the ‘Names’ of wireless routers. To have a computer talk to the router, the computer first must know that the router exists and then must know the name, SSID, of the router. To make it easy to connect to a wireless router, the router usually sends out a ‘broadcast’ that is picked up by all wireless computers within range; this broadcast is essentially the router introducing itself, “Hello, my name is (some SSID) and I'm here to connect with you if you want.” Initially, almost all routers come with the default SSID of the manufacturer's name, i.e. Dlink, Linksys, Cisco, Netgear, 3Com, etc. Leaving the default name intact is a clue for any hacker that the network is not secure and it often can give them easy access to the default router interface username and password, which can be easily found from manufacturers' websites.

Example and Non-Example: If there are two wireless routers in a neighborhood, Router A and Router B, when a laptop scans for wireless signals, it will detect these two separate signals according to their SSID. For example, Router A may have the default factory name of “Linksys”, while Router B could have the name “Gypsy Radio”.

In the case of Router A, “Linksys”, it still has the default SSID provided by the manufacturer. The SSID gives away the manufacturer of the router, which can be used to search the internet for the default administrator username and password. Router B, on the other hand, has a unique SSID, “Gypsy Radio”, which prevents hackers from knowing the manufacturer and the associated default password of the router. A hacker would more easily infiltrate Router A.


Section B. Determine how disabling the SSID Broadcast can contribute to wireless security

To refer back to our metaphor of securing your home documents, the second level of defense, after closing your doors and windows, would be to hide your documents. For instance, you might hide them by putting them in a compartment that is camouflaged behind a framed photograph hung on the wall. In terms of wireless security the analogous strategy would be ‘disabling SSID broadcast,’ a strategy that essentially ‘hides’ the signal coming from your wireless router so that it is not as easily discovered by people searching for a connection. If someone were to find your network, as if they were to find your documents, they could easily access your information. However, just by hiding the signal by disabling the SSID broadcast you make your information a good bit harder to get to.

If “Disable the SSID broadcast” is selected in the router interface, the router is prevented from sharing its name and availability. Therefore, most computers won't ‘discover’ the existence of the router and wireless signal, much less connect to it.

Example and Non-Example: There are two wireless routers in the room, Router X and Router Y. Both X and Y are internet connected and neither requires a password. The routers are configured exactly the same except for the SSID broadcast settings: Router X has SSID broadcast enabled, while Y has SSID broadcast disabled. When a laptop is turned on in the room, it will only detect one signal: Router X. The laptop will not detect a signal from Router Y because Router Y is not broadcasting its SSID. Router Y is essentially hidden from the laptop; therefore, Router Y is more secure because disabling its SSID broadcast has made it harder to find.
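Added example (not part of the original module): a short Python audit sketch that shows where the SSID sits inside a router's beacon broadcast and flags the two conditions discussed in Sections A and B, a default manufacturer SSID and a disabled (blanked) SSID broadcast. The frames, hardware addresses and function names are constructed for illustration.

```python
import struct

# Manufacturer default SSIDs named in this module, compared case-insensitively.
DEFAULT_SSIDS = {"dlink", "linksys", "cisco", "netgear", "3com"}

BEACON_FC0 = 0x80     # first frame-control byte of a beacon (management, subtype 8)
HEADER_LEN = 24       # 802.11 management header
FIXED_LEN = 12        # timestamp (8) + beacon interval (2) + capabilities (2)
SSID_ELEMENT_ID = 0   # the SSID is carried in information element number 0


def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    """Build a minimal beacon for the demo (constructed data, no radiotap/FCS)."""
    header = struct.pack("<BBH6s6s6sH", BEACON_FC0, 0, 0,
                         b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + fixed + ssid_ie + rates_ie


def parse_ssid(frame: bytes):
    """Return (router address, raw SSID bytes) from a beacon frame."""
    if len(frame) < HEADER_LEN + FIXED_LEN or frame[0] != BEACON_FC0:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                 # third address field of the header
    pos = HEADER_LEN + FIXED_LEN
    while pos + 2 <= len(frame):         # walk the (id, length, value) elements
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if element_id == SSID_ELEMENT_ID:
            return bssid, body
        pos += 2 + length
    raise ValueError("beacon has no SSID element")


def audit_beacon(frame: bytes) -> dict:
    """Flag a default manufacturer name or a blanked (non-broadcast) SSID."""
    bssid, raw = parse_ssid(frame)
    # With broadcast disabled the SSID element is empty or zero-filled.
    hidden = raw.strip(b"\x00") == b""
    name = "" if hidden else raw.decode("utf-8", errors="replace")
    findings = []
    if hidden:
        findings.append("ssid-broadcast-disabled")
    elif name.lower() in DEFAULT_SSIDS:
        findings.append("default-manufacturer-ssid")
    return {"bssid": ":".join(f"{b:02x}" for b in bssid),
            "ssid": name, "hidden": hidden, "findings": findings}


def sample_frames() -> dict:
    """Constructed beacons for Router A, Router B and Router Y from the text."""
    return {
        "Router A": build_beacon(bytes.fromhex("020000000001"), b"Linksys"),
        "Router B": build_beacon(bytes.fromhex("020000000002"), b"Gypsy Radio"),
        "Router Y": build_beacon(bytes.fromhex("020000000003"), b""),
    }


if __name__ == "__main__":
    for router, frame in sample_frames().items():
        print(router, audit_beacon(frame))
```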


Chapter 3: SSID Broadcast Review

1. Wireless routers send out signals to identify themselves and ‘introduce’ their signal to computers in the area. What is this called?

A. SSID Broadcast

B. Interface Access Announcement

C. WEP Encryption Key

D. MAC Address Sharing

2. Wireless routers usually send out signals with their names and availability for connection to all computers in the area. If you configure a router to prevent this signal from going out, what have you done?

A. Implemented WEP Encryption Keys

B. Corrupted the Interface Access Announcement

C. Disabled SSID Broadcast

Chapter 3: SSID Broadcast Review Key and Explanations

1. Wireless routers broadcast signals to identify themselves and ‘introduce’ their signal to computers in the area. What is this called?

A. *SSID Broadcast – Correct, the SSID Broadcast is a signal to identify the router and ‘introduce’ its signal to computers in the area.

B. Interface Access Announcement – Incorrect, the interface is not a signal.

C. WEP Encryption Key – Incorrect, encryption is coded signals.

D. MAC Address Sharing – Incorrect, MAC addresses identify the NIC, not the router.

2. Wireless routers usually send out signals with their names and availability for connection to all computers in the area. If you configure a router to prevent this signal from going out, what have you done?

A. Implemented WEP Encryption Keys – Incorrect, encryption is coded signals.

B. Corrupted the Interface Access Announcement – Incorrect, the interface is not a signal.

C. *Disabled SSID Broadcast – Correct, if you prevent your router from sending out a signal with its name and availability for connection to all computers in the area then you have Disabled SSID Broadcast.

D. Disabled MAC Address Sharing – Incorrect, MAC addresses identify the NIC, not the router.

Chapter 4: MAC Address Filtering

Chapter 4 has two skill sets for you to master:

Section A: Identify the function of a Media Access Control (MAC) address on a Network Interface Card.

Section B: Determine how MAC Address filtering can contribute to wireless security.

Section A: Identify the function of a MAC address on a NIC

A computer uses a network interface card (NIC) to get on the internet. Each NIC has a unique identification code called a Media Access Control (MAC) address. The MAC address is also sometimes called the Physical Address because it is physically hard coded into the Network Interface Card. This MAC address is used for identification in the same way people use fingerprints or Social Security Numbers, a unique identifier that is connected to you. The MAC address is actually written as 12 characters arranged in six sets of two, with each set of characters separated either by colons or hyphens. Because MAC addresses are unique, like a person's fingerprints, no two are the same across the world. And because they are located on the computer's NIC, including wireless NICs, they provide an individual identification for each computer when it connects to a network.

Example 1: In this example we see a picture of a Network Interface Card (NIC) that has been removed from a computer. Note that on the left side of the front of the card is a sticker that has the MAC Address -- six sets of two characters (00 60 94 55 3A 63) that uniquely identify this card and any computer that would use this card for a network connection. The important concept to note here is that the MAC address is coded into the NIC itself, and never changes, even if the card is removed from the computer.

Example 2: Here is a screenshot that contains information about the NIC and the MAC address for a wireless NIC installed in a computer. The first highlighted line says “Ethernet adapter Wireless Network Connection:” which indicates that we are looking at data for the wireless NIC. The second highlighted line, titled “Physical Address:”, is where we see a 12-character sequence of six sets of 2 characters separated by hyphens; this is the MAC Address. The important thing to recognize from this example is that the MAC address is part of the NIC data for the network connection.

Non-Examples: Note the line that says IP address in example 2 above. The IP address that a computer uses for communicating with the internet is different than the MAC Address in important ways. IP addresses are not always unique and in fact sometimes change dynamically such that a new address is assigned every time a computer connects to the network. This is different because MAC addresses are constant, they are always the same for the particular NIC they are coded into and always stay the same when the computer connects to the network day after day.


Section B: Determine how MAC Address Filtering Can Contribute to Wireless Security

To begin our discussion of MAC address filtering let us refer back to our metaphor in terms of home document security. MAC address filtering could be said to be analogous to a little home vault or safe that requires a fingerprint ID to open. No one would be able to access the documents unless their fingerprint was preapproved to open the safe. In terms of wireless security this metaphor represents MAC address filtering, essentially using a ‘fingerprint’ from the computer to check against a preapproved list of computers allowed to access the wireless router.

MAC address filtering is a way of coding into the router a limited list of computers that are allowed to talk to the router. Every network interface card (NIC), whether it is a wireless or a wired connection card, has a MAC Address. The MAC address is a totally unique character set for every individual NIC, so it can therefore be used to identify individual machines that connect to the network. MAC address filtering is a way of blocking all machines from attaching to the router except for the ones that are specifically allowed by previously entering them into the router's list of pre-approved MAC Addresses. It's like having a bouncer at a nightclub who only lets in people whose name is on a list. This is a strong way to keep unwanted computers from connecting to the router, but it can also be tedious to update when new computers or guests want to connect to the wireless network.

Example: Router MAF has MAC address filtering enabled so only computers whose MAC addresses have been approved and entered into the interface by the router administrator will be able to connect to Router MAF. Even if a hacker discovers the router's SSID and Encryption key, she will have a much more difficult time connecting with Router MAF, because her computer will not be in the preapproved list that MAC address filtering allows into the router.

Non-Example: Router X does not have MAC address filtering enabled. If a hacker discovers the router's SSID and Encryption key he will be able to connect with Router X.
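Added example (not part of the original module): a Python sketch of the pre-approved list check described in this chapter. It reads the “Physical Address” lines from ipconfig-style output like the one in Example 2, normalizes the colon and hyphen forms to one spelling, and compares each adapter against Router MAF's list. The sample output, the second adapter's address and all function names are constructed for illustration.

```python
import re

# Six pairs of hex digits joined by one consistent separator (colon or hyphen).
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")

# Constructed sample in the layout of Windows "ipconfig /all" output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless Adapter
        Physical Address. . . . . . . . . : 00-60-94-55-3A-63
        IP Address. . . . . . . . . . . . : 192.168.1.101

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 02-00-00-AA-BB-CC
"""


def normalize_mac(text: str) -> str:
    """Return the address as lowercase, colon-separated pairs."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.replace("-", ":").lower()


def adapters_from_ipconfig(output: str) -> dict:
    """Map each adapter heading to the MAC on its 'Physical Address' line."""
    adapters, current = {}, None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")      # unindented adapter heading
        elif current and line.strip().startswith("Physical Address"):
            adapters[current] = normalize_mac(line.split(":", 1)[1])
    return adapters


class MacFilter:
    """The router's pre-approved list: anything not on it is refused."""

    def __init__(self, approved):
        self.approved = {normalize_mac(mac) for mac in approved}

    def permits(self, mac: str) -> bool:
        try:
            return normalize_mac(mac) in self.approved
        except ValueError:
            return False                              # malformed input is refused


def filter_decisions(output: str, approved) -> dict:
    """Decide, per adapter found in the output, whether the filter admits it."""
    mac_filter = MacFilter(approved)
    return {name: mac_filter.permits(mac)
            for name, mac in adapters_from_ipconfig(output).items()}


if __name__ == "__main__":
    # Router MAF's list holds only the NIC from Example 1, entered with colons.
    print(filter_decisions(SAMPLE_IPCONFIG, ["00:60:94:55:3a:63"]))
```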


Chapter 4: Review

1. The unique identification number that never changes on a Network Interface Card is called the:

A. Internet Protocol (IP) Address

B. Media Access Control (MAC) address

C. Serial Number (S/N)

D. Special Security Number (SSN)

2. If you restrict access to your wireless network based on the unique identification number on the connecting computers' Network Interface Card (NIC), what security strategy are you using?

A. WEP Encryption Key

B. Interface Access Pass Code

C. SSID Number Blocking

D. MAC Address Filtering

Chapter 4: MAC Address Filtering Review Key and Explanations

1. The unique identification number that never changes on a Network Interface Card is called the:

A. Internet Protocol (IP) Address - Incorrect. IP addresses do change.

B. Media Access Control (MAC) address - Correct, the MAC Address is a unique identification number that never changes on a Network Interface Card.

C. Serial Number (S/N) - Incorrect. The serial number refers to the make and model of the NIC.

D. Special Security Number (SSN) - Incorrect. This is a fictional item.

2. If you restrict access to your wireless network based on the unique identification number on the connecting computers' Network Interface Card (NIC), what security strategy are you using?

A. WEP Encryption Key Camouflage – Incorrect, encryption keys are for decoding signals.

B. Interface Access Code Filtering – Incorrect, the interface is not on the NIC.

C. SSID Broadcast Interrupt – Incorrect, the SSID is not on the NIC.

D. MAC Address Filtering – Correct, MAC Address Filtering restricts access to your wireless network based on the unique identification number on the connecting computers' Network Interface Card (NIC).


Module Post-test

Please take this brief Post-test so that we can assess what you have learned from this module.

1. The function of an SSID broadcast can best be described as

A. sending out a signal to identify the computer by name and ‘introduce’ its signal to computers in the area.

B. providing an interface console IP address for access via the web.

C. sending out the identification number of the machine's network interface card physical address.

D. sending out a code linked to a time signature for address resolution.

2. If you do not disable the SSID Broadcast from a wireless router, you will allow…

A. NICs with unregistered MAC addresses from accessing your router.

B. hackers from decoding your encryption passphrase.

C. computers from automatically detecting the existence and name of your network signal.

D. virus infected machines from accessing your registry keys.

3. The function of a MAC address can best be described as?

A. a 12 character address used to allow other computers to find the location of your web page.

B. a code for encrypting a signal so that people without the appropriate ‘passphrase’ cannot decode your message.

C. a unique and never changing address used for identification on a Network Interface Card.

D. a network protocol used to resolve GPS coordinates into a Physical Address.

4. Which of the following best describes MAC address filtering?

A. an electronic camouflage to hide wireless information among the radio waves and cell phone signals that otherwise would be filtered out.

B. a code for encrypting a signal so that people without the appropriate ‘passphrase’ cannot decode your message.

C. a network protocol used to block machine coordinates that do not have the right registration on the domain.

D. a list of pre-approved computer identification numbers to block out any unapproved computers.
