How to Make Your 802.11b/g Wireless Network More Secure

Microsoft Knowledge Base Article - 309369

This article was previously published under Q309369

SUMMARY

Wireless networks can be vulnerable to a malicious outsider gaining access because of the default settings on some wireless hardware, the accessibility that wireless networks offer, and present encryption methods.

The concepts that are presented in this article are general suggestions that may help make it more difficult for a malicious outsider to gain access to your wireless network. For more specific information about the implementation of these suggestions, see the documentation for your wireless network hardware or contact the hardware vendor.

The 802.11b/g standard permits Wired Equivalent Privacy (WEP) encryption. Depending on the manufacturer and the model of the network adapter and access point, there are typically two levels of WEP available: 64-bit encryption, based on a 40-bit encryption key and a 24-bit initialization vector, and 128-bit encryption, based on a 104-bit key and a 24-bit initialization vector. In addition to enabling WEP, there are other steps that you can take to make your home or small business local area network (LAN) more secure.
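
The following Python sketch is an added example, not part of the original article. It shows how the 24-bit initialization vector and the 40-bit or 104-bit key are combined for each WEP frame, and that the initialization vector travels unencrypted, so only the key portion is secret. Function names are illustrative.

```python
# Added illustration of WEP framing; not code from the original article.
import struct
import zlib

IV_LEN = 3  # 24-bit initialization vector, sent unencrypted with every frame
KEY_LEN = {"64-bit": 5, "128-bit": 13}  # secret key bytes: 40 and 104 bits


def rc4(seed: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `seed`."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_seed(iv: bytes, key: bytes) -> bytes:
    """Per-frame RC4 seed: the public IV followed by the shared secret key."""
    if len(iv) != IV_LEN or len(key) not in KEY_LEN.values():
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    return iv + key


def wep_encapsulate(iv: bytes, key: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV and key ID in the clear, then RC4(payload + CRC-32 ICV)."""
    plain = payload + struct.pack("<I", zlib.crc32(payload))
    stream = rc4(wep_seed(iv, key), len(plain))
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(plain, stream))


def wep_decapsulate(key: bytes, body: bytes) -> bytes:
    """Read the IV from the frame, decrypt, and verify the integrity check value."""
    iv, cipher = body[:IV_LEN], body[IV_LEN + 1:]
    stream = rc4(wep_seed(iv, key), len(cipher))
    plain = bytes(a ^ b for a, b in zip(cipher, stream))
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("ICV mismatch: wrong key or damaged frame")
    return payload
```

Because the first three bytes of every frame body are the initialization vector itself, "64-bit" and "128-bit" WEP protect traffic with 40 and 104 secret bits respectively.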

MORE INFORMATION

Making your Wireless Network More Secure

  1. Enable the highest level of WEP that your hardware provides. WEP provides some security and is effective in deterring casual attempts by outsiders to infiltrate your network. Most 802.11b/g certified products can use basic 64-bit WEP encryption. By default, however, 64-bit WEP encryption may be disabled.

  2. Change the default Service Set Identifier (SSID) and passwords for your network devices. Access points and wireless routers ship from the manufacturer with a default SSID and default passwords that are the same on all devices made by that manufacturer. Leaving these at their defaults makes it easy for a malicious outsider to gain access.

  3. Do not change the SSID or password to reflect your name, address, or anything that would be easy to guess. Use upper and lower case letters, numerals and symbols for the password, if the hardware supports this.

  4. If your access point allows, turn off broadcast SSID. This will put the unit in a stealth type mode.

  5. As you survey your home or small business for access point deployment, think about locating the access point toward the center of your location instead of near the windows. Plan your coverage to radiate out to the windows, but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside your location, making it easier for those outside the building to locate your network.

  6. Take a notebook computer that is equipped with a wireless network adapter, and go outside your location and survey what range you get in moving around your property or neighborhood. You may be surprised how far the signal radiates. If you can connect from three or four buildings away, so can someone else.

  7. Some access points allow you to control access based on the media access control address (MAC address) of the network adapter that is trying to associate with them. If the media access control address of your adapter is not in the table of the access point, you will not associate with it. If your access point has this feature, enable it and add the media access control address of each network adapter that you use.

  8. If your access point is also a wireless router, think about assigning static IP addresses for your wireless adapters and turning off DHCP. Not automatically assigning IP addresses to clients that access the network makes it a little more difficult for an outsider to gain access. Also consider changing the IP subnet to a different subnet that does not route on the Internet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router. If you have 5 computers or devices, you could change this to a limited range such as 192.168.168.1 through 192.168.168.5.

  9. Purchase access points and network adapters that support 128-bit WEP. Some products only support 64-bit (40-bit key) WEP, and are not as secure. Note that some adapters may only require a driver upgrade to attain 128-bit WEP capability. To obtain additional layers of security, check for support for WPA, 802.11i, 802.1x, VPNs, LEAP, PEAP, TKIP, MIC, FAST, WEP or others.

  10. Purchase an access point that has a flashable firmware. There are a number of security enhancements that are being developed, and you want to make sure that you can upgrade your access point as these become available.

  11. Some products support additional security features that are either not defined by the 802.11b/g standard, or not mandated by the standard. Products that use a proprietary security method will only work with products from the same manufacturer, but can enhance the security of your network.

  12. Use a combination of the previous suggestions.

Some editing by Russ Seeney, www.PBSHawaii.com