Your Wireless Home Network with Windows XP
Published: February 14, 2005
In the early days of wireless networking, no one paid much attention to wireless security. Not many people used the technology. Because the perceived security risk was low, many people didn't bother to configure security. At that time, Wired Equivalent Privacy (WEP) was the only form of encryption available. WEP, though weak and breakable, was better than no security at all. At least it kept the casual hacker away.
But with the launch of Windows XP, the operating system offered native support for configuring wireless networks. I'm convinced that this built-in feature was largely responsible for the rapid growth of wireless networking. Now wireless networking has moved outside homes and office buildings. Connectivity is everywhere from Barnes & Noble to the main terminal at your airport to free community hot zones. Wireless 802.11 a/b/g networking hardware is embedded not only in mobile computers, but can be found in many consumer electronic devices. This includes wireless security cameras, DVD players, automobile MP3 players, and Windows XP Media Center Extenders.
Wi-Fi Protected Access (WPA) has emerged as the improved security standard. Most wireless hardware vendors now offer network equipment that supports this newer standard. WPA comes in two flavors: WPA-Enterprise for large wireless networks and WPA-Personal for small office and home wireless networks. Windows XP Service Pack 2 (SP2) has native support for configuring WPA-Personal through a WPA-Preshared Key (PSK), also known as a WPA passphrase. You can read more about WPA in my column on WPA Wireless Security for Home Networks.
With the explosive growth of wireless networking, the need for wireless security has been increasing exponentially. But as I read through the posts in the Windows XP Wireless Networking newsgroup, it's frighteningly obvious that many people don't use any form of wireless security or use weak security. They minimally configure their wireless settings and don't realize the risks.
In this column, I'll explain best practices for configuring secure wireless home networks. After convincing you that you need to secure your wireless network, I'll cover the following topics:
• How to configure WPA-PSK security for a router.
• How to use the Windows XP SP2 Wireless Network Setup Wizard and a USB flash drive to reconfigure your network for better security.
• Steps to take to secure your wireless home network.
• Tips for replacing WEP-only devices.
• How to improve security when you travel and use public wireless access.
And I'll point you in the right direction to get more help with wireless issues and questions.
Why Secure Your Wireless Network?
Included in the group of minimally secure networks I read about in the newsgroups are those that use all "1's" for a WEP key or a WPA passphrase. Some people who use no security don't realize that instead of connecting to their own wireless network, they're connecting to one owned by a neighbor! These same people see unfamiliar computer names in My Network Places and don't question the situation.
Think about the nature and contents of the information you store on your hard drive or on other computers in your home network. Providing open access to e-mail and files on your computer is an obvious security risk. Many people use financial software such as Microsoft Money or Quicken. They keep all their financial data in these programs without using a password to encrypt their data files. Others have credit card information, tax returns that contain social security numbers, and even text files with password lists stored on their home computers. This is a virtual smorgasbord for wireless hackers and could make you an easy target for identity theft.
In today's world of drive-by hackers, it's more important than ever to combine all the available tools to secure your wireless home network. The time you spend reconfiguring or setting up a wireless network to provide strong security is time well spent.
Configure WPA-PSK and Set up Security on Your Router
The first step in implementing strong network security is to establish (or change) the Service Set Identifier (SSID), also known as a wireless network name, and establish a strong WPA passphrase on your router or access point. Then configure all the wireless computers and devices on your home network to associate with the SSID of your WPA-enabled router or access point using the same WPA passphrase. Do this from a wired computer.
Tip: If you have a laptop that has both wired and wireless capabilities, use it to perform the configuration. Use the wired connection to set up the router and then you will be able to disconnect the cable and easily set up wireless access. Create the SSID and WPA passphrase in Notepad first so that you can copy and paste them into various configuration fields.
If your router doesn't support WPA, check for a firmware update that adds this feature. If none is available, it's time to replace your existing router with a new device that supports WPA. Figure 1 shows the wireless administration page for my D-Link DI-784 router. Note the random characters in the SSID and the long, random WPA passphrase of 20 characters or more.
Figure 1: Configure strong security on a router with a random SSID name and random WPA-PSK passphrase.
Automate Configuration with the Wireless Network Setup Wizard
Don't be overwhelmed by the need to make broad configuration changes to computers on your wireless network. Windows XP SP2 has a great new tool to help automate the process, the Windows XP SP2 Wireless Network Setup Wizard. In addition to running Windows XP Service Pack 2, you'll also need a USB flash drive (also known as a memory key or thumb drive) or some other removable media. After setting up your router or access point, you're ready to use the Windows XP SP2 Wireless Network Setup Wizard.
To set up the wireless network
1. Unplug the Ethernet cable from the router, if you're using a computer that supports both wired and wireless to set up your network.
2. Right-click your wireless network connection in the notification area, and then click View Available Wireless Networks.
3. Under Network Tasks, click Set up a wireless network for a home or small office, and then click Next on the Welcome screen.
4. Name your network by copying the SSID from the Notepad file you created and pasting it into the Network name field or type it manually, as shown in Figure 2.
   Figure 2: Create an SSID using random characters and specify WPA encryption.
5. Click Manually assign a network key.
6. Select the Use WPA encryption instead of WEP check box, and then click Next.
7. Clear the Hide characters as I type check box.
8. Copy the WPA passphrase from Notepad and paste it into the Network key and Confirm network key fields, as shown in Figure 3. Click Next.
   Figure 3: While configuring a random WPA passphrase, the number of characters used is displayed dynamically.
9. Select Use a USB flash drive (or select Set up a network manually, if you don't have removable storage). Be sure to print the settings later in the wizard so you can configure devices such as Media Center Extenders properly.
10. Plug in the USB flash drive when prompted, complete the wizard pages, and safely remove the USB flash drive.
Configure Other Wireless Computers Automatically
Now you can easily set up your other wireless Windows XP SP2 computers using the USB flash drive and the Wireless Network Setup Wizard.
1. On each additional computer running Windows XP with SP2, plug in the USB flash drive. The Wireless Network Setup Wizard should start automatically.
2. If you have different types of content stored on the USB flash drive, Windows XP shows a list of choices. Select the Wireless Network Setup Wizard as shown in Figure 4.
   Figure 4: The USB flash drive can contain other data besides the Wireless Network Setup Wizard.
3. Click OK to add the computer to the network name displayed.
Windows XP SP2 will do the rest, including configuring the SSID and WPA passphrase and adding the network to the list of preferred wireless networks. Then, a connection to the wireless network is automatically established.
Finish securing your network by manually configuring non-computer devices such as Media Center Extenders and PDAs to use the SSID and WPA passphrase for your new, secure wireless network. Joe Davies' Cable Guy article on TechNet provides more information about the new Windows XP SP2 Wireless Network Setup Wizard and USB flash drive technology.
Keep Your Wireless Network Really Secure
Configuring your wireless network to use WPA-Personal is the first step to better security. I also strongly suggest that you use all available means to protect your wireless network. Here's my complete list of steps you can take:
• Use a WPA passphrase of a minimum of 20 random characters. You can use up to 63 characters in a WPA passphrase. WPA-Personal is vulnerable to dictionary attacks, in which hackers try to connect to your wireless network by using WPA passphrases based on common words, easily configurable strings, or known information about you. Therefore, don't use any common words or phrases, easy sequences of characters (such as all "1"s), or personally-identifiable information for the WPA passphrase. Always use random strings composed of upper and lower case letters, numbers, and if allowed, special characters such as punctuation. For extra security, consider changing the passphrase periodically.
• Never use the default SSID provided by the manufacturer.
• Change the default password provided by the manufacturer for administrator access to the access point or wireless router. Some routers let you change the administrator name as well.
• Place the access point or router in the center of your home and not near a window.
• Turn off administrative access over wireless if possible. If you do, you'll need to connect to your router with a wired Ethernet connection when you want to make configuration changes.
• Turn off remote administrative access over the Internet on your router if possible and if it's not already off by default. You can use Remote Desktop to make an encrypted connection to a computer running behind your router and make configuration changes from the local computer you are accessing over the Internet.
• To avoid accidentally connecting to your neighbor's wireless network, turn off the setting to automatically connect to non-preferred networks. This is disabled by default in Windows XP.
To turn off this setting
1. Right-click the wireless connection icon in the notification area, click Status, and then click Properties.
2. On the Wireless Networks tab, remove any unrecognized networks from the list of Preferred networks by selecting each one individually and then clicking Remove.
3. Click Advanced, and clear the Automatically connect to non-preferred networks check box.
By default, simple file sharing is enabled on a Microsoft Windows XP-based computer if the computer is not a member of a domain. But if you're using any version of Windows XP except Home Edition, you can turn off simple file sharing to provide more network security. Configure permissions for any folder you want to share on your network. (Unfortunately, simple file sharing cannot be turned off in Windows XP Home Edition.)
1. Open Windows Explorer, click Tools, and then click Folder Options.
2. On the View tab, scroll to the bottom of the list and clear the Use simple file sharing (Recommended) check box.
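The passphrase and SSID guidance in the list above, as an added example that is not part of the original column: Python code that generates a random SSID and WPA passphrase from the operating system's random source and checks a passphrase against the rules in the list. The function names, the short word list, and the repeated/sequential-character heuristic are assumptions made for this illustration.

```python
import secrets
import string

# WPA-PSK accepts 8-63 characters; the column asks for 20+; an SSID is at most 32 bytes.
WPA_MIN, WPA_MAX, RECOMMENDED_MIN, SSID_MAX = 8, 63, 20, 32
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed sample of weak words; a real check would load a larger list.
COMMON_WORDS = ("password", "wireless", "network", "default", "letmein")


def audit_passphrase(passphrase, personal_info=()):
    """Return the list of rules the passphrase breaks (empty list = passes)."""
    problems = []
    if not WPA_MIN <= len(passphrase) <= WPA_MAX:
        problems.append("not 8-63 characters")
    elif len(passphrase) < RECOMMENDED_MIN:
        problems.append("shorter than 20 characters")
    if any(ch not in ALPHABET and ch != " " for ch in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    lowered = passphrase.lower()
    for word in tuple(COMMON_WORDS) + tuple(p.lower() for p in personal_info):
        if word and word in lowered:
            problems.append("contains common word or personal detail: " + word)
    # Adjacent characters that repeat or step by one ("1111", "abcd", "4321").
    steps = sum(abs(ord(a) - ord(b)) <= 1 for a, b in zip(passphrase, passphrase[1:]))
    if len(passphrase) > 1 and steps * 2 >= len(passphrase) - 1:
        problems.append("mostly repeated or sequential characters")
    classes = (str.isupper, str.islower, str.isdigit)
    if not all(any(test(ch) for ch in passphrase) for test in classes):
        problems.append("missing upper case, lower case or digit")
    return problems


def generate_passphrase(length=32):
    """Draw a passphrase from the OS CSPRNG, retrying until it passes the audit."""
    if not RECOMMENDED_MIN <= length <= WPA_MAX:
        raise ValueError("length must be between 20 and 63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_passphrase(candidate):
            return candidate


def generate_ssid(length=16):
    """Random letters-and-digits network name, in the style shown in Figure 1."""
    if not 1 <= length <= SSID_MAX:
        raise ValueError("SSID length must be between 1 and 32")
    return "".join(secrets.choice(string.ascii_letters + string.digits)
                   for _ in range(length))


if __name__ == "__main__":
    print("SSID:      ", generate_ssid())
    print("Passphrase:", generate_passphrase())
```

Paste the generated values into Notepad as described earlier, and pass names, addresses or birthdays as `personal_info` when auditing a passphrase someone chose by hand.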
Replace WEP-Only Hardware for Maximum Security
WEP is too easily cracked. Hacking tools to break into WEP-encrypted networks have proliferated. It's no longer safe to create WEP-only segments on a home network, because these segments provide an entry point to other computers in your home. If you don't know what kind of security your wireless router or access point is using, Windows XP SP2 provides this information when you View available wireless networks, as shown in Figure 5.
Figure 5: The encryption method (or lack of) is shown below the Network name (SSID). A WPA-encrypted network is specifically listed as (WPA).
If you have older devices that can't be updated to use WPA security, consider replacing them or using an alternate networking method to connect to your network. For example, if you have a Pocket PC that does not support WPA, consider Bluetooth as a means to connect to your network. You can now purchase WPA-enabled gaming adapters such as D-Link's DWL-G820, which provide security for game consoles such as Microsoft Xbox and can also be used with any device that supports wired Ethernet.
Bolster Security When Traveling
If you travel with a laptop and connect wirelessly, you need to take extra precautions. Most public wireless providers and hot spots use no security at all. Everything you send and receive is sent in the clear with no encryption. If you're using a VPN connection to your office, you'll have the protection of an encrypted tunnel.
There are several methods of implementing VPN. For more information, see Charlie Russel's column Connect to Your Corporate Network from Home with Windows XP. You can also use the information in Charlie's column to connect while you're on the road. If you can't use a VPN tunnel to your office, consider using a Remote Desktop connection to a computer you've left running at home. You can use Windows XP Professional, Windows XP Media Center Edition, or Windows XP Tablet PC Edition as a Remote Desktop host computer, but not Windows XP Home Edition. Windows XP Home can be used as the remote client.
Take additional security precautions when using public networks outside your home. Follow these additional steps to make your wireless connection more secure.
To configure the Windows Firewall to be on with no exceptions
1. Right-click the wireless icon in the notification area, and then click Change Windows Firewall settings.
2. Select the Don't allow exceptions check box, and then click OK.
If you're using Windows XP Home Edition, turn off file and print sharing on your laptop when you travel by disabling the File and Printer Sharing for Microsoft Networks component in the properties of your wireless connection. If you're using any other version of Windows XP, turn off simple file sharing as suggested earlier in this column.
Don't visit any Web site or use any program that lets you send passwords, account numbers, or other sensitive information in the clear. Use Secure Sockets Layer (SSL) connections for e-mail. If you don't know how to configure Outlook Express or another e-mail client for SSL or if your ISP does not support this, your ISP probably has a secure SSL-based Web mail application that you can use. If in doubt and there is a choice for secure or encrypted versus normal or non-secure, always select the secure version. SSL sites normally have URLs that begin with https://.
Use online banking with care. Most banks offer SSL online access. Read the fine print carefully.
Only use online merchants who provide a secure SSL site. Internet Explorer and most other browsers will display a padlock icon on the bottom status bar when accessing an SSL-secured site.
Stronger Wireless Security on the Horizon
In September 2004, the Wi-Fi Alliance ratified an even stronger version of WPA, called Wi-Fi Protected Access 2 (WPA2), without a lot of fanfare. WPA2 includes WPA2-Personal for residential networks and an enterprise version. WPA2 uses the Advanced Encryption Standard (AES) encryption instead of the Temporal Key Integrity Protocol (TKIP), which is used by WPA, and is the best encryption available today for wireless networks. If you're just getting started with wireless networking and making an initial equipment selection, consider buying only hardware that is WPA2 certified or WPA2 upgradeable with a firmware update. I'll be writing more about WPA2 and AES in a future Expert Zone column.
Get Help on Wireless Networking
The best place to get online help on general wireless networking questions and issues is the Windows XP Wireless Networking newsgroup. If you need help networking your Media Center Edition 2005 computer and Media Center Extenders using wireless technology, be sure to post your questions in the Windows XP Media Center Edition 2005 newsgroup.
Barb Bowman enjoys sharing her own experiences and insights into today's leading edge technologies. She is a product development manager for Comcast High-Speed Internet, but her views here are strictly personal.
