Friday, September 07, 2007

Setting up a wireless network

Edit (July 12, 2010): Ruh-roh! This blog post was declared Dead on Arrival. Read the story on how my "secure" WPA-PSK wireless network got hacked before setting up your wireless network. My personal recommendation is to NOT use a wireless access point unless you do some real hard thinking and research.

Occasionally I will receive a request for help on wireless networking. Usually the person was scared by someone who told them, "Wireless networking is insecure. Your personal computer data is at risk." The first question they ask me is, "Is my setup secure?" Well, I'm not a mind reader and I'm usually not in front of their computer, and those same users are often surprised to learn that they can even log into the router.

Okay, so the first thing I have to do is explain what a router is. In layman's terms: A router is something that takes data from computers on a LAN and sends it out on to the big bad Internet. When a response comes back, it is responsible for making sure the data gets back to the computer. Routers also double as a hardware firewall (keeps the bad guys out). If you want the technical explanation, go here:

http://en.wikipedia.org/wiki/Router

Most modern Cable and DSL lines go into some sort of box that you then connect your computer to (or use the wireless built into it). These boxes are usually bundled with some really lightweight router software.

If you really want to secure your wireless network, I highly recommend getting a decent router. Like an actual router instead of the fluffy stuff your ISP provided you with. Buffalo, at the time of this writing, makes a pretty mean wireless consumer-level router. You can get consumer quality routers at pretty much any computer and office supply store (Best Buy, Office Max, etc.)

When you first hook up the router, your network is vulnerable (i.e. completely insecure). The first thing to do is use the bit of patch cable (CAT-5) that came with the kit and connect one of the router's LAN ports directly to the Ethernet port on the computer you plan on using wirelessly. Configuration should be done over the wired connection just to make life simpler.

Once connected, your computer will have an IP address. Now comes the technical part. Go to "Start->Accessories->Command Prompt". If you aren't familiar with this, don't worry. Type in "ipconfig /all" (without quotes). Something like this should appear in the output:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : ****************.
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.130
Default Gateway . . . . . . . . . : 192.168.0.1


The line you are after is the 'Default Gateway...: 192.168.0.1' line. Now start a web browser and enter:

http://192.168.0.1/

(Substituting whatever the Default Gateway is for you.)

A password prompt should display. The default username is usually something like 'admin' and the password field is left blank. This differs by router and model - read your manual.

A webpage should now display. This is usually called the Web-based Administrative Interface. What this looks like is usually different for every router. I refer you to your router's manual for how to navigate the interface that shows up. Keep the command prompt open; more information from it is needed later on.

The first thing to do is to locate the wireless network name and change it from the default to something you will remember. This is also to avoid conflicts with surrounding devices. Also, if there are a ton of other wireless devices in the area, you should select a different channel. The default is usually 6. You can usually select a range from 1 to 11. However, because you are operating with radio waves, a channel is actually selecting a range in the 2.4GHz band, and this range spans roughly 3 channels on either side. So to completely avoid signal overlap with channel 6, you need to select a channel that is at least 5 channels away; 1, 6 and 11 are the channels that don't overlap each other.
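The channel arithmetic above can be checked rather than taken on faith. The following is an added example, not code from the original post: it uses the published 2.4 GHz centre frequencies (channels 1 to 13 spaced 5 MHz apart starting at 2412 MHz, channel 14 at 2484 MHz) and the nominal 22 MHz width of an 802.11b/g channel, and treats two channels as overlapping when their centres are closer than one channel width. It goes slightly beyond the post by also handling channels 12 to 14, which some regions allow.

```python
# Added example: 2.4 GHz Wi-Fi channel overlap, derived from centre
# frequencies rather than a fixed "1, 6, 11" rule of thumb.

CHANNEL_WIDTH_MHZ = 22  # nominal 802.11b/g channel width


def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484            # channel 14 is the odd one out (Japan, 802.11b only)
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError("no such 2.4 GHz channel: %r" % channel)


def overlaps(a, b):
    """True if channels a and b share any spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def free_channels(busy, allowed=range(1, 12)):
    """Channels in `allowed` (default: the North American 1..11) that do not
    overlap any channel a neighbour is already using."""
    return [ch for ch in allowed if not any(overlaps(ch, b) for b in busy)]


def max_disjoint_set(allowed=range(1, 12)):
    """Greedy pick of mutually non-overlapping channels, lowest first."""
    chosen = []
    for ch in allowed:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    # A neighbour is on the default channel 6; what is left for us?
    print("free with 6 in use:", free_channels([6]))
    print("non-overlapping set (1..11):", max_disjoint_set())
    print("non-overlapping set (1..14):", max_disjoint_set(range(1, 15)))
```

With channel 6 busy the only clear choices among 1 to 11 are 1 and 11, which is exactly the post's rule; if your regulatory domain permits channels up to 14, channel 14 also clears channel 11 because the 22 MHz gap between them is exactly one channel width.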

After making a major change and the router reboots, it is a good idea to close the browser completely, open a new browser window up, and reconnect to the router.

If you royally mess something up or get seriously lost, you can reset the router. There should be a small recessed reset button that you hold down with a pen tip for about 30 seconds to restore the factory settings. You'll have to start over from the beginning if you use it (but at least you know it is available).

Now you are ready to start securing the device.

The first thing to do when securing a wireless router is to locate where the password for the router is stored. Change the password. Close your browser and open a new browser to the same location you just had open. You will be asked for your new password. Make sure the password is complicated enough. Someone who breaks into the network will go straight for the router configuration to figure out where the weak points are within the network (along with making it easier to break in next time).

The next step is to make sure remote administration of the router is turned OFF. You don't want outside snoopers on the Internet to even know you have an administration interface. Log into the administrative interface, locate the setting for remote administration, and make sure it is off.

The next step is to go into the wireless configuration and enable some security on the wireless end of things. The default setting on wireless routers is to disable encryption. That is, everything is being sent in the clear and not encrypted. Someone could watch various bits of traffic such as e-mails, IMs, etc. without even being on the network.

There are various levels of encryption available and they have really weird, technical names for the non-technical person. So, I'm going to lay it out in a really straight-forward manner from strongest encryption to weakest:

WPA-PSK2 (AES) (aka WPA2-PSK)
WPA-PSK (TKIP)
WEP
None (default)

Some sites say that WEP is better than nothing, but it can be broken in 10 seconds. I leave it up to your imagination to come up with some humorous analogy. Note that as you increase encryption strength, the distance you can travel from the router (e.g. with a laptop) decreases significantly because signal strength drops off on both ends (power is diverted for encryption calculations). Also, you have to be careful with WPA-PSK2. You have to be using a network card that supports it and drivers that support it and have at least Windows XP SP2 and possibly a specific update.

When choosing a password for the encryption key, make it random. Completely random - letters, numbers, and characters. And store it in a file on a USB thumbdrive or write it down or something. And also make the password really long (at least 20 characters, preferably 40-50). NOTE: Some network cards do not like really long passwords in excess of 15-20 characters.
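The advice above (random, long, stored somewhere safe) is easy to follow with a few lines of code. The following is an added example, not from the original post: it generates a passphrase from the operating system's cryptographic random source, enforces the 8 to 63 printable ASCII character limit that WPA/WPA2 personal mode imposes, reports how much guessing work the result represents, and shows how the router and client turn the passphrase into the actual 256-bit pre-shared key (IEEE 802.11i: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations). The `length` parameter is there for the post's caveat about cards that choke on very long keys.

```python
# Added example: WPA-PSK passphrase generation and PSK derivation.
import hashlib
import math
import secrets
import string

# WPA/WPA2 personal passphrases must be 8 to 63 printable ASCII characters.
WPA_MIN, WPA_MAX = 8, 63
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def make_passphrase(length=40, alphabet=ALPHABET):
    """Uniformly random passphrase from the OS CSPRNG (the `secrets` module),
    rejected up front if a router would not accept its length."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError("WPA passphrases must be %d-%d characters" % (WPA_MIN, WPA_MAX))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a uniformly random passphrase: length * log2(|alphabet|).
    The 20-character minimum the post suggests is about 131 bits with this alphabet."""
    return length * math.log2(len(alphabet))


def derive_psk(passphrase, ssid):
    """The 256-bit PSK both ends actually install, as specified by IEEE 802.11i.
    The salt is just the SSID and the iteration count is small, so the
    randomness of the passphrase is the only thing protecting the key."""
    if not WPA_MIN <= len(passphrase) <= WPA_MAX:
        raise ValueError("passphrase must be %d-%d characters" % (WPA_MIN, WPA_MAX))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    phrase = make_passphrase(40)
    print("passphrase:", phrase)
    print("entropy   : %.1f bits" % entropy_bits(len(phrase)))
    # "MyHomeNet" is a placeholder SSID for the demonstration.
    print("PSK       :", derive_psk(phrase, "MyHomeNet").hex())
```

Note that changing the SSID changes the derived PSK even if the passphrase stays the same, which is why a client that remembered the old network has to be reconnected after you rename it; and because the derivation is cheap and the salt is public, a dictionary word as a passphrase gives you none of the protection the key length suggests.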

Once you apply the password and encryption changeover, wait for the router to reboot. You will have to reconnect to the wireless network using the new key. Right click on the "broken wireless connection" icon (has a red X through it) and select "View Wireless Networks". Select your network and click "Connect". Enter the password. It should connect. Now wander around and figure out the limits of how far you can travel before losing the connection. If necessary, move the router to a better place to cover more usable area.

This next step is optional but highly recommended. Log into the administrative interface and go to the wireless setup and locate something called "MAC address filtering" or "MAC filtering". This feature has absolutely nothing to do with the computer systems that Apple, Inc. sells. Enable MAC address filtering. Once enabled, there is usually a "Clone MAC address" feature with a dropdown list but, if you are physically connected, it will have to be entered manually. Switch to the open command prompt and locate the line that says "Physical Address...: XX-XX-XX-XX-XX-XX"...BUT make sure it is for the wireless card (NOT the Local Area Connection). Then switch back to the browser and enter the data into the fields manually.

What MAC address filtering does is say, "Only wireless network cards that have this MAC address are allowed to connect to this router." MAC addresses are uniquely assigned by the manufacturer of the wireless card (or any network card for that matter). Some OSes can use specialized tools to change the MAC address and "spoof" or fake a different card, but conflicting MAC addresses make it harder to get into the network without being noticed.
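Two of the steps so far (finding the Default Gateway to reach the administrative interface, and finding the wireless card's Physical Address for the MAC filter, not the wired one) both come down to reading `ipconfig /all` output. The following is an added example, not code from the original post: a small parser for that output that returns the fields per adapter, the gateway to browse to, and the wireless adapter's MAC. The sample output is constructed in the layout the post shows, with a second wireless adapter added and placeholder MAC addresses; the adapter names follow the Windows XP naming shown on the page.

```python
# Added example: pull the Default Gateway and the wireless card's MAC
# out of `ipconfig /all` output (constructed sample below).
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.invalid
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.130
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
        Physical Address. . . . . . . . . : 66-77-88-99-AA-BB
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output.
    Adapter headers look like 'Ethernet adapter <name>:'; field lines are
    '<name> . . . : <value>' (the dots are padding, stripped here)."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " adapter " in line and line.endswith(":"):
            current = line[:-1].split(" adapter ", 1)[1]
            adapters[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, value = line.split(":", 1)
        adapters[current][key.strip(" .")] = value.strip()
    return adapters


def default_gateway(adapters):
    """First non-empty Default Gateway: the router's administrative address."""
    for fields in adapters.values():
        gw = fields.get("Default Gateway", "")
        if gw:
            return gw
    return None


def admin_url(gateway):
    """Address to type into the browser, as the post does with 192.168.0.1."""
    return "http://%s/" % gateway


def wireless_mac(adapters):
    """Physical Address of the wireless adapter (NOT the Local Area Connection),
    which is the value to enter into the router's MAC filter list."""
    for name, fields in adapters.items():
        desc = fields.get("Description", "")
        if "wireless" in name.lower() or "wireless" in desc.lower():
            mac = fields.get("Physical Address", "")
            if MAC_RE.match(mac):
                return mac.upper()
    return None


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    print("router admin page:", admin_url(default_gateway(found)))
    print("wireless MAC for the filter list:", wireless_mac(found))
```

On a real machine you would feed the function the output of `ipconfig /all` instead of the constructed sample; the lookup by adapter name or description is what keeps you from pasting the wired card's address into the filter by mistake.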

Optional: Locate the option in the administrative interface for turning off SSID broadcast. The SSID is usually broadcast by default to make it easier to configure. It also makes it easier for the average snoop to figure out where wireless networks are. Those with wireless cracking tools, though, will still be able to figure out your SSID even if broadcasting is turned off.

Optional, but recommended: Switch the patch cable to the Cable/DSL box and connect to the web server that runs there (use 'ipconfig /all' again as before). Locate a "Wireless radio on/off" toggle and turn off the wireless radio. You don't need it any more, and it will likely conflict with your newly secured wireless router.

Now that the wireless is completely set up and secured, you are ready to connect to the Internet and see if everything works. Up to this point, everything can be done and verified to work without connecting the router to the Cable/DSL modem. So go ahead and plug the patch cable (CAT-5) into the Cable/DSL. Test to see if you can connect to various websites. If you can connect and view websites, then skip the following troubleshooting section. Otherwise, read on.


Troubleshooting

When you can't connect to websites through a router but it works fine if you connect directly (a bad idea to begin with), then a couple of things could be happening.

The first thing to check is the obvious: Make sure the patch cable (CAT-5) is connected properly between the router and the Cable/DSL box. The patch cable should go from the port that says WAN on the router to a port on the Cable/DSL box. Also make sure to check that everything is powered properly.

The next thing to check is whether your Cable/DSL provider has put a special MAC filter of their own in place and associated it with the IP. Every single networking device has a MAC address. Even the router has one. The problem is that the router's MAC address does not match any known/authorized MAC address. To fix this, go into the administrative interface on the router and locate the "WAN configuration" options (WAN = Wide Area Network...the device upstream, which, in this case, is the Cable/DSL box). There should be a MAC address listed here. This is the address which gets sent upstream. Now switch back to the Command Prompt and type in 'ipconfig /all' (without quotes) again. This time look for the wireless card's MAC address. Now switch back to the web browser. There should be a "Clone MAC address" feature in the "WAN configuration"; enter the wireless card's MAC address there and use this option. When the router reboots, try connecting to websites again. NOTE: The MAC address you use should be the same one you used when you previously connected to websites through the Cable/DSL box.

If the above fails, then you have probably run into the second problem: IP address range conflicts. The Cable/DSL box is issuing the same LAN (LAN = Local Area Network) IP addresses to the router that the router is issuing to computers on the actual LAN. In this case, the router is confused when it receives a request to connect to the outside world. To verify that this is the problem, directly connect the computer to the Cable/DSL box and use 'ipconfig /all' to see if the Default Gateway is the same as when you connect through the router. If so, to resolve this issue, go into the administration interface on the router and locate the "LAN configuration" options. What you are looking for is the base address of the router that matches the Default Gateway address. Here is where it gets tricky. Usually you will have a conflict on 192.168.0.* or 10.0.0.* (and rarely 172.16.0.*) - that is, both devices use the same first three numbers. To resolve this, simply increment the third number by one (1). So, 192.168.0.1 becomes 192.168.1.1. When you save this change, the router will reboot. A side effect of the change is that the web address to access the administrative interface changes to:

http://192.168.1.1/

Now try to connect to various websites. In most cases, this will work fine.
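The "same first three numbers" test above is really a subnet overlap test, and the third-octet bump is one way to pick a non-overlapping range. The following is an added example, not from the original post, that does both with Python's standard `ipaddress` module: it checks whether the Cable/DSL box's LAN and the router's LAN overlap, then increments the third octet until the router's /24 is clear. It also goes beyond the post in one way: if the upstream box hands out a wider range (for instance 192.168.0.0/16), no third-octet bump inside 192.168.*.* can ever clear it, and the function says so instead of looping forever. All addresses are the post's own examples or constructed placeholders.

```python
# Added example: detect an upstream/router LAN range conflict and pick a
# router LAN that does not collide, the way the post's third-octet bump does.
import ipaddress


def lan_conflict(upstream_gateway, upstream_mask, router_lan, router_mask):
    """True if the Cable/DSL box's LAN and the router's LAN overlap at all."""
    up = ipaddress.ip_interface("%s/%s" % (upstream_gateway, upstream_mask)).network
    lan = ipaddress.ip_interface("%s/%s" % (router_lan, router_mask)).network
    return up.overlaps(lan)


def bump_third_octet(addr):
    """The post's fix: 192.168.0.1 -> 192.168.1.1 (wraps at 255)."""
    octets = [int(x) for x in addr.split(".")]
    octets[2] = (octets[2] + 1) % 256
    return ".".join(str(o) for o in octets)


def pick_lan(upstream_gateway, upstream_mask,
             router_lan="192.168.0.1", router_mask="255.255.255.0"):
    """Return the first router LAN address, starting from `router_lan`, whose
    /24 does not overlap the upstream range. Raises RuntimeError when no
    third-octet value works (upstream mask wider than /24): in that case a
    different private range, e.g. 10.x.x.x, is needed instead."""
    candidate = router_lan
    for _ in range(256):
        if not lan_conflict(upstream_gateway, upstream_mask, candidate, router_mask):
            return candidate
        candidate = bump_third_octet(candidate)
    raise RuntimeError("no non-overlapping /24 reachable by bumping the third octet")


if __name__ == "__main__":
    # Default Gateway seen when plugged straight into the Cable/DSL box (constructed).
    upstream_gw, upstream_mask = "192.168.0.1", "255.255.255.0"
    print("conflict:", lan_conflict(upstream_gw, upstream_mask, "192.168.0.1", "255.255.255.0"))
    print("use router LAN address:", pick_lan(upstream_gw, upstream_mask))
```

The admin page then lives at `http://<new address>/`, exactly as the post notes for 192.168.1.1.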

In the event that it doesn't work, you may be experiencing a synchronization problem between the new router and the Cable/DSL box. Power cycle everything. By this, I mean shut down the computer, router, and Cable/DSL box. Disconnect all cables (try to remember what goes where). Wait 30 seconds. Then plug the Cable/DSL box in and connect the line (from the wall) to the box. Wait for everything to be ready. Then plug in the patch cable between the Cable/DSL box to the router. Plug in the router and wait a bit for it to be powered up. Boot up the computer. Wait for the wireless connection to kick in and say you are connected. Try connecting to various websites.

If that fails, repeat, but leave everything disconnected for about 2-3 hours.

If that fails but connecting directly through the Cable/DSL box works fine, call your Cable/DSL provider and mention that you have a new router and "would like to know if there is anything special you need to do to get it to work because directly connecting through the Cable/DSL box works just fine". In particular, they may have a specific "MTU" setting. Whatever they tell you to do should be in the "WAN configuration" options of the administration interface.

If it still fails, then you could have faulty hardware. Especially if it works when you directly connect.


Final Security Check

Now that you are secure from the inside (including your pesky neighbors and wardrivers), let's see if you are secure from the big bad Internet. There are LOTS of bad guys out there and if you think your ISP is protecting you from them, you are wrong. If you sit on an open Internet connection with even a patched Windows-based PC (and even with many Cable/DSL providers!), you will be hacked and botnet'ed in under a minute..."up to one quarter of all personal computers connected to the Internet are part of a botnet" (botnets are usually protected by some form of rootkit making them nearly impossible to remove without reinstalling the OS).

The router you now have in place is there to defend you from all fronts at the IP packet level. So let's test that theory. Go here:

https://www.grc.com/x/ne.dll?bh0bkyd2

Scroll down the page past the useless stuff. Steve Gibson is a fanatic and not much of a security expert (moves his mouth a lot though - Bruce Schneier, on the other hand, is a REAL security expert) but his ShieldsUp! tool is extremely useful for finding any chinks in the armor of your router. Click the "Proceed" button. Click the "All Service Ports" option. Then sit back and wait as the website handles the rest.

A really good router will be completely "stealthed" (all green). However, many consumer routers have port 113 "closed". Port 113 is the identd service - some manufacturers do this so users won't complain about certain e-mail servers that require identd. If it was "green"/stealthed, sending e-mail messages could be very slow. Therefore it responds as being closed. This keeps the e-mail process moving along BUT at the sacrifice of having control over router security. Blame your manufacturer but also realize that port 113 isn't going past the router (i.e. requests stay on the WAN side - they never enter the LAN).


That's it! You're good to go. As far as consumer-level security, you've got the best there is for a minimal amount of tinkering.

If you want to do some more stuff, look into setting up firewall rules that block every outgoing connection except on specific ports that you use. This requires a fairly good understanding of how the Internet works in general. To try to explain it in English in a way that you could understand would take about two blog entries. Maybe more. And I would not try to explain it the same way Senator Ted Stevens did...The Internet is a series of tubes...it is not a truck...huh?

For commercial purposes and the adventuresome, take a look at RADIUS-enabled hardware and software (along with various Linux/*NIX installations for certain router brands). The commercial hardware/software allows you to dynamically change the encryption key every 'x' minutes, which is a huge security enhancement. Also, you can set up those nifty redirection/login pages you see when you visit various establishments. You can also issue SSL client certificates for really secure setups. Actually, organizations are starting to put the wireless outside the LAN (usually squashed between two firewalls) and requiring people to VPN/SSH into the network to get on the LAN. This route is very secure.

This has been a very long message from your friendly neighborhood geek.
