Wireless Access Points & Security

You've installed an access point, now what do you do?
The first thing to do is change the default password on the device.
Why? You don't want someone pulling up outside your house and changing it for you. You've logged in to the administrative interface, right? After you change the password, find the SSID and change that also. The SSID is the name of the wireless network. If you keep it the default, people will know which brand of AP you have. If they see it, that tells them that maybe restrictions haven't been put in place.

Changing the SSID and the password will be the first steps in keeping people out. If you can, disable the AP from broadcasting the SSID. If you call your Access Point 'MyAP', and set your laptop to connect to 'MyAP', there's no reason to broadcast it. Broadcasting the SSID is advertising that you have one.

If possible, enable MAC filtering on the AP. Each wireless device has a MAC address assigned to it. The MAC address uses the letters A-F and the numbers 0-9. It's 12 characters long and looks something like: 00AB12CD34EF (example only). It could also have colons or hyphens between sets of 2 characters, like: 00:AB:12:CD:34:EF
MAC filtering allows only the devices that you have specified to connect.

Next, if you can, disable DHCP and assign IP addresses to each of your devices.
Your access point assigns (or can be set to assign) private IP addresses. The following IP addresses are in the private space:

10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
You don't have to, but it would be a good idea to move away from the default IP addresses that your AP hands out. For example, if your AP assigns IPs in the 192.168.0.X range, set your AP to hand out IPs in the 172.168.5.X range.
If you *do* decide to set up your own addresses instead of using DHCP, set the AP to the lowest number, i.e. 172.168.5.1, then assign the others to your PCs: 172.168.5.2, 172.168.5.3 ...
The subnet mask would be 255.255.255.0. The subnet mask tells the devices which part of the IP address is the network, and which is the device. 255.255.255.0 means the first three octets are the network: 172.168.5.0, the last one is for the device: 0,1,2,3...
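
One way to sanity-check a hand-assigned addressing plan before disabling DHCP (an added example, not part of the original page; the function name `check_plan` and the sample plans are assumptions made for illustration). It tests a plan against the three private blocks listed above and the 255.255.255.0 mask, and it shows that 172.16.5.X sits inside the 172.16.0.0-172.31.255.255 block while 172.168.5.X does not:

```python
import ipaddress

# The three private blocks listed above, written in CIDR form.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(ap_ip, mask, device_ips):
    """Return a list of problems in a static addressing plan (empty list = OK)."""
    problems = []
    ap = ipaddress.ip_address(ap_ip)
    # strict=False derives the network from a host address plus subnet mask.
    net = ipaddress.ip_network(f"{ap_ip}/{mask}", strict=False)

    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append(f"{net} is not inside a private block")

    seen = {ap}  # the AP's own address counts as taken
    for text in device_ips:
        ip = ipaddress.ip_address(text)
        if ip not in net:
            problems.append(f"{ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is reserved (network or broadcast address)")
        elif ip in seen:
            problems.append(f"{ip} is assigned twice")
        seen.add(ip)
    return problems


if __name__ == "__main__":
    # Constructed sample plans, not taken from any real network.
    plans = {
        "172.16.5.X": ("172.16.5.1", "255.255.255.0",
                       ["172.16.5.2", "172.16.5.3"]),
        "172.168.5.X": ("172.168.5.1", "255.255.255.0", ["172.168.5.2"]),
        "mistakes": ("192.168.7.1", "255.255.255.0",
                     ["192.168.7.2", "192.168.7.2", "192.168.8.3", "192.168.7.255"]),
    }
    for name, plan in plans.items():
        print(name, "->", check_plan(*plan) or "OK")
```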

I'm being a little paranoid here. If you've noticed, I suggest changing all the defaults to something else. By changing all the defaults, you make it a little more difficult for someone to break into your wireless network.
If someone is determined, they can break in.

I've purposely not mentioned encryption yet.
Okay, I'll mention it. There are a couple of things to think about when dealing with encryption. One is the encryption connecting to your AP, the other is the encryption connecting to a secure web site. They are two different critters.
Think of the two this way:
You write a letter and encrypt it. You put the letter into an envelope, address the envelope, and put it in your mailbox out front. Someone pulls up out front and looks at the letter in your mailbox. They can see who it's addressed to, and who it's from, but they can't read the letter. This is what happens when you connect to a secure web site.
If you add encryption to the AP, a step occurs before you put the letter in the mailbox. Before you put the letter in the box, encrypt the address. Since you and the mailman have already agreed on the encryption method, he can deliver your letter. If someone looks at the envelope, they can't even figure out what the from or the to address is.
Using the letter analogy, with no AP encryption, all the mail in your mailbox can be read by outsiders. When you connect to your mail server, your username and password are probably being sent in clear text.

VPN: Virtual Private Networking
VPNs are another thing you can do.
With a VPN, if your company supports it, you are able to connect your computer to your company's network.
When you connect with a VPN, a secure tunnel is set up between your computer and your company. Any traffic going between your computer and your company will be encrypted.
If your company has a VPN, ask them about it.





email me: roger AT pcfubar.net with any questions