Photo by Jem Stone. Used under a Creative Commons license.
The cost in time and materials in setting up a wired network, especially in large or multiple-station complexes, undoubtedly will exceed the cost of installing a wireless infrastructure.
But there is danger ahead in wireless networking. If you do not have it locked down from outside intrusion, every computer on the wireless network is vulnerable to attack.
Anytime you connect to an unsecured wireless network, you have no way of knowing who else is logged on. Other users may be able to browse your shared folders; this would equate to leaving your filing cabinets wide open — under a sign saying “Take whatever you want.”
Cyberthieves love wide-open, unsecured wireless networks. Any information stored on computers attached to the network, as well as any information transmitted, is there for the taking.
Once a cyberthief has detected your wide-open network, he or she could:
- Use your Internet connection for free, downloading who-knows-what and slowing the network to a crawl.
- Download from pornographic websites, potentially including child porn, which conceivably could get you arrested if traced back to your network and found stored on your system in an obscure file created by the hacker.
- Set your network up to spam hundreds of thousands of people, spam that appears to come from you.
- Download or distribute music illegally.
- Take complete control of your network, locking out you and other users. (Consumer wireless routers have a button that resets everything to the default settings of the installed firmware; but until the lockout is detected and rectified, the hacker has control over your network and access to private or financial information stored on your system.)
- Install a backdoor into your company’s file server(s) and create a virtual private network that would allow access to company financials and personal info about all employees. (While many companies use separate third-party financial, payroll and HR software that is encrypted or protected and runs outside the local LAN, some broadcast facilities cannot afford the cost of off-site services; they house the data on their local servers. While encryption methods seem secure, cyberthieves have been able to break encryption codes to obtain the valuable information they are after.)
- Use the information collected about you or your business to commit identity theft, which could cost you or your station thousands of dollars in lost credit and time. Even worse, if clients’ confidential information should get out, they could sue you.
One need not be a computer genius to gain unauthorized access to wireless networks. All an intruder needs is a laptop and software that can be downloaded from the Internet for free. Any computer with a wireless card within the vicinity of the wireless transmitter can latch on to a network.
People who jump in their cars with their wireless laptops and drive around looking for networks are called “wardrivers.” Not long ago, a story made the news in which wardrivers hung around outside malls, obtaining credit card and purchase information from transactions made at one of the nation’s largest electronics retailers. This could have been avoided if the store had secured the wireless network.
An intruder might not even have to drive around looking for an unprotected network. He or she might simply latch onto a neighbor’s wireless connection.
Many engineers might disdain a wireless network for these reasons. But a network has advantages if installed and configured properly. People need to move around in a broadcast facility; often it is simpler to pick up a wireless computer and move it. Simple and effective, wireless is the way to go for many users.
But as the saying goes, with privilege comes responsibility. Protecting your company’s assets must be the top priority; and you must implement a schedule of regular maintenance and thorough checking for any changes in system parameters.
There are two basic types of wireless Internet connections. The first is a Wi-Fi connection, essentially using a radio transmitter connected to the Internet via a cable or DSL modem which broadcasts and receives information from the World Wide Web.
Warning: A wide-open wireless network.
The second is a cell phone network, which enables you to browse the Web and send that information to your smartphone or other PDA devices such as an iPhone or BlackBerry.
Today let’s talk about how you can protect your home or office Wi-Fi network. Security for cell phone networks is a different ballgame; we will discuss that in the future.
Engineer, protect thyself
Here are nine steps to protect your wireless network. No system is foolproof; but these tips should deter hackers, who generally prefer easier targets.
- Immediately change the default password in your wireless device. If you leave the default administrator password in place, any wireless network sniffer program can identify the manufacturer of your device. All the cyberthief has to do is go to the manufacturer’s website and download the user manual, which lists the default settings, including the administrative password and default IP address. The intruder can then change the device settings and lock you out of the admin interface.
- Change the SSID. The service set identifier is simply the name of the wireless network. This name must be known to connect to the network, so change the SSID to something other than the obvious. An SSID such as “WXYZ Internet” is too easy to guess. Use a combination of letters, numbers and special characters to name your network. The harder you make it for an intruder to figure out your network’s name, the quicker he will move on to easier pickings.
- Change the default subnet. If you fail to change the manufacturer’s default subnet setting (found in the user’s manual), the intruder can assign himself a static IP address and TCP/IP configuration based on that default. Most devices ship with the common default subnet 192.168.0.0 and a subnet mask of 255.255.255.0. Change this to a different range within the non-routable address space reserved for private networks. Those ranges are: 10.0.0.0–10.255.255.255; 172.16.0.0–172.31.255.255; and 192.168.0.0–192.168.255.255.
- Disable SSID broadcast. The default setting in most devices broadcasts the SSID. Disable it. Remember, if the hacker has the admin password and IP address, he can obtain the default SSID from the user manual.
- Enable encryption. Wireless devices support encryption via the Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA/WPA2) protocols. Each uses a pre-shared key, essentially a password, to gate access to the system. They also support various key lengths; a simple rule of thumb is that the longer the key, the harder it will be to crack. The encryption key is set up on the wireless gateway as well as on each computer that has a wireless network card. Information transferred between the devices is then encrypted; if the keys do not match, the wireless gateway will refuse the connection. Because WPA and WPA2 are newer protocols, they incorporate developments that make them harder to hack; however, some older equipment may not support the newer protocols, and you may have to fall back to the weaker encryption method.
- Disable DHCP. Almost all wireless gateway devices have Dynamic Host Configuration Protocol enabled as the default setting. DHCP automatically assigns an IP address and TCP/IP config information to any device requesting connection to the wireless gateway. If this function is disabled, the hacker does not know which IP address and TCP/IP properties to assign his or her computer, making it impossible to connect to your wireless network. (This won’t be practical for wireless LANs that need to support more than a few wireless devices. You would have to assign each computer connected to the LAN its own IP address. Way too much work for larger facilities with a great number of computers. Some stations employ local Wi-Fi hotspots connected to a secondary ISP, separate from their corporate LAN/WAN, to accommodate local clients, customers and visitors who need Internet service on their own wireless device while in the station.)
- Use MAC address filtering. Each network adaptor has a unique hardware address, also called a MAC address, for Media Access Control. Most wireless gateway devices support MAC address filtering; by entering the MAC addresses of all authorized devices, you can deny access to any computer that tries to connect without an “authorized” address. The first portion of a MAC address identifies the manufacturer of the adaptor (card); the second portion is unique to that card. If a computer trying to connect is polled for its MAC address and it doesn’t match an address on the list, the computer is denied access. However, this has the same downside as disabling DHCP: the MAC address filtering list must be updated every time a new device is added to the network.
- Follow common-sense computing practices. Make sure firewalls are installed and running on all computers connected to the wireless network. Install antivirus software on all computers and keep it up to date. Password-protect network connections, and require a user login for all computers. Disable guest accounts, no matter how few rights are assigned to that account. Power down the network when not in use.
- Go two ways. Depending on what you need in the facility, you might set up two networks: one that’s secured and accessible only by company-approved computers, and a second that is more open — with perhaps a non-broadcast SSID, and WEP/WPA/WPA2 password-protected — to give Internet access for such uses as visitors and staff smartphones.
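As an added example (not from the article or its author), here is a Python audit that checks a gateway’s exported settings against the nine steps above. The key=value export format, the list of default passwords and the finding strings are assumptions constructed for illustration, not any vendor’s real format.

```python
import ipaddress
import re
# Constructed sample export of a gateway's settings (hypothetical key=value
# format, not any vendor's real file); every value here is a factory default.
WEAK_CONFIG = ("admin_password=admin\nssid=WXYZ Internet\nssid_broadcast=on\n"
               "lan_subnet=192.168.0.0/24\nencryption=WEP\ndhcp=on\nmac_filter=\n")
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}  # illustrative, not exhaustive
DEFAULT_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # the common factory default
MAC_RE = re.compile("^" + "[:-]?".join([r"([0-9a-f]{2})"] * 6) + "$")

def parse_config(text: str) -> dict:
    """Turn key=value lines into a dict; keys lower-cased, blank lines skipped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg

def normalise_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff or aabbccddeeff; return colon form."""
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(m.groups())

def audit(cfg: dict) -> list:
    """Return one finding for each checklist step the configuration fails."""
    findings = []
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default")
    ssid = cfg.get("ssid", "")
    if not (re.search(r"\d", ssid) and re.search(r"[^\w\s]", ssid)):
        findings.append("SSID lacks a mix of letters, digits and symbols")
    if cfg.get("ssid_broadcast", "on") == "on":
        findings.append("SSID broadcast is enabled")
    net = ipaddress.ip_network(cfg.get("lan_subnet", "192.168.0.0/24"), strict=False)
    if net == DEFAULT_SUBNET or not net.is_private:
        findings.append("LAN subnet is the factory default or not a private range")
    if cfg.get("encryption", "none").upper() not in {"WPA", "WPA2"}:
        findings.append("encryption is off or WEP rather than WPA/WPA2")
    if cfg.get("dhcp", "on") == "on":  # step 6; often impractical on larger LANs
        findings.append("DHCP is enabled")
    macs = [m for m in cfg.get("mac_filter", "").split(",") if m.strip()]
    if not macs:
        findings.append("MAC address filter list is empty")
    for m in macs:
        normalise_mac(m)  # reject a malformed entry rather than silently skip it
    return findings
```

Running `audit(parse_config(WEAK_CONFIG))` reports all seven configurable steps as failing; a malformed MAC filter entry raises rather than being silently dropped from the allow list.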
All wireless networks should be secured. For peace of mind and the safety of your data, take these steps to keep the bad guys out.
Brian Cunningham, CBRE, is chief engineer for Crawford Broadcasting’s western New York region, based in Buffalo. He wrote earlier this year about protecting a computer network from viruses. For past articles, click on the Radio IT Management tab under “Business” at radioworld.com.