Wi-Fi Security Tools


The security tools in Wi-Fi specifications may not be perfect, but they are better than having no security at all.

Even if you decide not to use some of them, it is important to understand what they are and how they work, so that turning one off is an informed decision rather than an accident.

Network Name (SSID)

Every wireless network has a name called the Service Set Identifier (SSID). A network built around a single access point is a Basic Service Set (BSS); that access point is identified by its BSSID, which is the access point's radio MAC address rather than a human-readable name.

When several access points serve one network they form an Extended Service Set (ESS), and the name they all advertise is the Extended Service Set ID (ESSID). Scanning tools show both kinds of network in the same list. The general term for a network's name is the SSID.

When setting up a network, you must specify the SSID for that network. All access points and network clients in a network must use the same SSID.

When a network client detects multiple access points with the same SSID, it assumes they are part of the same network, even if they operate on different radio channels.

The client associates with the access point that offers the strongest or cleanest signal. If that signal deteriorates, the client tries to switch to another access point on the same network; this is known as a handoff (or roaming).

If two different networks with overlapping coverage use the same name, a client cannot tell them apart by name alone, so it may attempt a handoff from one network to the other and drop its connection. Every wireless network that could overlap with another should therefore have a unique SSID.

The exception to the unique SSID rule is for public and community networks that only provide internet access. These networks often have a common SSID so that subscribers can detect and connect to them from different locations.

For example, if you have an internet access account at a coffee shop, you might find and use the same SSID when visiting another shop owned by the same company.

The SSID provides, at most, a weak form of access control: a client must supply the SSID when it sets up a connection, but most network configuration programs automatically detect and display the SSIDs of active networks within range.

In practice you rarely need to know the SSID in advance. Configuration utilities and network monitoring programs such as NetStumbler list the names of nearby networks, with the exception of networks whose Broadcast SSID feature is turned off. Even then the name is not secret: a client joining a hidden network sends the SSID in the clear in its probe and association frames, so a passive sniffer recovers it as soon as a legitimate client connects. Treat a hidden SSID as a convenience setting, not a security control.
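To make the scanning and association behaviour above concrete, here is a small shell script (an added example, not code from the original article) that summarises a scan in the layout printed by Linux's `iw dev wlan0 scan`, reports networks with Broadcast SSID turned off as hidden, and picks the access point a client would associate with for a given SSID: the strongest signal among those advertising the name, which is exactly the rule that lets two unrelated networks with one name confuse a client. The scan text, BSSIDs and SSIDs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a Wi-Fi scan and pick
# the access point a client would associate with for a given SSID.
# SCAN is constructed text in the layout of `iw dev wlan0 scan` (real use:
# SCAN=$(iw dev wlan0 scan), as root); every BSSID and SSID here is made up.
SCAN='BSS 00:11:22:aa:bb:01(on wlan0)
  freq: 2412
  signal: -61.00 dBm
  SSID: CoffeeShop
BSS 00:11:22:aa:bb:02(on wlan0)
  freq: 2437
  signal: -48.00 dBm
  SSID: CoffeeShop
BSS 00:11:22:aa:bb:03(on wlan0)
  freq: 2462
  signal: -70.00 dBm
  SSID:
BSS 00:11:22:aa:bb:04(on wlan0)
  freq: 5180
  signal: -55.00 dBm
  SSID: HomeNet'

# One tab-separated line per access point: BSSID, signal in dBm, SSID.
# An empty SSID field is how a network with Broadcast SSID turned off appears
# in a scan; it is reported as <hidden>. Indentation may be tabs or spaces.
summarize_scan() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (bssid != "")
                printf "%s\t%s\t%s\n", bssid, sig, (ssid == "" ? "<hidden>" : ssid)
        }
        /^BSS / { flush(); bssid = $2; sub(/\(.*/, "", bssid); sig = ""; ssid = "" }
        /^[ \t]*signal:/ { sig = $2 }
        /^[ \t]*SSID:/ { ssid = $0; sub(/^[ \t]*SSID:[ \t]*/, "", ssid) }
        END { flush() }'
}

# The BSSID a client would pick for SSID $2: the strongest (least negative dBm)
# signal among the access points advertising that name. Prints nothing if no
# access point in the scan advertises it.
best_bssid() {
    summarize_scan "$1" | awk -v want="$2" '
        BEGIN { FS = "\t" }
        $3 == want && (best == "" || $2 + 0 > bestsig + 0) { best = $1; bestsig = $2 }
        END { print best }'
}

# Number of access points in the scan that hide their SSID.
hidden_count() {
    summarize_scan "$1" | awk 'BEGIN { FS = "\t" } $3 == "<hidden>" { n++ } END { print n + 0 }'
}

summarize_scan "$SCAN"
echo "A CoffeeShop client would associate with: $(best_bssid "$SCAN" CoffeeShop)"
echo "Hidden networks in range: $(hidden_count "$SCAN")"
```

Run against a real scan, the hidden entry is the one whose name a passive capture will reveal the moment a client of that network associates; the script only shows that the name is absent from the beacon, which is all that turning off Broadcast SSID achieves.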

Firewalls

Firewalls are essential for protecting wireless LANs from unauthorised access and maintaining network security. Sitting between two networks, a firewall filters all incoming and outgoing traffic according to rules set by the network manager.

It can reject packets from unknown sources, block ports and protocols that have no business crossing the boundary, and (where it inspects content) drop files that match known malware signatures. Firewalls are most commonly deployed at the gateway to the Internet, separating the local network from external threats.

In a wireless network, a firewall can be positioned at the gateway between wireless access points and the wired network.

This setup isolates the wireless segment, preventing unauthorised users from leveraging the wireless connection to access the Internet or the wired LAN. To deter potential intruders, restricting access to the Internet can make the wireless network less appealing.

A wireless network firewall's primary function is to act as the gateway router between the wireless network and the wired LAN or the Internet.

In that position it blocks unauthorised traffic from the wireless side to the wired network and lets only authenticated users through. Legitimate users can reach nodes on the wired LAN or the Internet, while intruders are stopped at the firewall.

It's important to note that a firewall at the gateway does not isolate wireless nodes from each other: traffic between two clients of the same access point never passes through the gateway. An intruder who joins the wireless network can therefore reach every other wireless device directly and read any shared files.

Disable file sharing on computers connected to the wireless network, and turn on the access point's client isolation option (often called AP isolation) if it offers one.

A wireless network firewall should authenticate users, admitting authorised ones and rejecting everyone else. MAC address filtering on its own is weak, because a client's MAC address travels in the clear and is easy to copy; 802.1X authentication is the proper tool. Where 802.1X cannot be deployed, an external firewall can require users to log in with a name and password before it passes their traffic to the Internet.

If the wireless network's computers run different operating systems, the login mechanism must work on all of them. A convenient approach is a web-based login page (a captive portal) served by a web server such as Apache, which runs on many platforms and on low-cost hardware.

Windows users, or anyone who prefers a pre-assembled solution, can use a commercial firewall product or the Windows build of Apache instead. These options trade some flexibility for ease of implementation.

It's crucial to recognise that wireless LANs require firewall protection against Internet-based attacks, just like any other network.

Access points with built-in firewalls, such as the D-Link DI-524 Wireless Router, offer a straightforward solution. These devices combine wireless access point functionality with broadband routing and Ethernet switching capabilities, supporting both wired and wireless clients.

Firewall programs installed on individual computers in the network offer an additional layer of defense against external attacks.

These programs safeguard against unauthorised access attempts, potential data breaches, spam relaying, or malicious activities from the Internet. Additionally, client firewalls mitigate the risk of viruses, intrusive programs, and unauthorised control of PCs.

When a firewall also hides the LAN behind one public address, reaching an internal server from the Internet requires a "virtual server" (port forwarding) rule that sends specific requests to a designated computer on the LAN. Each connection request carries a destination port number that identifies the service wanted: web servers normally listen on TCP port 80, FTP servers on TCP port 21.

Given such a rule, the firewall's Network Address Translation (NAT) function rewrites the destination address of matching requests to the internal server's IP address. Because the rule names a fixed internal address, that server must not be handed a different address by DHCP when other clients join or leave; give it a static address or a reserved DHCP lease, or the forwarding silently breaks.
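The gateway layout described in this section, as an nftables ruleset generated by a shell script. This is an added example, not configuration from the original article or from any product it names; the interface names (wlan0, eth1, eth0), the web server's address and the name of the "authenticated" set are assumptions made for the example. Wireless clients may reach the Internet, reach the wired LAN only after they have been admitted to the set (by a login page or an 802.1X front end), and inbound port 80 is forwarded to one fixed wired host.

```shell
#!/bin/sh
# Added example, not from the original article: an nftables ruleset for a
# gateway between the wireless segment, the wired LAN and the Internet.
# Interface names, the web server's address and the set name are assumptions.
WLAN_IF=wlan0                 # wireless segment
LAN_IF=eth1                   # wired LAN
WAN_IF=eth0                   # Internet uplink
WEB_SERVER=192.168.1.10       # wired host that receives forwarded port 80

# Print the ruleset. Apply it (as root) with:  wlan_ruleset | nft -f -
wlan_ruleset() {
    cat <<EOF
flush ruleset
table inet wlan_gw {
    # wireless hosts that have passed the login page (or 802.1X) are added here
    set authenticated {
        type ipv4_addr
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # wireless clients may reach the Internet ...
        iifname "$WLAN_IF" oifname "$WAN_IF" accept
        # ... but reach the wired LAN only once authenticated
        iifname "$WLAN_IF" oifname "$LAN_IF" ip saddr @authenticated accept
        iifname "$WLAN_IF" oifname "$LAN_IF" drop
        # the wired LAN keeps full access outward
        iifname "$LAN_IF" accept
        # inbound web requests that prerouting has already redirected
        iifname "$WAN_IF" ip daddr $WEB_SERVER tcp dport 80 accept
    }
}
table ip wlan_nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # the "virtual server": port 80 on the WAN address goes to the web server
        iifname "$WAN_IF" tcp dport 80 dnat to $WEB_SERVER
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Admit a wireless host after it has logged in (run as root). A source address,
# like a MAC address, is no proof of identity on its own: anyone on the wireless
# segment can copy it, which is why 802.1X is preferred where it is available.
authenticate_host() {
    nft add element inet wlan_gw authenticated "{ $1 }"
}

# The dnat rule names a fixed address, so the web server must not be handed a
# different one by DHCP when clients come and go. With dnsmasq, for instance, a
# reserved lease looks like:  dhcp-host=aa:bb:cc:dd:ee:ff,192.168.1.10
wlan_ruleset
```

The forward chain's default policy is drop, so anything not listed (including wireless-to-wired traffic from hosts not yet in the set) is refused; the nat table only rewrites addresses and never grants access by itself. The ruleset does nothing about traffic between two wireless clients, which never reaches the gateway; that is the access point's client isolation setting.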

By implementing firewalls effectively, wireless LANs can establish a secure barrier against unauthorised access, protecting the network and its connected devices from potential threats.

Power Down for Enhanced Security

To enhance the security of your wireless network, consider turning off the access point and all connected computers when they are not in use.

By doing so, you remove any possibility of unauthorised access during the hours when Wi-Fi is not needed or when you are away. Before leaving your home or office for an extended period, or when you are finished with your computers for the day, unplug the access point's power connector, or put the access point, computers and peripherals on one power strip and switch the strip off.

When you're ready to utilise the network again, reconnect the power connector or activate the power strip. It's important to wait until the lights on your DSL or cable modem and wireless access point cease flashing before resuming network usage.

This practice not only bolsters security but also reduces power consumption. Although access points and devices typically consume only a few watts when idle, completely powering them down can yield a modest reduction in your monthly electric bill.

Reflections on Wi-Fi Security

A recurring pattern seems to emerge in the world of Wi-Fi security.

Companies strive to develop robust security tools to protect their products from malicious individuals, only to have independent researchers discover vulnerabilities shortly after.

Consequently, new hacking programs surface online, further highlighting the imperfections of the so-called "protected" data. Despite the efforts of end users to keep up with the evolving landscape, complete security for wireless networks remains elusive.

Viewing wireless security as a cat-and-mouse game, it becomes apparent that both the attackers and defenders require sophisticated knowledge and equipment. While advanced tools are readily available to anyone with internet access, it raises the question: what can be done?

Is achieving a secure wireless network an unattainable goal? There is reason for hope. WPA2 encryption with a strong passphrase (or WPA3 where your equipment supports it) is enough to deter most intruders from the majority of Wi-Fi networks; the original WPA with TKIP has been deprecated and should not be relied on.

802.11n equipment helped here as well: its high-throughput modes require WPA2 (AES-CCMP) and refuse WEP and TKIP, which pushed many networks onto stronger encryption. For those who want more, a VPN adds a further layer of protection for the data itself, independent of the Wi-Fi link.

Think of wireless security akin to the front door of your house. Leaving it wide open allows anyone to enter and pilfer your belongings. However, when you lock the door and secure the windows, it becomes significantly more challenging for burglars to gain access.

While an expert might still find a way in through the lock, most thieves will opt for easier targets—an unprotected house.
