How I survived configuring and securing a wireless LAN - Part 1

How do you correctly set up and lock down a wireless LAN? I've been holding off, but wanted wireless access so that I can work more comfortably and not be at my desk all day. With file sharing on my home network and a family that just had two credit cards compromised in the TJX data theft, however, we're not interested in taking any chances. If we're going to have wireless, we want our computers as secure as humanly possible.

Here's how the project is going so far. Hopefully you can learn from my experience.

Last weekend I pulled out my newly reissued VISA and bought a Linksys Wireless G router. This is one of the most commonly available Wi-Fi routers right now and has all of the security features you need. Now, three days later, it's finally set up correctly. Linksys didn't make the process as easy as I'd hoped, but from what I've seen, other brands don't do much better.

Finding a Wi-Fi Router

To get started, I recommend buying a name-brand unit with these buzzwords: MAC address filtering, Wi-Fi Protected Access 2 (WPA2) protection and firewall features. I chose a Linksys Wireless G model WRT54G in part because the company is owned by Cisco, a respected enterprise networking vendor, and in part because it was one of the few models available locally.

Here's something else I learned: Shop around. When I decided on the Linksys WRT54G, I thought I would pay the going price of $69.99. Then Circuit City advertised a $20 off sale. I hoped to jump at that before it came off special but never got there. The funny thing is, it remained at $49.99 for weeks and weeks. I dropped by my local Staples and saw that they offered the same model at $69.99 with a $20 "Instant Rebate." But like Circuit City, the "sale" price wasn't expiring. What's up with that?

Answer: Wal Mart. The local store began carrying the same model. Regular price: $49.99. A store manager at Circuit City admitted that they check the competition each day and match the prices. As long as Wal Mart carries the unit, you get the "sale" price.

Setting Up Basic Security

First off, don't expect much from the directions in the box. Because the Linksys brand is owned by Cisco, I assumed that setup would be easy. I was so wrong. Inside the box I found an FAQ postcard, a registration card and two pieces of collateral advertising tucked into an envelope. The box included no printed manual, of course. The directions on the envelope basically said to insert the installation CD.

Another tip: Find the missing manual on the installation CD and read it because the install routine won't do everything you need to fully secure the wireless LAN (WLAN). Inserting the Linksys CD auto-launches a setup wizard. From there I clicked "next" and started the installation. Another option at the bottom, "User Manual," brought up a PDF document. That option, washed out light gray text on a green background, is easy to miss. If you buy this unit, remember this. You'll need that manual later.

Above all, don't trust the setup wizard to secure your WLAN. After you finish up the basic install you'll need to go into the settings screen (accessible by typing the Linksys router's IP address from a browser) to complete the job.

The setup wizard walks you through a pictorial for the physical setup of the unit. The service set identifier (SSID) is the name wireless devices need to use to gain access to the wireless router. The router broadcasts the SSID by default so that anyone can find it and attach to it. However, you can also make the SSID invisible. Wireless clients must then be configured to know about the hidden SSID and to automatically connect to the device. The SSID is set to "admin" by default, but you can change it to anything else, up to 32 characters. Anything is better than the default. I could have chosen to use a name like "Home" or "Mitchell" for my unit. My recommendation is to choose a random, long alphanumeric text string for the SSID (up to 32 characters but certainly no less than eight) that no one could easily guess.

I protected the router and its configuration utility by replacing the "admin" default password with a strong password. The setup routine asks you to create a new password for access to the wireless router's configuration. The default is "admin." For God's sake, don't use that. While the program prompts you to change the password, it doesn't force you to do so, nor does it encourage you to use a strong password, so make sure you do. I use the free Password Safe program created by security expert Bruce Schneier to store my passwords in an encrypted "vault" on my computer. It's a quick and easy download. If you're not sure what a strong password is, this program will generate one for you.

Next I had to choose between "SecureEasySetup" and "Skip." The former automates setting up security between the router and devices that use Linksys brand Wi-Fi adapters that support SecureEasySetup. I do have one laptop with a Linksys Wi-Fi Wireless G adapter but it does not appear to support this feature. I chose "Skip" - an odd choice of verbiage for an option that means "walk me through the setup."

That brought me to the wireless security setup screen. It asks you to select one of four choices for encrypting wireless traffic between the router and wireless devices, but leaves the user to guess what the technical mumbo-jumbo means. Right about now you'll wish you had that manual. I read about this stuff every day and even I can't keep it all straight.

Of the options, two are Wired Equivalent Privacy (WEP) protocols, which are outdated and should only be used if you have a computer with an old wireless card. Rather than settling for a less secure encryption and authentication mechanism, however, your best choice is to upgrade machines with an older Wi-Fi adapter and use the more secure Wi-Fi Protected Access Personal (WPA Personal). Specifically, I chose WPA2 and then created a "key" that will allow computers to decrypt transmitted data. Again, I used a strong password consisting of more than 8 characters (it can be up to 32 characters; the longer the better).

The next screen lets you save or print the settings, register the product and exit. At this point the program ends and you might be forgiven for assuming that you are done. You're not. More on that next time.

Until then, I welcome reader comments. Did I miss something? Is there an easier way for the nontechnical to get the job done? Let me know.

What People Are Saying

802.11b

If I switch to WPA from WEP, will my laptop with only an 802.11b wireless adapter be able to log onto the router? If I have to use WEP, does MAC filtering help keep attackers out (along with a software firewall)?

Hello all Am a new to the

Hello all
I am new to the world of computers and on a fast-track learning curve! I have spent the last couple of days trying to set up my boyfriend's parents' computers on a Belkin wireless G router. I was working my way through the installation CD quite happily until I got to the page with the SSID and channel number options on it. When I changed the SSID and set the channel, I could not continue, i.e. the `next` button would not work. I called Belkin technical support and went through many, many options, until they finally concluded that I would need to disable the Norton firewall in order to proceed. I have looked into this, but am unable to do this myself and therefore wonder if this could be so? If anyone could offer any advice I would really appreciate it. With many thanks and best wishes,
Katherine

my experience was very

My experience was very similar to Robert's; the Linksys router provides little to no instructions. I have a question that you may be able to answer. I have a laptop w/wireless card (for my job); for some reason I lose the connection from my wireless home but I can go to Starbucks, Barnes and Noble, etc. and have no problem going wireless (Wi-Fi). Any reason why this is happening?

Robert - This definitely has

Robert - This definitely has been a rough road for you. You gave some good tips. Let me add to them. Be sure to select Save before advancing to the next screen.

Use a cable to connect a computer to the Linksys for any configurations. Then log in using your browser.

Setup tab>Basic Setup:
1) Compare the firmware on your Linksys (upper right corner of interface) with the latest firmware available for download on the Linksys site. The firmware on your Linksys should be equal to or greater than what is offered on Linksys.com. Make sure you select the firmware by model and hardware version so you don't load the wrong firmware. The hardware version # of your device is located on the label on the bottom of your firewall/router. Firmware is upgraded using the Admin. tab>Firmware Upgrade screen.

2) Change the Max. Number of DHCP users to the max. number of computers on your network. This limits the number of computers that can use your home network.

Wireless tab>Basic Wireless:
3) Change the SSID from "Linksys" to an SSID that doesn't identify you, your family, your house or employer. Be anonymous. (i.e. Stonehenge, MyHouse, La_mia_Casa). Record this case-sensitive name as it will be needed later for configuring each device that uses your network.

4) Change the channel from 6 to 1 or 11 to reduce the chances of interference from other wireless devices (including your neighbor's wireless router/firewall).

5) Disable broadcasting the SSID (wireless network name). No reason to shout out the wireless network name.

Wireless tab>Wireless security:
6) Select WPA2 Personal encryption and TKIP + AES. WPA2 is the strongest home encryption offered for protecting your data transmissions between the wireless device and the Linksys. If all the wireless devices using your home network have WPA2 and/or WPA Personal (PSK) as a selection, then use this encryption. TKIP + AES allows a mix of encryption TKIP & AES on your network. If one device only has WEP as a selection, then you will have to use the weaker WEP encryption.

7) Select a WPA2 passphrase; between 20 and 63 characters is recommended. Go for a mix of spaces, alpha and numeric characters. Consider the title of your favorite movie or music CD. Write this down exactly as you entered it.

Wireless tab>Adv. Wireless Settings:
8) Disable the Secure Easy Setup (SES) capability. Then you won't accidentally use the SES feature to reconfigure the router in the future by pressing the Green logo button on the front of the box. Disabling the SES capability also disables the SES icon button on the interface Setup screen.

Security tab>VPN Passthrough:
9) Only enable the VPN protocol you use. For example most employers use IPSec for employees to create a private tunnel to their network. Therefore IPSec should be enabled and PPTP (Europe) & L2TP (Israel) should be disabled. If you don't use IPSec to tunnel to a server, then disable IPSec.

Admin tab>Management:
10) Change the default password from "admin" to a new password. Something that is not easily guessed.

11) Disable Wireless Web Access. Only login to the Linksys from a wired connection.

12) Disable Remote Management. Don't access the Linksys from the Internet. The security for this type of login is weak and allows hackers an opportunity to find a way onto your home network.

13) Uncheck http and check https. Access the Linksys using a secure network connection. I always recommend this because even though I don't recommend logging into the Linksys wirelessly, some will ignore this. If you are going to do this, then use an SSL tunnel. Later when you update the firmware on the Linksys you will need to temporarily enable http for the update process.

Admin tab>Config. Management
14) The last step I recommend is to backup the configurations you just performed. Select Backup and choose a location on the hard drive of your computer or server.

15) Remove the cable between the Linksys and the computer you are using to configure the Linksys. Shut down the Linksys and the ISP modem. Connect the modem to power and then the Linksys.

Now for the card(s). The wireless utilities screen layouts vary so I can only provide general directions. The following will need to be performed for each wireless device. Now access your wireless card utility:

1) Select Infrastructure Networks Only. It's important that your laptop doesn't connect to any available wireless network. This selection is necessary if your wireless device uses public wireless networks or hotspots. A hacker could have an access point setup waiting to capture and read your transmitted data.

2) Create a profile on each wireless device that uses your home wireless network. You will need the SSID and WPA2 passphrase that you entered into your Linksys.

Once you are done setting up your devices, shut down all the computers, Linksys and your modem. Boot them up one at a time in reverse order.

Remember, when you are traveling with your laptop, to disable the wireless card unless needed.

I wish I could help you, but

I wish I could help you, but my Linksys installation went a lot smoother, mainly because I didn't use any special features. (Of course I didn't use the default password!) Since that house is in the middle of a 40-acre lot in a very rural area, I didn't bother with the Wi-Fi security. For that reason I found it fairly simple to install "by ear", but on the other hand I do have a fair amount of networking experience. The standard operation of the WRT54G, including its firewall, address translation and the web-based console, are all satisfactory.

In another location, in a suburban condominium, I installed a USRobotics router. This was much more difficult, but it turned out not to be the fault of the router. Installation and operation are comparable to the Linksys (some things are better, other things are worse). Of course with this installation I used WPA2 from the get-go. The trouble I mentioned above was getting WPA2 to run; this was solved much later when I installed a driver update for the Intel Wireless Pro chipset that Dell had used in the laptop. Meanwhile, I got going by buying a USB wireless adaptor also made by USR (and therefore compatible). I mounted this on my desktop and ran an ethernet cable from the wireless router that I could hook up my laptop with. (This latter connection tends to run more consistently and faster than the wireless link, which is not surprising. For this reason, when I later got the Intel chipset working properly with its upgraded drivers, I continued using the wired connection to the router when convenient.)

It sounds like incompatible wireless hardware and software is at least one gotcha you managed to avoid.