I decided to gather a series of recommendations to make WiFi networks more secure.
Please have in mind that every system is vulnerable, it is only about reducing the risk of being vulnerated.
I divide recommendations in two parts: AP (Access Point) and the workstation.
At the AP
- Change the SSID by default. It's not good to have those from factory (ej: Linksys, 3COM, etc.)
- Change AP's default password. It is relatively easy to find out the AP's model, and from there to know the default admin password.
- Deactivate SSID broadcasting. This doesn't add much security, but discourages 'casual hacker'.
- Use WPA or WPA2. Don't let the network without security. WEP is vulnerable (see my other post http://en.tuxero.com/2007/08/howto-crack-wep-sony-vaio.html), however if WPA or WPA2 are not available, WEP is better than nothing.
- Filter by MAC Address. Even if a MAC address can be changed, this is more complicated for common people.
- Deactivate DHCP. Unless it is not possible, use static IP addresses.
- Limit the maximum number of IPs in the DHCP. This would limit the quantity of devices connected (however more devices can be added with static IPs).
- Turn the AP off when not in use. This is not always possible. For home networks, this option is good, as long as you don't let your PC turned on for accessing it from the internet.
- Change the passwords often. With time, passwords can be obtained. To change them regularly it is a good practice.
- Limit the AP power. This is quite effective. It is always good to lower the power at the minimum (verifying that the farthest device can connect correctly). This lowers the chances of connection from distant devices (eg: someone in the street).
- Choose AP's location wisely. It is good to put the AP in the center of the house, away from windows and exterior walls (see preceding point).
- Use secure passwords. It is good to use passwords that mix letters, numbers and signs. If possible, use entirely random hexadecimal passwords.
- Disable AP's remote administration. This impedes someone from outside the network from accessing the AP.
- Activate Firewall at the AP.
At the workstation
- Verify who installed the AP. There are APs planted to capture network traffic. You should check it is a legitimate AP.
- While surfing the net, do not enter passwords, or sensitive information in pages not marked as secure. Before entering credit card numbers, bank or email passwords, check that the site address begins with 'https://'.
- Do not share public folders. This is a very common mistake: to have shared folders while connecting to a (public) wireless network.
- Verify you have an active firewall. When connecting to public wifi networks, you are exposed to attack from other devices inside the network.
- Shutdown the wireless card when not in use. Besides the obvious energy savings, an attacker could create an 'ad-hoc' network with the active NIC.
- Use a VPN. If you have a VPN (generally available in corporate environments), this makes the connection more secure.
Always remember that we are 'just making it more difficult' to hackers. We should avoid making it easy ;-)
You can check these links too: