This page intentionally left blank Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 15 CHAPTER IN THIS CHAPTER ■ Specifying a New Administrative Password ■ Positioning the Access Point for Maximum Security ■ Encrypting Wireless Signals with WPA ■ Disabling Network SSID Broadcasting ■ Changing the Default SSID ■ Enabling MAC Address Filtering ■ From Here Implementing Wireless Security C omputer veterans may be familiar with the term war- dialing, a black-hat hacker technique that involves auto- matically calling thousands of telephone numbers to look for any that have a modem attached. (You might also know this term from the 1983 movie War Games, now a classic in computer cracking circles. In the movie a young cracker, Matthew Broderick, uses wardialing to look for games and bul- letin board systems. However, he inadvertently ends up with a direct connection to a high-level military computer that gives him control over the U.S. nuclear arsenal. Various things hit the fan after that.) Modems are becoming increasingly rare these days, so wardialing is less of a threat than it used to be. That doesn’t mean we’re any safer, however. Our houses and offices may no longer have modems, but many of them have a relatively recent bit of technology: a wireless network. So now wardialing has given way to wardriving, where a cracker drives through various neighborhoods with a portable computer or another device set up to look for available wireless networks. If the miscreant finds a nonsecured network, he uses it for free Internet access (such a person is called a piggybacker) or to cause mischief with shared network resources. The hacker may then do a little warchalking, using chalk to place a special sym- bol on the sidewalk or other surface that indicates there’s a nonsecure wireless network nearby. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Crackers engage in all these nefarious deeds for a simple reason: Wireless net- works are less secure than wired ones. That’s because the wireless connection that enables you to access the network from the kitchen or the conference room can also enable an intruder from outside your home or office to access the network. Fortunately, you can secure your wireless network against these threats with a few simple tweaks and techniques, as you’ll see in this chapter. Specifying a New Administrative Password By far the most important configuration chore for any new router is to change the default logon password (and username, if your router requires one). Note that I’m talking here about the administrative password, which is the pass- word you use to log on to the router’s setup pages. This password has nothing to do with the password you use to log on to your Internet service provider (ISP) or to your wireless network. Changing the default administrative password is particularly crucial if your router also includes a wireless AP because a nearby malicious hacker can see your router. This means that the intruder can easily access the setup pages just by navigating to one of the common router addresses—usually http://192.168.1.1 or http://192.168.0.1—and then entering the default pass- word, which for most routers is well known or easy to guess. The next few sec- tions show you how to modify the administrative password for various routers. Belkin Here are the steps to follow to change the administrative password on most Belkin routers: 1. Log on to the router’s setup pages. 2. Under the Utilities section, click the System Settings link to display the System Settings page, shown in Figure 15.1. 3. Use the Type In Current Password text box to type the existing admin- istrative password. 336 Networking with Microsoft ® Windows Vista ™ 15 The most effective tech- nique for securing your wireless access point (AP) is also the simplest: Turn it off if you won’t be using it for an extended period. If you’re going out of town for a few days, or if you’re going on vacation for a week or two, shut down the access point and you’re guaranteed that no wardriver will infiltrate your net- work. tip On most Belkin routers, the default administrative password is blank. note Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. FIGURE 15.1 On most Belkin routers, use the System Settings page to change the administrative password. 4. Use the Type In New Password and Conform New Password text boxes to specify the new administrative password. 5. Click Apply Changes. D-Link For most D-Link routers, follow these steps to change the administrative pass- word: 1. Log on to the router’s setup pages. 2. Click the Tools tab. 3. Click Admin to display the Administrator Settings page, shown in Figure 15.2. 4. Use the Login Name text box to specify a new username. 5. Use the New Password and Confirm Password text box to specify the new password. 6. Click Save Settings. The router saves the new settings. 7. Click Continue. CHAPTER 15 Implementing Wireless Security 337 15 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. FIGURE 15.2 On your D-Link router, use the Administrator Settings page to change the administrative pass- word. Linksys Here are the steps to follow to change the administrative password on most Linksys routers: 1. Log on to the router’s setup pages. 2. Click the Administration tab. 3. Click the Management subtab to display the page shown in Figure 15.3. 338 Networking with Microsoft ® Windows Vista ™ 15 FIGURE 15.3 On most Linksys routers, use the Administration/Management page to change the adminis- trative password. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 4. Use the Password and Re-enter to Confirm text boxes to specify the new administrative password. 5. At the bottom of the page, click Save Settings. The router reports that the Settings are successful . 6. Click Continue. Netgear Follow these steps to modify the administrative password on most Netgear routers: 1. Log on to the router’s setup pages. 2. In the Maintenance section, click the Set Password link. The Set Password page appears, as shown in Figure 15.4. CHAPTER 15 Implementing Wireless Security 339 15 FIGURE 15.4 On most Netgear routers, use the Set Password page to change the administrative password. 3. Use the Old Password text box to type the current administrative pass- word. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 4. Use the New Password and Repeat New Password text boxes to specify the new administrative password. 5. Click Apply. Positioning the Access Point for Maximum Security Almost all wireless network security problems stem from a single cause: wire- less signals that extend outside of your home or office. This is called signal leakage, and if you can minimize the leakage, you’re well on your way to hav- ing a secure wireless network. Of course, this assumes that a wardriver is using a standard antenna to look for wireless signals. That may be true in some cases, but many wardrivers use super-powerful antennas that offer many times the range of a regular antenna. There is, unfortunately, nothing you can do to hide your signal from such hackers. However, it’s still worthwhile to reposition your access point to minimize signal leakage since this will help thwart those hackers using regular antennas. Unfortunately, minimizing signal leakage isn’t that easy because in most network setups there are a couple of constraints on the position of the wireless AP: ■ If you’re using the wireless AP as your network router, you need the device relatively close to your broadband modem so that you can run ethernet cable from the modem’s ethernet or LAN port to the router’s Internet or WAN port. ■ If you’re using the wireless AP as your network switch, you need the device relatively close to your computers with ethernet network inter- face cards (NICs) so that you can run ethernet cable from the NICs to the switch’s RJ-45 jacks. However, even working within these con- straints, in almost all cases you can posi- tion the wireless AP away from a window. Glass doesn’t obstruct radio frequency (RF) signals, so they’re a prime source for wire- less leakage. If your wireless AP must reside in a particular room, try to position it as far away as possible from any windows in that room. 340 Networking with Microsoft ® Windows Vista ™ 15 On most Netgear routers, the default administrative password is pass- word. note You might think that your wireless net- work signals extend at most just a few feet outside of your home or office. I thought so too, but then one day I was looking at Vista’s list of available wireless networks, and I saw a network where the service set identifier (SSID) was the house address, and that house was four houses down from us! note Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. In an ideal world, you should position the wireless AP close to the center of your house or building. This will ensure that the bulk of the signal stays in the building. If your only concern is connecting the router to a broadband modem, consider asking the phone or cable company to add a new jack to a central room (assuming the room doesn’t have one already). Then, if it’s fea- sible, you could used wired connections for the computers and devices in that room, and wireless connections for all your other devices. Of course, if your office (or, less likely, your home) has ethernet wiring throughout, it should be easier to find a central location for the wireless AP. Encrypting Wireless Signals with WPA Wardrivers usually look for leaking wireless signals so that they can piggyback on the Internet access. They may just be freeloading on your connection, but they may also have darker aims, such as using your Internet connection to send spam or download pornography. However, some wardriving hackers are interested more in your data. They come equipped with packet sniffers that can pick up and read your network packets. Typically, these crackers are looking for sensitive data such as pass- words and credit card numbers. Therefore, it’s absolutely crucial that you enable encryption for wireless data so that an outside user who picks up your network packets can’t decipher them. Older wireless networks use a security protocol called Wired Equivalent Privacy, or WEP, that protects wireless communications with (usually) a 26- character security key. That sounds impregnable, but unfortunately there were serious weaknesses in the WEP encryption scheme, and now software exists that can crack any WEP key in minutes, if not seconds. In newer wireless networks, WEP has been superseded by Wi-Fi Protected Access, or WPA, which is vastly more secure than WEP. WPA uses most of the IEEE 802.11i wireless security standard, and WPA2 implements the full stan- dard. WPA2 Personal requires a simple pass phrase for access (so it’s suitable for homes and small offices), and WPA2 Enterprise requires a dedicated CHAPTER 15 Implementing Wireless Security 341 15 If you find a more cen- tral location for your wireless AP, test for signal leak- age. Unplug any wireless- enabled notebook and take it outside for a walk in the vicinity of your house. View the available wireless networks as you go, and see whether your network shows up in the list. tip Many wire- less APs come with an option to extend the range of the wireless signal. Unless you really need the range extended to ensure some distant device can connect to the AP, you should disable this option. caution Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. authentication server. Be sure to use the strongest encryption that your equipment supports. The next few sections show you how to change the encryption properties in sev- eral popular wireless APs. Belkin Here are the steps to follow to change the encryption settings on most Belkin routers: 1. Log on to the router’s setup pages. 2. In the Wireless section, click the Security link to display the Security page. 3. Select an encryption type. The setup page refreshes to show the encryp- tion options associated with the type you selected. For example, Figure 15.5 shows the options associated with the WPA2 Only type. 342 Networking with Microsoft ® Windows Vista ™ 15 Unfortu- nately, encryption is a “lowest common denominator” game. That is, if you want to use a strong encryption standard such as WPA2, all your wireless devices must support WPA2. If you have a device that only supports WEP, you either need to drop your encryption standard down to WEP, or you need to replace that device with one that supports the stronger standard. (You might also be able to upgrade the existing device; check with the manufacturer.) Note that some APs come with a setting that enables you to sup- port both WPA and WPA2 devices. caution FIGURE 15.5 On your Belkin router’s Security page, select an encryption type to see the associated encryp- tion settings. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 4. For WPA or WPA2, you should select Password (PSK) as the Authentication option, and Passphrase as the Password (PSK) option. 5. Use the Password (PSK) text box to specify the password or pass phrase required to connect to the AP. 6. Click Apply Changes. D-Link For most D-Link routers, follow these steps to change the encryption settings: 1. Log on to the router’s setup pages. 2. Click the Setup tab. 3. Click Wireless Settings to display the Wireless Network page. 4. In the Wireless Security Mode section, use the Security Mode list to select an encryption type. The setup page refreshes to show the encryp- tion options associated with the type you selected. For example, Figure 15.6 shows the options that appear when you select Enable WPA2 Wireless Security. 5. In the Cipher Type list, select either TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard). Note that AES is slightly stronger than TKIP, but either one is certainly good enough for a small network. 6. In the Personal/Enterprise list, select Personal. 7. Use the Passphrase and Confirm Passphrase text boxes to specify the password or pass phrase required to connect to the AP. 8. Click Save Settings. The router saves the new settings. 9. Click Continue. CHAPTER 15 Implementing Wireless Security 343 15 PSK is short for pre- shared key, which refers in general to the sharing of some secret information with a person so that person can use the information later on (which is why this system is also sometimes called shared secret). In the case of WPA, the shared secret is the password or pass phrase that you give to your users so that they can connect to the wireless AP. note Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... include the network’s SSID as part of the probe requests they send out to see whether the network is within range The SSID is sent in unencrypted text, so it would be easy for a snoop Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 348 Networking with Microsoft Windows Vista™ with the right software (easily obtained from the Internet) to learn the SSID If the SSID is not broadcasting... Click Apply Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 15 352 Networking with Microsoft Windows Vista™ Changing the Default SSID Even if you disable broadcasting of your network’s SSID, users can still attempt to connect to your network by guessing the SSID All wireless APs come with a predefined name, such as linksys, dlink, or default, and a would-be intruder will attempt... possible; see Chapter 13, “Securing Windows Vista,” p 281 ■ For other network security techniques, see Chapter 14, “Implementing Network Security,” p 313 ■ To learn how to log on with Remote Desktop Connection, see “Connecting to the Remote Desktop,” p 373 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark PA R T IV Advanced Networking with Windows Vista 16 Making Remote Network... Sleep mode manually by selecting Start and clicking the Sleep button Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 16 368 Networking with Microsoft Windows Vista™ back on, the desktop and your open programs and documents appear within a few seconds However, remote clients won’t be able to connect to the host if it’s in Sleep mode, so you have to disable this feature Here are... form of encryption Here are the steps to follow to modify the security properties for a wireless connection: Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 346 Networking with Microsoft Windows Vista™ 15 FIGURE 15.8 On most Netgear routers, use the Wireless Settings page to change the encryption settings 1 Select Start, Control Panel to open the Control Panel window 2 Under... 3 Click the Basic Wireless Settings subtab to open the Basic Wireless Settings page, shown in Figure 15.16 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 354 Networking with Microsoft Windows Vista™ 15 FIGURE 15.15 On your D-Link router, use the Wireless Network page to change the default SSID FIGURE 15.16 On most Linksys routers, use the Basic Wireless Settings page to... Wireless Settings page to change the default SSID 3 Use the Name (SSID) text box to edit the SSID 4 Click Apply Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 15 356 Networking with Microsoft Windows Vista™ Enabling MAC Address Filtering 15 The MAC (Media Access Control) address is the physical address of a network adapter This is unique to each adapter, so you can enhance security... Close The next few sections show you how to configure MAC address filtering in several popular wireless APs Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 15 358 Networking with Microsoft Windows Vista™ Belkin 15 Here are the steps to follow to set up MAC address filtering on most Belkin routers: 1 Log on to the router’s setup pages 2 In the Firewall section, click the MAC... configure MAC address filtering 6 Click Save Settings The router saves the new settings 7 Click Continue Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 15 360 Networking with Microsoft Windows Vista™ Linksys 15 Here are the steps to follow to set up MAC address filtering on most Linksys routers: 1 Log on to the router’s setup pages 2 Click the Wireless tab 3 Click the Wireless... 15.22 On most Netgear routers, use the Wireless Card Access List page to configure MAC address filtering Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 15 362 Networking with Microsoft Windows Vista™ 9 Repeat steps 4–7 to add other device MAC addresses 10 Click Apply 15 From Here ■ For more information about how Vista remembers wireless networks, see “Opening the Manage . associated with the type you selected. For example, Figure 15.5 shows the options associated with the WPA2 Only type. 342 Networking with Microsoft ® Windows. to position it as far away as possible from any windows in that room. 340 Networking with Microsoft ® Windows Vista ™ 15 On most Netgear routers, the default