How to Secure a Network

Discussion in 'Online Security' started by Statica, Dec 5, 2003.

  1. Statica

    Statica

    Joined:
    Jun 29, 1999
    Messages:
    9,229
    With the proliferation of wireless networks, I thought that we could post a brief set of directives to get your WiFi LAN secured from the common vulnerabilities. While this is not meant to be a brand new resource, this is just a helpful compilation that could be referred to. Any contributions are appreciated. Of course, a lot of these points will not be specific to just wireless networks but even to your wired gateway device. It is important to realize that simply plugging in a router isn't protection enough. Using it properly will give you the best value for your money and the best security.

    If you have a question or a doubt about securing a network, please do not post to this thread; instead open a new thread so that we can deal with your specific issues. These are how-tos in a generic sense; there are far too many manufacturers and models and revisions ... out there for any person to tell you exactly where a specific setting is. If you don't know how to do what you may find on here, the best place to check is in the manual. Of course, if you still can't find it, you could start a new thread asking for instructions.

    Hope this helps.
     
  2. Statica

    Statica

    Joined:
    Jun 29, 1999
    Messages:
    9,229
    I've seen too many people get a router and simply plug it in with the base configurations; it doesn't make sense to me. If you are going to spend money on a router, why not go through all the configuration menus on there and learn to use it? After all, it's your router and your network.

    1) Establish an administrative password; and as with most passwords, ensure that it is a secure password. Losing your router password is probably the simplest solution - a hard reset of the router will quickly get you back to factory defaults.

    2) Ensure that you have the latest firmware for your router. Yes, your router has firmware on it, the equivalent of the "BIOS" for your motherboard. Newer versions usually give you better features, better performance and sometimes even patches for vulnerabilities. Check your router manufacturer's pages for firmware upgrades and how-tos.

    3) Check the router's log pages to see what's going on with the device. This need not be done daily, but at least fortnightly, ESPECIALLY if you have a wireless network. It will give you an idea of who is attempting what.

    4) Do you have a virtual server running? Ensure that all virtual servers (or port forwardings) are specific to your needs. Don't be opening up a virtual telnet service if all you need is FTP. When you are done using the service, make it a habit to disable the service.

    5) Some routers have special filters for specific programs, especially for online gaming or Instant Messengers etc. If you are using any of them, then enable only what you need. If you are not an online gamer, check to see that your router isn't set to enable gaming ports by default.

    6) Learn to create MAC filters. MAC filters are your best friend with a finite network, as with most common home networks. For a brief background, every network device (wireless, wired, USB etc.) has a MAC (Media Access Control) address hardcoded into it. (Microsoft calls this the physical address.) Some routers, especially WiFi, will let you allow only certain MAC addresses to use their facilities. You have a finite number of computers/network cards plugged in, right? Why not specifically DENY access from any other MAC card? Of course, if you buy a new laptop or a new network card, you can always add the new MAC address on.

    7) DHCP Servers are great because you can simply boot up to an IP address. You increase your security by disabling it. Let's face it, most of us don't have even 10 IP addresses in use on the home network; how about just assigning a static IP to your computer's network cards and disabling DHCP? Should someone spoof their way into your router and get your router to actually give them an IP, chances are that you can detect it much easier.

    8) Are you sure you don't have Remote Management enabled on your router? Check to see if it's disabled.

    9) Discard PING from WAN side: A lot of routers have this valuable tool hidden away in strange submenus. But check to see if you have this enabled. It prevents most from pinging your router from outside your LAN.

    9) Is your router functioning on UPNP mode? Try disabling it.

    10) If you have a wireless network, check to see what authentication you are using. If it's old-ish, make sure you use some sort of security. Under ideal situations, say for 802.11g or 802.11b networks, you should be on WPA-PSK. Make sure you have a complex passphrase established between the router and the connecting devices. If you don't have WPA, then you should at least use WEP. WEP is being done away with because it is vulnerable, but it's better than using nothing. In WEP, use it in 128bit rather than 64bit. Make yourself a good strong key. I can't stress this enough, do change your keys once every 2 weeks or so. This should be filed under the "maintenance" category that you do - like the defrag and the diskcheck!

    11) If I turn on and check for wireless networks where I am, I am bound to come across someone running a WiFi network with the router default SSID. Firstly, what is the SSID? It's an acronym for Service Set IDentification, a broadcast network name letting you connect to your network. Do yourself a favor and change the name from the router default (which is usually called 'DEFAULT') to something more personal.

    12) And now on to step 2 of the SSID issue. Configure your router to broadcast the SSID with your new personalized name. Now go to all the computers that are using the router for their wireless connection, and connect to it. Ensure that everything is working just fine. With WPA/WEP. All working? Good! Now log into your router and DISABLE the SSID broadcast. This will prevent unauthorized scanning for a network. Since your WiFi network cards have connected and have the password stored, they know what to look for, you will be fine.

    13) Disable WiFi if you don't have WiFi running. Sometimes, you may wish to go out and buy a wireless capable router, just so you can use wireless for that new laptop you're getting for Christmas. Till then, disable it. Usually, when I am out of town for an extended period of time, and I have my notebook with me, I disable WiFi when I leave, knowing that I don't have any other wireless devices that require it.
     
    Last edited: Dec 5, 2003
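Steps 6 and 7 above rely on knowing exactly which MAC addresses and static IPs belong on the LAN. As an added example (not part of the original post), the sketch below audits a saved ARP table against such an inventory; the inventory, the sample tables and every address in them are constructed, and the table is assumed to come from `arp -an` (Linux) or `arp -a` (Windows) run on a machine inside the network.

```python
import re

# Assumption: your own inventory of MAC -> static IP (DHCP disabled, step 7).
# Every address in this example is a constructed sample.
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": "192.168.1.1",   # router
    "00:11:22:33:44:55": "192.168.1.10",  # desktop
    "00:11:22:33:44:66": "192.168.1.11",  # laptop
}

# Accepts Linux "arp -an" lines and Windows "arp -a" lines.
ARP_LINE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b"
)

def parse_arp(text):
    """Return (ip, mac) pairs for unicast entries, MACs normalised to aa:bb:..."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # headers and "<incomplete>" entries carry no MAC
        mac = m.group("mac").lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast group address, not a device
        entries.append((m.group("ip"), mac))
    return entries

def audit(text, known=KNOWN_DEVICES):
    """Flag devices missing from the inventory or sitting on the wrong IP."""
    findings = []
    for ip, mac in parse_arp(text):
        if mac not in known:
            findings.append(("unknown-device", ip, mac))
        elif known[mac] != ip:
            findings.append(("unexpected-ip", ip, mac))
    return findings

LINUX_SAMPLE = """\
? (192.168.1.1) at 00:11:22:aa:bb:01 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.37) at 00:de:ad:be:ef:01 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""
WINDOWS_SAMPLE = """\
Interface: 192.168.1.10 --- 0x4
  192.168.1.50          00-11-22-33-44-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for finding in audit(LINUX_SAMPLE) + audit(WINDOWS_SAMPLE):
        print(finding)
```

An ARP table only lists hosts the machine has exchanged traffic with recently, so an empty result means nothing unexpected was seen from that vantage point, not that nothing else is connected.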
  3. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,669
    Location:
    Northeast U.S.A.
    Great info here....^bump^
     
  4. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    34,996
    Location:
    Joplin MO
    Stickied.
     
  5. kikis9200

    kikis9200

    Joined:
    Mar 13, 2004
    Messages:
    19
    Location:
    Central Mindanao, Philippines
  6. TennBikeBerk

    TennBikeBerk

    Joined:
    Jun 12, 2004
    Messages:
    220
    How do I enable WPA protection?
     
  7. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    34,996
    Location:
    Joplin MO
    Your access point and adapters have to support WPA. If they do, it should be somewhere in the configuration.
     
  8. nooblark

    nooblark

    Joined:
    Apr 13, 2004
    Messages:
    466
    Location:
    NJ
    just hooked up my router and it's working.. wanna make it secure.. what's the best way, to encrypt it?

    if so.. how ? :)

    the noob is back!!!
    ty,
    -noob
     
  9. ZeratulsAvenger

    ZeratulsAvenger

    Joined:
    Jun 6, 2003
    Messages:
    903
    Location:
    Alaska
    Follow the above advice to make it secure.

    Turning on WPA, turning off SSID broadcasting, MAC filters, and also of course changing the Admin password are probably the most important steps in securing your wireless (or at least I would do those first...)
     
  10. ltmccaul

    ltmccaul

    Joined:
    Dec 4, 2004
    Messages:
    54
    If you have a reasonable amount of networking skill and know how to subnet, then I recommend changing the default router address, usually 192.168.1.1. Makes it hard for those newb hackers that are only trying to see what they can do. Changing this requires a bit more skill to find and crack.
     
  11. ComputerNut

    ComputerNut Its the Dark Side!

    Joined:
    Jan 3, 2004
    Messages:
    1,111
    Location:
    Kitchener, Ontario, Canada
    I noticed that one of the options mentioned was to disable UPnP, but I actually need it on some occasions. Is it a really bad security risk to turn it on?

    CN :)
     
  12. old dog 2

    old dog 2

    Joined:
    Oct 30, 2004
    Messages:
    99
    Just what I need to know

    Statica, I was just going to post a question. But you answered it for me, I think. I just found out someone was using my wireless connection to get on the internet. I changed my SSID from the default when I set up. But he found it, so I must be broadcasting it. Right? So if I do what you said in steps 11 and 12, I can shut him out. Right?
    Now he is a friend, so I am not too upset about it. But can he see what is on my computers? I have a firewall set up; will that keep people out?
     
  13. TennBikeBerk

    TennBikeBerk

    Joined:
    Jun 12, 2004
    Messages:
    220
    Old_dog_2,

    Why don't you try step number 6?
     
  14. feeder82

    feeder82

    Joined:
    Feb 8, 2005
    Messages:
    16
    cannot disable ssid

    Great help, but when I try to disable the SSID broadcast, my wireless connection loses the signal; it comes right back when I reconfig and turn the broadcast SSID back on. Any ideas?
     
  15. visakbnb

    visakbnb

    Joined:
    Feb 25, 2005
    Messages:
    18
    lost

    Now I guess I'm in this group.
    After reading these posts, and 99% of them I don't understand the info or how to find it, I just went wireless, don't know if it is set up all right or not, I'm trying to set up security.
    I also don't quite understand how to use this forum, even though it sounds like everybody is super, there comes a breaking point on one's patience. Anyway, maybe it's just better to be wired (instead of wireless).
    But if anyone has the patience, I would appreciate it.
    two computers
    one desktop one laptop both HP
    desktop Windows XP Home, laptop XP Pro
    desktop "g" card, laptop "b" card
    linksys wrt54g router
    I think I have the laptop working, and I think the desktop is working
    I am really concerned about security
    from what little bit I know (that's for sure) I think that MAC addresses are the way to go
    How can I set this up?
    thanks
    bruce
     
  16. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    34,996
    Location:
    Joplin MO
    visakbnb: This is how you use the forum. You have an existing thread concerning your router setup, and we have a dialog going there. Keep replying to THAT thread until the issues are taken care of. Jumping from thread to thread is counterproductive. Thank you!
     
  17. renoma

    renoma

    Joined:
    Apr 18, 2005
    Messages:
    1
    hi im a noob 18 yr old trying how 2 block users using mac filters.
    anyone care 2 go through the STEPS required 2 do it?
    eg. 1st u mus find ur own mac address......
    then click wad, do wad etc..

    tnx 4 ur help ^^
     
  18. ZeratulsAvenger

    ZeratulsAvenger

    Joined:
    Jun 6, 2003
    Messages:
    903
    Location:
    Alaska
    Renoma, might be worth making your own thread, as most will just pass this one over, as it is somewhat aged and few "new" things are brought up so long after the initial topic was made. List what your OS's are, what router you have (brand and model number), and someone will probably be able to help you just fine. Ok, I guess probably just the router info would work, but better too much information than too little, right?
     
    Last edited: Apr 18, 2005
  19. Panama Red

    Panama Red If I'm not here, I may be cruisin'!

    Joined:
    Apr 8, 2003
    Messages:
    14,773
    Location:
    near the left coast of Michigan
    Two moderator comments. First, as suggested, please start your own thread in order to get the appropriate attention to your question. Second, please refrain from the use of Instant Messaging Speak. We encourage the use of proper grammar and spelling. (some of us are a LOT older than 18 and have trouble translating the lingo! ;) )
     
  20. Digitalic

    Digitalic

    Joined:
    Apr 25, 2005
    Messages:
    207
    I just wanted to throw this in here, and it may have been mentioned, but routers will come with a default UN\PW. Make sure the defaults are changed, especially if remote administration is enabled.