What good is unimplemented security? In this video, learn how to secure your wireless network so that your neighbors will stop using all your bandwidth.
- There's a lot more to securing your wireless network than simply turning on WPA2. I mean, it's important, don't get me wrong, but what I want to do right now is go through a litany of things that you should be doing on your wireless access point to make sure that your system truly is secure. So let's start off by taking a look at what I've got set up so far. So right now this is my D-Link wireless access point. I've had it for a couple of years, I really like it, and I've currently set up an SSID called keepout, that's always handy.
And you can see I'm doing WPA2 and I've got a passphrase set in and it's up and running, life's good. But there's a couple of things you might want to be aware of in here. First of all, here's this guy right here. You see where it says SSID visibility? We can disable that. In essence, what we're doing is we're turning off SSID broadcast. Now the downside to doing that is that you'll notice that on a lot of networks you'll have clients that'll sit there and go, there's a network, there's no SSID broadcast, but there's a network out there.
So this is an access control list based on MAC addresses. So right now I've got three computers that are connected to this. So what I want to do is say, I want to limit whoever can connect to this particular network based on their MAC address. So it's kinda convenient: what you'll do is you have everybody connect who you want to be on your wireless network. And then you can pretty much just go in and select the people that you want to be on there and at this point, oop, I got it set for rejection, let's set that to accept.
So that means that we'll only accept these MAC addresses. The downside to this is, what if your Aunt Bernice comes to visit? Well, you have to go through some rigamarole to get her configured. So you've got a couple of choices here. If you've got a really advanced wireless access point, you can do cool things like put in multiple SSIDs. In that case you can have one which is the permanent SSID and only the certain people can get in. And then you can have a visitor SSID that's a little bit more robust in terms of what it allows.
So let me just keep pokin' around in here a little bit, and I'll show you some of these options. So here's multiple SSID. This one's actually kinda fun, and one of the reasons I bought this WAP for my office. And that is, I can create multiple SSIDs and then, once those multiple SSIDs are set up, I can give them different types of encryption, I can set them to separate VLANs, I can do all kinds of cool stuff like that to help protect my network. So MAC address filtering's pretty good too, but there's one other little trick I want to show ya, and that has to do with DHCP.
Now pretty much all of these little guys are going to be DHCP servers. So what I can do is I can come in and right now you can see I've got a whole bunch of DHCP, let me turn this guy on momentarily. So right now I'm passing out 235 different IP addresses. What I can do if I need to is I can set that to, let's say there's five computers in my network, I can set that up so that there's only five. Now this creates a really tough limitation if somebody were trying to piggyback onto this network.
Well, they'd have trouble because they'd never be given an IP address. So that works pretty well too. Unfortunately, it again falls back into the Aunt Blanche's visiting issue. However, in this particular case, it's usually fairly trivial to go into your wireless access point and change that five to a six. So that as long as Aunt Blanche is visiting, she can get an IP address. All right, the other one, and this one drives me insane. It's such a basic thing that it just drives me crazy. I'm gonna have to bring it up, and that is the password.
When it comes to the password, you really need to change it from whatever its defaults are to something a little bit more complicated. This is an old-fashioned easy way for bad guys like me to easily hack into any wireless access point. Simply because we made the point to understand, to know what the default passwords are for all of these different devices. This is bad with an access point, it can be downright disastrous for one of these wireless routers where I can really get in and wreak havoc. So make sure that you don't do that.
All right. The other thing you'll see on a lot of wireless access points that's convenient, and unfortunately mine doesn't have this, is called remote management. Basically it says, can you access this configuration screen from a wireless client? By default it's almost always turned off. But from time to time people like to turn these on, 'cause it's convenient for them. 'Cause they don't want to have to plug into their network just to make configuration changes to their wireless access point. In general I don't like that idea, because bad guys will try to poke in on it.
However, if you use robust passwords, if you make it complicated enough to get in there, for example, change the default port from port A to something else, it can often be a convenient option for those of us who need to get into our wireless access point to make changes. And the last one, and this is a very rare option, but one I wish I could see more often, is called client isolation. With client isolation you have a single wireless access point and you'll have a whole bunch of people connecting to it. Now keep in mind, when everybody connects to a single wireless access point, they are in essence in a broadcast domain.
So if everything else is set up correctly on their individual computers, they can see each other. However, on a really cool wireless access point, and one of the reasons I love the popular DD-WRT firmware upgrade, the free one, is that it adds this option called client isolation, which means everybody can connect to this one SSID, but they absolutely cannot see each other. So next time you walk into a coffee shop and you'll notice that the only person on the network is you, well, there's a good reason for that. Because pretty much everybody's learned that client isolation is important, especially on a public wireless network.
This course was created by Total Seminars. We are pleased to offer this training in our library.