A More Secure Home WiFi Design
I have recently become convinced that the way home wireless network access (or WiFi) has been designed is fundamentally flawed. And the worst part of it is that I understand why the manufacturers of home networking equipment have done it this way!
I believe that there is a better way to set up a home wireless network that will allow you to keep your home systems safe while providing WiFi users with what they primarily want, the Internet.
There are three parts to this post:
- The fundamental flaws with the present WiFi design
- A better WiFi design
- Advanced configurations
WiFi is Broken
If you have done what most people have done when implementing a wireless router, your network design and implementation was probably something like this:
- Design Phase - “I think I want to be able to surf the Internet and watch TV at the same time. I’ll get a WiFi router and replace my regular router.”
- Hardware Selection Phase - “Which one is on sale?”
- Implementation Phase - “Let’s see…unplug old router…plug in new WiFi router…search for WiFi connection…Done!”
What you have implemented is something that looks similar to this:
You have essentially provided complete access to your home network to anyone with a wireless network card who is in the vicinity. You may as well run a patch cable out your front door and put up a big neon sign that says, “Free Network and Internet Access”! All I can say is that you had better hope that nobody nearby is running Slurpr.
It is terrifying when you realize that over 40% of the wireless networks deployed today are set up in this manner.
There are four primary areas of weakness that are present in this design. These areas are:
- WiFi Connection Configuration
- Firewall Configuration
- Open Internet Access
- Open Network Access
Let’s take a look at these weaknesses in more detail.
1. WiFi Connection Configuration
Most wireless firewalls are designed to be easy to configure, not secure. This is because hardware manufacturers cannot sell a product that the consumer cannot configure or use. Unfortunately, WiFi security is beyond the majority of users so this component is generally left out of the equation. It is not uncommon to find WiFi connections with:
- Broadcasted SSID
- Default SSID
- SSID that identifies network
- No or weak encryption
- No MAC address authentication
- No shared key or certificate authentication
- Connection set to adhoc mode
2. Firewall Configuration
Just like the WiFi connection configuration, the firewall is generally configured with the least amount of security so that it is easy to deploy. Many systems are configured with:
- Default admin password
- DHCP running
- Large DHCP zone
- Default subnet
- No SSL encryption
- Open admin console on external port
- No logging
All of these pose security risks.
3. Open Internet Access
Anyone who hops on your wireless network connection can now have complete access to the Internet. While this may not seem like an issue in the beginning, there are a few issues to take into consideration:
- If you have a limited amount of upload and download volume from your Internet provider, you could find extra bandwidth charges on your monthly Internet bill if someone is downloading massive amounts of data (e.g. file sharing, bittorrent, p2p, etc.)
- Most Internet providers have as part of their contract that you will not share your Internet connection with anyone else. By setting up an open wireless network, you may find yourself in breach of this contract and you could lose your Internet access altogether.
- If someone is using your Internet access to perform illegal activities (e.g. accessing child pornography, cracking, etc.) then guess who the police are going to be coming after? The criminal? Try the name of the person to whom the external IP address is registered. While you may be found innocent in the end, sometimes all it takes is the accusation to ruin a person’s life.
4. Open Network Access
Probably the most disturbing aspect of this WiFi design is that the WiFi component completely bypasses the one thing that your firewall is supposed to do: Keep people out of your network. The wireless connection puts anyone who uses it right on the same network as all of your “secure” systems. And, if you put as much care into securing your home computers as you do in securing your WiFi network (read “none”) then you could very easily find that all of your personal data and information is up for grabs.
A Better WiFi Design
I have spent some time thinking about how to better secure your home WiFi network and I have come up with a solution that will help to lock things down significantly by attacking the main vulnerabilities that we talked about earlier. This solution:
- Locks down the WiFi connection
- Secures the wireless firewall
- Restricts Internet access to pre-configured users
- Segments home computers and servers from wireless users

The other nice thing is that most of this can be done at no extra cost because it uses the equipment that you probably already have.
And, the solution is flexible enough that if you do have a need for more than just providing Internet access to WiFi users, you can provide it with a minimal amount of extra cost.
1. Lock Down WiFi Connection
This is probably the most important part of the entire process. With this properly configured, you can eliminate the biggest risks to your network. Follow these guidelines:
- Use WPA2 encryption for all communications
- Make sure that you use either certificates or shared keys for the encryption
- Don’t broadcast your SSID. You should only do this for testing
- Change your SSID to something obscure like 89cyr65g6vwe or n08345cvb4wq. Definitely do not use the default SSID that came from the company and do not use something like your phone number, last name, or address
- Use MAC address authentication to ensure that only specific systems can access the WiFi link
- Use infrastructure mode, not adhoc, for connectivity
Once you have done this, does this mean that nobody can use your WiFi connection without you knowing? No. Someone who has done their homework and gathered the right information could potentially still get access to your WiFi connection, but they would have to know:
- Your shared WPA2 key
- Your SSID
- Your MAC address
This person would also have to know how to change their MAC address on their wireless network card. While this is not impossible, it is an awful lot of work to just get access to someone’s network.
It is also very important to use infrastructure mode for the connection. This needs to be set on the firewall and the wireless network cards. This way, people can not use your laptop network card as a wireless bridge to get to your network.
2. Secure the Wireless Firewall
The next thing that you need to do is secure the wireless firewall. This is important because if your firewall is compromised, then all of the other security measures can very easily be undone without you even knowing it.
You need to make sure that you take these steps:
- Change the administrator password
- Use SSL encryption for all web communication between the firewall and your systems
- Close any external management interfaces
- Disable DHCP or at the very least set it to a very small scope (one or two IP addresses) and set DHCP reservations
- Change the internal subnet from the factory default
- Create a very small internal subnet. Use a 28-bit (255.255.255.240) or 29-bit (255.255.255.248) subnet mask to limit your network to 14 or 6 hosts respectively
- Do not allow pings on the external interface
- Log all activity, preferably to a secure external logging source but internal logging can be just as effective
- Keep a backup of the configuration in case something happens to the firewall and the configuration gets lost
The downside of all this is that you will need to configure your WiFi enabled devices with all the network and IP information manually. But, it is a small price to pay for security.
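The two checklists above (the WiFi connection settings and the firewall settings) can be checked mechanically on a Linux-based access point. The script below is an added example, not code from the original post: it reads hostapd-style key=value settings and a dnsmasq dhcp-range line, flags the items the post lists as weaknesses, and computes the host counts for the /28 and /29 masks recommended above. The configuration text is constructed for the demonstration and the accept_mac_file path is an assumption.

```python
"""Audit an access point's hostapd and dnsmasq settings against the two checklists.

Added example; not code from the original post. The configuration text is
constructed for the demonstration, and the file path in accept_mac_file is assumed.
"""
import ipaddress
import re

# Constructed sample of out-of-the-box settings (the weaknesses in "WiFi is Broken").
WEAK_HOSTAPD = """
interface=wlan0
ssid=linksys
hw_mode=g
channel=6
ignore_broadcast_ssid=0
macaddr_acl=0
wpa=0
"""

# Constructed sample following "Lock Down WiFi Connection" and "Secure the Wireless Firewall".
HARDENED_HOSTAPD = """
interface=wlan0
ssid=89cyr65g6vwe
hw_mode=g
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-replace-with-a-long-random-passphrase
"""

# dnsmasq DHCP ranges (first,last,lease time). Constructed samples.
WEAK_DHCP = "dhcp-range=192.168.1.100,192.168.1.200,12h"
HARDENED_DHCP = "dhcp-range=10.23.45.3,10.23.45.4,12h"

# A few factory SSIDs; extend this for the hardware you actually deploy.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}


def parse_kv(text):
    """Parse key=value lines (hostapd.conf style), ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def usable_hosts(prefix_len):
    """Usable IPv4 hosts behind a prefix length: /28 gives 14, /29 gives 6."""
    return ipaddress.ip_network(f"0.0.0.0/{prefix_len}").num_addresses - 2


def dhcp_scope_size(dhcp_line):
    """Number of addresses a dnsmasq dhcp-range hands out."""
    m = re.match(r"dhcp-range=([\d.]+),([\d.]+)", dhcp_line)
    if not m:
        return 0  # no range configured: DHCP is effectively off
    first, last = (int(ipaddress.ip_address(a)) for a in m.groups())
    return last - first + 1


def audit(hostapd_text, dhcp_line, max_dhcp=2):
    """Return the weaknesses found, named as in the post's lists."""
    c = parse_kv(hostapd_text)
    findings = []
    # wpa=0 is open, wpa=1 is WPA only, wpa=3 is mixed WPA/WPA2; only wpa=2 passes.
    if c.get("wpa") != "2":
        findings.append("no or weak encryption (wpa != 2)")
    elif "CCMP" not in c.get("rsn_pairwise", ""):
        findings.append("WPA2 without the AES (CCMP) pairwise cipher")
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if c.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("broadcasted SSID")
    if c.get("macaddr_acl", "0") != "1":   # 1 = deny unless listed in accept_mac_file
        findings.append("no MAC address authentication")
    size = dhcp_scope_size(dhcp_line)
    if size > max_dhcp:
        findings.append(f"large DHCP zone ({size} addresses)")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_HOSTAPD, WEAK_DHCP))
    print("hardened:", audit(HARDENED_HOSTAPD, HARDENED_DHCP))
    print("/28 hosts:", usable_hosts(28), " /29 hosts:", usable_hosts(29))
```

Run against the weak sample it reports all five items (open network, default SSID, broadcast on, no MAC list, a 101-address DHCP scope); the hardened sample with its two-address scope and DHCP reservations comes back clean. Admin password, SSL on the management interface and external management ports are not visible in these files and still need a manual check on the router's own interface.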
3. Restricted Internet Access
With this configuration in place, you have essentially eliminated access to the Internet for anyone who does not have authorization. In order to access the Internet, a cracker would have to know the following for your network:
- Your SSID
- Your WPA2 shared key
- Your MAC address
- Your subnet and subnet mask
- An available static IP address
- Your ISP to get their DNS settings
4. Segmented Home Network
With the home network behind a firewall, it is protected not only from users on the Internet but also from people who may have gathered enough information to make a WiFi connection. This is key to protecting home network systems and ensuring that they are not compromised.
Fortunately, most people are upgrading their present wired router to a wireless one so it is a small task to integrate the second router into their networking environment.
One drawback of this basic implementation is that if you want to access shared resources on the network, this configuration will prevent you from doing that. But, you can overcome those limitations as described in the advanced design section.
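The segmented design in sections 3 and 4 comes down to the forwarding policy on the inner firewall: wired home systems may go anywhere, WiFi users may reach the Internet and nothing else, and only replies to connections opened from an allowed side come back in. The model below is an added example, not code from the original post; its subnets and hosts are assumed, and on a real Linux router the same policy would be written as FORWARD rules in iptables or nftables with connection tracking doing the state check.

```python
"""Model the segmented design: the inner firewall forwards WiFi users to the
Internet but never into the wired home LAN.

Added example; not code from the original post. The subnets and the hosts in the
walk-through are assumed. On a real Linux router the same policy lives in the
FORWARD chain (iptables or nftables) with connection tracking doing the state check.
"""
import ipaddress

# Assumed addressing: the WiFi router's /29 follows the post's small-subnet advice,
# the wired LAN sits behind the inner firewall on its own subnet.
WIFI_NET = ipaddress.ip_network("10.23.45.0/29")
LAN_NET = ipaddress.ip_network("192.168.77.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone(addr):
    """Classify an address into the zones the inner firewall reasons about."""
    ip = ipaddress.ip_address(addr)
    if ip in LAN_NET:
        return "lan"
    if ip in WIFI_NET:
        return "wifi"
    if any(ip in net for net in RFC1918):
        return "other-private"   # e.g. the WiFi router's own management address
    return "internet"


class InnerFirewall:
    """Stateful forwarding policy between the WiFi side and the wired LAN."""

    def __init__(self):
        # Flows the firewall has already accepted, keyed (src, dst, sport, dport).
        self.established = set()

    @staticmethod
    def policy(src_zone, dst_zone):
        """Verdict for a *new* connection; replies are handled by state, not here."""
        if src_zone == "lan":
            return "accept"   # home systems may reach the Internet and the WiFi side
        if src_zone == "wifi" and dst_zone == "internet":
            return "accept"   # WiFi users get what they primarily want
        return "drop"         # wifi -> lan, unsolicited internet -> lan, everything else

    def forward(self, src, dst, sport, dport):
        """Decide one packet. Returns 'accept', 'accept (established)' or 'drop'."""
        if (dst, src, dport, sport) in self.established:
            return "accept (established)"   # reply to a flow opened from an allowed side
        verdict = self.policy(zone(src), zone(dst))
        if verdict == "accept":
            self.established.add((src, dst, sport, dport))
        return verdict


def walkthrough():
    """Constructed packets; returns the verdict for each scenario by name."""
    fw = InnerFirewall()
    lan_pc, wifi_laptop, web = "192.168.77.10", "10.23.45.5", "203.0.113.10"
    return {
        "lan to internet": fw.forward(lan_pc, web, 40000, 443),
        "internet reply to lan": fw.forward(web, lan_pc, 443, 40000),
        "wifi to internet": fw.forward(wifi_laptop, web, 40001, 80),
        "wifi to lan file share": fw.forward(wifi_laptop, lan_pc, 40002, 445),
        "internet to lan unsolicited": fw.forward(web, lan_pc, 4444, 3389),
        "lan to wifi laptop": fw.forward(lan_pc, wifi_laptop, 40003, 22),
        "wifi laptop reply to lan": fw.forward(wifi_laptop, lan_pc, 22, 40003),
    }


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:30s} {verdict}")
```

The walk-through shows the property the post is after: a WiFi client that has obtained the SSID, key, MAC and an address still cannot open a connection to a wired home system, while a wired system can reach out to the WiFi side and get its replies back. The "access shared resources" drawback is exactly the wifi-to-lan drop; the advanced section's VPN would be the one sanctioned exception to it.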
Advanced Configurations
This is just the tip of the iceberg. You can make several other modifications to the design that would allow you greater security or greater flexibility. A couple of ideas include:
- Providing VPN access to resources behind the internal firewall using SSH or SSL VPN solutions
- Adding a web proxy with username and password authentication for access to the Internet
- Implementing IPSec for all network communication
Conclusion
While most out of the box WiFi configurations leave much to be desired in the way of network security, a little bit of effort and planning can allow you to build a much more secure infrastructure without adding much (if anything) to the cost of the network.
If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?
18 Responses to “A More Secure Home WiFi Design”
-
Like it says… Says:
November 30th, 1999 at 12:00 am
Daily Cup of Tech (one of my favorite blogs) recently posted an article about home network security, and making your home (wireless) network less attractive to casual snoopers, responding to criticism received in a comment to a previous posting. The suggestions he provides aren’t designed to make your network hacker-proof - as even he discusses. They do, however, help lower your network’s profile in a potential sea of available access points. Good advice he offers: disable SSID
-
Duncan Cunningham Says:
June 8th, 2007 at 8:30 am
Tim,
Great article!!
It’s hard to write up something technical, such as this, and yet have it understood. Though I understand all of what you’ve listed, I’ve not yet implemented all of them on my home network. Looks like I’m going to be reviewing your IP subnet guide over the next few days.
I noticed your BLOG way back when you did FREENAS guides, a most excellent set of work instructions. They allowed me to use plinky plonk PC’s with large Hard Drives in them to behave as close to a server as is possible for free and without having to install a LINUX box and manage that.
Have you ever considered doing an article of some of those FREE firewall solutions?, you know, smoothwall, IPCOP, ebox, monowall etc? Maybe you have already? I do not admit to reading every article in your history. That’s the beauty of your site!! you take what you want at the time and it’s written in a way that is open and encouraging to the unknowing, even if they don’t understand it all. Anyway, enough of the back slapping. thanks for being there, Tim!
-
Kim Jalun Says:
June 8th, 2007 at 9:09 am
You wrote:
“a little bit of effort and planning can allow you to build a much more secure infrastructure without adding much (if anything) to the cost of the network.”
What do you consider as cost? It seems to me that the only thing you are considering is the cost of hardware.
I would suggest that there are many more elements to a user’s definition of cost.
What about the cost of time and effort? The cost of implementing and maintaining all of your suggestions for most users is so significant that they simply won’t do it. The effort involved to simply learn the basic concepts is beyond the average user who simply wants everything to “work” out of the box.
The loss of flexibility to the average user becomes burdensome as well. Imagine someone who has their home WiFi network set up in a secure manner as you suggest above (most likely they had to borrow a friend who already had some expertise to set it up), and then after 6 months or more they purchase a brand new PC. I would suggest to you that when they can’t get this new device to work with their home network, because they can’t even remember their administrator password, let alone how to figure out their new MAC Address, or how to add it - that they will forego all of the security (which is now getting in their way in the same way it was getting in a potential intruder’s way), go out and buy a new wireless router and plug it in - as this process is simpler to them to get them to do what they want/need to do.
I am not sure what the solution to this dilemma is, but in order for it to be more universally adopted, it is going to have to be simpler for users to implement and understand.
One thing that you did not mention in this article (but is listed elsewhere on your site in 10-ways-to-protect-your-home-network ) is to turn off your WiFi when not in use. This is the type of simple concept that the industry could adopt as a standard so that every WiFi device comes with a prominent physical on/off switch - that comes configured to automatically turn off after a certain amount of inactivity (as users will forget to turn it off).
-
Tim Fehlman Says:
June 8th, 2007 at 9:55 am
Duncan,
Thank you for the kind words! This is a great boost for me, especially coming from someone as prominent in the blogosphere as you!
I do not expect most people to look at this design and immediately switch their home network over to it. In fact, I don’t even follow this design myself at home (but probably for different reasons than the average home user would). The idea is to get people thinking and it seems to be working.
As for the FOSS firewalls, I am compiling a list of projects that I want to start writing about and I do have some of the firewalls as part of the list. In the end, it all comes down to just time. A technical article like this can take several hours to write, not to mention the research required to gain the experience and understanding of a product. Believe it or not, DCoT has only been running since September, 2006! There is still a lot to write and a lot to do.
Thanks again for the compliments.
Tim
-
Larry Bartowski Says:
June 8th, 2007 at 9:56 am
This is a good read on myths of securing wireless networks:
-
Tim Fehlman Says:
June 8th, 2007 at 10:07 am
Kim,
First of all, thank you for taking the time to write such a thorough comment. It is great to read the opinions of others written out so clearly and concisely.
Now, yes, I do have to admit that when I was talking about cost, I was only considering the cost of components (hardware, software, etc.). I did not calculate the time or implementation costs that could be included in such a configuration. There are two reasons for this: 1) most people do not consider true TCO when looking at home computer systems (Heck, most companies don’t!) and 2) if this were being implemented by someone who knows what they are doing, they should be able to implement it in about the same amount of time as they could implement a “normal” home WiFi solution.
This leads us into your second point about someone who is less technical getting frustrated with the configuration and just bypassing it for an easier solution. In a recent PC World article, the “Human Security Hole” is considered to be one of the ten biggest security risks. This goes for every area of computing. We can patch, lock down, monitor, and control as much as we want and all it takes is a user to give out their password or bring in a $10 USB drive and all of our work is for nothing.
I think that all we, as technical people can do, is try to make things as easy for people as possible while still providing proper security solutions. One possible idea is to create an AutoIt program or script that can automatically configure a new system with all of the proper configuration settings.
Thanks again for the great comment.
Tim
-
Brian Says:
June 8th, 2007 at 11:19 am
Great article! Like Duncan, I haven’t quite implemented all the suggestions you have posted, but I’m steadily improving. I think that what you suggest is great for technically advanced people, but for the average user (i.e. my parents) it’s a little overkill. I was taught the “lowest hanging fruit” rule - attackers will typically go for the easiest and quickest success under ordinary situations. Using WPA will probably protect most users (assuming they’re not housing a treasure-trove of valuable information on their network). It’s amazing to me how many people leave their SSIDs or even their router hostnames the default. Often the hostname can be very descriptive of what hardware is running - and if the SSID and hostname are default, chances are good the default password works as well.
-
JC Says:
June 8th, 2007 at 11:29 am
As everyone said, great post indeed.
One thing I would add is that to verify all the settings are correct run a ShieldsUp scan from GRC’s (Steve Gibson) Website as it tests for ping response and scans the most usual port as well.
More advanced users not forwarding any port and having access to another computer on another network may also want to run thorough nmap scans to make sure their system is completely stealth (well as stealth as it can be) to the outside world.
-
CypherBit Says:
June 8th, 2007 at 12:15 pm
Great article indeed. Would you be so kind to share what you are using to draw those network diagrams?
-
Tim Fehlman Says:
June 8th, 2007 at 12:17 pm
CypherBit,
This is one of my few areas that I do not go open source. I used Visio 2007.
Tim
-
iladelf Says:
June 8th, 2007 at 5:53 pm
Well, I set up home and small businesses this way:
1)SSID broadcast=yes; why? Because they’re usually not “smart” enough to be able to turn the SSID broadcast back “on” when adding a new laptop or computer. Customers start to get cranky if they can’t just “add anybody” at any time.
2)WPA password. I don’t use WPA2 because I’ve found it doesn’t sometimes work with certain wireless cards (why I don’t know). WPA seems to work fine. Last I knew, the only real “hackable” password was the WEP.
3)Router login & password changed (if possible). Sometimes you can only change the password, but I tell folks pick something they’ll remember but would be hard for anyone else to guess, etc.
4)SSID broadcast name changed. I tell people don’t pick your car, house, address, pet, etc. Unless you had that car 20 years ago, and you’ve never talked about it with your neighbors.
Then, when your neighbors “see” your network, they can’t get in unless they have the WPA.
Now, is this the most secure? Oh hell no. But it’s the best for usability reasons, because I’ve found that customers WILL try to add new computers and hardware by themselves without calling their tech first, therefore if you have the SSID turned off, using MAC address authentication and VPN, you’re going to have a honked-off customer that MAY or MAY NOT call you again, and will complain to his next tech that YOU set the system so that YOU ensured yourself of future work. Although I like your post, to my customers, I’d lose a lot of them if I placed their PCs into the equivalent of a mile-deep nuclear bunker. In this case, a tornado shelter works fine.
-
[Geeks Are Sexy] Technology News | Technology, science, news and social issues for geeks. Says:
June 11th, 2007 at 1:08 pm
A More Secure Home WiFi Design Tim over at DCOT has recently published a great article on how to boost the security of your home WLAN. Definitely worth the read if you are feeling concerned about villains accessing your network wirelessly.
-
Adam Says:
June 11th, 2007 at 9:56 pm
Turning off ESSID broadcasting is not, I repeat not a security measure. It is broadcast when the WAP puts out a beacon, so all you have to do is wait and you’ll have any ESSID you want.
The same can be said for MAC filtering, small DHCP pool, and different subnets. Without encryption these are pretty much worthless. MAC filtering, without encryption, is easily circumvented. All I have to do is fire up Wireshark, and put my card in monitor mode. The first packet I pick up will have source and destination MACs. Compare them to the MAC (BSSID) of the router, and I know which is the client machine. Spoofing that MAC is trivial. A small DHCP pool is fine, if it’s always full. As long as there’s a vacant address, it can be used. The same goes with a highly subnetted network. Unless every IP is taken, there’s always one available.
In regards to encryption, if you want people to not use your connection, then use encryption. WEP is severely flawed, and can be cracked in less than 10 minutes in most cases. I’ve cracked my own 128bit WEP protected network with a 700MHz P3 laptop in about 8 minutes start to finish. WEP is insecure. Period. If you want to deter the occasional bandwidth leech it’ll be fine, but to a determined intruder, it’s nothing more than a speed-bump.
WPA should be used as encryption, WPA2 if possible, because it uses AES encryption instead of the broken and cracked RC4. WPA is just WEP with TKIP, i.e. it employs WEP with temporal key changing (the encryption key changes over a set amount of time). So it falls under the same vulnerabilities as WEP. WPA2 is vulnerable only to brute-force and dictionary attacks. If you choose a passphrase that comes from a dictionary or a custom-made dictionary, you’re vulnerable. If not, then a brute-force attack could take about the time the sun has left until it explodes to break on today’s hardware. All WPA2 passphrases should be longer than 20 characters, include upper and lower case, numbers, letters, and non-alphanumeric characters for a strong key. If your equipment doesn’t support WPA2 (also known as WPA+AES), and security is a concern, then buy hardware that supports it.
As the post pointed out, if security is a must, set up VPNs, or create VLANs on your router to segregate traffic, but that’s out of the scope of most home users.
