Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.
Securing your network is an important step in keeping most hackers out of your wireless network. Adequate wireless security can keep interlopers, such as neighbors or attackers, from hogging network bandwidth (a form of denial-of-service), compromising sensitive information (such as identities, important passwords etc.), using the network for illegal downloads or introducing viruses...
********************************************** Table of Contents
Features of a Secured Wireless Network Securing Your Network (General) Securing Your Network (Linksys) Securing Your Network (D-Link) Securing Your Network (Belkin) Common Types of Wireless Threats Glossary of Terms Further Reading
Features of a Secured Wireless Network
Securing a wireless network usually comprises the following features: 1. A solid form of encryption such as WPA2 or WPA 2. Non-Broadcasted SSID 3. NAT Firewall
Optional (not available in all routers), but these do add to security: 1. Turning off DHCP - Use Static IP Addressing 2. Using MAC Address filtering 3. Using Access Control Lists 4. Using Inbound Filters 5. Disable WAN Pinging
The use of filters and ACLs might slow the router or access-point throughput or performance.
This tutorial assumes the router/ap is already setup.
Securing Your Network (General)
Only configure the security settings of your wireless device through a direct Ethernet connection. Be sure to save the settings before navigating away from the page.
1. Login to your router by typing its ip address in your web browser. Common router ip addresses: 192.168.0.1 (D-Link, Netgear) 192.168.1.1 (Linksys) 192.168.2.1 (Belkin, SMC) Default router logins: user:admin password:admin (Linksys), no password (D-Link)
2. Rename SSID I recommend doing this before turning off the SSID
3. Select channel Most commonly used, so do not use these: 1 6 11 (United States).
4. Select 802.11 mode 802.11N only or mixed 802.11N & 802.11G
5. Turn-off SSID (or change it to invisible)
6. Enable WPA or WPA2 Personal. Recommend using WPA2 Personal since it uses the AES cipher, which is harder to crack. WPA uses the TKIP cipher, which is more compatible with legacy or older devices. I do not recommend using WEP since it is easy to hack.
7. Create an alphanumeric pass-phrase (password) for WPA2/WPA
Change the administrator settings& Save the router settings to a computer (handy if you need to reset the router)
********************************************** Securing Your Network (Linksys)
These steps should work for all Linksys routers with the 802.11G or 802.11N standard. Confirmed to work for the WRT series of routers.
1. Log in to the router by typing 192.168.1.1 into a web browser Username: admin Password: admin
2. Click on the “Wireless” tab to access wireless security settings
3. Click on the “Basic Wireless Settings” sub tab Wireless Network Name (SSID) <= Rename this from it’s default name Wireless Channel <= Choose any channel other than 1 or 11 Wireless SSID Broadcast <= set this to disable
4. Click on the “Wireless Security” subtab Security Mode <= choose either WPA or WPA2 Personal (Recommended) WPA Algorithms <= choose AES for WPA2 or TKIP for WPA WPA Shared Key <= see step 7 under “Securing Your Network (General)”
5. Click on the “Administrator” tab
6. Click on the “Management” sub tab Password <= this is where you change your login password
The following steps work with all E series routers equiped with Cisco Connect.
1. Log in to the router by typing 192.168.1.1 into a web browser Username: admin Password: (leave blank)
2. Click on the “Wireless” tab – to access wireless security settings
3. Click on the “Basic Wireless Settings” sub tab Configuration View <= click on manual Network Mode <= select "Wireless-N Only" only if you do NOT have any devices using 802.11G, otherwise select "Mixed" Network Name (SSID) <= Rename this from it’s default name Channel Width <= select "Auto" Channel <= select "Auto" SSID Broadcast <= select "Disabled"
4.Click on the “Wireless Security” sub tab Security Mode <= choose either WPA/WPA2 Mixed Mode (default) or WPA2 Personal Passphrase <= see step 7 under “Securing Your Network (General)”
Be sure to click "Save Settings" to apply your changes at each screen!
********************************************** Securing Your Network (D-Link) coming soon... ********************************************** Securing Your Network (Belkin) coming soon... **********************************************
Common Types of Wireless Threats
Accidental Association Network security can be compromised through accidental behavior. Users with a notebook connected to a wired or wireless network can unknowingly connect to an overlapping wireless network. Such a connection is called "accidental association." It is a security risk because a malicious attacker can use the link created through the unknowing users' notebook to access information in a protected wired network. To neutralize this threat, switch off wireless cards when not in use, maintain all access points or use powerful data encryption.
Malicious Association This threat is similar to accidental association with an important difference: The line of attack is not created through the accidental association of a user within a contained network but through the attacker's deliberate malicious acts. The attacker hacks a notebook's wireless card to appear as a legitimate access point.
This creates a "soft access point" that the hacker can use to gain access to the network, compromise or steal sensitive data or plant various back doors to further compromise the network. It is crucial for companies to monitor their networks and airwaves to ensure that their computers and access points are only connecting to the company's devices.
MAC Spoofing MAC spoofing is another threat. One of the most common ways to secure a wireless network is to use authentication based on a list of authorized MAC addresses. This kind of protection is only effective against low-level threats from an unsophisticated attacker. Security of a network cannot rely solely on MAC address filtering.
Using stronger overlapping protection by other methods, system administrators can defend against MAC spoofing. They can do this by detecting when two computers use the same MAC address at the same time or by analyzing a wireless card's vendor data.
Denial of Service (DoS) A denial of service attack is when a malicious user sends out large amounts of bogus requests that flood the airwaves, making access points unable to cope with the volume. These attacks can be made by household items that use the same frequency as the wireless network, such as a microwave oven, or through more advanced means.
They work by targeting access points and flooding them with premature successful connection messages, log off commands, failure messages or other kinds of fake requests.
Man in the Middle The most advanced type of attack on a wireless or wired network is the "man in the middle" attack. The attacker attempts to insert himself as middleman between the user and an access point. The attacker then proceeds to forward information between the user and access point, during which he collects log on information. The attacker then forces the parties to reauthenticate; during that process, he inserts himself into the network as the victim user. The user is then disconnected and the attacker can proceed with his attack. This kind of attack is very hard to detect, but the threat is lowered by using forms of endpoint authentication---such as a mutually trusted third party certification authority.
802.11 802.11 is a group of wireless specifications developed by the IEEE for wireless local area network (WLAN) communications. It details a wireless interface between devices to manage packet traffic to avoid collisions. Some common specifications include the following: 802.11a, 802.11b, 802.11g, 802.11n
Access Control List Access Control Lists (ACL) are rules applied to a router that will determine traffic patterns for data.
DHCP Dynamic Host Configuration Protocol (DHCP) is a protocol which dynamically assigns IP addresses and more to hosts, which includes computers.
MAC Address A Media Access Control Address (MAC Address) is a physical address used to define a device uniquely.
Network Address TranslationNetwork Address Translation is the process of translating your multiple, internal IP addresses to a single registered IP address on the outside of your network.
SSID The SSID is the name (or identification) of a wireless network.
Static IP Addressing A static IP address is a manually configured permanent IP address given to a specific host.
Wide Area Network A wide-area network (WAN) is made up of interconnected LANs. It spans wide geographic areas by using WAN links such as telephone lines or satellite technology to connect computers in different cities, countries, or even different continents.
Wireless Gateway Wireless Gateway is a device that can share an Internet connection, serve DHCP, and bridge between wired and wireless networks. Wireless Gateway may also be called as wireless router, base station, or access point.
WPA: Wi-Fi Protected Access Wi-Fi Protected Access (WPA) is a data encryption specification for 802.11 wireless networks that replaces the weaker WEP. Created by the WiFi Alliance before a 802.11i security standard was ratified by the IEEE, it improves on WEP by using dynamic keys, Extensible Authentication Protocol to secure network access, and an encryption method called Temporal Key Integrity Protocol (TKIP) to secure data transmissions. WPA provides roughly comparable security to VPN tunneling with WEP, with the benefit of easier administration and use.
WPA2: Wi-Fi Protected Access 2 Wi-Fi Protected Access 2 (WPA2) is an enhanced version of WPA. It is the official 802.11i standard that was ratified by the IEEE in June, 2004. It uses the Advanced Encryption Standard instead of TKIP. AES supports 128-bit, 192-bit and 256-bit keys.
I have some additional Best Practices that I want to add for the Linksys Router. I personally implement all of these. Below are my contributions and the Bold represents the Routers Tab that you should be in:
A.) Maximum Number of DHCP Users... if you own two wireless devices then change this number to 2. If you only run one of them at a time, change the number to 1. This way, even if someone can spoof your MAC address, if your logged in, they can't be assigned an IP Address on your Network.
B.) Change your Local IP Address! If someone wants to log into your Router they are going to use the standard web address to access it. (More is discussed on this directly below)
Administrator > Management Tab:
A.) Disable Wireless Access Web (if you have an Ethernet cable). This prevents people with laptops or devices outside from trying to edit your settings. They need to be physically connected to your Router.
B.) Web Access : Enable HTTPS login and Disable HTTP.
A.) In addition to disabling the SSID Broadcast, create a complicated Name just like you would your Password. For example, use characters such as _ , ! * ?
B.) Enable MAC Filtering. If you have a desktop, a laptop and a Console or iPod Touch, write down each of these IP addresses and enter them into the Fields provided.
Advanced Wireless Security:
A.) Enable AP Isolation (which is Off by Default on older Linksys WRT54G variants) It allows each of your connected devices to have it's own irtual network, preventing them from connecting with one another outside of the Routers Firewall.
A.) If you don't use it, disable TELNET under Blocked Services
Application and Gaming:
A.) If you use programs such as TeamViewer5 that require certain ports to be opened that can expose your system, be sure to use the Port Forwarding Feature.
If you combine the two Tutorials you have a pretty darn secure Home Wireless Network. The point is to make the process of hacking your Router so time consuming and difficult that the perp will likely give up and move on to an easy target since plenty exist.
Computer type Laptop System Manufacturer/Model Number Sager NP8290 OS Windows 7 Ultimate x64 CPU Intel Core i7-4930MX 3.9GHz Memory 16GB DDR3 @1600MHz XMP Kingston HyperX 2X8GB Dual Channel Graphics Card nVIDIA GeForce GTX 780M 256bit w/4.0GB GDDR5 Monitor(s) Displays 17.3" Matte LED Full HD Screen Resolution 1920 x 1080 (1080p)
Mouse Logitech Performance MX ; MS Arc Touch Case Clevo/Sager Cooling Thermaltake Massive23 LX Hard Drives HD1: 512GB Samsung 840 PRO
HD2: 512GB Samsung 840 PRO Internet Speed Intel Wireless-AC 7260 DL: 97.25 MBs / UL: 45.17 MBs on 5GHz Antivirus The Best Browser Firefox Other Info 6x Blu-Ray Burner/Reader / 8X DVDRW Super Multi Combo Drive
Do not pay $35 for IC Diamond Thermal Paste. PM me to see how-to videos for better quality paste at a quarter of the cost!
Computer type PC/Desktop System Manufacturer/Model Number Novatech iRush Pro OS Windows 7 Ultimate SP1 - 64 Bit CPU Intel Core i5 2500k Motherboard Foxconn H67M-S/H67M-V/H67 Memory 2x4GB DDR3 1333Hz Graphics Card Ati Radeon 6770 Sound Card None Monitor(s) Displays Samsung S22B150 Screen Resolution 1920x1080
Keyboard HP KU0316 Mouse Wireless Logitech M185 PSU 500W Cooling Fan Hard Drives 2x500GB Internet Speed 20MB/s Antivirus Avast Free Browser Google Chrome Other Info Logitech M185 Mouse