How to Secure a Network

[Statica]

With the proliferation in Wireless networks, I thought that we could post a brief set of directives to get your WiFi LAN secured from the common vulnerabilities. While this is not meant to be a brand new resource, this is just a helpful compilation that could be referred to. Any contributions are appreciated. Of course a lot of these points will not be specific to just Wireless networks but to even your wired gateway device. It is important to realize that simply plugging in a router isnt protection enough. Using it properly will give you the best value for your money and the best security.

If you have a question or a doubt about securing a network, please do not post to this thread; instead open a new thread so that we can deal with your specific issues. These are how to-s in a generic sense, there are far too many manufacturers and models and revisions ... out there for any person to tell you exactly where a specific setting is. If you dont know how to do what you may find on here, the best place to check is in the manual. Of course, if you still cant find it, you could start a new thread asking for instructions.

Hope this helps.

[Statica]

I've seen too many people get a router, and simply plug it in with the base configurations; it doesnt make sense to me. If you are going to spend money on a router, why not go through all the configuration menus on there and learn to use it. After all its your router and your network.

1) Establish an administrative password; and as with most passwords, ensure that it is a secure password. Losing your router password is probably the simplest solution - a hard reset of the router will quickly get you back to factory defaults

2) Ensure that you have the latest firmware for your router. Yes, your router has a firmware on it, the equivalent to the "BIOS" for your motherboard. Newer versions usually give you better features, better performance and sometimes even patches to vulnerabilities. Check with your router's manufacturer pages for firmware upgrades and howto's

3) Check the router's log pages to see whats going on with the device. This need not be done daily, but at least fortnightly ESPECIALLY if you have a wireless network. It will give you an idea of who is attempting what

4) Do you have a virtual server running? Ensure that all virtual servers (or port forwardings) are specific to your needs. Dont be openning up a virtual telnet service if all you need is FTP. When you are done using the service, make it a habit of disabling the service

5) Some routers have special filters for specific programs. Especially for online gaming or Instant Messangers etc. If you are using any of them, then enable only what you need. If you are not an online gamer, check to see that your router isnt set to enable gaming ports by default

6) Learn to create MAC filters. MAC filters are your best friend with a finite network as with most common home networks. For a brief background, every Network device (wireless, wired, USB etc etc) has a MAC (Media Access Control) address hardcoded into it. (Microsoft calls this the physical address). Some routers, especially WiFi will allow you to allow only certain MAC addresses to use its facilities. You have a finite number of computers/network cards plugged in right? Why not specifically DENY access from any other MAC card? Of course, if you buy a new laptop or a new network card, you can always add the new MAC address on.

7) DHCP Servers, are great because you can simply boot up to an IP address. You increase your security by disabling it. Let's face it, most of us dont have even 10 IP addresses in use from the home network, how about just assigning a static IP to your computer's network cards and disabling DHCP? Should someone spoof their way into your router and get your router to actually give them an IP, chances are that you can detect it much easier.

8) Are you sure you dont have Remote Management enabled on your router? Check to see if its disabled.

9) Discard PING from WAN side: A lot of routers have this valuable tool hidden away in strange submenus. But check to see if you have this enabled. It prevents most from pinging your router from outside your LAN.

9) Is your router functioning on UPNP mode? Try disabling it

10) If you have a wireless network, check to see what authentication you are using. If its old-ish. Make sure you use some sort of security. Under ideal situations, say for 802.11g or 802.11b networks, you should be on WPA-PSK. Make sure you have a complex passphrase established between the router and the connective devices. If you dont have WPA, then you should at least use WEP. WEP, is being done away with because it is vulnerable, but its better than using nothing. In WEP, use it in 128bit rather than 64bit. Make yourself a good strong key. I can't stress this enough, do change your keys once every 2 weeks or so. This should be filed under the "maintenance" category that you do - like the defrag and the diskcheck!

11) If I turn on and check for wireless networks where I am, I am bound to come across someone running a wifi network with the router default SSID. Firstly what is the SSID - its an acronym for Service Set IDentification, is a broadcast network name letting you connect to your network. Do yourself a favor and change the name from the router default (which is usually called 'DEFAULT') to something more personal.

12) And now on to step 2 of the SSID issue. Configure your router to broadcast the SSID with your new personalized name. Now go to all the computers that are using the router for their wireless connection, and connect to it. Ensure that everything is working just fine. With WPA/WEP. All working? Good! Now log into your router and DISABLE the SSID broadcast. This will prevent unauthorized scanning for a network. Since your WiFi network cards have connected and have the password stored, they know what to look for, you will be fine.

13) Disable WiFi if you dont have WiFi running. Sometimes, you may wish to go out and buy a wireless capable router, just so you can use wireless for that new laptop you're getting for christmas. Till then disable it. Usually, when I am out of town for an extended period of time, and I have my notebook with me, I disable WiFi when I leave knowing that I dont have any other wireless device that require it.

[Floppyman]

Great info here....^bump^

[glc]

Stickied.

[kikis9200]

Great!

[TennBikeBerk]

How do I enable WPA protection?

[glc]

Your access point and adapters have to support WPA. If they do, it should be somewhere in the configuration.

[nooblark]

just hooked up my router and its working.. wanna make it secure.. whats the best way, to encrypt it?

if so.. how ?

the noob is back!!!
ty,
-noob

[ZeratulsAvenger]

Follow the above advise to make it secure.

Turning on WPA, turning off SSID broadcasting, MAC filters, and also of course changing the Admin password are probably the most important steps in securing your wireless(or at least I would do those first...)

[ltmccaul]

If you have the reasonable amount of networking skills and how to subnet then I recommend changing the default router address usually, 192.168.1.1. Makes it hard for those newb hackers that are only trying to see what they can do. Changing this requires a bit more skill to find and crack.

[ComputerNut]

I noticed that one of the options mentioned was to disable uPnP. but i actually need it in some occasions. Is it a really bad security risk to turn it on?

CN

[old dog 2]

Statica I was just going to post a question. But you answered it for me, I think. I just found out someone was using my wireless connection to get on the internet. I changed my SSID from the default when I setup. But he found it so I must be broadcasting it. Right? So if I do what you said in steps 11, and 12 I can shut him out. Right?
Now he is a friend so I am not to upset about it. But can he see what is on my computers? I have a firewall set up will that keep people out?

[TennBikeBerk]

Old_dog_2,

Why don't you try step number 6?

[feeder82]

great help, but when I try to disable the ssid broadcast, my wireless connection loses the signal, it comes right back when i reconfig. and turn the broadcast ssid back on? any ideas?

[visakbnb]

Now I guess I'm in this group.
After reading these post, and 99% of them I don't understand the info or how t find it, I just went wireless, don't know if it is set up alright or, I'm trying to set up security.
I also don't quite understand on how to use this forum, even tho sounds like everybody is super, there comes a breaking point on one's patience. Anyway maybe its just better to be wired (instead of wireless)
But if any one has the patience, I would appreciated it.
two computers
one desktop one laptop both HP
desktop window XPhome, laptop XPpro
desktop 'g' card, laptop "b' card
linksys wrt54g router
I think I have the laptop working, and I think the desktop is working
I am really concerned about security
from what little bit I know (that's for sure) I think that mac address are the way to go
How can I set this up?
thanks
bruce

[glc]

visakbnb: This is how you use the forum. You have an existing thread concerning your router setup, and we have a dialog going there. Keep replying to THAT thread until the issues are taken care of. Jumping from thread to thread is counterproductive. Thank you!

[renoma]

hi im a noob 18 yr old trying how 2 block users using mac filters.
anyone care 2 go through the STEPS required 2 do it?
eg. 1st u mus find ur own mac address......
then click wad, do wad etc..

tnx 4 ur help ^^

[ZeratulsAvenger]

Renoma, might be worth making your own thread, as most will just pass this one over, as it is somewhat aged and few "new" things are brought up so long after the initial topic was made. List what your OS's are, what router you have(Brand and model number), and someone will probably be able to help you just fine. Ok, I guess probably just the router info would work, but better to much information then to little, right?

[Panama Red]

Quote:

Originally Posted by renoma hi im a noob 18 yr old trying how 2 block users using mac filters. anyone care 2 go through the STEPS required 2 do it? eg. 1st u mus find ur own mac address...... then click wad, do wad etc.. tnx 4 ur help ^^

Two moderator comments. First, as suggested, please start your own thread in order to get the appropriate attention to your question. Second, please refrain from the use of Instant Messaging Speak. We encourage the use of proper grammar and spelling. (some of us are a LOT older than 18 and have trouble translating the lingo! )

[Digitalic]

I just wanted to throw this in here and it may have been mentioned but routers will come with a default UN\PW. Make sure the defaults are changed especially if remote administration is enabled.

[DynamicTech]

i just wanted to reiterate subnetting. Changing the default ip and mask are essential, especially if you are turning off dhcp. Routers come with a default ip/mask that are commonly known and easily accessed. Download a free subnet calculator if you do not know how to subnet. A trick I always use is mixing up a class A, B, or C subnet mask with a class A, B, or C private address. Firewall rules are are most important as well. I like to block all ICMP from the WAN to all ports (overkill, but I'm paranoid.). ICMP is an invaluable hacking tool, as well as Telnet and SNMP. You can find out more about port assignments by using google.