Tip of the Day - Home Wireless Gateways

Published: 2006-08-20
Last Updated: 2006-08-21 20:40:03 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Today's tip focuses on small office/home office (SOHO) wireless routers.  As most of our readers probably know, I teach SANS Security Essentials (SEC 401) about five times a year at the large SANS conferences.  We always get into a sidebar discussion at some point about how to safely configure your home wireless router or gateway.  So I thought that the ideas we've come up with over the past few years would be good for discussion here.

I'll use my home system as an example.  After all, practice what you preach, right?  :)

I am on a cable modem system and also have access to a fiber optic service provided by the local telco.  To simplify things, let's just assume that I have one ISP.  Dual-homing in your house tends to upset the residential ISPs so therefore let's don't go down that road today.  I am in a "normal" suburban neighborhood, average sized wood frame house, two levels above ground plus a basement, garage, porch, etc.  Nothing fancy but perfect for building a home network.

In a "typical" setup the cable modem connects to a SOHO wireless router.  Wired and wireless hosts are behind the SOHO router and get their IP addresses, DNS settings, etc. from the router via DHCP.  Being the geek that I am, there are two SOHO routers in my basement, one wired (connected to the cable modem) and one wireless (connected to the wired router.)  By using two devices I can create a separately numbered wireless LAN.  Also, I have an old two-port  router that connects to the wired SOHO router, and behind that old router is my test network on its own subnet.  My IP subnetting looks like this:

68.x.y.z - wired SOHO router, low (WAN) side
192.168.1.1 - wired SOHO router, high (LAN) side
       192.168.1.11..15 - DHCP assigned wired hosts
       192.168.1.200 - printer
192.168.1.2 - old two port router, low side
       192.168.2.1 - old two port router, high side
       192.168.2.21..25 - test computers with fixed IP addresses
192.168.1.3 - wireless SOHO router, low side
       192.168.3.1 - wireless SOHO router, wireless side
       192.168.3.31..35 - DHCP assigned wireless hosts

By using discipline in subnetting I have a much easier time troubleshooting problems, plus I've created a few "layers of defense" in my home network.  On the wireless SOHO router, I do the following for wireless protection:

- Turn off SSID broadcast
- Use MAC address filtering
- Turn on 128-bit WEP
- Keep the router at or below ground level
- Limit the number of DHCP licenses to only what I need
- Change the default frequency (channel) to one that is not used by my neighbors

Why put the wireless SOHO router below ground?  Well, wireless signals are at 2.4GHz if you are using 802.11b/g service and at that frequency they don't travel very well through dirt.  So if the router is below ground, the signal is fine inside the house, but drops off significantly more than a few feet away outside the house.  This is yet another "layer" since it makes war driving from the curb very difficult with standard antennas.

One other item for home users.  If you have one of the popular SOHO routers (Linksys, Netgear, DLink, etc.) the odds are good that they can create logs for the DShield service.  See the how-to page over at DShield for instructions.  I use the wired SOHO router to create my logs, from the router they go to a desktop computer with a fixed IP address, then that computer submits them to DShield once an hour.  By logging into DShield I can see graphically what is coming at my home network based on what the SOHO router is logging.  Very cool!

Have you got any other useful tips for home or small office wireless routers?  If so, send them to us via the contact page and we'll post additional ideas here.

UPDATES

Chris suggests:
  - Change the SSID to something other than what the manufacturer provided
  - Make sure that you also change the default password(s) on the router
  - Use WPA or WPA2 if available (I know that WEP is "crackable" but you've got to have a lot of packets to do that.  Most home networks are not that noisy so you force an attacker to use additional tools to create traffic.  Remember the idea here is to use whatever the best tool is that you have, WEP is better than nothing, WPA is better than WEP and WPA2 is better than WPA.  TKIP gives you bonus points.)

Pedro pointed us to a nice URL:
 - Wireless LAN Security Guide

Ned expanded on the DHCP limits idea:
 - You could use a restrictive subnet mask (eg, 255.255.255.248 if you only need 6 IP addresses) to further limit the number of actual IP addresses available on the subnet to just those needed. Once these have been assigned, a hacker can't connect if there's no more IP addresses available on the subnet, and how many SOHO users actually need the full range of 254 IP addresses normally available by default on a SOHO router.

Andrew sent us these ideas.  Some of them may be a stretch for home or small business users, but good ideas to think about:
 - Set speed to 802.11g ONLY. Prevents 802.11b clients from connecting and may prevent some injection and replay based attacks that use Atheros based 802.11b cards. This can be done on a Cisco 800 series router using the "speed ofdm-throughput" command in Interface conifiguration mode.
 - Utilize egress and ingress ACLs and IP inspection on Cisco wireless routers. Inspection and CBAC (Context Based Access Control) can really help you lockdown what "gets out" from your machines to the Internet. As much as we like cool apps, most of them are really phone-home friendly. Also, only return traffic from internal requests will get back into the network.
 - Disable "Ad-Hoc" or "Peer-to-Peer" connections on your wireless card. No need to be able to connect directly with other wireless machines!
 - Turn on a host firewall such as Windows Firewall. I personally use Zone Alarm.
 - Use SSHv2 to manage the router, if available.


Marcus H. Sachs
Director, SANS Internet Storm Center

MORE UPDATES:

Dr. Neal Krawetz makes some additional useful points (which I've edited very slightly):

I suggest putting the WiFi as the outter wall of the DMZ.

 cable modem <-> Wifi <-> DMZ <-> Wired <-> LAN

This way, if your Wifi does happen to get used by someone else, they cannot get into your home computers.  This is a good solution if you don't need to access shared drives.  (I have rarely come across homes with multiple computers that actually use shares -- most have it enabled but don't use it.)  I do allow LPD from the Wifi to the Wired so I can print -- an attacker could waste my paper and toner, but not delete my data.

Regarding antenna placement, I fully agree with you: a basement is best.  Choose a corner that is surrounded by dirt.  If you don't have a basement, consider placing the Wifi near the front of the house and have a fish tank (or refrigerator) between the Wifi and the street.  Your neighbors will see the signal, but war drivers probably will not.  Also consider a metal hood (or aluminum-lined shoebox -- either properly grounded) to limit signal propagation.  And whatever you do, don't put the Wifi on the 2nd floor if you can help it.

This may sound odd, but 802.11a is sometimes better than 802.11b/g.  Since 802.11b/g is more common, running 802.11a is effectively security-by-obscurity.  As long as the attacker does not see you, you're safe. [NOTE FROM ED:  Please do not inundate us with a tired debate about security through obscurity... we've heard it all, and we've all come to the conclusion that I am right.]

As far as encryption goes, WEP is better than nothing and will deter most wardrivers.  If someone wants to crack your WEP then it's because they want "your" network and not just "a" network.  WAP, TKIP and other encryption systems are better, but you may not have compatability with all wireless computers.  MAC authentication will slow down an attacker, but also isn't bullet proof.  Then again, security is a measurement of risk: for most homes, WEP + MAC filtering is more than good enough.

Your other tips, like disabling the SSID broadcast, limiting DHCP hosts, and changing default settings is right on the money.  Also, add in: disable Wifi configuration from the Wifi network (if your router has that option), set a non-trivial admin password on the router, and disable ping-from-WAN (good for all routers).

-------

Good stuff.  Thanks, Dr. Neal!

---

Ryan Merrick pointed us to this URL, where some configs are described that can let you really mess with the head of someone surruptitiously using your wireless network, flipping their pages, reversing fonts, and blurring things.  I don't recommend this, but it is an interesting idea.

--Ed Skoudis
Intelguardians
Keywords: ToD
0 comment(s)

Comments


Diary Archives