Protect Yourself from WiFi Snoops
by Preston Gralla, author of Windows XP Hacks, 2nd Edition
Using a home or small-business WiFi network is like putting a sign on your front door reading, "Door is open. Please come in and steal whatever you like."
That's because any passerby can easily hop onto your network; nose around your PCs; and steal, edit, or delete your files. They can also sniff out the information you're sending and receiving over the internet, and take that as well.
But you needn't be at the mercy of WiFi snoops. There's a lot you can do to protect your home or business network, without spending a lot of time or even any money. Read on to see how.
Hide Your Network SSID
Your wireless router tells the world that it's wide open and available to all comers. It does this by broadcasting what's called its SSID (service set identifier). Your wireless router's default SSID, essentially its name, is the same for the thousands or millions of routers the manufacturer makes. (For example, Linksys routers have the SSID of--surprise--Linksys.) So, a would-be intruder can search for networks with a few common default SSIDs from the major manufacturers, and quickly find wireless networks.
Changing your default SSID will help, but only partially. That's because XP, as well as most war-driving software, including NetStumbler, automatically searches out nearby SSIDs, displays their name, and lets you easily connect to them. So you want to not only change the name of the SSID, but also tell your router not to broadcast its real name. That way, it will be invisible. But because you know its name, you'll be able to tell your own PCs to connect to it.
The steps you take to change the SSID's name and to tell your network to stop broadcasting its SSID vary from router to router. The following steps show you how to do it using a Linksys router, although the details may vary from model to model:
1. Log in to the setup screen by opening your browser and going to http://192.168.1.1. When the login screen appears, leave the username blank, type admin in the password section, and press Enter. (If you already changed the password, use your new password instead.)
2. Click on the Wireless tab. In the Wireless Network Name (SSID) box, type a new name for your network. For the most security, type a random collection of letters and numbers, and don't give it a name that can be easily guessed, such as "My Network."
3. In the Wireless SSID Broadcast section, select Disabled.
4. While you're at the Wireless screen, you can do something else to help keep your network invisible to outsiders. You should regularly change the wireless channel your router uses to transmit. That way, if someone has previously tapped into your network, he won't know which channel you're currently using to broadcast. Choose a new wireless channel from the Wireless Channel drop-down list.
5. Click on Save Settings to save all your settings. Figure 1 shows you what your settings should look like.
Figure 1. Change the settings on your wireless router
You now have to go to each of the PCs connected to your network, and tell them to connect to the router using the new network name. In Windows XP SP2, click on the small wireless icon in the Notification Area, and click on the View Wireless Networks button. Click on "Change advanced settings" in the left-hand column and then click on the Wireless Networks tab. Click on the Add button in the "Preferred network" section, type your new network name, click on OK, and then click on OK again. You'll now be connected to your network.
If you're running an earlier version of Windows XP, click on the small wireless network icon in the Notification Area and select the Wireless Networks tab. Click on the Add button, type the network name, click on OK, and then click on OK again. You'll now be connected to your network.
Now only someone who knows the name will be able to connect to your network.
Filter Out MAC Addresses
Every piece of networking hardware has a unique ID number--in essence a serial number--called a MAC address. No two pieces of networking hardware have the same MAC address, which looks something like this: 00-08-A1-00-9F-32.
You can use these MAC addresses to keep out intruders. Many routers let you permit only certain MAC addresses onto the internet. So you can tell your router to let in all of your computers and keep everyone else out.
Again, how you do this varies from manufacturer to manufacturer, and even from model to model. The following steps show you how to do it using a Linksys router:
1. Open your browser and go to http://192.168.1.1. When the login screen appears, leave the username blank, type admin in the password section, and press Enter. (If you already changed the password, use your new password instead.)
2. Choose Wireless -> Wireless Network Access. The Wireless Network Access screen appears with grayed-out boxes labeled MAC 01, MAC 02, and so on, up to MAC 20.
3. Choose the Restrict Access option to make the grayed-out boxes active.
4. Scroll to the bottom of the screen and click on Wireless Client MAC List. A screen appears listing every wireless PC on your network with basic information about each, including the MAC address. Check the Enable MAC Filter box for each computer and click on Save.
5. You'll be sent back to the Wireless Network Access screen. All the MAC addresses that you check will be automatically filled into the boxes next to MAC 01 and so on, as shown in Figure 2.
   This security feature applies only to your wireless PCs. If you have any wired PCs connected to your router, you will not see their MAC addresses listed. After all, if someone broke into your house and connected their PC to your network with an Ethernet cable, you would probably notice.
6. Click on Save Settings. Now only computers you specify will be allowed onto your network.
What happens if you buy a new computer and want to add it to your wireless network? You just need to find the MAC address of the wireless adapter and enter it into a MAC box on the Wireless Network Access screen. To find the MAC address, go onto the PC, select Start -> Run, type command, and press Enter. A command-line box will open. Type ipconfig /all and press Enter. Copy the number next to Physical Address into a MAC box on the Wireless Network Access screen. The computer will be allowed to connect to your network.
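The lookup described above can be scripted. The following Python sketch is an added example, not part of the original article: it pulls each Physical Address out of ipconfig /all text and reports any address on the router's client list that is not on your allowed list. The sample output, the wired adapter's address, and the function names are constructed for illustration; the limit of 20 comes from the MAC 01 to MAC 20 boxes.

```python
import re

MAX_FILTER_SLOTS = 20  # the router screen on this page has boxes MAC 01 .. MAC 20

# Constructed sample of `ipconfig /all` output (not captured from a real PC).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Wired Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-08-A1-00-9F-33

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Wireless-G Notebook Adapter
        Physical Address. . . . . . . . . : 00-08-A1-00-9F-32
"""

def normalize_mac(text):
    """Return a MAC as upper-case hex pairs joined by '-', or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ipconfig(output):
    """Map each adapter heading in `ipconfig /all` text to its Physical Address."""
    adapters, current = {}, None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]  # unindented "... adapter X:" heading
        match = re.search(r"Physical Address[ .]*:\s*(\S+)", line)
        if match and current:
            adapters[current] = normalize_mac(match.group(1))
    return adapters

def audit_clients(client_list, allowlist):
    """Return MACs on the router's client list that are not in the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    if len(allowed) > MAX_FILTER_SLOTS:
        raise ValueError("more addresses than the router has MAC boxes")
    return sorted({normalize_mac(m) for m in client_list} - allowed)

if __name__ == "__main__":
    macs = parse_ipconfig(SAMPLE_IPCONFIG)
    print(macs["Ethernet adapter Wireless Network Connection"])
    print(audit_clients(["00:08:a1:00:9f:32", "0008A1AABBCC"], macs.values()))
```

Because every address is normalized first, the comparison works even if the router's client list writes addresses with colons or without separators.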
Finally, you should use encryption on your network. That way, even if an intruder manages to somehow discover your SSID, he won't be able to snoop on the information you're sending out over the airwaves.
The two most common types of encryption are WEP and WPA. The WEP protocol is older and less secure than WPA, but you might be forced to use it if you have older hardware that doesn't support WPA. Keep in mind that all of your hardware has to support the same encryption standard. For example, if your newer router uses WPA, your wireless network adapters must also support it. If not, you'll have to use WEP.
The truth is, though, that for home networks, WEP is most likely plenty strong enough. You really only need to protect yourself against passersby, not against someone dedicated to breaking into your network. Again, though, if your hardware supports WPA, it is a better bet. And it's certainly more suitable for small-business networks.
There's not enough room in this article to go into all the details of how to set up encryption, but it's a two-step process. First, you tell your router to turn on encryption and choose an encryption key. How you do this varies from router to router. On some Linksys models, log in to the administrator screen, select Wireless -> Wireless Security, and you'll come to the encryption setup screen.
After you turn on encryption, you tell each PC to use encryption. On each PC, you'll first click on the wireless connection icon in the Notification Area. Then click on the Properties button and click on the Wireless Networks tab. Highlight your network, click on the Properties button, and click on the Association tab. From there, you configure the PC for encryption.
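Both the encryption step above and the earlier advice to name your network with a random collection of letters and numbers come down to picking values nobody can guess. The following Python sketch is an added example, not part of the original article: it generates a random SSID and key with the operating system's secure random source, and checks that a key you typed has a valid length for the chosen mode. The key lengths come from the WEP and WPA specifications rather than from this article, the function names are hypothetical, and it assumes your router accepts WEP keys as hex digits.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PRINTABLE = {chr(c) for c in range(32, 127)}  # characters allowed in a WPA passphrase
HEX = set(string.hexdigits)

def random_ssid(length=16):
    """Random letters-and-digits network name; an SSID can be at most 32 bytes."""
    if not 1 <= length <= 32:
        raise ValueError("SSID length must be 1..32")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_wep_key(bits=104):
    """Hex WEP key: 40 secret bits = 10 hex digits, 104 bits = 26 hex digits."""
    if bits not in (40, 104):
        raise ValueError("WEP keys carry 40 or 104 secret bits")
    return secrets.token_hex(bits // 8).upper()

def random_wpa_passphrase(length=24):
    """WPA passphrase: 8..63 printable ASCII characters (letters and digits here)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def validate_key(mode, key):
    """Return the format a typed-in key matches for the given mode, or raise ValueError."""
    is_hex = bool(key) and set(key) <= HEX
    if mode == "WEP" and is_hex and len(key) in (10, 26):
        return "WEP 40-bit" if len(key) == 10 else "WEP 104-bit"
    if mode == "WPA" and is_hex and len(key) == 64:
        return "WPA 256-bit key"
    if mode == "WPA" and 8 <= len(key) <= 63 and set(key) <= PRINTABLE:
        return "WPA passphrase"
    raise ValueError(f"not a valid {mode} key")  # the key itself is never echoed

if __name__ == "__main__":
    print("SSID:", random_ssid())
    print("WEP :", random_wep_key(104))
    print("WPA :", random_wpa_passphrase())
```

Run the generator once, enter the same key on the router and on every PC, and use validate_key to catch a mistyped or truncated key before you lock yourself out.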