Ann Arbor Area Business Monthly
Small Business and the Internet
Home LAN Security
By Mike Gould
I suspect a good many of you have a Local Area Network (LAN) set up in your home or office. I further suspect that most of you are running it wirelessly, hanging one or more laptops off your broadband connection in addition to a desktop or two. I also suspect that your LANs are wide-open to possible network knavery, and that is our topic this month.
The LAN Plan
Any collection of computers that can talk to each other or share an Internet connection is a form of LAN. If you have a cable or DSL modem, and more than one computer, chances are you also have a router in there somewhere; and if you have a laptop or two, that router is probably also a wireless broadcaster (a WiFi Access Point - which we'll abbreviate here to AP).
The most common setup found in home or small office LANs looks like this: A wire comes into the house or office and connects to a cable or DSL modem. A wire (an ethernet cable) runs from the modem to a router/AP. (or to a router and thence to a separate AP). Desktop computers connect to the router via another ethernet cable. Laptops connect to the router via WiFi. Sometimes desktops connect wirelessly as well, if the home- or business-owner doesn't feel like stringing ethernet cable all over the place.
Variations abound; you can now get a DSL wireless/router/modem thingie that combines all these functions into one box. If you have a DSL connection and a laptop, this is what I generally recommend instead of the multi-box approach. If all the functions are in one box provided by the DSL company, they are forced to support it and can't blame another company's router if (well, when - there is no "if" here) things go wonky (a technical term meaning all of a sudden you can't get your email). Unfortunately, our local cable company has yet to implement this sort of solution.
From a security standpoint, a router of any sort is a Good Thing, because it provides a fairly robust hardware firewall. Any network prowler out there looking for a way into your system will find the router but be unable to get past it to your computers. (Unless you invite them in via a virus or some other means, but that's another article.)
A wireless router, on the other hand, is a security Bad Thing. The reason is that while the firewall aspect may be preventing wired intrusions, most wireless routers are open by default and that is the rub of the hub. By "open", I mean that anyone within range of the AP (usually around 150 feet) can connect to it and start poking around in your network.
This LAN Is Your LAN, This LAN is anybody's LAN
I am always amused when I visit a client and look for wireless access. I almost always find un-secured APs within range, especially in apartment complexes. If I fire up the AirPort software on my Mac laptop, I usually see "linksys" , or "dlink", or somesuch, which is the default name of the network created by the AP. This is called an SSID (Secure Set ID), or the network name of the AP. Un-changed, this is an un-secured way into the neighbor's (or your) LAN. If I see "Pete's Network", I know that Pete has taken the time to change the default and turn on the security features of the AP, and that is the point of this rambling discourse: how and why to tweak your wirelessness so the bad guys can't get in.
The why we've covered: the defaults are like this because the AP manufacturers want things to work out of the box, so they make this as easy as possible. You bring home the AP, plug it in, configure your laptop and you're working. But working un-secured.
So here's the how to tighten up. (Follow the instructions in your manual, but the steps below are the essentials).
First step after you've unpacked things is to plug the device into one computer via a wire, and don't plug it into your network - you don't want to expose an un-tweaked AP to the world just yet. You use your browser software to connect to the device. Fire up FireFox or whatever and enter the URL of the AP into the browser address bar, usually http://192.168.1.1 (this should be found in your instructions, along with the password). You should be asked for a password, usually something really secure like "admin".
The control panel for the AP should then appear in your browser and you are ready to tweak things. Take notes as you go, in case you need to re-do the settings later (I usually do a screen-grab of the completed pages).
Once you are in control, change the admin password for the device. Any time I see "linksys" as an available network at a client's place, I know I can attach to that network, do the above, and lock the user out of their AP, as well as other amusing stunts.
Then change the SSID. I suggest something that doesn't immediately tell the world whose network it is as this would make guessing the password easier.
Finally, turn on encryption. Your choices will vary, but WPA is the current standard. This enables you to require a password of anyone attaching to your AP (the previous password was just to the device itself - this is to the network the device creates.)
You can also set it up so that only certain laptops can attach to your network; this involves determining the MAC address (nothing to do with Apple - this is a hardware address) of your wireless card. You can then put this into a table of permitted devices. This is probably a bit geekier than most folks want to get, but if you have a tech guy handling it, he or she should be aware of the issue.
One final note about home routers, wireless or not: if yours is more than 3 years old, consider replacing it. I have seen a lot of problems lately that were fixed when a new router was installed. And the new ones are faster, cheaper and more secure.
Here is a good resource for securing your system:
Mike Gould, is a part-time mouse wrangler for the U of M, runs the MondoDyne Web Works/Macintosh Consulting/Digital Photography mega-mall, is a member of Factotem.com, and welcomes comments addressed to firstname.lastname@example.org.