

PowerTalk

Wireless Insecurity
August 2003

Shane Hicks is an independent consultant and technical trainer, providing support to individuals and small businesses. He's been in the industry for over 10 years.

Email your questions; they will be answered as space permits.


I got an interesting call this last month. It seems one of my clients was experimenting with WLAN (Wireless Local Area Networking) at his home, and was experiencing some unexpected results. You see, he purchased a WAP (Wireless Access Point) along with a wireless network card. He connected his primary computer directly to the access point with a standard Ethernet cable, and configured his system following the instructions that came with the access point. He then installed the wireless card in his second computer and ran the software installation wizard. To his satisfaction, the second computer automatically discovered his WAP and joined the network. He then established shared files and folders between his two machines and finished by linking his second computer to the laser printer he had physically connected to the first.

A few hours later, his son mentioned that there was more than one wireless network available on the second computer. My client logged on to the second machine and discovered that the wireless card was indeed picking up another WAP. It seems that the neighbors were running a WLAN as well. He clicked on the other network and was surprised when his second machine logged on to the neighbor’s network without any difficulty. It was fairly soon after this discovery that I received a call…

“If I can log on to their network, what keeps them from logging in to mine?”

Well, not a whole lot if you simply install your wireless devices using the default settings. But there are ways to improve the security of your WLAN.

The first level of defense is in naming your network. Wireless networks depend on an SSID (Service Set IDentifier), sometimes referred to as the network name of the WLAN. The SSID is a 32-character unique identifier that differentiates one WLAN from another. In order to join a network, each device provides the network name to the WAP. Most wireless devices ship with a default SSID and do not prompt you to change this ID during standard installation. Therefore, most devices already “know” what the correct SSID is to join the network. For this reason, it is wise to change the SSID to something only you know. Do not use common names, such as “Home” or “Wireless” or something else that can be easily guessed by someone outside of your network.

Unfortunately, the SSID is transmitted between devices in plain text. It can be pulled from the air, or sniffed, and used by others. To further secure your WLAN, you need to enable WEP, or Wired Equivalent Privacy, on your devices. WEP on early wireless devices provides 40-bit encryption. However, most devices now utilize 128-bit encryption. While any encryption can be broken, the time and effort it takes to break this encryption makes it not worthwhile when there are so many totally unprotected wireless networks to pillage. Just make sure that, when creating your encryption key, you do not use something as simple as a series of all 1s or all 0s. These keys are not hard to crack!

The next thing you want to do is change the default administrator password on your WAP. Again, these devices come with a factory default that anyone can know. If a hacker can log on to your network with a default username and password, they can take total control of your wireless network.

Windows XP comes with an amazing auto-discovery feature that enables it to scan for available wireless networks. This is great for easily setting up your local network, but it also provides too simple a way for others to enjoy the benefits of your WLAN resources. This is due to the fact that most WAPs are designed to broadcast their SSIDs to any compatible wireless devices in the area. Securing your network from broadcasting SSIDs is a two-step process. On the WAP, simply disable the broadcast function on the device. Then, you must go to each wireless device. First, set the SSID on each device to that of your WLAN. Finally, disable the ability of your devices to join other WLANs. This last step is accomplished, in Windows XP, by deselecting the “Automatically connect to non-preferred networks” check-box in the Wireless Setting tab in the Properties of each specific wireless connection.

To tighten security even more, most WAPs enable the administrator to specify which MAC (Media Access Control) addresses are recognized on the network. Each network device comes from the manufacturer with a unique MAC address, or 12-digit code, which can be used to identify each specific device. By explicitly defining which MAC addresses are allowed to participate on the network, you may prevent unauthorized devices from participating on the WLAN. The MAC address can also be located by checking the properties of each network device. On Windows XP, this is under Details on the Support tab for the device. It is labeled as the Physical Address.

Finally, it is a good idea to separate your physical LAN from your WLAN. This protects your internal network in case your WLAN is compromised. This can be accomplished by using a hub or switch to connect to your ISP (Internet Service Provider) using two IP addresses, creating two logical subnets. You then install a firewall on your LAN, to restrict access from the WLAN (and others).
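The configuration steps above can be checked mechanically. The following is an added example, not part of the original column: it audits a settings dictionary against each step (network name, broadcast, WEP key, administrator password, MAC address list). The field names, the lists of weak names and factory passwords, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Assumed samples of factory or easily guessed values; extend for your own hardware.
WEAK_SSIDS = {"default", "linksys", "netgear", "wireless", "home", "wlan"}
FACTORY_PASSWORDS = {"", "admin", "password"}

def normalize_mac(mac):
    """Strip separators and return the 12 hex digits of a MAC address."""
    digits = re.sub(r"[:\-. ]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 12-digit MAC address: {mac!r}")
    return digits

def wep_key_problems(key):
    """Return the reasons a hexadecimal WEP key is weak (empty list if none)."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", key or ""):
        return ["key is empty or not hexadecimal"]
    problems = []
    if len(key) != 26:  # a 40-bit key is 10 hex digits, a 128-bit key is 26
        problems.append("not a 128-bit key (26 hex digits)")
    if len(set(key.lower())) <= 2:
        problems.append("key is a run of one or two repeated digits")
    return problems

def audit_wlan(cfg):
    """Check a settings dict (hypothetical field names) against the column's steps."""
    findings = []
    if cfg["ssid"].lower() in WEAK_SSIDS:
        findings.append("SSID is a default or common name")
    if cfg["ssid_broadcast"]:
        findings.append("SSID broadcast is enabled")
    wep = wep_key_problems(cfg["wep_key"]) if cfg["wep_enabled"] else ["disabled"]
    findings += ["WEP: " + p for p in wep]
    if cfg["admin_password"] in FACTORY_PASSWORDS:
        findings.append("admin password is still a factory default")
    allowed = {normalize_mac(m) for m in cfg["mac_allow_list"]}
    if not allowed:
        findings.append("MAC address filtering is not configured")
    findings += ["unlisted device associated: " + m for m in cfg["associated_clients"]
                 if allowed and normalize_mac(m) not in allowed]
    return findings

# Constructed settings: one as shipped, one after following every step above.
OUT_OF_BOX = dict(ssid="default", ssid_broadcast=True, wep_enabled=False, wep_key="",
                  admin_password="admin", mac_allow_list=[], associated_clients=[])
HARDENED = dict(ssid="q7-attic-kestrel", ssid_broadcast=False, wep_enabled=True,
                wep_key="3f9a1c7e5b2d8046a1c93e7f5d", admin_password="Tr4il-mix-lantern",
                mac_allow_list=["00-11-22-33-44-55"], associated_clients=["00:11:22:33:44:55"])
```

Calling `audit_wlan(OUT_OF_BOX)` returns one finding per skipped step, while `audit_wlan(HARDENED)` returns an empty list.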

At this point, you are about as secure as you can be. I wish everyone the best in their wireless networking pursuits. Until next month. . .


Copyright© 1996-2008
Alamo PC Organization, Inc.
San Antonio, TX USA