. 31
( 61 .)


4. Click the Start button to start sharing.
5. Close the Sharing panel and the System Preferences panel.
After you complete these steps, this Mac OS X computer is now both a
DHCP server and a NAT server, equivalent to a broadband router. You
might need to restart any computer or AP that is connected to the PC
for the IP addresses to be reassigned.

To remove Internet connection sharing, display the Internet tab of the
Sharing pane in System Preferences and click the Stop button.

The host PC has to be turned on for the other computers sharing its connec-
tion to be able to access the Internet.
Chapter 10
Securing Your Wireless Home
In This Chapter
Worrying about wireless home network security
Understanding Wired Equivalent Privacy (WEP)
Getting security on your network
Checking out future security enhancements

I f you read the news ” well, at least if you read the same networking news
sources that we do ” you™ve probably seen and heard a thing or two (or a
hundred) about wireless local area network (LAN) security. In fact, you really
don™t need to read specialized industry news to hear about this. Many major
newspapers and media outlets ” The New York Times, the San Jose Mercury
News, and USA Today, among others ” have run feature articles documenting
the insecurity of wireless LANs. Most of these stories have focused on
wardrivers, those folks who park in the lot in front of an office building,
pull out their laptops, and easily get onto corporate networks.

In this chapter, we talk a bit about these security threats and how they might
affect you and your wireless home network. We also (being the helpful types
that we are) give you some good advice on how you can make your wireless
home network more secure. And finally, we talk about some new solutions
that are being developed by the wireless LAN industry to beef up wireless
LAN security.

The advice that we give in this section applies equally to your wireless net-
work, whether it uses 802.11b, a, or g. We™re not going to be specific to any
particular 802.11 technology in this chapter because the steps that you take
to batten down the hatches on your network are virtually identical, regard-
less of which version of 802.11 you choose. (If you™ve missed our discussion
on 802.11 basics, jump back to Chapter 2.)
184 Part III: Installing a Wireless Network

No security at all!
The vast majority of wireless LAN gear (access that up to 60 percent of all access points that
points, network cards, and so on) is shipped to they encounter have no security methods in
customers with all the security features turned place at all.
off. That™s right: zip, nada, zilch, no security at all.
Now, we should add that some people pur-
Just a wide-open access point, sitting there
posely leave their access point security off
waiting for anybody who passes by (with a Wi-
in order to provide free access to their neigh-
Fi“equipped computer, at least) to associate
borhoods. (We talk about this in Chapter 16.) But
with the access point and get on your network.
we find that many people don™t intend to do this
Now this isn™t a bad thing in and of itself; initially but have done so unknowingly. We™re all for
configuring your network with security features sharing, but keep in mind that it could get you in
turned off and then enabling the security features trouble with your broadband provider (who
after things are up and running is easier than might cancel your line if you™re sharing with
doing it the other way ™round. Unfortunately, neighbors). If you don™t want other people on
many people never take that extra step and acti- your network, take the few extra minutes that it
vate their security settings. So a huge number of takes to set up your network security. You can
access points out there are completely open to test your network ” to make sure WEP is really
the public (when they are within range, at least). enabled ” by using a program like Network
Folks who™ve spent some time wardriving (which Stumbler (which we discuss at length in
we describe in this chapter™s introduction) say Chapter 16).

No network security system is absolutely secure and foolproof. And, as we dis-
cuss in this chapter, Wi-Fi networks have some inherent flaws in their security
systems, which means that even if you fully implement the security system in
Wi-Fi (WEP), a determined individual could still get into your network.

We™re not trying to scare you off here. In a typical residential setting, chances
are good that your network won™t be subjected to some sort of determined
attacker like this. So follow our tips, and you should be just fine.

Assessing the Risks
The biggest advantage of wireless networks ” the fact that you can connect
to the network just about anywhere within range of the base station (up to
300 feet) ” is also the biggest potential liability. Because the signal is carried
over the air via radio waves, anyone else within range can pick up your net-
work™s signals, too. It™s sort of like putting an extra RJ-45 jack for a wired LAN
out on the sidewalk in front of your house: You™re no longer in control of who
can access it.
Chapter 10: Securing Your Wireless Home Network

General Internet security
Before we get into the security of your wireless LAN, we need to talk for a
moment about Internet security in general. Regardless of what type of LAN
you have ” wireless, wired, a LAN using powerlines or phonelines, or even no
LAN ” when you connect a computer to the Internet, some security risks are
involved. Malicious crackers (the bad guys of the hacker community) can use
all sorts of tools and techniques to get into your computer(s) and wreak havoc.

For example, someone with malicious intent could get into your computer
and steal personal files (such as your bank statements that you™ve down-
loaded using Quicken) or mess with your computer™s settings . . . or even
erase your hard drive. Your computer can even be hijacked (without you
knowing it) as a jumping off point for other people™s nefarious deeds; as a
source of an attack on another computer (the bad guys can launch these
attacks remotely using your computer, making them that much harder to
track down); or even as source for spam e-mailing.

What we™re getting at here is the fact that you need to take a few steps to
secure any computer attached to the Internet. If you have a broadband (digi-
tal subscriber line [DSL], satellite, or cable modem) connection, you really
need to secure your computer(s). The high speed, always-on connections
that these services offer make it easier for a cracker to get into your com-
puter. We recommend that you take three steps to secure your computers
from Internet-based security risks:

Use and maintain antivirus software. Many attacks on computers don™t
come from someone sitting in a dark room, in front of a computer screen,
actively cracking into your computer. They come from viruses (often
scripts embedded in e-mails or other downloaded files) that take over
parts of your computer™s operating system and do things that you don™t
want your computer doing (like sending a copy of the virus to everyone in
your e-mail address book and then deleting your hard drive). So pick out
your favorite antivirus program and use it. Keep the virus definition files
(the data files that tell your antivirus software what™s a virus and what™s
not) up to date. And for heaven™s sake, use your antivirus program!
Install a personal firewall on each computer. Personal firewalls are pro-
grams that basically take a look at every Internet connection entering or
leaving your computer and check it against a set of rules to see whether
the connection should be allowed. After you™ve installed a personal fire-
wall program, wait about a day and then look at the log. You™ll be shocked
and amazed at the sheer number of attempted connections to your com-
puter that have been blocked. Most of these attempts are relatively
innocuous, but not all are. If you™ve got broadband, your firewall might
block hundreds of these attempts every day.
We like ZoneAlarm ” www.zonelabs.com ” for Windows computers,
and we use the built-in firewall on our Mac OS X computers.
186 Part III: Installing a Wireless Network

Turn on the firewall functionality in your router. Whether you use a
separate router or one integrated into your wireless access point, it will
have at least some level of firewall functionality built in. Turn this func-
tion on when you set up your router/access point. (It™ll be an obvious
option in the configuration program and might well be on by default.)
We like to have both the router firewall and the personal firewall soft-
ware running on our PCs. It™s the belt-and-suspenders approach, but it
makes our networks more secure.
In Chapter 12, we talk about some situations (particularly when you™re
playing online games over your network) where you need to disable
some of this firewall functionality. We suggest that you do this only
when you must. Otherwise, turn on that firewall ” and leave it on.
Some routers use a technology called stateful packet inspection firewalls,
which examine each packet (or individual group) of data coming into the
router to make sure that it was actually something requested by a com-
puter on the network. If your router has this function, we recommend
that you try using it because it™s a more thorough way of performing fire-
wall functions. Others simply use Network Address Translation (NAT,
which we introduce in Chapter 2 and further discuss in Chapter 16) to
perform firewall functions. This isn™t quite as effective as stateful packet
inspection, but it does work quite well.
There™s a lot more to Internet security ” like securing your file sharing (if
you™ve enabled that) ” that we just don™t have the space to get into. Check
out Chapter 11 for a quick overview on this subject. To get really detailed
about these subjects, we recommend that you take a look at Home Networking
For Dummies, by Kathy Ivens (Wiley Publishing, Inc.) for coverage of those
issues in greater detail.

After you™ve set up your firewall, test it out. Check out this great site that has
a ton of information about Internet security: www.grc.com. The guy behind
this site, Steve Gibson, is a genius on the topic, and he™s built a great tool
called ShieldsUP!! that lets you run through a series of tests to see how well
your firewall(s) is working. Go to www.grc.com and test yourself.

Airlink security
The area that we really want to focus on in this chapter is the aspect of net-
work security that™s unique to wireless networks: the airlink security. In other
words, these are the security concerns that have to do with the radio fre-
quencies being beamed around your wireless home network.

Traditionally, computer networks use wires that go from point to point in
your home (or in an office). When you™ve got a wired network, you™ve got
physical control over these wires. You install them, and you know where they
go. The physical connections to a wired LAN are inside your house. You can
Chapter 10: Securing Your Wireless Home Network

lock the doors and windows and keep someone else from gaining access to
the network. Of course, you™ve got to keep people from accessing the network
over the Internet, as we mention in the previous section, but locally it would
take an act of breaking and entering by a bad guy to get on your network.
(Sort of like on Alias where they always seem to have to go deep into the
enemy™s facility to tap into anything.)

Wireless LANs turn this premise on its head because you™ve got absolutely no
way of physically securing your network. Now you can do things like go out-
side with a laptop computer and have someone move the access point around
to reduce the amount of signal leaving the house. But that™s really not going
to be 100 percent effective, and it can reduce your coverage within the house.
Or you could join the tinfoil hat brigade (“The CIA is reading my mind!”) and
surround your entire house with a Faraday cage. (Remember those from
physics class? Us neither, but they have something to do with attenuating
electromagnetic fields.)

Some access points have controls that let you limit the amount of power
used to send radio waves over the air. This isn™t a perfect solution (and it can
dramatically reduce your reception in distant parts of the house), but if you
live in a small apartment and are worried about beaming your Wi-Fi signals to
the apartment next door, you might try this.

Basically, what we™re saying here is that the radio waves sent by your wire-
less LAN gear are going to leave your house, and there™s not a darned thing
that you can do about it. Nothing. What you can do, however, is make it diffi-
cult for other people to tune into those radio signals, thus (and more impor-
tantly) making it difficult for those who can tune into them to decode them
and use them to get onto your network (without your authorization) or to
scrutinize your e-mail, Web surfing habits, and so on.

You can take several steps to make your wireless network more secure and to
provide some airlink security on your network. We talk about these in the fol-
lowing sections, and then we discuss some even better methods of securing
wireless LANs that are coming down the pike.

Introducing Wired Equivalent
Privacy (WEP)
The primary line of defense in a Wi-Fi network is Wired Equivalent Privacy
(WEP). WEP is an encryption system, which means that it scrambles ” using
the encryption key (or WEP key, in this case) ” all the data packets (or indi-
vidual chunks of data) that are sent over the airwaves in your wireless net-
work. Unless someone on the far end has the same key to decrypt the data,
188 Part III: Installing a Wireless Network

he (theoretically) won™t be able to make heads nor tails of it. It™ll be gibber-
ish. So even though your data is beamed right through the side of the house
into that snooper™s PC, it will arrive in an unreadable form.

WEP also has a second security function: Not only does it encrypt your data
being transmitted over the airlink, it also can be used to authenticate users
connecting to the access point. In other words, not only do you need a WEP
key to decode data transmitted over the airlink, but you also need a WEP key
to get your computer connected to the access point in the first place. If an
access point has WEP enabled and you don™t have the key, you can try and
try, but you™ll never get connected to it.

Although the WEP key itself is a long series of numbers and letters, you often
don™t have to make up this key yourself. (It™s harder than you think to just
spew out some random numbers and letters.) Instead, you just have to enter
a pass phrase (some regular English words that you can remember), and the
software will use this pass phrase to generate the key for you.

How about a bit more about WEP?
WEP encrypts your data so that no one can read it unless they have the key.


. 31
( 61 .)