We should all by now know that Wi-Fi is by default inherently insecure - it’s tantamount to dangling a network cable out of your window with a prominent ‘Help Yourself’ label attached to it. The earliest attempt at Wi-Fi security, WEP (wired equivalent protocol), proved deeply flawed and very easy to hack. WPA (wireless protected access) and in particular WPA2 (which features near-unbreakable AES encryption) have gone a long way to rectifying this glaring defect.

Even so, many wireless networks remain unprotected. Here are some dos and don'ts.

Wi-Fi security dos
Because so many wireless networks aren’t protected, it’s absolutely essential to change all the default security settings on your access point. So, change the SSID (service set identifier or network name) on your router/access point to anything but Netgear or Linksys.

The default SSIDs of commonly available hardware are well known to hackers. Your ideal SSID should not contain information that would give away your company name or location. Something bland or innocuous is best.

You should also change the administrator password. Hackers know the default passwords for all of the major brands of hardware and with your password could easily remotely reconfigure your AP.

Similarly, if your router supports SNMP (simple network management protocol), change the community names, for example ‘public’, to something much less obvious.

This will prevent hackers from managing your device using standard community names and SNMP-management software.

Always turn on the highest level of security your hardware supports. Even if you have older equipment that supports only WEP, be sure to enable it. Despite its nonexistent reputation as a security solution, simply having it running will turn most hackers away. Use WPA or better still WPA2 if it’s available. A number of recent Wi-Fi products either support the new security standard or are capable of being upgraded to it, so check your hardware manufacturer’s website for firmware upgrades.

You can also use NetStumbler (see last week's article) to perform your own security audit. Take your notebook for a walk around the perimeter of your building and find out what a would-be hacker might see. It’s also useful for detecting levels of electrical interference, which directly affects coverage.
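The checks from this list can be run over the results of such a perimeter walk. The following is an added example, not part of the original article: the survey records are constructed and use a made-up two-column CSV layout (not NetStumbler's export format), and the default-SSID list and the organisation keyword "acme" are assumptions to replace with your own.

```python
import csv
import io

# Assumption: factory SSIDs to flag; the article names Netgear and Linksys.
DEFAULT_SSIDS = {"netgear", "linksys"}

# Weakest to strongest, following the article's ordering.
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}

ENCRYPTION_ADVICE = {
    0: "no encryption",
    1: "WEP only: upgrade to WPA/WPA2",
    2: "WPA: use WPA2 if hardware supports it",
}


def audit_network(ssid, encryption, org_keywords):
    """Return a list of findings for one access point (empty if none)."""
    findings = []
    name = ssid.strip().lower()
    if name in DEFAULT_SSIDS:
        findings.append("default SSID")
    if any(keyword.lower() in name for keyword in org_keywords):
        findings.append("SSID reveals organisation or location")
    rank = ENCRYPTION_RANK.get(encryption.strip().lower())
    if rank is None:
        findings.append("unknown encryption value")
    elif rank in ENCRYPTION_ADVICE:
        findings.append(ENCRYPTION_ADVICE[rank])
    return findings


def audit_survey(csv_text, org_keywords):
    """Audit every row of a survey CSV; return {ssid: findings} for flagged APs."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_network(row["ssid"], row["encryption"], org_keywords)
        if findings:
            report[row["ssid"]] = findings
    return report


# Constructed sample data: your own access points as seen from outside.
SAMPLE_SURVEY = """ssid,encryption
linksys,none
AcmeCorp-Floor2,WEP
bluebird,WPA2
NETGEAR,WPA
"""

if __name__ == "__main__":
    for ssid, findings in audit_survey(SAMPLE_SURVEY, ["acme"]).items():
        print(f"{ssid}: {'; '.join(findings)}")
```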

Wi-Fi security don’ts
WPA and WEP use encryption, which unavoidably incurs a bandwidth overhead. Some prefer to rely on controlling access to their wireless networks based on the MAC (media access control) address of the network card attached to the PC requesting access. It’s simple to set up an ‘approved’ list of PCs and works very simply: ‘if your name ain’t down, you can’t come in.’

The major flaw with this approach is that the MAC address is just a 12-digit hexadecimal number that can be viewed in clear text with a sniffer. All you have to do is wait and watch until a PC connects to the wireless network, and detect its permitted MAC address, which you can then spoof to gain entry. So it’s not very secure.

Some folks are also big fans of hiding the AP’s SSID. Why broadcast the fact there’s a wireless network?

Well, turning off SSID broadcasts does undoubtedly make it awkward for casual hackers - and genuine users - to find your network but, like MAC filtering, it’s not the ultimate in security. Why? Because the SSID is still broadcast by other mechanisms on the AP, such as probe requests and responses. Again, turning off SSID broadcasts doesn’t make your WLAN quite as stealthy as you might imagine.

While you’re setting up your wireless network it will help if you don’t turn off SSID broadcasting until after you know that everything is working smoothly. By the same token, don’t enable encryption until you have got the network up and running.

It can also help during this phase if you turn off firewalls on the PCs themselves - in my experience many network-communication problems are caused by firewalls and are swiftly fixed by turning them off, even if it’s only for a little while.

Finally, there is some debate over the real value of disabling auto-connect features. DHCP (dynamic host configuration protocol) automatically doles out IP addresses to users joining the network, making the life of the hacker just that little bit easier.

Again, this is likely to deter casual hackers but the seasoned variety won’t be too fazed by it: in reality it shouldn’t take more than about 10 seconds to figure out the IP scheme of any network and simply assign your own IP address to it.