• Wireless network security. The sad truth about home Wi-Fi security

    Security issues wireless networks, described in a number of articles, provoked distrust in wireless technologies. How justified is it?

    Why are wireless networks considered more vulnerable than cable networks? IN wired networks data can only be intercepted if the attacker obtains physical access to the transmission medium. In wireless networks, the signal travels over the airwaves, so anyone within range of the network can intercept the signal.

    The attacker does not even have to be on the company’s territory; it is enough to get into the radio signal propagation zone.

    Threats to wireless networks

    When preparing to secure your wireless networks, you first need to understand what might threaten them.

    Passive attack

    Intercepting wireless network signals is similar to listening to radio transmissions. All you need is a laptop (or PDA) and a wireless protocol analyzer. There is a widespread misconception that unauthorized connections to a wireless network outside the office can be stopped by monitoring output power signal. This is not true, since the use of a high-sensitivity wireless card and a directional antenna by an attacker can easily overcome this security measure.

    Even after reducing the likelihood of unauthorized connection to the network, the possibility of “listening” to traffic should not be ignored, therefore, in order to operate securely in wireless networks, it is necessary to encrypt the transmitted information.

    Active attack

    It is dangerous to connect an unsecured wireless network to a cable network. An unsecured access point connected to local network, presents a wide open door for intruders. For businesses, this risks allowing competitors to gain access to confidential documents. Unsecured wireless networks allow hackers to bypass firewalls and security settings that protect the network from attacks via the Internet. On home networks, attackers can obtain free access to the Internet at the expense of their neighbors.

    Uncontrolled access points connected to the network without authorization should be monitored and identified. Such points, as a rule, are established by the enterprise employees themselves. (For example, a sales manager purchased a wireless access point and uses it to stay connected all the time.) Such a point could be specially connected to the network by an attacker in order to gain access to the company’s network outside the office.

    It should be remembered that both computers connected to a wireless network are vulnerable, as are those that have a wireless card enabled with default settings (it, as a rule, does not block penetration through the wireless network). For example, while a user waiting for his flight is browsing Internet resources through the Wi-Fi network deployed at the airport, a hacker sitting nearby is studying information stored on the computer of a mobile employee. Users working via wireless networks in cafes, exhibition centers, hotel lobbies, etc. may be subject to similar attacks.

    Search for available wireless networks

    For active search vulnerable wireless networks (War driving) usually using a car and a kit wireless equipment: small antenna, wireless network card, laptop and possibly a GPS receiver. Using widely used scanner programs such as Netstumbler, you can easily find wireless network reception areas.

    War Driving fans have many ways to share information. One of them (War Chalking) involves drawing symbols on diagrams and maps indicating detected wireless networks. These designations contain information about the strength of the radio signal, the presence of one or another type of network protection, and the ability to access the Internet. Fans of this “sport” exchange information through Internet sites, “posting”, in particular, detailed maps with the location of detected networks. By the way, it’s useful to check if your address is there.

    Denial of service

    Free Internet access or corporate network is not always the target of attackers. Sometimes the goal of hackers may be to disable a wireless network.

    A denial of service attack can be achieved in several ways. If a hacker manages to establish a connection to a wireless network, his malicious actions can cause a number of serious consequences, such as sending responses to Address Resolution Protocol (ARP) requests to change ARP tables network devices in order to disrupt network routing or the introduction of an unauthorized Dynamic Host Configuration Protocol (DHCP) server to issue inoperative addresses and network masks. If a hacker finds out the details of the wireless network settings, he can reconnect users to his access point (see figure), and the latter will be cut off from network resources that were accessible through the “legitimate” access point.

    Introducing an unauthorized access point.

    An attacker can also block the frequencies used by wireless networks by using a signal generator (this can be made from parts microwave oven). As a result, the entire wireless network or part of it will fail.

    Security Considerations in IEEE 802.11 Standards

    The original 802.11 standard provided for the security of wireless networks using a “wired-equivalent privacy” standard (Wired Equivalent Privacy,WEP). Wireless networks that use WEP require a static WEP key to be configured on access points and all stations. This key can be used for authentication and data encryption. If it is compromised (for example, in case of loss laptop computer) you need to change the key on all devices, which is sometimes very difficult. When using WEP keys for authentication, wireless stations send an appropriate challenge to the access point, receiving a clear text challenge in response. The client must encrypt it using its own WEP key and return it to the access point, which will decrypt the message using its own WEP key. If the decrypted message matches the original, this means that the client knows the WEP key. Therefore, the authentication is considered successful and a corresponding notification is sent to the client.

    Having successfully completed authentication and association, wireless device can use a WEP key to encrypt traffic between the device and the access point.

    The 802.11 standard defines other access control mechanisms. The access point can use hardware address filtering (Media Access Control, MAC), granting or denying access based on the client's MAC address. This method makes it difficult, but does not prevent, the connection of unauthorized devices.

    How secure is WEP?

    One of the rules of cryptography is that given the plaintext and its encrypted version, you can determine the encryption method used. This is especially true when using weak encryption algorithms and symmetric keys, such as those provided by WEP.

    This protocol uses the RC4 algorithm for encryption. Its weakness is that if you encrypt a known plaintext, the output will be the key stream that was used to encrypt the data. According to the 802.11 standard, the key stream consists of a WEP key and a 24-bit initialization vector. For each packet, the following vector is used and is sent in clear text along with the packet so that the receiving station can use it in conjunction with the WEP key to decrypt the packet.

    If you receive one key stream, then you can decrypt any packet encrypted with the same vector. Since the vector changes for each packet, decryption requires waiting for the next packet using the same vector. To be able to decrypt WEP, a complete set of vectors and keystreams must be assembled. WEP cracking tools work this way.

    You can obtain plaintext and encrypted text during the client authentication process. By intercepting traffic over a period of time, you can collect the required amount of initial data to carry out an attack. To accumulate the data necessary for analysis, hackers use many other methods, including “men in the middle” attacks.

    When deciding on the frame format for wireless networks, IEEE proposed its own format called Subnetwork Address Protocol (SNAP).

    The two bytes following the MAC header in an 802.11 SNAP frame are always "AA AA". WEP encrypts all bytes following the MAC header, so the first two encrypted bytes always know the plaintext (“AA AA”). This path provides the opportunity to receive fragments of the encrypted and clear message.

    Utilities for cracking WEP are distributed free of charge on the Internet. The most famous of them are AirSnort and WEPCrack. To successfully crack a WEP key using them, it is enough to collect from 100 thousand to 1 million packets. New utilities Aircrack and Weplab for cracking WEP keys implement a more efficient algorithm that requires significantly fewer packets. For this reason, WEP is unreliable.

    Wireless technologies are becoming safer

    Today, many companies use convenient and secure wireless networks. The 802.11i standard took security to a whole new level. The IEEE 802.11i Working Group, whose task was to create a new wireless security standard, was formed after studying the vulnerability of the WEP protocol. It took some time to develop, so most equipment manufacturers, without waiting for the new standard to be released, began to offer their own methods (see. ). In 2004, a new standard appeared, however, equipment suppliers, by inertia, continue to use old solutions.

    802.11i specifies the use of the Advanced Encryption Standard (AES) instead of WEP. AES is based on an implementation of the Rendell algorithm, which most cryptanalysts recognize as strong. This algorithm is a significant improvement over its weak predecessor RC4, which is used in WEP: it uses keys of 128, 192 and 256 bits, instead of the 64 bits used in the original 802.11 standard. The new 802.11i standard also defines the use of TKIP, CCMP, and 802.1x/EAP.

    EAP-MD5 verifies the user's identity by verifying the password. The issue of using traffic encryption is left to the network administrator. The weakness of EAP-MD5 is that it does not require encryption, so EAP-MD5 allows for a “men in the middle” attack.

    The Lightweight EAP (LEAP) protocol, which was created by Cisco, provides not only data encryption, but also key rotation. LEAP does not require the client to have keys because they are sent securely after the user has been authenticated. It allows users to easily connect to the network using an account and password.

    Early LEAP implementations only provided one-way user authentication. Cisco later added mutual authentication capability. However, the LEAP protocol was found to be vulnerable to dictionary attacks. American Institute Fellow system administration, Telecommunications and Security (SANS) Joshua Wright developed the ASLEAP utility, which carries out a similar attack, after which Cisco recommended using strong passwords of at least eight characters, including special characters, uppercase, lowercase and numbers. LEAP is secure to the extent that the password is resistant to guessing attempts.

    A stronger implementation of EAP, EAP-TLS, which uses pre-installed digital certificates on the client and server, was developed by Microsoft. This method provides mutual authentication and relies not only on the user's password, but also supports rotation and dynamic key distribution. The disadvantage of EAP-TLS is that it requires installing a certificate on each client, which can be quite time-consuming and expensive. In addition, this method is impractical to use in a network where employees change frequently.

    Wireless network manufacturers are promoting solutions to simplify the process for authorized users to connect to wireless networks. This idea is entirely feasible if you enable LEAP and distribute usernames and passwords. But if you need to use a digital certificate or enter a long WEP key, the process can become tedious.

    Microsoft, Cisco, and RSA collaborated to develop a new protocol, PEAP, that combines the ease of use of LEAP with the security of EAP-TLS. PEAP uses a certificate installed on the server and password authentication for clients. A similar solution - EAP-TTLS - was released by Funk Software.

    Various manufacturers support various types EAP, as well as several types at the same time. The EAP process is similar for all types.

    Typical EAP Operations

    What is WPA

    After wireless networks were declared insecure, manufacturers began implementing their own security solutions. This left companies with a choice: use a single vendor solution or wait for the 802.11i standard to be released. The standard's adoption date was unknown, so the Wi-Fi Alliance was formed in 1999. Its goal was to unify the interaction of wireless network products.

    The Wi-Fi Alliance has approved a secure protocol wireless access(Wireless Protected Access, WPA), considering it as a temporary solution until the 802.11i standard is released. The WPA protocol uses TKIP and 802.1x/EAP standards. Any Wi-Fi equipment, certified for WPA compatibility, must work in conjunction with other certified equipment. Vendors may use their own security mechanisms, but must always include support for Wi-Fi standards.

    After the initial announcement of 802.11i parameters, the Wi-Fi Alliance created the WPA2 standard. Any equipment that is WPA2 certified is fully compatible with 802.11i. If your enterprise wireless network does not support 802.11i, you should migrate to 802.11i as soon as possible to ensure adequate security.

    What is MAC Address Filtering?

    If WEP is not secure, can hardware address filtering (Media Access Control (MAC)) protect the wireless network? Alas, MAC address filters are designed to prevent unauthorized connections; they are powerless against traffic interception.

    MAC address filtering does not have a noticeable impact on the security of wireless networks. It requires only one additional action from the attacker: find out the allowed MAC address. (By the way, most drivers network cards allow you to change it.)

    How easy is it to find out the allowed MAC address? To get working MAC addresses, it is enough to monitor wireless traffic for some time using a protocol analyzer. MAC addresses can be intercepted even if the traffic is encrypted because the packet header that includes the address is sent in the clear.

    TKIP protocol

    The Temporal Key Integrity Protocol (TKIP) was designed to overcome the shortcomings of the WEP protocol. The TKIP standard improves WEP security through key rotation, longer initialization vectors, and data integrity checks.

    WEP cracking programs exploit the weakness of static keys: after intercepting the required number of packets, they can easily decrypt the traffic. Regularly changing the keys prevents this type of attack. TKIP dynamically changes keys every 10 thousand packets. Later implementations of the protocol allow you to change the key rotation interval and even set an algorithm for changing the encryption key for each data packet (Per-Packet Keying, PPK).

    The encryption key used in TKIP has become more secure than WEP keys. It consists of a 128-bit dynamic key, to which is added the station's MAC address and a 48-bit initialization vector (twice the length of the original 802.11 vector). This method is known as "key mixing" and ensures that any two stations do not use the same key.

    The protocol also has a built-in method for ensuring data integrity (Message Integrity Cheek, MIC, also called Michael).

    Over the past few years, the popularity of wireless networks has increased significantly. The growth in popularity of wireless access is largely influenced by factors such as the integration of wireless access cards into modern laptops, the emergence of PDA devices, radio IP phones, etc. According to IDC, by the end of 2004 it is planned that sales of wireless access equipment will reach 64 million devices (for comparison, 24 million devices were sold in 2002). Nowadays, wireless access can be found in restaurants, hotels and airports, many companies use wireless networks to connect users to their IT infrastructure, home network users use wireless access to connect to the Internet. However, only a few people put the issue of wireless network security first.

    Introduction

    Over the past few years, the popularity of wireless networks has increased significantly. The growth in popularity of wireless access is largely influenced by factors such as the integration of wireless access cards into modern laptops, the emergence of PDA devices, radio IP phones, etc. According to IDC, by the end of 2004 it is planned that sales of wireless access equipment will reach 64 million devices (for comparison, 24 million devices were sold in 2002). Nowadays, wireless access can be found in restaurants, hotels and airports, many companies use wireless networks to connect users to their IT infrastructure, home network users use wireless access to connect to the Internet. However, only a few people put the issue of wireless network security first.

    Wireless Security Issues

    1. SSID positioning

    The SSID parameter is the wireless network identifier. It is used to divide wireless network users into logical groups. The SSID allows the user to connect to the desired wireless network, and can be mapped to a virtual local area network (VLAN) identifier if necessary. Such a comparison is necessary to differentiate the levels of access of wireless users to corporate infrastructure resources.

    Some network engineers, when designing a wireless network, believe that the SSID is one of the security features and disabling broadcasting of the SSID value will enhance the security of the network. In fact, disabling broadcasting of this setting not only will not improve the security of the wireless network, but will also make the network less flexible with respect to clients. Some clients will not be able to work correctly with a radio access point that does not broadcast the SSID value. It should be kept in mind that even if SSID broadcasting is disabled, it is still possible to determine this identifier, since its value is transmitted in probe response frames. You also need to understand that by dividing users into different logical groups using SSID, the likelihood of eavesdropping on traffic remains, even for users who are not registered at the wireless access point.

    2. Authentication using MAC address

    Authentication is the process of determining the identity of a client based on information provided by the client, such as name and password. Many wireless equipment manufacturers support authentication of user devices using MAC addresses, but the IEEE (Institut of Electrical and Electronic Engineers) 802.11 standard does not provide for this type of authentication.

    Authentication by MAC address without using additional methods security provision is ineffective. It is enough for an attacker to simply gain access to a wireless network in which only authentication by MAC address is configured. To do this, you need to analyze the radio channel on which the radio access point works with clients and obtain a list of MAC addresses of devices that have access to the network. To access network resources over a wireless network, you need to replace the MAC address of your wireless card with the known MAC address of the client.

    3. Problems with encryption using static WEP keys

    WEP (Wired Equivalent Privacy) is a key that is designed to encrypt traffic between a radio access point and its users. WEP encryption is based on the weak RC4 encryption algorithm. The WEP key length is 40 or 104 bits. An unencrypted sequence of characters is added to the key to successfully decode the 24-bit signal on the reverse side. Thus, it is customary to talk about key lengths of 64 and 128 bits, but the effective part of the key is only 40 and 104 bits. It is worth noting that with such a length of the static key, there is no need to talk about increased cryptographic stability of the wireless network. On the Internet you can easily find programs that allow you to obtain a WEP key based on the traffic collected by the analyzer. Such programs include, for example, WEPCrack and AirSnort. To increase cryptographic stability, a 64-bit static key must be changed approximately once every 20 minutes, and a 128-bit key once per hour. Imagine that you need to change the static WEP key on the access point and all its clients every hour. What if the number of users is 100 or 1000? Such a solution will not be in demand due to the unreasonable complexity of operation.

    4. Network attacks

    Network attacks can be divided into active and passive.

    Passive attacks include attacks that do not actively impact the operation of the wireless network. For example, an attacker using WEPCrack or AirSnort programs calculates a secret WEP encryption key of 128 bits over the course of 3-4 hours of passive surveillance and analysis.

    The essence of active attacks is to influence a wireless network in order to obtain data, after processing which will gain access to radio network resources. These include attacks such as initialization vector reuse and bit manipulation attacks.

    Reusing the initialization vector.

    The attacker repeatedly sends the same information (previously known content) to the user who works in the attacked wireless segment through an external network. While the attacker is sending information to the user, he is also listening to the radio channel (the channel between the user and the attacked radio access point) and collecting encrypted data that contains the information sent to him. The attacker then calculates the key sequence using the received encrypted data and known unencrypted data.

    Bit manipulation.

    The attack is based on an integrity vector vulnerability. For example, an attacker manipulates bits of user data within a frame in order to distort information 3 th level. The frame has not undergone any changes to link level, the integrity check at the radio access point is successful and the frame is transmitted further. The router, having received the frame from the radio access point, unpacks it and checks the checksum of the network layer packet; the packet checksum is incorrect. The router generates an error message and sends the frame back to the radio access point. The radio access point encrypts the packet and sends it to the client. The attacker captures an encrypted packet with a known error message and then calculates the key sequence.

    5. DoS attacks

    DoS (Deny of Service) attacks include types of attacks that result in a denial of service to wireless network clients. The essence of these attacks is to paralyze the operation of a wireless network.

    Experts from the Queensland University of Technology have published information about a discovered vulnerability related to radio channel availability assessment in Direct Sequence Spread Spectrum (DSSS) technology. The widely used 802.11b standard is implemented on the basis of this technology.

    An attacker uses a vulnerability to simulate a constantly busy wireless network. As a result of such an attack, all users working with the radio access point in relation to which the attack occurred will be disconnected.

    It should also be noted that this attack can be applied not only to equipment operating in the 802.11b standard, but also to equipment of the 802.11g standard, although it does not use DSSS technology. This is possible when the 802.11g radio access point is backward compatible with the 802.11b standard.

    Currently, there is no protection against DoS attacks for 802.11b equipment, but to avoid such an attack, it is advisable to use 802.11g equipment (not backward compatible with 802.11b).

    What's the best way to build a secure wireless network?

    When designing and building a wireless network, it is necessary to pay primary attention to security, reliability, and also simplify the operational process as much as possible.

    As an example, let's take the following task, in which it is necessary to provide access to conference room users to corporate resources. In this example, we will look at building such a network based on equipment offered by various companies.

    Before building a wireless access network, it is necessary to study the area, i.e. armed with a radio access point and a laptop computer, go to the site of the proposed installation. This will allow you to determine the most successful locations of radio access points, allowing you to achieve maximum coverage area. When building a wireless access security system, you need to remember three components:

    authentication architecture,

    authentication mechanism

    mechanism to ensure confidentiality and data integrity.

    The IEEE 802.1X standard is used as the authentication architecture. It describes a unified architecture for controlling access to device ports using various subscriber authentication methods.

    We will use EAP (Extensible Authentication Protocol) as an authentication mechanism. The EAP protocol allows authentication based on username and password, and also supports the ability to dynamically change the encryption key. Usernames and passwords must be stored on the RADIUS server.

    We will use WEP and TKIP (Temporal Key Integrity Protocol) protocols as a mechanism to ensure confidentiality and data integrity. The TKIP protocol allows you to strengthen the security of WEP encryption through mechanisms such as MIC and PPK. Let's take a closer look at their purpose.

    MIC (Message Integrity Check) improves the integrity of the IEEE 802.11 standard by adding SEC (sequence number) and MIC fields to the frame to help prevent IV reuse and bit manipulation attacks.

    PPK (Per-Packet Keying) packet-by-packet change of the encryption key. It reduces the likelihood of successful attacks aimed at determining the WEP key, but does not guarantee complete protection.

    To avoid denial of service attacks based on vulnerabilities in DSSS technology, the wireless network will be built on the new 802.11g standard (and the 802.11g standard should not be backward compatible with the 802.11b standard). The 802.11g standard is based on OFDM (Orthogonal Frequency Division Multiplexing) technology. this technology allows you to achieve speeds up to 54Mbps.

    In order to increase the level of security of your wireless network, it is advisable to consider using the Cisco WLSE (Wireless LAN Solution Engine) server. The use of this device will make it possible to detect unauthorized established points radio access, as well as centralized management of the radio network.

    To ensure fault tolerance of wireless access points, it is advisable to use standby mode. Thus, it turns out that 2 points will work on one radio channel, one as an active one, the other as a backup one.

    If you need to provide fault tolerance in authenticated access, you must install two ACS authentication servers. In this case, one will be used as the main one, and the second as a backup one.

    Thus, when building a wireless network taking into account the requirements for security and fault tolerance, we used a wide range of components that will protect us from attacks by intruders and prevent possible attacks.

    Of course, the described solution is not minimal in terms of price characteristics, however, by paying primary attention to security issues in the wireless network, the risks associated with a possible leak of internal corporate information were minimized.

    Evgeniy Porshakov, System Engineer INLINE TECHNOLOGIES www.in-line.ru

    We are accustomed to taking special security measures to protect our property: locking the door, installing a car alarm, security cameras. Because in this day and age it is not safe to leave everything unattended, and if you need to go away, you need to protect your property. The same applies to virtual world. If available, there is a possibility that they will try to hack you and use the network without your knowledge. Not only will your Internet be available to them, one might say, for free, but they can also use your computer and steal valuable data. There is always a possibility that an attacker will not just download music or browse a social network, but will send messages of an extremist nature, some kind of spam, and other messages that will cause harm. In this case, one day you will meet police officers, since all this information was supposedly sent from you.

    So, in this article we will look at several ways to help protect your Wi-Fi network from unauthorized connections.

    Set a password and appropriate encryption type for the network

    This rule applies to all wireless networks. You must set a password and (the most recent and reliable one on at the moment, although this also has its own nuances, which I will discuss below). Should not be used WPA type, which is not only old, but also limits network speed. WEB encryption is generally the latest topic. It is quite easy to hack this type using brute force methods and more.

    Take your password just as seriously. The default minimum password length is 8 characters, but you can make it longer, for example 10-15 characters. It is advisable that the password contain not only letters or numbers, but a whole set of characters, plus special characters.

    IMPORTANT! Disable WPS

    So, WPS technology has some flaws and with this help people can easily hack your network using distribution kits on Linux based and entering the appropriate commands in the terminal. And here it doesn’t matter what kind of encryption is used, but the length and complexity of the password decides a little; the more complex it is, the longer it will take to crack. WPS can be disabled in the router settings.


    By the way, if anyone doesn’t know, WPS is needed to connect equipment to a Wi-Fi network without a password, you just press this button on the router and, for example, your smartphone connects to the network.

    Hide Wi-Fi network (SSID)

    On all types of routers or, as they are also called, routers, there is a function that allows you to, that is, when searching for a network from other devices, you will not see it, and you must enter the identifier (network name) yourself.

    In the router settings you need to find the item "Hide access point", or something similar, and then reboot the device.


    MAC Address Filtering

    Most of the newest routers, and older ones too, have functionality that limits connected devices. You can add to the list of MAC addresses those that have the rights to connect to the Wi-Fi network or limit them.

    Other clients will not be able to connect, even if they have the SSID and password from the network.



    Activate the Guest Network feature

    If your friends, acquaintances or relatives, whom you have allowed, have access to the network, there is an option to create a guest network for them, isolating the local network. As a result, you don't have to worry about losing important information.

    Organization guest access enabled in the router settings. There you check the appropriate box and enter the network name, password, set encryption, etc.

    Change the login and password to access the router admin panel

    Many who have a router (router) know that when entering its settings you need to enter a username and password, which by default is the following: admin(entered both in the login field and in the password field). Those who have connected to the network can easily go into the router settings and change something. Set a different password, preferably a complex one. This can be done in the same settings of the router, system section. Yours may be a little different.


    You should definitely remember the password, as it will not be possible to recover it, otherwise you will have to reset the settings.

    Disabling the DHCP server

    There is one interesting point, which you can do in the router settings. Find the DHCP server item there and turn it off, usually it is located in the LAN network settings.

    Thus, users who want to connect to you will have to enter the appropriate address that you specify in the router settings. Usually the IP address is: 192.168.0.1/192.168.1.1, then you can change it to any other, for example, 192.168.212.0. Please note that from your other devices you must also specify this address.


    Well, we’ve figured out how to increase the security of a Wi-Fi wireless network. Now you don’t have to worry about your network being hacked and information being lost. I think using at least a few of the methods in this article will greatly improve Wi-Fi security.

    WiFi network protection- another question that faces us after we have created a home network. The security of a wifi network is not only a guarantee against unwanted third-party connections to your Internet, but also a guarantee of the security of your computer and other network devices - after all, viruses from other people’s computers can penetrate through holes and cause a lot of trouble. Security key wifi, which is usually limited to most users, is not enough in this case. But first things first...

    First of all, to organize the protection of a wifi network, take care of the mandatory ones, for which I recommend using a WPA2/PSK wifi security key. It requires a fairly complex seven-digit password, which is very difficult to guess. But it's possible! I seriously thought about this problem when, during the next review of the devices included in the network, I discovered not one, not two, but 10 of them! Then protecting the wifi network seriously interested me, and I began to look for additional, more reliable methods and, of course, I found it. Moreover, this does not require any specific protection program - everything is done in the settings of the router and computer. Now I will share with you! Yes, demonstration of methods will be carried out on devices ASUS- modern ones have an identical interface, in particular, in the video course I did everything on the WL-520GU model.

    Protecting a wifi network - practical ways

    1. Disable SSID broadcast

    Anyone who watched my video course knows what I'm talking about. For those who don’t, I’ll explain. SSID is, speaking in Russian, the name of our network. That is, the name that you assigned to it in the settings and which is displayed when scanning routers available for connection.


    If your SSID is visible to everyone, then anyone can try to connect to it. In order for only you and your friends to know about it, you need to hide it, that is, so that it is not on this list. To do this, check the “Hide SSID” checkbox. After that, it will disappear from the search results. And you can join it in the following way:

    That's it, after this you should log into your secure wifi, although it was not visible.

    2. Filtering devices by MAC address

    It's even more reliable way protect wifi from uninvited guests. The fact is that each device has its own personal identifier, which is called a MAC address. You can allow access only to your computers by entering their ID in the settings home router.


    But first you need to find out these MACs. To do this in Windows 7, you need to go through the chain: “Start > Control Panel > Network and Internet > Control Center > Change adapter settings” and double-click on your wifi connection. Next, click on the “Details” button and look at the “Physical Address” item - this is it!

    We write it without a hyphen - only numbers and letters.
    Then go to the “Wireless Network MAC Address Filter” tab in the router’s admin panel.
    Select “Accept” from the drop-down list and add MAC addresses computers that are on your local network - I repeat, without hyphens.

    After that, save the settings and be glad that someone else’s device won’t log in!

    3. Filtering devices by IP address

    This is an even more advanced method. Here computers will be screened out not only by MAC, but also by their IP, manually assigned to each one. Modern technologies make it possible to replace the MAC, that is, having learned the number of your gadget, you can imitate it and log in, as if you had connected yourself. By default, IP is distributed to all connected devices automatically within a certain range - this happens due to the router operating in the so-called DCHP server mode. But we can disable it and set IP addresses for each manually.


    Let's see how this is done in practice. First, you need to disable the DCHP server, which distributes addresses automatically. Go to the “LAN” section and open the “DCHP Server” tab. Here we disable it (“No” in the first paragraph).

    After this, you need to configure each computer or other device. If you are using Windows 7, then go to “Control Panel> Network and Internet> Network and Sharing Center> Change adapter settings> Wireless connections(or whatever else you call it).” Double-click on it and go to “Properties > Internet Protocol Version 4 (TCP/IP)”. Here we got all the parameters automatically. Check the box “Use the following IP” and set:

    • IP is the one you assigned when setting up the router, that is, for me it is 192.168.1.3
    • Mask - 255.255.255.0
    • Gateway - router IP, that is, by default on ASUS it is 192.168.1.1

    4. Router operating time

    This method Suitable for those who work at the computer at the same certain time. The bottom line is that the router will distribute the Internet only at certain hours. For example, you come home from work at 6 pm and stay online until 10. Then we set the device to operate only from 18:00 to 22:00. It is also possible to set specific switching days. For example, if you go to the country on the weekend, you can not broadcast wifi at all on Saturday and Sunday.

    This mode is set in the “Wireless Network” section, “Professional” tab. We set the days of the week for work and hours.

    5. Prevent automatic connection to the network

    This setting is made on the computer itself and most likely it is not even wifi protection, but to protect the computer from connecting to someone else’s network, through which a virus can be caught. Click on your wireless connection in “ Network connections"(see point 3) and select "Wireless network properties" here.

    For maximum protection connection to a wifi network, it is recommended to uncheck all the boxes here in order to enter the password each time you connect. For the lazy, you can leave it at the first point - automatic connection To current network, but you cannot activate the other two, which allow the computer to independently join any other that is available for connection.

    As you can see, WiFi network protection is provided not only by WPA2 encryption - if you follow these simple tips, the security of your wireless network will be guaranteed! Very soon you will also learn how to protect your entire local network at once, and in order not to miss this article, I recommend subscribing to blog updates. If you have any questions, the comment form is at your service 😉

    If the article helped, then in gratitude I ask you to do 3 simple things:
    1. Subscribe to our YouTube channel
    2. Send a link to the publication to your wall in social network click on the button above

    The main difference between wired and wireless networks

    associated with a completely uncontrolled area between network endpoints. In a fairly wide area of ​​networks, the wireless environment is not controlled in any way. Modern wireless technologies offer

    a limited set of tools for managing the entire network deployment area. This allows attackers in close proximity to wireless structures to carry out a range of attacks that were not possible in the wired world. We will discuss the security threats unique to a wireless environment, the equipment that is used in attacks, the problems that arise when roaming from one access point to another, shelters for wireless channels, and cryptographic protection open communications.

    Eavesdropping

    The most common problem in open and unmanaged environments such as wireless networks is the possibility of anonymous attacks. Anonymous pests can intercept radio signals and decrypt transmitted data. The equipment used to eavesdrop on a network may be no more sophisticated than that used for routine access to that network. To intercept a transmission, an attacker must be close to the transmitter. Interceptions of this type are almost impossible to register, and even more difficult to prevent. The use of antennas and amplifiers gives the attacker the opportunity to be at a significant distance from the target during the interception process. Eavesdropping is carried out to collect information on a network that is subsequently intended to be attacked. The attacker's primary goal is to understand who is using the network, what information is available on it, what the capabilities of the network equipment are, at what moments it is being exploited most and least intensively, and what the territory of the network deployment is.

    All this will be useful in order to organize an attack on the network.

    Many public network protocols carry this important information, as username and password, in clear text. An eavesdropper can use the obtained data to gain access to network resources.

    Even if the transmitted information is encrypted, the attacker ends up with text that can be remembered and then decoded. Another way to eavesdrop is to connect to a wireless network. Active eavesdropping on a local wireless network is usually based on misuse of the Address Resolution Protocol (ARP).

    Initially, this technology was created to “listen” to the network. In reality, we are dealing with a MITM (man in the middle) attack at the data communication level. They can take many forms and are used to destroy the confidentiality and integrity of a communication session.

    MITM attacks are more complex than most other attacks: they require detailed information about the network. An attacker usually spoofs the identity of one of the network resources.

    When the attack victim initiates a connection, the scammer intercepts it and then terminates the connection to the desired resource, and then passes all connections to that resource through his station. In this case, the attacker can send information, change what was sent, or eavesdrop on all conversations and then decrypt them. The attacker sends unsolicited ARP responses to the target station on the local network, which forwards all traffic passing through it to him. The attacker will then send packets to the specified recipients. In this way, a wireless station can intercept traffic from another wireless client (or a wired client on the local network).

    Read more: