Appendix B: Wireless Security
Security Precautions
Wireless-G Cable Gateway
Appendix B: Wireless Security
Linksys wants to make wireless networking as safe and easy for you as possible. The current generation of
Linksys products provides several network security features, but they require specific action on your part for
implementation. So, keep the following in mind whenever you are setting up or using your wireless network.
Security Precautions
The following is a complete list of security precautions to take (at least steps 1 through 5 should be followed):
1. Change the default SSID.
2. Disable SSID Broadcast.
3. Change the default password for the Administrator account.
4. Enable MAC Address Filtering.
5. Change the SSID periodically.
6. Use the highest encryption algorithm possible. Use WPA if it is available. Please note that this may reduce your network performance.
7. Change the encryption keys periodically.
For information on implementing these security features, refer to “Chapter 5: Configuring the Wireless-G Cable
Gateway.”
Security Threats Facing Wireless Networks
Wireless networks are easy to find. Hackers know that in order to join a wireless network, wireless networking
products first listen for “beacon messages”. These messages can be easily decrypted and contain much of the
network’s information, such as the network’s SSID (Service Set Identifier). Here are the steps you can take:
Change the administrator’s password regularly. With every wireless networking device you use, keep in mind
that network settings (SSID, WEP keys, etc.) are stored in its firmware. Your network administrator is the only
person who can change network settings. If a hacker gets a hold of the administrator’s password, he, too, can
change those settings. So, make it harder for a hacker to get that information. Change the administrator’s
password regularly.
SSID. There are several things to keep in mind about the SSID:
1. Disable Broadcast
2. Make it unique
3. Change it often
Most wireless networking devices will give you the option of broadcasting the SSID. While this option may be
more convenient, it allows anyone to log into your wireless network. This includes hackers. So, don’t broadcast
the SSID.
Wireless networking products come with a default SSID set by the factory. (The Linksys default SSID is “linksys”.)
Hackers know these defaults and can check these against your network. Change your SSID to something unique
and not something related to your company or the networking products you use.
Change your SSID regularly so that any hackers who have gained access to your wireless network will have to
start from the beginning in trying to break in.
MAC Addresses. Enable MAC Address filtering. MAC Address filtering will allow you to provide access to only
those wireless nodes with certain MAC Addresses. This makes it harder for a hacker to access your network with
a random MAC Address.
WEP Encryption. Wired Equivalent Privacy (WEP) is often looked upon as a cure-all for wireless security
concerns. This is overstating WEP’s ability. Again, this can only provide enough security to make a hacker’s job
more difficult.
There are several ways that WEP can be maximized:
1. Use the highest level of encryption possible
2. Use “Shared Key” authentication
3. Change your WEP key regularly
WPA. Wi-Fi Protected Access (WPA) is the newest and best available standard in Wi-Fi security. Five modes are
available: WPA-Personal, WPA2-Personal, WPA-Enterprise, WPA2-Enterprise, and RADIUS. WPA-Personal gives
you a choice of two encryption methods: TKIP (Temporal Key Integrity Protocol), which utilizes a stronger
encryption method and incorporates Message Integrity Code (MIC) to provide protection against hackers, and AES
(Advanced Encryption Standard), which utilizes a symmetric 128-Bit block data encryption. WPA2-Personal only
uses AES encryption, which is stronger than TKIP. WPA-Enterprise offers two encryption methods, TKIP and AES,
with dynamic encryption keys, while WPA2-Enterprise only uses AES encryption. RADIUS (Remote Authentication
Dial-In User Service) utilizes a RADIUS server for authentication.
WPA-Personal. If you do not have a RADIUS server, select the type of algorithm you want to use, TKIP or AES,
and enter a password in the Passphrase field of 8-63 characters.
WPA2-Personal. Enter a password in the Passphrase field of 8-63 characters.
WPA-Enterprise. WPA used in coordination with a RADIUS server. (This should only be used when a RADIUS
server is connected to the Router or other device.) WPA-Enterprise offers two encryption methods, TKIP and
AES, with dynamic encryption keys. Enter the RADIUS server’s IP Address and port number, along with a key
shared between the device and the server. Last, enter a Group Key Renewal period, which instructs the device
how often it should change the encryption keys.
WPA2-Enterprise. WPA2 used in coordination with a RADIUS server. (This should only be used when a
RADIUS server is connected to the Router or other device.) WPA-Enterprise offers two encryption methods,
AES and TKIP + AES, with dynamic encryption keys. Enter the RADIUS server’s IP Address and port number,
along with a key shared between the device and the server. Last, enter a Group Key Renewal period, which
instructs the device how often it should change the encryption keys.
RADIUS. WEP used in coordination with a RADIUS server. (This should only be used when a RADIUS server is
connected to the Router or other device.) First, enter the RADIUS server’s IP Address and port number, along
with a key shared between the device and the server. Then, select a WEP key and a level of WEP encryption,
and either generate a WEP key through the Passphrase or enter the WEP key manually.
Implementing encryption may have a negative impact on your network’s performance, but if you are transmitting
sensitive data over your network, encryption should be used.
These security recommendations should help keep your mind at ease while you are enjoying the most flexible
and convenient technology Linksys has to offer.
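An added example, not part of the Linksys manual: in WPA-Personal and WPA2-Personal the 256-bit pre-shared key is derived from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations) using the SSID as the salt, which is why the SSID and passphrase advice in this appendix reinforce each other. The function names, the replacement SSID, the sample passphrase and the 12-character review threshold are assumptions made for illustration.

```python
import hashlib

# Constructed sample values for illustration only.
FACTORY_SSID = "linksys"          # default SSID named in this appendix
UNIQUE_SSID = "quiet-heron-4471"  # hypothetical replacement SSID


def check_passphrase(passphrase: str) -> None:
    """Enforce the 8-63 character passphrase rule (printable ASCII)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def check_ssid(ssid: str) -> bytes:
    """An SSID is 1-32 octets; return it encoded for use as the salt."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return raw


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    check_passphrase(passphrase)
    salt = check_ssid(ssid)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit(passphrase: str, ssid: str, known_defaults=(FACTORY_SSID,)) -> list:
    """Return configuration findings a reviewer would flag."""
    findings = []
    if ssid.lower() in known_defaults:
        findings.append("SSID is a factory default: salt is predictable")
    if len(passphrase) < 12:  # threshold is an assumption, not from the manual
        findings.append("passphrase is near the 8-character minimum")
    return findings


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed passphrase
    for ssid in (FACTORY_SSID, UNIQUE_SSID):
        print(ssid, derive_psk(pw, ssid).hex(), audit(pw, ssid))
```

The same passphrase yields a different key under each SSID, so a key derived for a factory-default SSID is shared by every network that kept that default and that passphrase.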
Appendix C: Finding the MAC Address and IP Address for Your Ethernet Adapter
This section describes how to find the MAC address for your computer’s Ethernet adapter so you can use the MAC
filtering feature of the Gateway. You can also find the IP address of your computer’s Ethernet adapter. This IP
address is used for the Gateway’s filtering, forwarding, and/or DMZ features. Follow the steps in this appendix to
find the adapter’s MAC or IP address in Windows 98, Me, 2000, or XP.
Windows 98 or Me Instructions
1. Click Start and Run. In the Open field, enter winipcfg. Then press the Enter key or the OK button.
2. When the IP Configuration screen appears, select the Ethernet adapter you have connected to the Gateway via a CAT 5 Ethernet network cable. See Figure E-1.
3. Write down the Adapter Address as shown on your computer screen (see Figure E-2). This is the MAC address for your Ethernet adapter and is shown in hexadecimal as a series of numbers and letters.
The MAC address/Adapter Address is what you will use for MAC filtering. The example in Figure D-2 shows
the Ethernet adapter’s MAC address as 00-00-00-00-00-00. Your computer will show something different.
The example in Figure E-3 shows the Ethernet adapter’s IP address as 192.168.1.100. Your computer may
show something different.
Figure C-1: IP Configuration Screen
Figure C-2: MAC Address/Adapter Address
NOTE: The MAC address is also called the Adapter Address.
Windows 2000 or XP Instructions
1. Click Start and Run. In the Open field, enter cmd. Press the Enter key or click the OK button.
2. At the command prompt, enter ipconfig /all. Then press the Enter key.
3. Write down the Physical Address as shown on your computer screen (Figure D-3); it is the MAC address for your Ethernet adapter. This appears as a series of numbers and letters.
The MAC address/Physical Address is what you will use for MAC filtering. The example in Figure D-3 shows
the Ethernet adapter’s MAC address as 00-00-00-00-00-00. Your computer will show something different.
The example in Figure E-3 shows the Ethernet adapter’s IP address as 192.168.1.100. Your computer may
show something different.
Figure C-3: MAC Address/Physical Address
NOTE: The MAC address is also called the Physical Address.
