Wireless Access Points Tutorial

6.1 Securing WAPs pt. 1

[SOUND] Let's take this opportunity to talk about securing wireless access points. Now, we're going to talk about this subject over the next few sessions, because there are several aspects to securing WAPs. First of all, we have hardening the access point itself. This is where we basically go in and configure the different configuration aspects of the box to make sure that it's secure, that its operating system is secure, it's updated and patched. It has a good password and so forth. We also want to secure the traffic that flows through it. It basically is connection device like a router or switch or even firewall and it has all of those functions to it As a matter of fact, most WAPs, even the ones you find in your home, have rudimentary firewall and switch functions. Well also want to secure the clients that connect to it. And we can do this in various ways. Now Now all of the things we're going to talk about interconnect into each other. But we're going to break them out a little bit in terms of what we're discussing. Whether it has to do with hardening the box, securing the traffic, or securing the clients that connect to it. Now securing the ap itself involves a few things .Basically we get it brand new we get it out of the box and it's configured through its factory defaults and we don't want that. We want to change a few things up Obviously, we want to change its IP address because it comes with a default range of IP addresses, just like all access points do. We may want to change that. The SSID, obviously we want to change. We don't want to keep the default. We want to change its host name, its password, and several other configuration aspects. These could be usernames that are used to log in to the box and also more importantly, user access to the box and by that, I mean admin rights. People who can get into the box and configure it. We also want to configure how they get into the box and by this, I'm talking about remote administration. A lot of access points are configured to allow anyone to configure them from any machine using unsecure protocols that's what we don't want, so we want to change these default configurations. Now, typically, Typically when you take your wireless access point out of the box, it's not going to be configured. It's not going to have a wireless access point configured properly. So you don't want to just turn it on and have it broadcast out and connect to it via wireless. SImply because you are connecting to it, you're changing passwords and security settings. And you don't want that sent in the clear over wireless network. So you almost always want to connect to the wireless access point through a wired connection an internet cable. So typically you'll take your laptop to wherever this wireless access point is, plug it up, plug an internet cable to your laptop get an address and start configurating. And that's what we're going to do over the next few sessions. We're going to configure a wireless access point that's been blanked, that has no configuration on it, assuming it's right out of the box. And we're going to connect to it through an Ethernet connection, a wired connection, and configure it. Now the Linksys box that we're going to be connecting into Is not an older box it's one that you might typically find in the so ho environment. And is inbox and you'll find it in routers typically have more configuration options that the typical B or G box will. And this is a typical one of the mill type of wireless access point. Now Linksys is very popular it's used both in home and the small business and even the larger business environment. But you'll find that most of the boxes that you configure, whether it's Linksys, D-Link, or whatever, have very similar configuration settings. So it's not to say that if you can configure one, you can configure all of them. But they have similar settings so you can figure them out. And we're just going to go through some of these configuration settings so you can see how it works. So let's go ahead and take a look at configuring a LINKSYS wireless access point.

6.2 Securing WAPs pt. 2

Now we're gong to actually look at securing a wireless access point. We're going to look again at securing a Linksys wireless access point, which is fairly common in SOHO environments. So let's go ahead and And take a look at it. Now you'll find that most wireless access points have default configuration settings built in such as an IP address, it usually comes with a default with something like or 100.1, it depends on the brand. They'll also each come with a preconfigured username and password. And unfortunately, that's the part you gotta change, because everybody knows what they are. For example, on a Linksys box, it's admin and admin. Not very secure. So, we're going to connect to this, and the first thing we're going to do Is configure a few things like IP address and host name and so forth. Typically, you'll have a basic setup page, such as this one. So, we're going to change the host name to VTC-1, and we're going to look at the domain name. We can call that VTC if we like. You don't always have to configure some of these. We also can look at the ip address. Now i like to change the ip addresses on bos simply because you don't want to go with the defaults. You could change it to something like 172 dot 16, Which is the private address space. And maybe change it to like 20.1 if you like. And you can keep the subnet mask if you like. You can change the URL address to configure it. You can also enable or disable the DAPC server. Now if your going to have clients attached to it, obviously you want to keep the DAPC server going. Otherwise you have to manual configure these IP addresses. And you'll find that the DHCP scope is largely based on what your IP address is that you assigned for the box. So you could change your DHCP address to whatever the range is you've changed it to. It actually is typically should automatically pick that up. You should also change the Time zones if you like so it will pick up updates and so forth. So, you can save your settings obviously. And it's going to take a couple of seconds. And you may actually find where you have to go back and type a new address. And we probably are going to have to authenticate back into the box as well. There we go. And actually, what probably happened, you have to be careful of this. Our laptop already had a particular IP address so when I changed it, it had to go back and get another IP address from the DHCP server which it did. So we can look now and say that our DHCP [INAUDIBLE] address is also changed. So we have a new DHCP scope. Now some other things we probably need to look at, we can change the host name and so forth but let's go to administration, we want to make sure that we change the administration on the box. One of the things we want to do initially is change the password, so I'm going to change it to something different. And your going to want to change that very quickly. Simply because this a default password that is preconfigured on here, and you don't want that to stay on there. Now, you can also change whether or not the box. Actually is able to be configured with HTTP or HTTPS. Obviously, it's more secure to go with HTTPS if you want to. And you can turn this off as well. Let's leave these settings where they're at for now. We can also actually change it so you can't administer the box Over HTTP if you don't want to, you can disable remote management. You can keep the box from remotely upgrading itself, in terms of firmware. You can also make sure that any box that configures the wireless router has a certain IP address. There are various other configuration settings you can make here. But definitely the password is one thing you want to change. As well as the user account. Now you can go back into setup, and take a look at your settings. We've got the automatic configuration, we've got a new IP address and so forth. So we've changed the very basics of the setup for the wireless access point. And this is pretty good in that we changed the password and so forth. Now there are other things we can look at too and we're going to look at those over the next few sessions. We're not going to spend all of one session doing everything. So in our next section we'll look at securing the traffic through the box.

6.3 Securing WAP Traffic pt. 1

In addition to hardening the wireless access point, we also want to secure the traffic that goes through it. Now this means setting up the security options and really it means setting up the wireless part of it, the WPA, the WPA 2, whatever. The different encryption authentication mechanisms that the access point will use to secure it's traffic. There's also an option we'll look at that uses something called wi-fi protected set up. and this is something that the wi-fi alliance came up with to make it easier for non-technical users to set up their wireless access points and still to make them secure. So we'll take a look at how this works as well. So let's go ahead and take a look at securing the access point traffic. On the wireless tab, there's several different things we can look at. We have basic wireless settings, wireless security, the wireless MAC filter, which we'll take a look at a little bit later, and advanced wireless settings. Now the first thing we see is Wi-Fi Protected Setup. And we can do two things. We can do it manually- which we'll take a look at- or we can use Wi-Fi Protected Setup. And Wi-Fi Protected Setup essentially gives us the option of pushing the button on the box and then setting up a client similarly. We can push the button on the box and it gives us the information we need to set up the client. Or we can have a client device that has WiFi protected setup engaged on it. We can essentially take that box, and if it's set up properly, we can take the PIN from it and set it up on the wireless access point. Now also we can take the wireless access point's own pin, which is right here, and set that up on the box, on the client if it allows it, if it permits this type of setup. Now that's WiFi protected setup. And that's an automated thing, again. You really should consult the directions with each wireless access point that you purchase and see how they Implement Wi-Fi Protected Setup. Now, as far as a manual set up here there's different things we can do. We can change our network mode. This has to do with security especially backwards compatibility. We can change to BG Mixed, Wireless-G only, Wireless-B only or Wireless-N only. Typically, in a mixed environment when you have N and G and B clients, obviously it's going to be NBG mixed, but if you know you're only going to have wireless G or wireless N, set it there. As far as a network name, we really don't want Default SSID. We don't want to keep Linksys, or whatever the name of your wireless access point is, in there. Now as far as channel width, if you're using B or G, 20 MHz is fine. If you're using N, you can go with 20 or 40 MHz, because wireless N Has a water channel width We can also change the channel here and you might do that for interference reasons if there are other wireless access points around that are operating on the same channel or adjacent channel. That can cause interference. But some people do it actually as a form of security through obscurity thinking that if they change the channel it's harder to pick up the wireless access point and it can be for inexperienced hackers but an experience one knows how to find that by scanning all channels. We can also disable SSID Broadcast if we want to. And if we disable it, obviously that makes it a little bit harder for clients to connect. But it doesn't do a lot for security force it can keep an uninform not techincal hacker out but not and informed one out very long. Now let's look at the wireless security portion, we have obviously the security modes here that we'd discussed WEP, WPA2, WPA, WPA Enterprise Let's take a quick look at each one of them. If we look at WEP, we know that we can have a key length in here of 40 or 64 bit key, which is ten hex digits or 104/128 bit key, which is 26 hex digits. Now obviously putting ten hex digits in there is Not easily for someone who is nontechnical to do. So you would typically put in a passphrase here. And that passphrase would be converted to Hex for you. Let's say we put in something called VTC111 and then we generate that key. We're going to get the first key right there and that's our webkey basically and that's what we'd use. On the different boxes to configure it to attach the wireless router. Now let's look at WPA. We have WPA and WPA2 personal, and obviously the big differences are going to be something like whether it uses AES or TKIP. Now that we're looking at WPA2 personal, we have an encryption method of Tkit or AES so can use either one, or we can just go with AES since we know all of our clients can support it. And this is really going to be hardware based as to whether they can support AES or not. Here we can also out a passphrase in there. And we can make it anywhere from 8 to 63 characters. You can say, vtc training is great And that would generate our key. Now we actually don't see her key because it's generated by a pending the IV along with it in WPA2. So that's how to configure WPA and WEP and basically configuring any of the other ones that's not difficult as all either Let's look at WPA2 Enterprise for example, we still have the option of going with TKTP or AES but here we also put a ready on server in here and that's an IP address that we can go to that the box can go to, to authenticate this properly. Now, we can use a shared secret in here. To connect to the enterprise level server but it's typically going to be used in order to exchange keys. That's really what a shared secret is going to do, is be used to exchange keys. Now there are other options as well We have just a radius option here, where we basically put the IP address in, a shared secret and we can go ahead and use a particular type of encryption and a pass phrase. So theres different wireless security options here that we can use. Now the ones you want to use are the ones that your network is using, if you are using if you're using an enterprise level type of security then obviously WPA or WPA enterprise is what you want but you need a centralized authentication server for that if you are using a small or Business type of environment then you want to use obviously, WPA or WPA 2 personal. And that's basically how you configure the wireless security portion of the wireless access point.

6.4 Securing WAP Traffic pt. 2

In addition to configuring the wireless portion of the access point, we need to secure to secure the access point traffic by configuring various options such as the firewall, filtering and the application restriction settings. Now we can do this obviously Through the configuration settings of the wireless access point. Let's go ahead and take a look at that now. We're looking at the configuration page on the Linksys wireless access point. And we're looking at the Security tab. Now again, most wireless access points have these configuration settings. They just may look a little bit differently, or be in different places. But you'll be able to navigate your way through them, regardless of the brand, typically. Now, for this setting, we're looking at the firewall setting, which really doesn't give you a lot. We can turn the firewall on and off, And it really only gives us the options to filter anonymous send network requests would just turn on by default to filter multicast in other words not receive a multicast broadcast. And the filter internet net redirection or to filter ident port 113. And that's typically an older attack that we don't see much anymore but it's turned on by default for a reason. There are some attack out there that can take advantage of that port. You can also turn off things like proxying, Web Java, ActiveX and cookies. I don't recommend that you turn them on. Its better to configure those things in the browser of the host typically because if we turn them off or on here, you turn them on or off for everyone. So there's not much of a firewall configuration setting on this page. If you look at the VPN pass through, this would allow you to have a VPN that goes through your wireless router into your network and you have to be careful how this is setup. Obviously you want to use secure VPN software client End server software. But if you are doing that, all this does is let that pass through, let those protocols pass through, whether it's IPSec or PPTP or even L2TP. If you don't use VPNs at all, you should probably turn those off. Now let's look at the access restrictions portion of this. Now, this is what we're typically used to seeing for a real firewall, where you can have access policies. And on this particular router, we can configure several access policies. Most likely, we can configure about 10 of them. And we can enter the policy name, and it can be used for a wide variety of reasons. We can enable, or disable the policy, depending upon if we want to test it or not. Now, we can also edit a list of PC's, or hosts, that this applies to. We can deny or allow internet access, and we can do this during certain days of the week and at certain times. We can also deny certain URLs, up to four of them per policy. And we can block certain keywords. And if you want to block certain things that have to do with hacking or pornography Or file sharing or something of that nature, you could use this particular setup here to block those things. But understand it's very limited to just a few things per policy. You can also block certain applications. If you scroll through the list here, you can see several typical ones. Or you can go ahead and create your own if you like. Now you can only do this on each policy only a few of them. But you can create up to 10 policies. So you may want to create several policies that get your network the way you want it. Rather that use this functionality however A lot of larger businesses and larger tops of organizations use a regular firewall for this type of filtering so you may not see this actually engaged expect maybe in a small business or in a home office type of environment. You may see a larger firewall that does a much better job of this and is more robust than setup in wireless router. Now if we look at the applications in gaming. This is so you can actually port forwarding. A lot of games require port forwarding, and some applications do as well. And what you would do is you would set up the application, and there are some preconfigured ones for you. What external port you want to listen to it for, and what internal it goes to, what protocol it is. And what IP address you want to send it. This is basically so that you can send, for example, email to an email server or web traffic to a web server and not have it go to any other host on the network. And you can configure your own individual rules as well. So you can also have TCP or UDP set up. By port or by protocol. And you can enable or disable these as you need. Now that single port forwarding, you can set up an entire range to do this as well. So you set up the range starting in ports because some applications use a range of ports instead of just one port. So you can't nail it down to one particular port. You can also use port range triggering And it basically doe's the same thing. There's a triggered range and a forded range and you can turn this off or on and you can make it by application as well. The dmz part of this also affects security Because you can turn it on or off and put any source address inside this particular field here. And what this does, if there's a particular host that you want to be in the DMZ such as a web server for example. It will be in the DMZ and will not be subject to the firewall's rules. That can be a security risk. But if you need it, it's there. So those are the different ways we can restrict traffic within this access point. And basically we see this across other access points as well. Now this is very simplified. This is not as robust as you might find on a full enterprise level firewall. But it is there if you need it for a Soho type of environment. So you can restrict traffic, you can restrict access. You can turn the firewall on and off and so forth. So that's how you can also secure traffic on the wireless access point.

6.5 Securing Client Access

[SOUND] We've already looked at securing the traffic that goes through the wireless access point. And we've looked at hardening the configuration of the wireless access point to protect it. Securing client access is the next thing we'll look at Now we've already looked at most of the things we can do to a wireless access point To secure it. Now there's a few things as well we can look at and all of these help configure client access for security as well. A couple things we can also look at include MAC filtering and we've also already looked at DHCP ranges, but we'll talk about that again as well. Let's go ahead and take a look at our wireless access point again. Now, we're looking at the wireless configuration tab of our Linksys wireless access point, and we see that we're on the wireless MAC filter portion of that Tab. Now here we can disable or enable MAC address filtering. Now disabling it turns it completely off and we're not filtering at all by MAC address. Turning it on however allows us to do a couple of things. Now again, go back to our discussion on MAC. MAC means the hardware address. The actual network card that is in the host. Whether it is a wireless card. Or even a wired card. Now with wireless MAC filter, we're actually more concerned with the wireless clients, because most typical wireless access points, only have about four or five ethernet wireless Wired connections to them or typically, not concerned about those. So, you only see wireless clients in this list, now what you can do, is you can populate this manually or you can go to your wireless client list and enter any wireless client associated with it, then, you can actually grab those from there and populate that list with it. Now, there's two ways you can do this. If you enable it, you can prevent the PCs or hosts that you've put in here from accessing the wireless network, at all. Now, that's pretty much a default allow perspective. And the reason it's default allow is, you're allowing everybody who can connect to it, who has the right credentials to do so except for these particular machine. These maybe people, your neighbors down the street, a particular guest that comes into your business that you do not want to connect to this network at all. So it's by exception. That they are not allowed to connect. Now the other way to this is default deny type of action. And that only allows certain host to connect to the wireless network. So you're default denying except for a few hosts. So obviously you'd need their MAC addresses and you'd populate this table with their MAC addresses and only those few hosts would be allowed to connect. No one else will be allowed to. Now this seems like a very secure setup, and actually it did its job for a number of years. But as people realized that it's very easy to spoof a MAC address even with a wireless network, then it became somewhat less effective as a security measure. So it's not something you should necessarily do and rely on solely, but you can enable this just to add an extra added layer of security to your network. By itself it's not extremely effective but it can help. You can at least monitor what MAC addresses are connected to the network and you can turn one of them off or add one of them if you need to. But again, a determined hacker can spoof their MAC address. And they can actually get into your network if that's the only thing stopping them so obviously don't let that be your only security measure. So that's mac address filtering. The other thing we discussed, let's go back to setup, and we looked at DHCP scope Now obviously when we changed the IP address of the wireless access point, we also changed the DHCP scope as well because it's dependent upon the wireless access points IP address. Now the reason we want to look at this is because We may want to change this from the defaults and obviously once we've changed the IP address, we also change the default DHCP scope as well. We change this because we don't want hackers to have any pre-knowledge about our network because we're using the defaults And know what our IP address range is. So we kind of disguise that by changing that. We can also use DHCP reservations to assign certain hosts certain IP address so that they always have that when they get to this wireless access point. Now it's not really a security measure per se. And it is kind of security through obscurity. But every little bit helps so definitely change your DHCP code, change your IP address and assign reservations to important clients that you always want to have the same address. So that's essentially how you would configure a wireless client in terms of MAC address filtering in DHCP.

6.6 AP Physical Security

Now, one aspect of wireless security that we don't often look at is physical security, simply because wireless is not bound by the same physical constraints that wired networks are. However, physical security is still important, especially if when we're talking about wireless access points. There are still considerations present that we have to look at To secure these WAPs. Now the goal of securing WAPs physically is obviously to prevent access, but also to prevent unnecessarily transmitting wireless signals all over the place so they can be easily intercepted. So that's where physical security can help us out Now, as far as physical security goes, for an AP, we want to follow the same physical access guidelines that we use for other wired network devices, things like hubs, switches, routers, firewalls, and so forth. So, obviously, common sense should prevail here. We want to keep these in a locked area with limited access. We don't want just any one to be able to come in and touch these devices because in the mind of a penetration tester, if you can get physical access to the device, you own the device. So we want to keep those devices away from the general population. We also want to make sure that access is controlled by possibly having a sign in log. Or limited access to the combination to the com clause or whatever. Now, in addition to those typical physical security guidelines that we should probably follow for wired devices, there's also some for wireless access points, that we typically want to look at as well. First of all, we don't want to place them near external walls, or windows, or the roof. And that's simply because if they're closer to the outside walls, the external walls, regardless of whether they're made out of rebar, concrete or wood or whatever, they can bleed signals out into the parking lot. So someone could potentially just drive up into our parking lot and eavesdrop on our wireless networks, or at least try to. So we don't when them near walls, windows or even near the roof. What we want to do is locate the APs to the center of the building if we possibly can. A centralized calm closet, wiring closet, whatever. That way, the radiation from the wireless access point, the signal in other words Will be distributed even across the building. Now, in addition to that, we also want to limit our power output. Now on a lot of devices you can't regulate the power output, they come pre-configured. On some devices you actually have to make a firmware change, to be able to change the power output on device but in the end a lot of them don't allow you to change the power settings. And also keep in mind that power settings can be regulated by the area you live in. Either by country or by state or even by local municipality. So you may not want to play with the power settings until you know that you're legally allowed to. Or that you can play with them because the device allows it. How you would basically determine if your power is too low or too high is you would perform a site survey. And a site survey basically would be a little bit of trial and error. You'd take a wireless device and walk outside the perimeter of the facility seeing if you could pick up that particular wireless signal. And if you can, then you want to go in and reduce the power a little bit. And you'll play with these power settings until you can basically walk up to an external wall outside the facility and not get much of a signal. Now, understand you may get some signal. You may get some bleedover. But the closer you can keep that inside the facility, the better. It's better to have someone have to risk security by coming up to the edge of the building where they probably don't want to due to guards or floodlights or whatever than have them be able to sit out on the road or the edge of a big parking lot and be able to intercept your signal. So do a site survey, and that will help you determine your power output. In addition to security There's also some other things you want to look at for wireless access points and these actually do affect security to a degree. One of them is keeping the wireless access point away from potential interference source. A lot of things especially in the 2.4 gigahertz range for BGNN are active within the organization things like microwave ovens, wireless handsets. And so forth. A lot of this electrical equipment can also generate interference and noise and that can degrade your signal. And that affects the availability portion of the CIA triad. That can keep your legitimate users from accessing the wireless network. So, it is, potentially, from a security perspective, but it's also, really, from an availability perspective. That you want to do this. This can help keep you from jamming yourself in a sense. You also want to protect any cables that go to wired networks. A lot of access points actually connect to wired networks so that they can access further resources within the network or even go on to the internet. Those uplink cables are security risks because if the wireless access point is not protected And someone can get to the facility, can get to the access point. They can unplug that cable and get access to wired network. So they are not really even breaking your access to do it. They're breaking into the wired network from the wireless access point. So these are just some physical security things you need to keep in mind with wireless access points.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Phone Number*
Job Title*