Are Wireless Networks Secure?
Unfortunately, no computer network is truly secure. It's always theoretically possible for eavesdroppers to view or "snoop" the traffic on any network, and it's often possible to add or "inject" unwelcome traffic. However, some networks are built and managed much more securely than others. For wired and wireless networks alike, the real question becomes: is it secure enough?
You can greatly reduce the security risks associated with running a wireless network by following the general rules below. Most of these settings are found in the wireless router's web-based administration interface, accessible by typing the router IP address in your web browser. For default IP addresses of common routers, refer to our networking hardware database.
1. Change the default password - many routers/WAPs are accessible to any wireless client in the vicinity, so change the default password! In addition, you should disable administration from the Internet.
2. Enable WPA/WPA2 encryption - it encrypts data packets on the WLAN. Note that WEP has many flaws that allow a dedicated attacker to break it using only 20-40k packets of data; it will only fence your network from the casual sniffer who doesn't have a couple of hours to dedicate to breaking in. WPA/WPA2 (WiFi Protected Access) with a strong password is a much more secure option, if supported by your router. Although it is more secure, there are some DDoS attacks with malformed packets that can render your WPA router/access point inaccessible. A weak password with WPA/WPA2-PSK is also prone to dictionary brute force attacks.
3. Change the SSID to something unique in the AP/router, and turn off its broadcasting. SSID broadcasting advertises your WLAN to everyone within range. The disadvantage of turning it off is that wireless clients may not be able to find your access point, so you may have to configure them manually by typing the SSID and key. Even if you decide to leave SSID broadcast enabled, it is important to change the SSID to something unique that does not give away the brand/model of the access point. Note that hiding the SSID only slightly delays possible attacks, as sniffing tools like Kismet and airodump-ng can still find it, often within minutes.
4. MAC address filtering - some access points can restrict connections to a list of trusted MAC addresses. Every network device has a supposedly unique MAC address, and the idea is to authorize only listed devices to connect to the WLAN. The disadvantages of this feature are that you have to manually add authorized MAC addresses for all clients, and that an intruder can still sniff those authorized MAC addresses (sent in clear text over the network) and easily fake their own MAC address. Only use this feature if feasible, considering the drawbacks above.
5. Only provide coverage for the areas that need access - lowering the transmit level on commercial-class equipment and using directional antennas where needed reduce the coverage area and the range from which an attacker can penetrate your network.
6. SNMP community words - many access points have SNMP agents running. If the community word is left at the default (usually "public"), an intruder can read and potentially write sensitive information and data on the device. This applies to any device that has SNMP agents enabled.
By far the most important steps are the first two: using modern WPA/WPA2 AES encryption if possible, changing your default router password, and disabling internet access to its management.
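
The checklist above can be run as a quick self-audit of your own router's settings. The following is an added example, not part of the original article: the setting names, the sample configurations, the lists of default values and the 14-character passphrase threshold are all assumptions made for illustration, and the settings must be copied by hand from your router's administration pages.

```python
import re

# Added example: every setting name and sample value below is hypothetical.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123"}
VENDOR_SSID = re.compile(r"^(linksys|netgear|d-?link|tp-?link|belkin|default)", re.I)
MIN_PSK_LEN = 14  # assumed policy threshold; the protocol minimum is 8


def weak_passphrase(psk):
    """True if the PSK is short, common, or drawn from one character class."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, psk)) for p in patterns)
    return psk.lower() in COMMON_PASSPHRASES or len(psk) < MIN_PSK_LEN or classes < 2


def audit(cfg):
    """Return (rule_number, finding) tuples for a router settings dict."""
    out = []
    if cfg.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        out.append((1, "admin password is a factory default"))
    if cfg.get("remote_admin", False):
        out.append((1, "administration from the Internet is enabled"))
    enc = cfg.get("encryption", "none").lower()
    if enc in ("none", "wep"):
        out.append((2, f"encryption is '{enc}'; switch to WPA/WPA2"))
    elif weak_passphrase(cfg.get("passphrase", "")):
        out.append((2, "WPA/WPA2 passphrase is weak against dictionary attacks"))
    if VENDOR_SSID.match(cfg.get("ssid", "")):
        out.append((3, "SSID reveals the brand/model or is a default"))
    if cfg.get("snmp_enabled", False) and \
            cfg.get("snmp_community", "public").lower() in DEFAULT_SNMP_COMMUNITIES:
        out.append((6, "SNMP community word is a default"))
    return out


# Constructed inputs: a router as unboxed, and the same router after hardening.
FACTORY = {"admin_password": "admin", "remote_admin": True, "encryption": "WEP",
           "ssid": "linksys", "snmp_enabled": True, "snmp_community": "public"}
HARDENED = {"admin_password": "t7#Vq-long-unique", "remote_admin": False,
            "encryption": "WPA2", "passphrase": "maple Ferry 42 obelisk!",
            "ssid": "blue-heron-17", "snmp_enabled": False}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name)
        for rule, finding in audit(cfg) or [(0, "no findings")]:
            print(f"  rule {rule}: {finding}")
```

Rules 4 and 5 are left out of the audit because MAC filtering and transmit power are judgment calls that depend on your site rather than settings with a clearly wrong value.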