Wi-Fi Gateway – Waving or Drowning

Recently, there has been a shift in how people choose to connect to the Internet. Previously, when a PC or a laptop was the favored device for web browsing, the faster, more robust Ethernet cable was preferred to the unpredictable Wi-Fi connection. However, with the proliferation of Internet-capable smartphones and tablets, there has been a growing trend towards Wi-Fi enabled routers in the home. For early adopters a Wi-Fi internet gateway seemed a quick and easy solution. However, as more and more Wi-Fi routers are installed, radio channel interference and unsecured access points have become a security problem.


Internet Service Providers and Telecom Operators that supplied the consumer market were slow to react and upgrade their fixed ADSL modems or customer terminal equipment, resulting in a spree of DIY Wi-Fi Gateway installations. The problem, of course, is that manufacturers go to great lengths to make their products simple to install and to work out of the box. However, the quickest, cleanest way to get a Wi-Fi router to work out of the box is to ship it with the minimum Wi-Fi security configured, and this has become the start of most wireless security issues. Today, many Wi-Fi gateway routers have little or no security configured, and often the owners are aware of it but do not know how to secure them. It takes only a brief glance at the security options screen to make even the most paranoid user decide to leave the current settings as they are.

So what are these seemingly indecipherable security options?

[Image: Wi-Fi security options screen]

Well, that is as clear as mud. The first default option is to disable security – no wonder it remains that way.

The other security options are:

  • WEP
  • WPA/WPA2
  • WPA-PSK/WPA-PSK2

WEP

Wired Equivalent Privacy (WEP) is an encryption method for securing transmitted data. WEP uses the concept of passphrases, which means that there is no need to enter long strings of characters. Instead, a text passphrase is used, similar to a long password, which WEP then transforms into an encryption key. With 128-bit encryption there are four keys required, so there are four passphrases, which must be configured identically on all devices that wish to connect to the access point.

WEP has three configuration options:

  • Off – if WEP is disabled, then there is no encryption and anyone can capture the data or connect to the access point and the Internet connection.
  • 64-bit (weak security) – every device must be configured to support 64-bit WEP or it will not be able to connect. WEP is an old security protocol, which is easily broken with today’s powerful computers.
  • 128-bit (slightly better security) – this is a bit better, and the encryption will take slightly longer to crack, but it comes with a higher overhead when transmitting the additional data. If you are concerned about performance, use the 64-bit version. If security is the goal, then seriously consider using WPA.

WPA

Wi-Fi Protected Access (WPA)

WPA was developed in response to the weakness in WEP and so is an improvement on the encryption and authentication features of WEP. WPA uses either of two security technologies: Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES). There is also an enterprise version, which requires a RADIUS server; this is a small-to-medium business (SMB) solution.

WPA-PSK

WPA-PSK is a light version that uses a pre-shared key instead of a RADIUS server. The encryption key can be anywhere between 8 and 64 ASCII characters. This is a secure, robust compromise, which is certainly up to the demands of small office/home office (SOHO) network security.

 

NAT (Network Address Translation)

A Wi-Fi Gateway requires a public IP address configured on its external, Internet-facing interface. The service provider issues this public IP address out of its registered block of addresses. On the inside of the network, DHCP assigns the host devices local private addresses that are meaningless outside the private network. When a local device wants to access the Internet, NAT lets it share the gateway's public address. Keeping all of the hosts in the private network on private IP addresses makes them inaccessible from the Internet. The host devices can still reach out to the network but no one can reach them directly, which is how it should be. If there is a web server or another device that needs to be directly reached from the Internet, then port address translation is required on the firewall.


Firewall

The Wi-Fi Gateway should have a firewall enabled that blocks all incoming traffic from outside (though, as discussed with private addressing, this is rather academic) and allows all outgoing traffic. This will be its default configuration. Again, should there be a web server inside the firewall, then TCP port 80 will need to be opened (inbound) to allow clients on the Internet to connect to its web services.
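
The NAT and firewall behaviour described in the two sections above, modelled as an added example that is not part of the original article: outbound connections create a translation entry, replies to them are let back in, unsolicited inbound packets find no entry and are dropped, and an explicit TCP port 80 forward publishes the internal web server. The `Gateway` class and all addresses are constructed for illustration (documentation and private ranges).

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Toy NAT gateway with a default-deny inbound firewall (illustrative model)."""
    public_ip: str = "203.0.113.10"   # constructed public address
    next_port: int = 40000            # next public source port to hand out
    # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: dict = field(default_factory=dict)
    # (proto, public_port) -> (lan_ip, lan_port): explicitly opened services
    forwards: dict = field(default_factory=dict)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """A LAN host connects out: allocate a public port and rewrite the source."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, public_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A packet hits the public address: return the LAN target, or None if dropped."""
        session = self.sessions.get((proto, dst_port))
        if session and session[2:] == (src_ip, src_port):
            return session[:2]                       # reply to a LAN-initiated flow
        if (proto, dst_port) in self.forwards:
            return self.forwards[(proto, dst_port)]  # published service
        return None                                  # unsolicited: no mapping, dropped

def demo():
    gw = Gateway()
    # A laptop on the LAN opens an HTTPS connection to a remote site.
    _, pub_port, _, _ = gw.outbound("tcp", "192.168.1.20", 51515, "198.51.100.7", 443)
    reply = gw.inbound("tcp", "198.51.100.7", 443, pub_port)    # genuine reply
    stranger = gw.inbound("tcp", "192.0.2.99", 4444, pub_port)  # other host, same port
    web_before = gw.inbound("tcp", "192.0.2.99", 4444, 80)      # port 80 not opened yet
    gw.forwards[("tcp", 80)] = ("192.168.1.50", 80)             # publish the web server
    web_after = gw.inbound("tcp", "192.0.2.99", 4444, 80)
    return reply, stranger, web_before, web_after

if __name__ == "__main__":
    print(demo())
```

Every entry in `forwards` is reachable by any host on the Internet, so that table is the first place to look when reviewing what a gateway exposes.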

MAC Filtering

This is another way to stop unauthorized devices connecting to your network. Simply list the MAC (Media Access Control) addresses of all authorized devices and allow only them to connect to the access point. Alternatively, check the MAC addresses of connected devices and deny access to any device that cannot be identified. In the business, this is called the scream test.

[Image: wireless statistics screen]

Radio Interference & Pollution

Radio Channels

One very common problem that does not involve security is radio interference. As was discussed earlier, the number of Wi-Fi Gateway routers being installed is causing interference and poor performance. The point that needs to be understood here is that adjoining or overlapping areas on the same channel will not boost the signal; they will degrade it by half. Always try to avoid having the same frequency as a neighbouring network.

In the Wi-Fi router shown below, there are several choices of radio channel and several modes of operation. This is the unlicensed radio band, which means it is unregulated and everyone has as much right as the next person to a channel. All that can be done is to experiment and hope; the more Wi-Fi routers are installed, the worse the situation will get.

[Image: wireless settings screen]
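
A way to replace some of the experimenting with measurement, as an added example that is not part of the original article: score each candidate channel by how much neighbouring signal lands on it and pick the quietest. It assumes the 2.4 GHz band, where channel centres sit 5 MHz apart and a signal is roughly 20 MHz wide, and it goes beyond the same-channel case in the text by also counting partially overlapping channels; the survey data, the linear overlap model and the function names are constructed for illustration.

```python
# Constructed site survey of neighbouring networks: (SSID, channel, signal in dBm).
SURVEY = [
    ("Neighbour-A", 1, -48),
    ("Neighbour-B", 1, -70),
    ("Neighbour-C", 3, -60),
    ("Neighbour-D", 6, -82),
    ("Neighbour-E", 11, -55),
    ("Neighbour-F", 11, -65),
]

def overlap(a: int, b: int) -> float:
    """Approximate spectral overlap of two 2.4 GHz channels (1.0 = same channel).

    Simplified linear model: overlap falls by one fifth per channel of
    separation and reaches zero at five channels apart (e.g. 1 and 6).
    """
    return max(0.0, 1 - abs(a - b) / 5)

def signal_weight(dbm: float) -> float:
    """Convert dBm to linear milliwatts so that strong neighbours dominate."""
    return 10 ** (dbm / 10)

def congestion(channel: int, survey) -> float:
    """Total neighbouring signal power that overlaps the given channel."""
    return sum(overlap(channel, ch) * signal_weight(dbm) for _, ch, dbm in survey)

def best_channel(survey, candidates=(1, 6, 11)) -> int:
    """Return the candidate channel with the least overlapping signal."""
    return min(candidates, key=lambda c: congestion(c, survey))

if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(f"channel {ch:2d}: congestion {congestion(ch, SURVEY):.2e} mW")
    print("least congested:", best_channel(SURVEY))
```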

 

Wi-Fi Radio Power Settings

 

[Image: advanced wireless settings screen]

Wi-Fi Gateways come with high power as the default, again because range is a big selling point. It is also a waste of time and energy; cut back the radio power so that it does not spread out past the home or garden. This article has discussed the basics of Wi-Fi Gateways if you would like to learn more about radio frequencies.