Closing your network

Closing your network
The last step that we recommend you take in the process of securing your
wireless home network (if your access point allows it) is to create a closed
network — a network that allows only specific, pre-designated computers and
devices onto it. You can do two things to close down your network, which
makes it harder for strangers to find your network and gain access to it:
Turn off SSID broadcast: By default, most access points broadcast their
SSID out onto the airwaves. This makes it easier for users to find the network
and associate with it. If the SSID is being broadcast and you’re in
range, you should see the SSID on your computer’s network adapter
client software and be able to select it and connect to it. That is, assuming
that you have the right WEP key, if WEP is configured on that access
point. When you create a closed network, you turn off this broadcast so
that only people who know the exact name of the access point can connect
to it.
You can find access points even if they’re not broadcasting their SSID
(by observing other traffic on the network with a network sniffer program),
so this is an imperfect security measure — and no substitute for
enabling WEP. But it’s another layer of security for your network. Also, if
you’re in an area where you will have a lot of people coming into your
home and wanting to share your connection, you might not want to
close off the network, thus balancing convenience for your friends
against the small exposure of a more open network.
Set access control at the MAC layer: Every network adapter in the
world has a unique number assigned to it known as a Media Access
Controller (MAC) address. You can find the MAC address of your network
adapter either by looking at it (it’s usually physically printed on
the device) or using software on your computer:
• Open a DOS window and use the winipcnfg command in
Windows 95/98/Me or the ipconfig/all command on Windows
NT/2000/XP.
• Look in the Network Control Panel/System Preference on a Mac.
With some access points, you can type in the MAC addresses of all the
devices that you want to connect to your access point and block connections
from any other MAC addresses.
Again, if you support MAC layer filtering, you’ll make it harder for
friends to log on to when visiting. If you’ve got some buddies who like
to come over and mooch off your broadband connection, you’ll need to
add their MAC addresses as well, or they won’t be able to get on your
network. Luckily, you need to enter their MAC address only one time to
get them “on the list,” so to speak, so you won’t need to do it every time
they show up — at least until you have to reset the access point (which
shouldn’t be that often).
Neither of these “closed” network approaches is absolutely secure. MAC
addresses can be spoofed (imitated by a device with a different MAC address,
for example), but both are good ways to add to your overall security strategy.
Looking Into the Crystal Ball
The limitations of WEP have become a bit of an embarrassment to the wireless
industry. Although a whole big boatload of businesses has begun using
wireless LANs, many are waiting on the sidelines until security issues are a
bit better sorted out. And although we think that WEP is okay (but not great)
for home use, it’s certainly not good enough for a business that relies upon
the security of its data.
Several efforts are underway to create newer, better, and more secure ways
of protecting wireless LANs . . . efforts that will pay off for home users in the
long run. In this section, we talk about some of the most important of these
efforts and give you a quick overview of them.
This is our “Gaze into the crystal ball and chant voodoo incantations” section
of the chapter. None of this stuff is available yet (although some of it is due in
2003 . . . sometime . . .).