Post on 15-Jan-2015
description
DHS IT FairMarch 12, 2009
Barry CaplinChief Information Security Officer
Minnesota Department of Human Servicesbarry.caplin@state.mn.us
WiFi for DummiesSmart People who aren’t sure how
set it up securely
Agenda
• Why wireless?
• Wireless basics
• Top 10 tips
• Wireless at DHS
Why Wireless?
Wireless Basics
You need:• Computer/Laptop
– Built-in wireless (or WiFi)– a/b/g/n– Connects to Access Point
• Wireless Access Point or Router– Receives/transmits signals between
wireless computer and network
Wireless Basics
What, Me Worry?
• If you can connect to your wireless network.
• An outsider can:– Connect to your home network– “listen” to what you do: taxes, banking,
personal communication
And will look like they are part of your home network, so if they do something bad…
… what stops anyone else?
Wireless Basics
• WiFi– Not an acronym
– Trademark
– Play on words (Hi Fi)
Top 10 Tips
• Netgear WGR614v6
• Why?– Cheap
– Available locally
• Not an endorsement!(also Belkin F5D7230-4)
Top 10 Tips
Log in to the wireless Access Point/Router
Top 10 Tips
1. Change the default SSID
Name (SSID): Enter a value of up to 32 alphanumeric characters. The same Name (SSID) must be assigned to all wireless devices in your network. The default SSID is NETGEAR, but NETGEAR strongly recommends that you change your network's Name (SSID) to a different value. This value is also case-sensitive. For example, NETGEAR is not the same as NETGEAr.
Top 10 Tips
1. Change the default SSID
Top 10 Tips
Top 10 Tips
2. Disable SSID Broadcast
(but it was unclear how!)
Wireless network name broadcast can be turned off so that only devices that have the
network name (SSID) can connect.
Top 10 Tips
2. Disable SSID Broadcast
Top 10 Tips
3. Use Encryption (WPA/WPA2)
Top 10 Tips
Key Sharing:
Top 10 Tips
But WEP and WPA-TKIP have been cracked…
• This Netgear only has WPA-TKIP (need newer model)
• The Belkin has WPA2
still OK for suburbs but not for city, apts, or rural (maybe).
Top 10 Tips
Top 10 Tips
4. Change the default administrator passwordFigure 3-2: Log in to the router
When prompted, enter admin for the router user name and password for the router password, both in lower case letters
Top 10 Tips
4. Change the default administrator password
Top 10 Tips
1. Change the default SSID
2. Disable SSID Broadcast
3. Use Encryption (WPA/WPA2)
4. Change the default administrator password
Defaults are Dangerous!
FEATURE DEFAULT FACTORY SETTINGS
Wireless Access Point Enabled
Wireless Access List (MAC Filtering)
All wireless stations allowed
SSID broadcast Enabled
SSID NETGEAR
Authentication Type Open System
WEP Disabled
Top 10 Tips
5. Use HTTPS (and enable “inside only” admin)
(Neither device has
https)
Top 10 Tips
6. Enable Firewall (and any other security features)
Top 10 Tips
7. Turn it off when not in use.• The safest computer is one that is off!
Top 10 Tips
8. Access Point placement (and lower the power)
(Belkin. Netgear does not provide range.)
•Typical indoor operating range for your wireless devices is between 100 and 200 feet.
•Depends on interference - typically 50–300 ft. indoors
Top 10 Tips
Top 10 Tips
Top 10 Tips
9. Patches/Updates• Not automatic• You need to check• Not frequent
The routing software of the WGR614 v6 router is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from the NETGEAR Web site.
To upload new firmware:1. Download and unzip the new software file from
NETGEAR.2. In the Router Upgrade menu, click the Browse
button and browse to the location of the upgrade file
3. Click Upload.
9. Patches/Updates
Top 10 Tips
Top 10 Tips
10. NAT/Static IP Addresses/Disable DHCP(don’t disable DHCP if you are connecting your DHS laptop
to your home wireless)
(bonus!) Top 10 Tips
11. MAC address filtering
Top 10 Tips
1. Change the default SSID2. Disable SSID Broadcast3. Use Encryption (WPA2)4. Change the default administrator password5. Use HTTPS6. Enable Firewall/Security Features7. Turn it off when not in use.8. Access Point placement9. Patches/Updates10. Static IP Addresses/Disable DHCP11. MAC address filtering (bonus!)
Wireless at DHS
• DHS wireless networks have been assessed by Information Security and use most of the controls we’ve listed here (and some others)
• If you need wireless access, request form is at: InfoLink>Forms>Technology>Remote Access/Wireless Request Form(requires supervisor and director approval)
Wireless outside of DHS
• Home wireless is OK if you are authorized for remote access and wireless; otherwise:
– Business need– Use identified, named networks
And always:– Use a VPN to access DHS(when you connect to an “unknown” network, start your
VPN before doing anything else)
Wireless outside of DHS
For your own personally owned laptop:
• Turn on the Windows firewall
• Encrypt sensitive files
• Don’t type in credit card numbers, passwords, or similar info
• Turn off wireless if you’re not using it.
Discussion?