Securing WiFi Access Points

Wireless Access Points (WAPs) are increasingly being deployed in office environments as well as in many homes to make internet access more convenient. At home, they can allow lawyers to access the internet from anywhere in the house or backyard. In the workplace, they can allow a lawyer to take a laptop from office to office and remain connected. They can also be used to facilitate internet access for clients and guests.

However, by default, these devices are sold with their security features disabled – to make them easier to set up and more “user friendly”. Left in this state, a WAP can serve as an open door for a hacker who can be located up to ¼ mile away. To help reduce the risk of such intrusions, certain precautions should be considered.

The most important action that should be taken is to enable the WAP’s data encryption feature. This will help protect the data stream from being intercepted and will block access by a user who does not know the proper password. Almost all WAPs support the oldest encryption standard, called Wired Equivalent Privacy (WEP). More recently designed products will support a more secure standard called Wi-Fi Protected Access (WPA) or a second release known as WPA2. If you’re using WEP, choose the more secure 128-bit version over the 64-bit version.

The following are other prudent precautions that should be considered:

  • Upgrade the device’s firmware to the latest version available from the vendor’s website. Newer versions of firmware typically contain bug fixes and plug up security holes that may have gone undetected when the product first shipped.
  • Each WAP has a Service Set Identifier (SSID) which is used to allow remote devices to connect to the WAP. Most WAPs utilize default SSIDs which correspond to their vendor’s name (such as Linksys, Dlink, etc.). Change the SSID to one that is not as obvious. Then, unless you need to use a remote wireless device that will only work if the SSID is active on the WAP, disable SSID broadcasting. This will help hide your network from outsiders.
  • Turn on any firewall features that may be available on the WAP. These may be labeled as SPI or Stateful Packet Inspection. Their purpose is to restrict any data coming in from the Internet side of the WAP except in response to a request sent from one of the attached computers. Unfortunately, such features are typically not of much use against an intruder who attempts to access the WAP wirelessly. Firewall software should also be installed and configured on each computer attached to the network.
  • Most WAPs require a username/password in order to access their configuration menu. However, most use commonly known defaults such as “admin” or the name of their vendor as the username and either “admin” or nothing for the password. These should be changed to something more secure.
  • The configuration menu on some WAPs can be accessed from the Internet for remote support. This functionality is best turned off.
  • Each network device is assigned a unique physical network address known as a Media Access Control or MAC address. Some WAPs can be set to limit or “filter” access to only devices with specific MAC addresses. Although it means having to update the WAP’s internal MAC database each time a new wireless device needs to be connected, setting the WAP to limit wireless access to only devices whose MAC address is in such database can provide another useful measure of security.
  • Some WAPs may allow the user to configure its power output. Where long range access is not required, turn down the power to the minimum required to cover the desired access area. If output power is not user configurable, consider whether the WAP can be located in a place which will still allow it to be accessed from the desired access area but will nevertheless reduce its overall range – for example, locating a WAP in the basement may make it less accessible by neighbors or someone on the street.
  • More information about WAPs and related topics can be found in practicePRO’s managing the security and privacy of electronic data in a law office booklet.

    Note: The above appeared as a Bits & Bytes article published by Law Times on February 25, 2005.
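
As an added example (not part of the original article), the Python script below checks the encryption and SSID advice from outside the WAP by reading the text that the Linux `iwlist <interface> scan` command prints. The sample scan, the network names other than the article's Linksys and Dlink defaults, and the function name `audit_scan` are constructed for illustration.

```python
import re

# Vendor-default SSIDs: the two the article names; extend for your own hardware.
DEFAULT_SSIDS = {"linksys", "dlink"}

# Constructed sample in the layout printed by `iwlist <interface> scan` (not a real capture).
SAMPLE_SCAN = '''\
Cell 01 - Address: 00:00:5E:00:53:01
          ESSID:"linksys"
          Encryption key:off
Cell 02 - Address: 00:00:5E:00:53:02
          ESSID:"Firm-Office"
          Encryption key:on
Cell 03 - Address: 00:00:5E:00:53:03
          ESSID:"Dlink"
          Encryption key:on
          IE: WPA Version 1
Cell 04 - Address: 00:00:5E:00:53:04
          ESSID:"Boardroom"
          Encryption key:on
          IE: IEEE 802.11i/WPA2 Version 1
'''

def audit_scan(text):
    """Return one dict per access point: ssid, encryption, and a list of findings."""
    results = []
    # Each access point's block starts with a "Cell NN - " prefix.
    for cell in re.split(r"(?m)^\s*Cell \d+ - ", text)[1:]:
        ssid_match = re.search(r'ESSID:"(.*)"', cell)
        ssid = ssid_match.group(1) if ssid_match else ""
        if "Encryption key:off" in cell:
            enc = "none"
        elif "WPA2" in cell:
            enc = "WPA2"
        elif "WPA Version" in cell:
            enc = "WPA"
        else:
            enc = "WEP"  # key is on, but no WPA/WPA2 element is advertised
        findings = []
        if enc == "none":
            findings.append("encryption disabled")
        elif enc == "WEP":
            findings.append("oldest standard (WEP); use WPA or WPA2 if supported")
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append("vendor-default SSID")
        results.append({"ssid": ssid, "encryption": enc, "findings": findings})
    return results

if __name__ == "__main__":
    for ap in audit_scan(SAMPLE_SCAN):
        print(f'{ap["ssid"]}: {ap["encryption"]}; {", ".join(ap["findings"]) or "ok"}')
```

A scan does not reveal whether a WEP network uses the 64-bit or 128-bit version; that setting has to be confirmed in the WAP's configuration menu.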