If you’re planning to take the Security+ exam, you should have a basic understanding of the other security concerns involved in securing wireless networks. This includes identifying the relevant wireless access point (WAP) configuration settings.
For example, can you answer this question?
Q. Homer is able to connect to his company’s wireless network with his smartphone but not with his laptop computer. Which of the following is the MOST likely reason for this disparity?
A. His company’s network has a MAC address filter in place.
B. His company’s network has enabled SSID broadcast.
C. His company’s network has enabled CCMP.
D. His company’s network has enabled WPA2 Enterprise.
Moreover, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
The use of WPA2, and especially WPA2 Enterprise, clearly provides the highest level of security for wireless networks. However, you can take some additional steps to secure them. The settings described here are normally accessible via a group of web pages hosted on your wireless router. You can often reach the home page of these web pages by entering either http://192.168.0.1 or http://192.168.1.1 in your web browser.
WAP Default Administrator Password
Many WAPs come with a default Administrator account of “admin” and a default password of “admin.” Some even ship with blank passwords. The WAP’s technical manual identifies the default account names and passwords, and most manuals stress changing the password. However, many home users do not change the default password.
If the default password isn’t changed, anyone who can access your WAP can log on and modify the configuration. Additionally, anyone with access to the Internet can easily download instruction manuals for the popular WAPs to identify the default administrator names and passwords. As an example, http://portforward.com/ has lists of usernames and passwords for a wide assortment of routers.
An attacker can easily bypass an otherwise secure wireless network if the administrator password is not changed. The attacker can log on and simply turn off security. Unless you go back into the WAP configuration, you may never know that security is disabled.
Enable MAC Filtering
An additional step you can take to provide a small measure of security to a wireless network is to enable media access control (MAC) filtering. As a reminder, the MAC address (also called a physical address or hardware address) is a 48-bit address used to identify network interface cards (NICs). You will usually see the MAC address displayed as six pairs of hexadecimal characters such as 00-16-EA-DD-A6-60. Every NIC, including wireless adapters, has a MAC address.
MAC filtering is a form of network access control. It’s used with port security on switches, and you can use it to restrict access to wireless networks.
For example, the following figure shows the MAC filter on a Cisco WAP. In the figure, you can see that the system is set to Permit PCs Listed Below to Access the Wireless Network. The MAC 01 through MAC 02 text boxes include MAC addresses of two devices.
Figure: MAC filter on a WAP
Theoretically, MAC addresses are unique. With this in mind, the MAC filter in the figure limits access to only the two devices with these MAC addresses. This may sound secure, but an attacker with a wireless sniffer can easily identify the MAC addresses allowed in a wireless network. Additionally, it’s very easy to change a MAC address. An attacker can launch a spoofing attack by changing the MAC address on his laptop to impersonate one of the allowed MAC addresses.
Many operating systems include built-in functionality to change a NIC’s MAC address. For example, in Windows 7 you can access the NIC’s properties from Device Manager, click the Advanced tab, and configure the Network Address setting with a new MAC.
Remember this
MAC filtering can restrict access to a wireless network to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It’s relatively simple for an attacker to spoof a MAC address.
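The following added example (not part of the original post) models the permit list described above in Python and shows why it is weak as a sole control: the filter only compares an address the client supplies, so the useful signal for a defender is an allowed address turning up with inconsistent client details. The second allowlist entry, the association records, the hostnames and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: the first MAC is the one shown in the post, the rest are made up.
ALLOWLIST = ["00-16-EA-DD-A6-60", "00:16:ea:11:22:33"]
EVENTS = [  # (time, MAC as reported by the client, DHCP hostname)
    ("09:01:12", "00-16-EA-DD-A6-60", "homer-phone"),
    ("09:03:40", "0016.ea11.2233", "lab-printer"),
    ("09:05:02", "3A-5F-10-9C-77-01", "homer-laptop"),
    ("14:22:51", "00:16:EA:DD:A6:60", "unknown-host"),
]

def normalize_mac(text):
    """Return a MAC as AA-BB-CC-DD-EE-FF, accepting '-', ':' or dotted notation."""
    digits = re.sub(r"[-:.]", "", text.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (address is not vendor-assigned)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(allowlist, events):
    """Apply the permit list, then flag permitted MACs seen under several hostnames."""
    allowed = {normalize_mac(m) for m in allowlist}
    decisions, hostnames = [], defaultdict(set)
    for ts, mac, hostname in events:
        mac = normalize_mac(mac)
        permitted = mac in allowed  # the filter's only test: a client-supplied value
        decisions.append((ts, mac, "permit" if permitted else "deny"))
        if permitted:
            hostnames[mac].add(hostname.lower())
    # One permitted address under more than one hostname deserves a closer look.
    suspects = {m: sorted(h) for m, h in hostnames.items() if len(h) > 1}
    return decisions, suspects

if __name__ == "__main__":
    decisions, suspects = audit(ALLOWLIST, EVENTS)
    for ts, mac, verdict in decisions:
        note = " (locally administered)" if is_locally_administered(mac) else ""
        print(ts, mac, verdict + note)
    for mac, names in suspects.items():
        print("review:", mac, "seen as", ", ".join(names))
```

The denied laptop mirrors the practice question, while the last record is permitted purely because it presents an allowed address, which is why MAC filtering is paired with WPA2 rather than used in its place.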
Q. Homer is able to connect to his company’s wireless network with his smartphone but not with his laptop computer. Which of the following is the MOST likely reason for this disparity?
A. His company’s network has a MAC address filter in place.
B. His company’s network has enabled SSID broadcast.
C. His company’s network has enabled CCMP.
D. His company’s network has enabled WPA2 Enterprise.
Answer is A. A media access control (MAC) address filter allows (or blocks) devices based on their MAC addresses, so it is likely that the filter is allowing Homer’s smartphone but not allowing his laptop computer.
Enabling service set identifier (SSID) broadcast makes the network easier for casual users to see, but it does not block access, and neither does disabling SSID broadcast.
Wi-Fi Protected Access II (WPA2) and Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) both provide strong security, but they do not differentiate between devices.