Caution! Wireless Networking: Preventing a Data Disaster

Modifying the broadcast parameters of your access point to limit the distance your network’s radio signals travel is another way to increase the security of your WLAN. Limiting the signals makes it harder to detect network settings.

Adjusting the power

For security, you can decrease the power of the radio signal that your access point broadcasts to limit propagation of radio waves outside of your home or office. This can reduce the chances that crackers or wardrivers will detect the signal.

Unfortunately, most common access points manufactured for home or small-office use do not have a built-in way to reduce the broadcast power. If this is the case with your access point, and you want to reduce its power output, you can use inline attenuators.

Inline attenuators are devices that attach to your access point and reduce the signal output by creating resistance and absorbing some of the output power. Most RF attenuators come with standard connectors, and you install them between the access point and the antenna (see Figure 11-17).

Figure 11-17: An inline attenuator

You need to do a site survey to be sure that the signal from your access point still reaches the areas of your home or office that you need it to. The easiest way to do this is to use a portable wireless client like a Wi-Fi-equipped PalmOS or Pocket PC handheld PDA, or a Wi-Fi-equipped laptop computer.

For software, you can use any of the free wireless stumblers or sniffers available online. You may also be able to use the configuration software that came with your Wi-Fi adapter if it has a site-survey mode (see Figure 11-18). Walk around your home or office with the wireless client, and make a note of where you can and cannot receive the access point’s signal. Make sure that reducing the power output of your access point doesn’t prevent your own network clients from accessing the WLAN.

Figure 11-18: Wi-Fi adapter utility in site-survey mode

Note 

There are also small handheld Wi-Fi access point detectors available. I’ve had mixed results with these devices. They aren’t a reliable way to determine if intruders can detect your WLAN’s signal because they aren’t as sensitive or reliable as a wireless laptop or PDA.

Turning off SSID broadcast

By default, every access point announces itself to the world by broadcasting its SSID. Every few seconds the access point broadcasts a data packet known as a beacon frame. The beacon frame contains the SSID. Any Wi-Fi client can detect the SSID broadcast and attempt to connect with the access point.

In addition to changing the default SSID name, you can also disable the SSID broadcast on most access points. To do this you have to use the access point’s configuration utility or the Web interface.

When combined with the other security steps in this chapter, turning off the SSID broadcast helps conceal your WLAN from casual wardrivers or crackers. However, even if you disable the SSID broadcast, a cracker can still discover the SSID. Beacon frames aren’t the only data packets that contain the SSID, and a determined cracker can capture and analyze network traffic to discover the SSID. However, it takes extra effort to do so, and disabling the SSID broadcast will hide your access point from many wardrivers.

Setting a minimum connection speed

On many access points, you can set a minimum connection speed for any client attempting to associate with the access point. Because the connection speed drops the farther you are from the access point, the effect is similar to reducing the broadcast strength of the access point.

Presumably, wardrivers and other persons located outside of your home do not have a signal that is strong enough to enable them to connect at the minimum speed you decide on. Conduct a site survey to determine if the signal is strong enough for your own computers to connect at the minimum speed.
