The Wireless Network and Segmentation
Author: Derek Burke, Technical Support Engineer, dburke@cubro.com
In the previous installments, we covered separating our work devices from our personal ones to reduce our risk in handling sensitive material as well as steps we need to take to secure our home router.
In this section, we will turn our attention to the wireless portion of the home network because restricting access to our network from the outside world does little good if a bad actor can gain access to our LAN. When setting up our Wi-Fi we absolutely want to be using WPA2 with PSK at a minimum (That’s Wireless Protected Access 2 with Pre-Shared Key). This may be labelled as WPA2 Personal in some routers. We want to select SSID(s) (Service Set Identifier; this is the Wi-Fi name) that do not relate any personal information about us. For example, avoid using your address, family or pet names, and even obvious interests such as sports teams etc.
The reason is it makes it far easier for an attacker to associate which Wi-Fi signal belongs to which residence thus leaking intel to would-be attackers. Case in point, from where I am right now, I can pick up an SSID called ‘EaglesFan’. Now, I don’t know exactly which house this belongs to but I’m willing to bet it is the one flying the Philadelphia Eagles flag from the front porch that also has Eagles stickers on the car in the driveway…just a guess. While this may seem overly paranoid, I will explain how this fits into what is called Open Source Intelligence (OSINT for short) later.
The Pre-Shared Key is our Wi-Fi password and we want strong passwords to get wireless access.
This may be a bit trickier than the router admin login because, unlike the router login, we are going to be typing and using the Wi-Fi password often. This makes it easy for convenience to trump good security practices as we are inclined towards something easy to remember and easy to type. I urge you to resist this temptation and, to help, I suggest the use of passphrases. Here is an explanation of a passphrase. In using a passphrase be sure to emphasize the random nature of the words chosen. A dictionary attack is a common password cracking method in which a word list is used to attempt to break a password by iterating through multiple permutations of words and common character substitutions in the goal of ultimately stumbling across the password.
Often these will be influenced by natural word order and, if the attacker knows anything about the target (like they are big Eagles fans), they will prioritize related words. A passphrase isn’t perfect, but we can’t let perfect be the enemy of good. Feel free to tap into multiple languages in your passphrase to really make the prospect of random guessing improbable.
Even if you are convinced that your Wi-Fi password is good enough, now may be the time to change it. After all, how many people have you, or your family members, given it to? Do you really know who has access right now?
Some additional points worthy of note: You may see the option to hide your SSID, while at face value this seems like a good idea, in practice it does nothing of real consequence. Any attacker attempting to access your wireless network will have tools such as Airodump-ng that will detect your network anyway and the SSID will still be displayed here. Lastly, if your router is reasonably new you probably have dual-band Wi-Fi, with both 2.4Ghz and 5Ghz channels. These will show as independent Wireless signals, each with their own SSID and PSK, but unless your router provides some provision for isolating wireless networks any devices attached to the 2.4Ghz signal can still communicate with the ones on the 5Ghz signal and vice-versa, which leads us to our next topic: network segmentation.
Network segmentation is the process of isolating a portion of our network from the rest of it such that the devices on the isolated part can’t interact with devices on the rest of network and vice versa. Your router may provide a fairly simple way to achieve something like this, at least for our purposes here. If the router supports a Guest Wi-Fi network that restricts access to your LAN we can leverage this for our homework environment. This feature may present as an optional checkbox saying something to the effect of allowing only internet access or not allowing access to the LAN or it could just be the built-in default of the guest network; it varies from router to router.
Typically, we would use a Guest Wi-Fi network so that we can offer Wi-Fi to visitors but keep our network devices protected from them. For our work at home situation, we can flip this and use this feature as internet access for our work machine while preventing any of our network devices from having access to it. We haven’t gone in-depth on the subject yet, but we must assume other devices on our home network, especially IoT devices, are leaking information or present security holes (probably both). If the guest network trick isn’t available then we need to look at alternative options.
At this point, we are starting to get into a more advanced territory and are likely looking at adding or replacing hardware and spending more on our equipment to achieve a higher level of control. If you have implemented the recommendations above, chances are, you are in better shape than most. If you want to take this further then you just might have a developing interest in networking and computer security (Awesome!) and hardware and software from companies such as Ubiquiti, PFsense, Firewalla are going to offer you a level of control and features mirroring more professional systems. Also, projects like DD-WRT and OpenWRT may allow you to breathe new life into the router you already have.
In the final installment, of this guide, we’ll look at user behaviour, make some suggestions towards creating and storing strong passwords, and discuss some things to be aware of when working online. Lastly, I will present an example of how a malicious hacker may go about targeting a victim.