CyberSafety: Networks and wireless


by Alan Zisman (c) 2003 

With more and more homes having multiple computers, home networks are increasingly common. Many of the cybersafety issues for home networks are the same as for standalone computers, but there are also some twists.

This isn't the place to discuss how to set up a home network; if you're running Win95/98/ME (aka Win9x), you might find my tutorial on the subject useful. Windows NT and 2000 are somewhat more complex, but aren't used that often by home users. (One hint-- if you're trying to connect Win9x systems to access files or printers shared on a WinNT or 2000 system, you need to set up your Win9x systems to log in using the Login for Windows Networks, rather than the simpler Windows Login. And the user name you use for that login will need to be a valid user on the WinNT/2000 system as well). WinXP (both Home and Pro) has a usable Network Setup Wizard; open My Network Places, and you'll see the Set Up a Home or Small Office Network link on the left.

Besides the traditional network tasks of sharing files and printers, most people setting up a home network want to share a single Internet connection amongst multiple computers. This is typically done in one of two ways:
-- having one computer that can connect to the Internet, either using a standard dialup connection or a broadband (cable or DSL) connection, then letting that computer act as what's known as a proxy server or gateway, sharing its Internet connection with the other computers on the network. Starting with Win98SE (Second Edition), Microsoft has included Internet Connection Sharing software to make this reasonably easy to do. It seems magical to open Internet Explorer on one computer and hear a modem in another computer start to dial out in response. Of course, it works much better with an always-connected broadband connection.
-- connecting multiple computers to a router, and using the router to connect to the Internet. Most often, this is done with a broadband connection, though some router models can be connected to a dial-up line. Traditionally, the computers connect to the router using standard Ethernet cables and adapters, though wireless (802.11) connections are increasingly popular (and bring their own set of security issues). Some wireless router models allow for wired Ethernet connections as well.

If possible, the second option-- using a router-- is the better choice. Some of the reasons:
-- the ICS model requires that the proxy server computer be on for any other computers to have access. If that computer crashes or is just turned off, everyone else is cut off. By contrast, only the router needs to be turned on for the computers on the network to get Net access... and routers are generally simple, robust units that rarely crash. And if they do, they are quickly reset.
-- the computer that is directly connected to the Net will have the best performance; other computers on the network will get slower Net access. When using a router, each connected system gets an equal share of the available Internet bandwidth.
-- most routers include a built-in hardware Firewall. This provides a layer of protection against hackers (though not against spam, spyware, or viruses) that is always working to shield the computers on your network. (It may still be worthwhile to install a software firewall on each system on the network. See the Firewall tutorial in this series). 

(Some people use a sort-of combination of the two approaches: taking a spare computer and setting it up as a dedicated proxy server, perhaps using a secure operating system such as Linux or BSD Unix. That can work fine, but takes more computer knowledge and skills than this tutorial is prepared to teach).

Recommendations for home (wired) networks:

-- If possible, use a router to connect to the Internet. The router connects to your cable or DSL (or dial-up) modem, and the various computers on your network connect to the router. Yes, if you are starting with a single computer that has a built-in or USB broadband modem you may need to replace it with an external broadband modem with Ethernet connectors, but it will be worth it in the long run.

-- Even though the router probably includes a hardware firewall, software firewalls on each computer will provide a second level of protection, and will watch outgoing signals, which are not monitored by the router. You still need antivirus software; your firewall (either hardware or software) does not meet this need. Take the time to set up your firewall software, deciding what programs should have access to your internal network, and which really need access to the Internet.

-- Check your router-manufacturer's website now and again (perhaps twice a year) for updates to the router's firmware. These are updates to its built-in operating system, released if bugs or security flaws are found. Just like with your computers' operating systems, it's important to keep your router's firmware up to date. (Keep track of the version of the firmware you've just installed. I write it (along with the date) on the inside cover of my router's user manual).

-- If you are sharing files and/or printers, password protect them (with a non-obvious password). Computers logged into your home network may store these passwords so you don't need to enter them each time, but they will provide another level of protection on your systems.

-- change the default password used to log onto your router. After installing a firmware update, you may find that the password has been reset to the default; be prepared to change it again.

-- Similarly, use log-ins and passwords on your computers. Change the default password on your router and any default passwords already installed for the Administrator account of your Win NT/2000/XP computer.

-- If you must write down your password(s), don't leave them on a piece of paper on the top of your desk, in your desk drawer, or (worst of all!) on a sticky note stuck on your monitor. Don't ever give out a password over the phone, even if the caller claims to be a tech support person. The #1 cause of security problems is users who are careless with their passwords, not hackers with extraordinary computing powers.

-- (optionally) Windows 2000 or XP users may want to learn about turning off unneeded services. Many of these are set up by Microsoft as part of these operating systems, running in the background, without your knowledge. If you don't actually need them, they both waste system resources, reducing performance, and carry a security risk. For instance, if you aren't actually sharing HTML files, you don't need a web server running. A website called Black Viper has good information on what services are typically running in the background on these operating systems, what each does, and whether they can be safely turned off by typical users. (It also explains how to do so). Start with the step-by-step guide (which also spells out precautions) at: http://www.blkviper.com/WinXP/supertweaks.htm. Then, Windows 2000 users can go to: http://www.blkviper.com/WIN2K/servicecfg.htm, while the WinXP equivalent is at: http://www.blkviper.com/WinXP/servicecfg.htm.

Wireless networks

These have become increasingly popular, letting home users connect multiple computers without having to run cables, either through the walls or along the floor. As well, if you've got a notebook with a wireless connector (known as 'WiFi' or 802.11), you may be able to connect to the Net in a growing number of 'hot spots' in hotels, airports, cafes, and more.

Wireless networks require adapters in the computers (built right into some models, such as notebooks built around Intel's Centrino). They connect to a wireless base station. Range varies with a number of factors including the location of the base station, the arrangement of its antennae, and the type of construction of the building. (Steel and concrete reduce the range, while wood frame buildings are relatively invisible to the radio waves). Notebooks with built-in antennae generally get better wireless performance than models that use a smaller antenna built-into a plug-in card. Even the material of a notebook computer's case can affect performance. Apple's high-end G4 Titanium Powerbook, for instance, has worse wireless range than the same company's much lower-priced plastic-shelled iBooks.

Officially, 802.11b base stations are supposed to have a range of about 300' (100m) out of doors; in the real world, range varies. But that implies standard antennae. Using specialized antennae on the transmitting base stations and on the receiving computers, range can be improved dramatically. A Swedish experiment suspended a wireless base station from a balloon, and got a range of miles.

And that means that your signal may be able to be picked up by computers outside your home network; neighbours, people in parked cars, maybe even people further away than you thought. Some people are using this in a positive way-- choosing to create unofficial local neighbourhood networks sharing a broadband connection, for instance. Or setting up informal free public hotspots. (See for instance, the international 802.11 Community List: http://www.toaster.net/wireless/community.html). But it may also mean people are tapping into your broadband connection without your knowledge or consent, or tapping into the computers on your local area network.

Part of the problem is that to make it easier for home users to quickly get a wireless system up and running, most manufacturers have turned off their hardware's security features by default. (Microsoft, to its credit, sets the security features of its Broadband Networking Wireless products on by default).

Users of wireless networks should do everything that users of wired networks should do (see above). In addition:

-- change your wireless base station's default Network Name (referred to in some hardware models as the SSID). If your router includes the option to turn off SSID Broadcasting, do it... with that turned off potential users will have to know your SSID name in order to connect.

-- consider turning on wireless encryption (referred to in some hardware models as WEP for wireless encryption protocol). WEP isn't perfect; presumably, a motivated and skilled hacker could break the encryption within a couple of hours (but I would probably notice anyone sitting in a car outside my house in that time). Note that turning on encryption will reduce performance, as the computer and router both have the extra work of encoding and decoding all the packets of Internet information that pass through.

If you're going to use WEP, you'll get a choice of 64Bit or 128Bit encryption. Pick the more complex 128-bit encryption. You'll be asked to enter a Passphrase-- a piece of text that will be used to generate a long string in the mix of standard numbers and letters known as hexadecimal numbers. Store both the passphrase and the hexadecimal key... you'll need them to set up your computers. When each wireless computer on your network tries to connect to your base station, you'll be asked to enter either the passphrase or the more obscure key code. (Note that if you're trying to connect a Mac to a Linksys base station (and probably some other models as well), you'll need to enter first a '$' followed by the 26-digit key code). Luckily, you should only have to do this once!

(Once again, Microsoft handles this well-- when you install their Broadband Networking Wireless base station, you have the option of creating a floppy disk that stores the passphrase, and simplifies connecting at your various computers. Of course, that's only usable with Windows systems).

-- Most routers include the ability to specify the MAC addresses of adapters allowed to connect; every wireless (and wired) network adapter has a unique 'MAC address', a sort of serial number. If you track down the MAC addresses of your adapters, you can set your router to allow only those adapters to be part of your wireless network. When you do that, however, and your friend drops by with her new wireless-enabled notebook, she won't be able to make it work with your router.

In Windows, going to a DOS prompt, and typing: ipconfig /all |more  (note the '/' and '|' characters) will give a lot of information about your Internet Protocol configuration (hence the name), including the MAC address-- in this case referred to as the 'Physical Address'. It will look something like:  00-08-47-E8-10-97
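To build the router's allow-list from several computers, the Physical Address lines can be pulled out of saved `ipconfig /all` output. The following is an added example, not part of the original tutorial; it assumes English-language Windows output and a router that accepts colon-separated addresses, and the sample text is constructed apart from the example address shown above.

```python
import re

# Constructed sample of `ipconfig /all` output; only the first
# Physical Address is the example value from the tutorial text.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-08-47-E8-10-97

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Physical Address. . . . . . . . . : 02-00-5e-10-00-01

Tunnel adapter Example Tunneling Pseudo-Interface:

        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")            # section header
PHYS_RE = re.compile(r"^\s+Physical Address[ .]*:\s*(\S+)\s*$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")  # exactly 6 bytes


def extract_macs(ipconfig_text):
    """Return {adapter name: 'AA:BB:CC:DD:EE:FF'} for real 6-byte adapters."""
    macs, adapter = {}, None
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            adapter = header.group(1)
            continue
        phys = PHYS_RE.match(line)
        # Pseudo-interfaces report longer addresses; they never join Wi-Fi, so skip them.
        if phys and adapter and MAC_RE.match(phys.group(1)):
            macs[adapter] = phys.group(1).upper().replace("-", ":")
    return macs


def allow_list(*outputs):
    """Merge output saved from several computers into one sorted, de-duplicated list."""
    return sorted({mac for text in outputs for mac in extract_macs(text).values()})


if __name__ == "__main__":
    for name, mac in extract_macs(SAMPLE_IPCONFIG).items():
        print(f"{mac}  {name}")
```

A disconnected wireless adapter still reports its Physical Address, so the list can be collected before the computer has ever joined the network.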

There are lots of changes afoot in the wireless area; better encryption protocols should be expected soon. When that happens, there may be firmware upgrades for your wireless router, as well as operating system patches for Windows (as well as the Mac OS, etc). Moreover, as this is written (spring 2003), many companies are selling models offering faster 802.11g-style wireless connections. The problem is that the 802.11g standard is still in flux, with an official standard being promised for summer-2003 (more or less). When that happens, there will be firmware upgrades for virtually all models, to bring the hardware up to spec, hopefully with improved security.

-- Make sure that any router you buy has flashable firmware, enabling you to download security and performance fixes from the manufacturer.

Again, check your manufacturer's website regularly; download and install the latest firmware, and check the configuration options, changing default settings, and applying security options like encryption. Remember to reset these each time you upgrade the firmware.

Good luck!

Homework

(obviously, this only applies if you've got a home network!)

-- if you've got a router connected to an Internet device, log onto it and change its password
-- log onto your router manufacturer's website and check for firmware updates for your model. Download and install any. (Make sure you've got firmware specifically made for your model).
-- make sure any shared folders (Win9x) or printers (any Windows version) are password-protected with non-obvious passwords
-- make sure you don't have any passwords written down in a visible or obvious location

(wireless users):
-- check the 802.11 Community List and see if there are any public access points near you; if so, try and access them.
-- if you have a notebook with a wireless adapter, take it outside for a walk around your block; see how far you can get a usable Internet connection from your base station
-- change the SSID (Network Name) and turn off SSID Broadcasting
-- enable WEP (encryption). Make note of your passphrase and key code

Some other links

NakedWireless.ca: http://www.nakedwireless.ca Naked is the perfect description of an unsecured wireless network

Practically Networked: http://www.practicallynetworked.com/support/wireless_secure.htm Securing your wireless network

ExtremeTech: http://www.extremetech.com/article2/0,3973,31255,00.asp Exploiting and Protecting 802.11b Wireless Networks


A word from our sponsor:
This tutorial is part of my Internet Security series, accompanying CyberSafety, a Continuing Education course at BC's Capilano College. The entire series consists of:

The CyberSafety course includes the following modules:

Introduction
Know your PC
Computer Viruses
Email and Spam
Firewalls
Spyware
Networks and wireless issues

Links
 
Or cut to the chase with 7 Steps to Internet Security!




Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan