Securing Your Wireless Network

by Seal

Abstract

This article demonstrates how to set up a strongly encrypted wireless network without buying additional hardware.  It is a response to the fact that the traditional wireless encryption system, WEP, has become obsolete.  The objective is a secure network without spending the extra dough on WPA- or VPN-capable routers.  The emphasis in this article is on Windows users.

The purpose of Local Area Networks (LANs) is to facilitate the sharing of data between multiple computers.  By design, computers within a LAN trust each other more than they trust hosts on the Internet.  It is that trust which leaves them vulnerable to certain attacks, such as ARP poisoning.  Windows users are even more exposed: on a machine with default settings, an attacker already on the LAN can install a keylogger in a matter of seconds.

The lack of physical access was the principal means of protection with wired LANs.  With the advent of wireless routers, however, that is no longer the case.  Wired Equivalent Privacy (WEP) is the traditional system of encryption for protecting wireless communications.  Without it, an intruder can easily sniff sensitive information sent over the airwaves.  Unfortunately, WEP is flawed and can now be cracked in a matter of minutes.  It has become obsolete and virtually useless as a means of protection against malicious users.

There are a few options to protect oneself.  You can upgrade to a router supporting WPA or a VPN, both of which provide more reliable forms of encryption.  However, this option costs a fair bit of money, and if the router's protection scheme is broken in the future, you are dependent on the vendor to fix it.  There is another option: leave the router's encryption out of the picture and use SSH tunneling to encrypt our data before it ever reaches the wireless link.

This means that if someone were to intercept the Wi-Fi signals, they would first have to break SSH's encryption in order to see the contents.  There are two advantages to this method: the encryption is already strong, and because the solution is open-source software rather than router firmware, patches can be issued to fix any vulnerability found in the encryption.

This system requires that one computer be connected to the router via Ethernet.  This tends to already be the case with most setups.  That wired computer will also have to run an SSH server.

Linux users: OpenSSH's sshd is almost certainly installed already; just make sure it is running.

For Windows users, I recommend that you download the free Cygwin (see below for URL) and opt to install the OpenSSH package during the installation.  Once that's done, start up Cygwin and run ssh-host-config to generate the host keys and register sshd as a Windows service, then type in: net start sshd

If you let ssh-host-config install the service with automatic startup, the server will launch with Windows from that point on.  Type in net stop sshd to stop the server.

We aren't finished with our server, however.

We must then install a proxy server onto the same machine.  Windows users, I recommend you download a free program called Proxy from AnalogX (see below for URL).  Linux users, I recommend you try Squid as the proxy server.

Install it, and choose which protocols you want it to handle and thus have secured (i.e., HTTP, FTP, etc.).  The tunnel delivers the clients' connections to the proxy from the server itself, so if the proxy lets you restrict which addresses may connect, limit it to 127.0.0.1, or block the proxy ports from the LAN with the server's firewall; otherwise anyone on the network can use the proxy directly, unencrypted.  At this stage, the server-side setup is complete.  We must now configure our clients (a.k.a. the wireless computers).

The next step is to tunnel the sensitive communications.

Windows users, I recommend that you use the free PuTTY (see below for URL).  Now you want to forward the ports.  To do so with PuTTY, in the configuration tree select the "Tunnels" category (it's under "Connection --> SSH").

In "Source port", put in 80 (for web traffic), and select the "Local" radio button.  The destination is resolved by the server, not by your wireless computer, so "localhost" here means the wired server.

If you're using AnalogX's proxy, write in localhost:6588 as the destination.  The destination will vary if you're using another type of proxy server.  Press "Add".

Repeat adding ports for what you want to secure, using the following table for reference:

Protocol            Source Port     Destination
Web Traffic         80              localhost:6588 [for those using AnalogX Proxy]
E-Mail (Incoming)   110             localhost:110
E-Mail (Outgoing)   25              localhost:25
FTP                 21              localhost:21
Newsgroups          119             localhost:119

The destinations other than 6588 are likewise the proxy's listeners on the server for those protocols; with another proxy, substitute the ports it actually listens on.

In the "Session" category, write in the LAN IP address of your server as the host name, and leave the port at 22.  If you don't know the address, on the server computer go into CMD.EXE ("Run --> type in cmd") and type ipconfig.  It will then display its IP.

Once you're done, click on "Open" in PuTTY to connect to the server.  The first time, PuTTY will show the server's host key fingerprint and ask whether to trust it; compare it against the key on the server before accepting, since accepting an attacker's key would let them sit in the middle of every tunnel.  When it asks you for credentials, enter the username/password needed to log on to Windows on that machine.  All your web, mail, etc. traffic will now be carried inside the encrypted SSH connection.

Finally, we have to tell the programs that transfer the data to use the tunnels.

You will want your proxies to be specified as "localhost" (a.k.a. 127.0.0.1), with the source port you chose for that protocol.  So, for example, in Firefox [multi-platform Internet browser] you will want to go into "Tools --> Options", and click "Connection Settings".  In the dialog window that appears, choose manual proxy configuration, put in localhost as the HTTP proxy, and write in 80 as the port.  The settings for the SSL proxy are the same as those for HTTP.  Mail, FTP and news clients are pointed at localhost on their forwarded ports in the same way.
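The same tunnel table, written as an OpenSSH client command for anyone not using PuTTY, together with a check that the tunnel entrances on the wireless machine really are bound to loopback.  This is an added example and not code from the original article; the server address 192.168.1.10, the login "seal" and the sample "ss -ltn" output are assumptions made for the example, and the destinations are the AnalogX Proxy listeners from the table.

```shell
#!/bin/sh
# Added example, not part of the original article: the PuTTY tunnel table
# written as an OpenSSH client command, plus a check that the tunnel
# entrances on the wireless machine listen on loopback only.
#
# Assumed values (not given in the article): the wired server's LAN address
# is 192.168.1.10 and the SSH login is "seal". The destinations are the
# AnalogX Proxy listeners on that server (6588 for HTTP, 110/25/21/119 for
# POP3/SMTP/FTP/NNTP).

SERVER_IP="192.168.1.10"
SERVER_USER="seal"

# One tunnel per line: local port, then host:port as the *server* resolves
# it. "localhost" in the second column is the wired server, not the laptop.
TUNNELS="80 localhost:6588
110 localhost:110
25 localhost:25
21 localhost:21
119 localhost:119"

# Turn the table into -L options. Binding each entrance explicitly to
# 127.0.0.1 (the OpenSSH default, made explicit) keeps other hosts on the
# Wi-Fi segment from using the tunnel.
tunnel_args() {
    printf '%s\n' "$TUNNELS" | while read -r lport dest; do
        [ -n "$lport" ] || continue
        printf '%s 127.0.0.1:%s:%s ' -L "$lport" "$dest"
    done
}

# The complete client command. -N opens no remote shell; the connection
# exists only to carry the forwarded ports.
tunnel_cmd() {
    printf 'ssh -N %s%s@%s' "$(tunnel_args)" "$SERVER_USER" "$SERVER_IP"
}

# The local ports from the table joined into a regex alternation.
local_ports() {
    printf '%s\n' "$TUNNELS" | awk 'NF { p = (p == "" ? $1 : p "|" $1) } END { print p }'
}

# Check a listener table in "ss -ltn" format (pass the command's output as
# $1). Prints every forwarded port bound to a wildcard address, which would
# expose that tunnel entrance to the wireless LAN, and returns 1 if any.
check_bindings() {
    ports=$(local_ports)
    offenders=$(printf '%s\n' "$1" | awk -v ports="$ports" '
        NR > 1 && $4 ~ ("^(0\\.0\\.0\\.0|\\*|\\[::\\]):(" ports ")$") { print $4 }')
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample output in "ss -ltn" format, used here instead of a
# live system: one correct setup and one where the web tunnel entrance
# was bound to all interfaces.
SAMPLE_GOOD="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:80       0.0.0.0:*
LISTEN 0      128    127.0.0.1:110      0.0.0.0:*"

SAMPLE_BAD="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    127.0.0.1:110      0.0.0.0:*"
```

To bring the tunnels up, run eval "$(tunnel_cmd)" (source ports below 1024 need root on a Unix client), then confirm the entrances with check_bindings "$(ss -ltn)": a line such as 0.0.0.0:80 means that port is reachable from the wireless segment and should be re-bound to 127.0.0.1.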

Badabing, badaboom, you're done!

Now this was pretty much a one-time process.  Assuming you saved your SSH client (i.e., PuTTY) session, the only thing you have to do the next time you reboot that wireless computer of yours is to reconnect via SSH to your server.

Enjoy your wireless and secure Internet experience!

The possibilities don't end at the borders of your wireless access point.  Let's say that you're in a cafe with open Wi-Fi.  Why jeopardize your information when you can tunnel via SSH to your server at home and rest assured that nobody in the cafe can read it?  For that to work, your home router must forward port 22 to the wired server.  Keep in mind what the tunnel covers: it protects the path between you and your server, and from there traffic leaves in whatever form the protocol uses, so a plain HTTP page is still plaintext between your server and the website.

Why must the server be connected via Ethernet?  If it weren't, then despite the fact that our wireless computers would send information to it encrypted via SSH, the server would itself send that information to the router over the air with at most WEP, defeating the purpose of this exercise.

Resources

Cygwin: www.cygwin.com

PuTTY: www.chiark.greenend.org.uk/~sgtatham/putty/

AnalogX Proxy: www.analogx.com/contents/download/network/proxy.htm

Squid: www.squid-cache.org
