Wireless Security Primer: Beyond the Tin Foil Hat
Written by: Lann Martin
From Eye of the Storm - September 2008
Wireless security is hard. Securing a wireless network means starting with some different assumptions than you would with wired. On top of that, 802.11 is still relatively new tech with frequent updates, and learning how it works is often like trying to hit a moving target. With that in mind, here is a quick primer on a few of the basic things you absolutely must know to protect your wireless network.
Learn to share
WiFi is a shared medium, meaning everyone can see everything on the network all the time. You should assume an attacker (let's call him Walter) can see all the traffic on your network. Walter can probably see your traffic from the parking lot or even the Starbucks across the street, especially with a high-tech coffee-can-and-USB-adapter antenna. Wally can also inject packets into your network, spoofing the MAC address to make them look like they are coming from a legitimate user, even if the user is currently connected.
Encryption is not magic
Beyond the fact that encryption does not, on its own, make any network secure (a topic for another day), you should not treat encryption as if it works by magic, and you should know that not all encryption is created equal. As you may know, WEP (the first popular attempt at WiFi encryption) is broken. No matter how complex you make your key, it can easily be cracked in a few hours or even, with a few tricks and a little luck, in a few minutes. DO NOT USE WEP.
WPA does not suffer from the same weaknesses as WEP, but it can still be used incorrectly. For WPA using Pre-Shared Keys (sometimes referred to as PSK or WPA-Personal), keys can be cracked offline, meaning that after a few minutes in your parking lot, Walter can go home to his cluster of Linux-infused PS3s and let them work on breaking your encryption while he takes a nap (Walter is a lazy hacker). If you have to use WPA-PSK, you can prevent Walter’s cluster from cracking your key in any reasonable amount of time by selecting a long, random password. If you are feeling crazy and insist on using a password that isn’t entirely random, be sure to change your wireless SSID to something uncommon: the SSID is used as the salt when the key is derived from your password, so an uncommon SSID protects against a pre-computed dictionary attack, which can crack a weak password behind a common SSID in seconds.
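The following is an added example, not part of the original article: it derives the WPA-PSK master key the way the 802.11i standard specifies (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds) and shows why a table pre-computed for a common SSID is useless against an uncommon one, and how much search space a long random password buys you. The SSIDs, wordlist and passphrases are constructed sample values.

```python
import hashlib
import math

# WPA/WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations.
# Nothing secret is needed to run this, which is why Walter can work offline.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def build_table(ssid: str, wordlist) -> dict:
    """Model of a pre-computed table: the PMK of every word under ONE SSID.
    Each entry costs 4096 HMAC rounds up front and nothing at lookup time."""
    return {wpa_pmk(word, ssid): word for word in wordlist}

def table_hits(table: dict, ssid: str, passphrase: str) -> bool:
    """Would a table built for some SSID recover this network's passphrase?
    Only if the network's PMK is in it, i.e. only if the SSID salts agree."""
    return wpa_pmk(passphrase, ssid) in table

def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random passphrase, in bits; each extra
    bit doubles the work Walter's cluster has to do per SSID."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample data: a tiny wordlist and a weak passphrase.
    wordlist = ["password", "letmein", "sunshine1", "football"]
    weak = "sunshine1"
    table = build_table("linksys", wordlist)  # table built for a default SSID
    print("default SSID, weak passphrase, table hits:",
          table_hits(table, "linksys", weak))          # True: instant lookup
    print("uncommon SSID, same passphrase, table hits:",
          table_hits(table, "ZT-home-7f3q", weak))     # False: must recompute
    print("random 20-char passphrase over 62 symbols: %.0f bits"
          % passphrase_entropy_bits(20, 62))
```

Changing the SSID only defeats the pre-computed table; a weak passphrase is still guessable with fresh computation, so length and randomness remain the real defence.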
Paper walls
There are a couple of wireless “security measures” that might give you a warm fuzzy feeling, but provide no real protection against a motivated attacker. Disabling SSID broadcasting prevents the access point from advertising its existence, but it does nothing to hide an active network. The SSID of a network is transmitted with every data packet and is visible even when the data is otherwise encrypted. MAC filtering is a common way to control access by allowing only certain network devices to connect. However, like the SSID, the MAC address of legitimate clients is transmitted unencrypted with every packet. All Walter has to do (now that he has woken up) is wait for a legitimate client to connect, steal the client’s MAC address, and spoof the address to connect with his own computer. Don’t think that these measures are totally useless; they would probably prevent your curious neighbor from stealing your bandwidth, but they should not be confused with security.
This article has only covered security at the access point. Look for future articles about securing other aspects of a wireless network.