Securing the WCG200 Wireless Access Point
When you are being chased by a lion, you do not have to outrun the lion; you need only outrun the antelope in front of you.
I’m sure you’ve heard a joke similar to this at some point in your life, and I think it’s a good analogy for security (in all facets, not just computers). Your goal, when trying to secure something, is to make it so the would-be thief or hacker decides you are not the easiest target and moves on to an easier one.
This guide is, in my opinion, a marriage between simplicity of use and high-level security. There are more secure ways to do this, but they come at the cost of being difficult to manage. Also, while the step-by-step instructions are written for the Linksys WCG200 cable gateway, the concepts are applicable to any consumer-level or small-business wireless access point.
Alright… you ready? Let’s go…
My approach to securing a wireless access point involves 3 separate security measures, all working together to keep your bits and bytes off somebody else’s hard drive. Think of it like the questions from The Holy Grail. Any hacker must overcome all 3 measures, independently, in order to gain access.
Here is how you can picture these security measures working together to keep your information and connection safe. Imagine you are a person wanting to get into a club. The club is the internet. The very first thing you have to do is find the front door. It’s hidden. You have to know where it is, and what combination of bricks to push in order to open it (this is the hidden SSID security). Once you get inside the front door, the bouncer asks for your name and checks if it’s on the list before he’ll let you talk to the guy behind him (this is the MAC filtering). Once you get past Bruno the bouncer, you have to talk to the guy behind him to ask for anything from the club, but he doesn’t speak any language you know. You have to use your special translator device to translate anything you say into something he can understand. If you don’t have the right translator, you won’t be able to talk to him. Also, anybody overhearing your conversation won’t be able to understand it either unless they have the same translator (this is WEP encryption).
The security of your network will be based on Something You Know (the SSID), Being Known (MAC filter), and Something You Have (WEP key).
So let’s start with the easiest, and usually most overlooked, security measure of all. Change the locks. When I see a wireless network named Linksys, Netgear, D-Link or some other brand name, it usually means that the person who set up the network didn’t do anything except plug in the box. So the very first thing you should do is log into your device and change the username (if you can), password, and network name. Specifically on the WCG200:
I recommend you grab a network wire and actually plug your laptop/computer into the router. That way, when we get to the steps that involve configuring the wireless stuff, you won’t constantly have to change the wireless settings on your laptop.
- So first, get an ethernet wire and plug your laptop/computer directly into one of the LAN ports on the device. Which one in particular you use doesn’t matter. The box the gateway came in should have included an ethernet wire that you can use for this.
- Now, we need to get logged into the device. Open up your favorite web browser (Internet Explorer, Firefox, etc.) and, assuming you haven’t already changed any of the settings, enter the gateway’s default IP address of 192.168.0.1 in the address bar and press Enter.
- A password request page will appear. Leave the User Name blank, and enter admin (the default password) in the Password field and click the OK button.
- There should be 7 main tabs across the top of the page once you get logged in. First things first, let’s change that password.
- Click on the Administration tab, and you’ll see another list of sub-tabs appear under the main tabs once the page loads. We want to be on the Security tab (which should be what you go to by default).
- Find the Gateway Password box, and change the password to something besides admin. This password is your last line of defense against a hacker, so make it good but don’t forget it.
- While it’s generally not recommended to write passwords down, this one may not get used often, and you will probably forget it. So choose a good strong password that is unique to just this device (read this guide here for help in creating strong passwords), and write it down either in the manual for the device or on a sticker placed on the underside of your device. If somebody has physical access to your router, it’s not really going to matter how strong your password is anyway.
- Enter the password in both the Gateway Password box, and the Re-enter to confirm box and click save. You will be logged out of the device when it does a soft restart. It should ask you to log in again, this time enter the new password you created (still leaving the username blank).
Next, we are going to effectively hide the wireless network from prying eyes. This is your first line of defense, and admittedly a fairly weak one. It does more to keep the honest people honest than anything else, so I’m going to say that the actual hiding part is optional, but changing the name of the network is not.
- Once you’re logged back into the device, click on the Wireless tab. You should be taken to the Basic Wireless Settings sub-tab by default.
- Now is the somewhat fun part. You get to name your network. The particular name you choose doesn’t really matter as long as it’s easy to remember as being yours, and isn’t the name brand of the device. Pick something fun, but keep it to one word. Even your own name works. Put the name you chose in the Wireless Network Name (SSID) box and click Save Settings. The device will do that whole restart thing again, and you may be asked to log in again.
- Now, the optional part. Actually hiding the network from the world. Head over to the wireless tab again, and go to the Wireless Security sub-tab, and click the disable radio button (Don’t save just yet, we aren’t done here).
The reason I say this step is optional is because it provides almost no security. What it does is hide the network, so when the guy in the apartment next to yours searches for wireless networks to hack into on Friday night when he is bored, yours doesn’t show up in his list of networks. Which is nice, but it also means the network doesn’t show up when YOU do a search, which can be a little cumbersome sometimes. If you have only one computer to set up it may not be a big deal though; as long as you know the name of the network, you can connect to it.
Continuing on though, our next step is to set up WEP encryption on the device. WEP (wired equivalent privacy) is not as secure as WPA (wireless protected access), but it’s easier to manage and should be sufficient for home users.
What WEP does is create a secured link between your computer and the wireless device, similar to the kind of encryption you have when you log into your bank’s web site. It makes it so that people watching the data you send back and forth between you and the wireless device get nothing useful out of it.
- We should still be on the Wireless Security sub-tab. If not, head back that way and select “WEP” from the pull down box, and you’ll suddenly get a bunch more option boxes to fill out.
- Starting from the top: Set the Wireless Encryption Level to 128-bit Encryption.
- You can leave the “Default Key” at 1.
- The next box (Passphrase for Keys) is part of a tool to help you generate the WEP keys. Type some gibberish into this box (no more than 32 chars though). You can type something meaningful, and it will help you later in connecting to the device, but it only works if everything you have is a Linksys device, so I don’t recommend using it in this way.
- What you’ll have in the next 4 boxes are 128-bit, hexadecimal numbers. Since we said the Default Key would be #1 in the above box, that’s really the only one we care about. Get out a piece of paper and a pencil… and write down the number in your manual.
- Click “Save Settings”, the device will restart and you may have to log in again.
So at this point your access point is fairly secure, starting with your first line of defense: it’s hidden from would-be hackers, the name of the network isn’t something that somebody could quickly guess, and the connection between your computer and the access point requires an encryption key. But we are going to take it one step further, and specifically tell the router who is allowed to connect to it. Think of it like a VIP list at a club. If your name isn’t on the list, you aren’t getting past the security guard. To do this we are going to do what’s called MAC filtering. And as funny as it sounds, it has nothing to do with keeping Macintosh/Apple computers off your network. MAC stands for Machine Address Code and EVERY network device has a unique one. It’s like a Social Security number or VIN for network devices. There are no two with the same one.
- The first thing you need to do is figure out what your computer’s MAC address is. I’m going to assume you are using Windows XP for these steps, which may differ slightly on 2000, and probably won’t help at all for Windows 98 or older (do all this from the computer with the wireless radio enabled and on; you don’t have to connect to any network yet, it just has to be on).
- Click on the Start menu; towards the bottom will be “Run”. When you click on that, it will pop up a little box in the bottom left of your screen. Type “cmd” in the box (without the quotes) and click the OK button. This will pop up a Command Prompt (black screen, looks like DOS).
- At the command prompt, type the following command and hit enter.
ipconfig /all
- What you should see is a whole bunch of stuff that probably doesn’t make sense to you. But that’s ok, because we are only looking for one thing, and it’s fairly clearly labeled.
- If you’re doing this on a laptop, chances are there are two network devices in the laptop: a wireless radio and a wired ethernet adapter. You’ll get information for both of these devices after you enter this command.
- It’s hard for me to say exactly what to look for, because it could be different for you, but here is an example of what you might see (the sample output is shown after these steps):
- I’ve highlighted in RED the things to look for. You are looking for the properties under the Wireless Connection, and specifically for the Physical Address. Write down this Physical Address (the number; in my case I would write down “00-13-78-B5-B2-20”).
- Now, you can close the command prompt and head back over to your browser with the web page for the wireless device and go to the Wireless Main tab, and the Wireless Network Access sub-tab.
- Click the Enable radio button to enable the MAC filtering.
- Type the MAC address you wrote down into the first available spot (all zeros means it’s available; MAC1 should probably be the first available).
- Save your settings and the device will restart and may ask you to log in again.
    Windows IP Configuration

        Host Name . . . . . . . . . . . . : ws109
        Primary Dns Suffix . . . . . . . : electdesign.net
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : electdesign.net

    Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : electdesign.net
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-13-72-B5-A2-20
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.3.43
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.3.1
        DHCP Server . . . . . . . . . . . : 192.168.3.5
        DNS Servers . . . . . . . . . . . : 192.168.3.5
        Primary WINS Server . . . . . . . : 192.168.3.5
        Lease Obtained. . . . . . . . . . : Tuesday, September 19, 2006 7:52:30 AM
        Lease Expires . . . . . . . . . . : Wednesday, September 27, 2006 7:52:30 AM

    Ethernet adapter Wireless Connection:

        Connection-specific DNS Suffix . : electdesign.net
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-13-78-B5-B2-20
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.3.43
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.3.1
        DHCP Server . . . . . . . . . . . : 192.168.3.5
        DNS Servers . . . . . . . . . . . : 192.168.3.5
        Primary WINS Server . . . . . . . : 192.168.3.5
        Lease Obtained. . . . . . . . . . : Tuesday, September 19, 2006 7:52:30 AM
        Lease Expires . . . . . . . . . . : Wednesday, September 27, 2006 7:52:30 AM
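Added example (not part of the original guide, and not Linksys or Microsoft code): a small Python parser for `ipconfig /all` output that picks the Physical Address of the wireless adapter rather than the wired one, and rejects an address that is not a complete six-pair MAC before it goes into the router's filter list. The sample text is constructed from the output above, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the ipconfig /all output shown in this guide.
SAMPLE = """\
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-13-72-B5-A2-20
Ethernet adapter Wireless Connection:
        Physical Address. . . . . . . . . : 00-13-78-B5-B2-20
        Dhcp Enabled. . . . . . . . . . . : Yes
"""

ADAPTER_RE = re.compile(r"^\s*(.*\badapter .+):\s*$", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*Physical Address[ .]*:\s*(\S+)\s*$", re.IGNORECASE)
MAC_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def normalize_mac(text):
    """Return the MAC as AA-BB-CC-DD-EE-FF, or raise if it is not six hex pairs."""
    mac = text.strip().upper().replace(":", "-")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a complete MAC address: {text!r}")
    return mac


def physical_addresses(ipconfig_text):
    """Map each adapter header line to the Physical Address listed under it."""
    adapters, current = {}, None
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1).strip()
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            adapters[current] = normalize_mac(field.group(1))
    return adapters


def wireless_mac(ipconfig_text):
    """Return the MAC of the one adapter named 'wireless'; refuse to guess."""
    hits = {name: mac for name, mac in physical_addresses(ipconfig_text).items()
            if "wireless" in name.lower()}
    if len(hits) != 1:
        raise LookupError(f"expected one wireless adapter, found {sorted(hits)}")
    return next(iter(hits.values()))


if __name__ == "__main__":
    print(wireless_mac(SAMPLE))
```

Matching on the word "wireless" in the adapter name is an assumption that fits the sample; if your wireless connection has been renamed, read the address from `physical_addresses()` instead.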
We are now done setting up the wireless access point. Now, we just need to get your laptop or computer connected to the wireless network. I’m going to assume you are using the Windows Zero Point Configuration tool for your wireless network card, because everybody should have that (This is ONLY available for Windows XP with Service Pack 2). But this usually isn’t the default. If your wireless card is trying to use its own software to configure your wireless access you are going to have to find the check box or button that will transfer control to the Windows Zero Point Configuration tool instead. Post a comment if you need help doing this and I’ll do my best to help you out.
- So, with the wireless radio turned on, you should have a little icon in the bottom right of your computer (near the clock). It may have a red X in it, that’s ok. Double click on it to open the Windows Configure tool.
- If you didn’t hide your network, you should be able to just click on the “Refresh Network list” link in the left toolbar, and you’ll see your network (and probably others if you live near people) show up in the list of wireless networks.
- If this is the case, all you have to do is double click on your network to connect to it.
- You’ll be asked to type in the WEP key, and then again to confirm it. It’s really annoying because you can’t see what you’re typing, so just have some patience with it. You only have to do this once. Your computer will remember the key in the future.
- At this point, you should be done setting up your wireless security, so skip down past the rest of these numbered steps.
- If you did hide your network, you will need to use the wizard to connect to it, so click on the link labeled “Set up a wireless network for a home or small office” on the left toolbar and it will bring up the wizard.
- Skip past the first page that just tells you about the wizard. On the second page, type in the name of the network that you set up earlier, and select the radio button for “Manually assign a network key”. Leave the checkbox at the bottom of the page un-checked.
- On the next page, you’ll have to type in the WEP key we created twice. I would recommend un-checking the box to hide the characters as you type, as it will make it easier to find any mistakes you make when typing in the number. Once you have that key typed in, click Next.
- For the purposes of this guide, select “Set up a network manually” on the next page of the wizard. If you have more than one computer to do, you may want to follow the wizard through the “Use a USB flash drive” portion to quickly set up the other computer, but that’s beyond the scope of this guide. I may add it later once I test it out for myself. Click Next.
- You’re all done. The last page gives you the option of printing out all the info about your connection settings. It should be the same info you wrote down throughout this guide, but if you want it in a nice format, go ahead and print it. Just don’t lose this paper. It is the key to 3 of the 4 levels of your security (everything except the MAC filtering).
So that’s it. You now have a secured wireless network setup. I really hope that this guide has been helpful to you. If you find any mistakes or have any questions, I would ask that you please leave comments below. I do read them, and I will make updates as necessary.