WEBVTT

0
00:01.780 --> 00:09.070
In this lecture we’ll discuss how to configure the WiFi Network for Maximum Security and mitigate

1
00:09.130 --> 00:13.560
the attacks we have seen. To secure a wireless network

2
00:13.570 --> 00:20.320
we have to secure both the access point or the wireless router and the wireless communication between

3
00:20.650 --> 00:26.160
the AP and the WiFi clients. In this lecture

4
00:26.160 --> 00:34.950
I'll show you how to configure a  wireless router for maximum security. For other models

5
00:34.960 --> 00:41.200
there is probably another interface but the options and the concepts are the same.

6
00:42.840 --> 00:47.580
To secure the WiFi router we should follow the next steps.

7
00:47.580 --> 00:55.760
Change the default password of the  router with a strong one; each home wireless router comes with a

8
00:55.760 --> 00:58.610
default username and password.

9
00:58.610 --> 01:01.230
If you do not change it with a strong one

10
01:01.250 --> 01:06.880
a hacker could log into your router and see the wireless password or even change it.

11
01:08.610 --> 01:13.110
Connect to the WiFi router only using https.

12
01:13.290 --> 01:21.540
If you use http, like in this example, the connection is not secure and the hacker could launch a simple

13
01:21.640 --> 01:28.640
attack of type Men in the Middle like arp poisoning and capture the log in password.

14
01:28.830 --> 01:32.530
So the strong password you have set will be of no use.

15
01:34.530 --> 01:36.300
I am logged into the router.

16
01:38.850 --> 01:48.100
Disable remote administration of the router which means connecting to the router from the Internet.

17
01:48.150 --> 01:55.990
This way you avoid denial of service or brute force attacks to your router. In this example

18
01:55.990 --> 02:05.180
the remote management function is disabled configure it from your local wired or wireless network; disable

19
02:05.180 --> 02:11.840
services that are running on your router but are never used; for example if you do not use Telnet

20
02:11.870 --> 02:21.470
or SSH to connect to the router disable them; each running service is a security vulnerability. Update

21
02:21.470 --> 02:28.470
the firmware to its latest version available to avoid the exploitation of known vulnerabilities.

22
02:32.730 --> 02:40.140
Many vendors release new updates to patch vulnerabilities that have been previously discovered.

23
02:40.140 --> 02:48.360
Check regularly on the official website if there is any firmware available for your model.  These were

24
02:48.370 --> 02:52.290
the most important security settings for your router.

25
02:52.300 --> 02:58.030
Depending on the router model there could be other settings available as well.

26
02:58.030 --> 03:07.050
You could simply search on Google for secure and your router model. To secure the wireless communication

27
03:07.140 --> 03:10.320
between the WiFi router and the clients

28
03:10.440 --> 03:14.390
you should use only WPA with a very strong password.

29
03:18.440 --> 03:22.640
Do not use WEP no matter the circumstances.

30
03:22.650 --> 03:32.950
A strong WPA2-PSK  password means at least 12 random characters or 6 random words.

31
03:33.150 --> 03:34.960
This isn't a good password

32
03:34.980 --> 03:42.900
for example; it's a dictionary word and we've already cracked it in the previous lecture. At the end of

33
03:42.900 --> 03:43.700
the day

34
03:43.740 --> 03:55.270
the wireless security is as strong as the WPA 2 password. Disable WPS or WiFi protected setup.

35
03:55.840 --> 04:01.760
WPA is a very secure protocol as long as the password is strong enough.

36
04:01.870 --> 04:06.890
That means at least 12 random characters or 6 random words.

37
04:07.030 --> 04:14.710
This can be a bit inconvenient as you have to enter this long passphrase on each new device that connects

38
04:14.800 --> 04:22.280
to the network. WiFi protected setup or WPS was created to solve this problem.

39
04:22.510 --> 04:30.070
When you connect to a router with WPS enabled you'll see a message saying you can use an easier way

40
04:30.070 --> 04:34.020
to connect rather than entering your WiFi passphrase.

41
04:34.060 --> 04:41.230
There are two different ways to connect to the WiFi router using WPS: using a PIN configured on the

42
04:41.230 --> 04:50.140
router or using the push button connect. A PIN is an eight digit number that you need to enter on your

43
04:50.140 --> 04:56.350
devices to connect. the WPS pin is very easy to brute force.

44
04:56.500 --> 05:03.820
The second option is the push button connect. Instead of entering a PIN you simply push a physical button

45
05:03.910 --> 05:06.700
on the router after trying to connect.

46
05:06.700 --> 05:13.250
This is more secure but anyone with physical access to the router could push the button and connect

47
05:13.390 --> 05:19.920
even if they don't know the WiFi password. WPS should be disabled.

48
05:19.920 --> 05:28.740
Keep this in mind, it's really important! You could also use MAC address filtering, only if possible, but

49
05:28.740 --> 05:31.150
do not rely too much on it.

50
05:31.440 --> 05:39.510
MAC address filtering allows you to define a list of devices and allows on your WiFi network only 

51
05:39.510 --> 05:42.320
those devices. You can implement

52
05:42.330 --> 05:48.720
this feature only on small private networks where all clients are known in advance.

53
05:48.720 --> 05:57.350
However this is not a strong security measure because MAC addresses can be easily spoofed. All an attacker

54
05:57.350 --> 06:05.220
has to do is monitoring WiFi traffic using a tool like airodump-ng, examine a packet to find to

55
06:05.240 --> 06:12.920
the MAC address of an allowed device, change their devices MAC address to that allowed the MAC address

56
06:13.280 --> 06:16.710
and connect in that device's place.

57
06:16.730 --> 06:23.540
You may be thinking that this will not be possible because the device is already connected but a 

58
06:23.540 --> 06:31.130
deauthentication attack that disconnects a device from the WiFi network will allow an attacker to reconnect

59
06:31.250 --> 06:38.070
in its place. WPA2 with a strong password should be enough.

60
06:38.070 --> 06:46.290
Imagine that someone that knows how to capture the WPA2 4-way handshake and crack the password will

61
06:46.290 --> 06:51.930
have no difficulty bypassing the MAC filtering security feature.

62
06:51.960 --> 06:53.650
Okay that's all.

63
06:53.670 --> 07:01.590
There is no network that's 100 % secure but implementing these options you are seeing right now

64
07:02.070 --> 07:07.020
will make your WiFi network secure enough in most cases.