It is a well known fact that wireless connections are by nature insecure. Your chances of being snooped on and having valuable data stolen from you are very high, even in the most secure setups. It's even more likely in a public setting such as an internet cafe or a wireless hotspot. That is why good solutions are needed to ensure that your wireless connections are as secure as they can be. So here are several simple steps to securing your wireless connection in a way that, while not unbreakable, will be so difficult to crack that only the most zealous or determined of hackers would even bother to try their chances at breaching it.
But as with any secure network setup, security is no less than a two party affair. So let's begin our tutorial by looking at your PC and ways to secure it.
Securing Your PC
The first step in any secure wireless setup is to ensure the security of your workstation or laptop first. As this is typically what a hacker or snooper is after, it is also the first thing you will want to secure, and the one you will want to do the most to secure. That's not to say that you shouldn't pay careful attention to other parts of your setup, but the highest value targets on your network or internet connection (namely your laptop or workstation) are always the objects that should receive the greatest attention.
Now, the first thing you'll want to do is ensure that your machine is spyware and virus free. As with the story of the Trojan horse, once the enemy is inside your gates, even the tallest, strongest walls are of little help to you. There are a number of simple ways to ensure that your machine is free and clear of viruses and spyware. On Windows, a good anti-spyware program such as Ad-Aware or Spybot can remove any possible spyware on your machine. Avast or AVG can be used to ensure that you have no viruses, and the BlackLight rootkit revealer can help you rid your system of any possible rootkits that might be lingering in the shadows.
On MacOS you can use MacScan for spyware, and ClamXav can be used to remove viruses. There are other applications for MacOS, but none I know enough about to recommend at this time. As for Linux and BSD, those are secure enough that neither an antivirus nor an anti-spyware app is needed. In fact, viruses and spyware are so insanely rare on these two platforms that in most setups you can easily skip these scans. If you still want to check and be sure you're clean, ClamAV is a great tool for this.
If you find your system infected with a virus, and most especially a rootkit, it's usually a good idea to reload your system with a fresh copy, because once you've been compromised, you can't trust your system security anymore. It's like having a hole in your boat. Once it's there, even if you patch it, it's only temporary until someone jars that patch loose. And if they do, you'll still sink despite having patched it.
Now if you just get spyware, and it's benign, such as tracking cookies, then you're fine. But if it's one of the more virulent forms, then you'll definitely want to reload your OS as well, just for safety's sake. Also be sure not to load any applications onto your system afterwards that might reinfect it. This is why it's important to be aware of what you're loading when you reinstall. If you suspect something might be loading spyware, don't install it. That's just good common sense.
Now once that's done, you'll want to set up a firewall on your system. Do note, if you already have a hardware firewall on your network, and you're running a hard wired Cat5e ethernet connection, a software firewall is not necessary. You can still add it for peace of mind, but overall you don't really need it if one's already in place elsewhere. The only thing a local firewall would protect you from is the case where you're on a large network and someone else in the company, or in your home, gets compromised by a virus. Of course if you're running on a wireless connection, you need one regardless. So be aware of that.
For Windows users, there's obviously the default Windows Firewall. While that's a good stopgap solution, you should use something more secure. Visnetic Firewall is, in my humble opinion, one of the best firewalls you can get for Windows. There are other solutions out there, but none I can recommend. For MacOS, I'm not aware of any good quality firewall solutions, but I can recommend two to stay away from. McAfee and Norton both have very low quality firewalls that are buggy and riddled with security issues. Those are best avoided.
On Linux and BSD, you have your choice of numerous firewall setups, ranging from iptables to IPFW. While all of them are good, I'm partial to iptables, but ultimately the choice is yours. Once you have your firewall set up and configured, you're ready to move on to the next part. If you're unfamiliar with firewalls, I recommend reading our Understanding Firewalls and Configuring Firewalls tutorials. Once you have all these security measures in place, you will have fortified your computer against a wide range of common, and not so common, security risks and attacks. Now it's on to the next step, securing your wireless connection.
If all you're concerned with is securing your laptop against snooping on a public wireless network, then you can skip to the next section. But if you have a home network setup with a wireless router or wireless access point (WAP), then keep reading.
Securing Your Wireless Network
Alright, as of this point you can take everything you know about your wireless network and throw it out the window. Because I'm about to completely change how your wireless network works. Here's a typical example of how a wireless network is setup in the home or office.
Internet -> Modem -> Firewall (optional) -> Wireless Router -> PC's (hardwired and wireless)
If you're not using a firewall already in your setup, then you need to make a few changes. Just trusting NAT on your router to protect your network from attack is like trusting your dog to stop a charging buffalo. It might slow down the script kiddies, but it won't stop the more seasoned hackers. If you have no firewall at all, then you're playing with fire and really should have one regardless. If you're on any kind of high speed internet connection, you need a hardware firewall to protect your network. If you've never set one up, might I suggest our FreeBSD Firewall Tutorial to help you construct one.
Now once you have that, you'll want to do something a little different than you might typically expect to do. You're going to create a DMZ. If you've already set up a firewall, adding a DMZ is very simple. If you're using a firewall appliance, typically these will have a way to do a DMZ. For those that don't, well, you'll have to either replace the unit, or find another way to create a DMZ. In my tutorial, a DMZ is as simple as adding a 3rd network card to the firewall, replicating the settings for the external interface, and then punching a hole through it on whatever port you will have your SSH server listening on.
Once you've got your firewall in place, remove your wireless router from the network and set it aside for now. After that, setup your network to look something like this:
Internet -> Modem -> Firewall -> Wired router -> Switch (optional if network is small).
Now here's the kicker. If you don't have any wired connections in your home or office, and everything is wireless, I'm going to recommend that anything you can hard wire to your network be changed over and wireless taken away. Typically, unless a device is mobile, it *DOES NOT* need a wireless connection. Printers, servers, desktops, etc. should all have Cat5e wired connections to a router or switch on your network. I know it may be difficult, but there are ways in which you can easily connect anything via a standard Cat5e ethernet cable. If you need help figuring out how to do a hard wired home network, I recommend our "Building a Simple Home Network" tutorial to get you started.
I've likely got one of the more convoluted apartment layouts around, and if I can wire my entire apartment for internet, then I know you can as well. You just have to be willing to do it. And if you want greater security, you'll go with wired connections wherever you can. Trust it, it's better this way. Now before you panic and think that there's too much stuff now on your home or office internet connection, take one thing into consideration. Security will require some extra hardware. If you tuck this into a small cabinet or somewhere out of the way, such as a closet, the extra hardware you'll have will be out of sight and out of mind.
Now, once you've got your DMZ set up and everything you can has been connected via Cat5e ethernet cable to a hard wired router and/or switch, you'll next need to reconnect your wireless router to the DMZ port on your firewall. Next, make sure your wireless router has the maximum possible security settings enabled. Once you're sure everything's done, this is how your network should look.
Internet -> Modem -> Firewall -> Wired router -> Switch
                        |
                        DMZ port -> Wireless Router
The idea behind this setup is to essentially firewall your wireless router. This way, only people who are set up properly and know how to connect to the internet through your wireless router will get any internet access. And in the next part, I'll show you how to keep them from snooping on your internet traffic as well. But before we do, we have one last step to do. If your firewall is an appliance type firewall, then you'll need a separate machine with SSH access to achieve this next part. If your firewall is a Linux or BSD box, then all you'll need to do on your DMZ port is open a hole in your firewall and point it towards port 22 where your SSH server is running. Once that's done, you're ready for the next step.
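For a Linux firewall box, the "hole in the DMZ port" described above can be written down as an iptables ruleset. The script below is an added example built for this tutorial's layout; it is not from the original text nor from the FreeBSD firewall tutorial it references. The interface names (eth0 toward the modem, eth1 toward the wired router, eth2 as the 3rd card toward the wireless router), the two subnets, and the use of the iptables-restore format are assumptions for a three-NIC Linux box; change them to match your own hardware. It only prints the ruleset unless invoked with --apply, and before applying it checks that no FORWARD rule lets traffic entering on the DMZ interface through, which is exactly what confines the wireless side to the SSH server.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): generate an
# iptables-restore ruleset for a three-interface Linux firewall with a DMZ.
# All interface names, subnets and ports below are assumptions; override
# them from the environment to match your box.
WAN_IF="${WAN_IF:-eth0}"                  # toward the modem / internet
LAN_IF="${LAN_IF:-eth1}"                  # toward the wired router / switch
DMZ_IF="${DMZ_IF:-eth2}"                  # the 3rd NIC, toward the wireless router
LAN_NET="${LAN_NET:-192.168.0.0/24}"      # wired LAN behind the firewall
DMZ_NET="${DMZ_NET:-192.168.10.0/24}"     # subnet on the DMZ interface
SSH_PORT="${SSH_PORT:-22}"                # port sshd listens on, on the firewall

# Print the ruleset in iptables-restore format. Hosts on the DMZ can reach
# exactly one thing: the SSH daemon on the firewall itself. They are never
# forwarded anywhere, so their only route to the internet is the SSH tunnel.
dmz_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH to the firewall from the DMZ (at home) and from the internet (at a cafe); nothing else
-A INPUT -i $DMZ_IF -s $DMZ_NET -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# the wired LAN may talk to the firewall freely
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# forwarding: wired LAN out to the internet only; the DMZ is never forwarded
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ_IF -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity check to run before applying: no FORWARD rule may ACCEPT packets that
# arrive on the DMZ interface. Returns 0 when the DMZ stays isolated.
dmz_is_isolated() {
    ! dmz_ruleset | grep -- "-A FORWARD -i $DMZ_IF" | grep -q ACCEPT
}

# Usage: sh dmz-firewall.sh            -> print the ruleset for review
#        sh dmz-firewall.sh --apply    -> load it atomically (run as root)
if [ "${1:-}" = "--apply" ]; then
    dmz_is_isolated || { echo "refusing to apply: DMZ is not isolated" >&2; exit 1; }
    dmz_ruleset | iptables-restore
elif [ "${1:-}" = "--print" ]; then
    dmz_ruleset
fi
```

Note that the wireless router's own WAN side sits in the DMZ subnet and NATs the laptops behind it, so from the firewall's point of view every wireless client shows up with the router's DMZ address; the single -s $DMZ_NET rule covers all of them. Because the default policies are DROP and the DMZ has no forwarding rule at all, a wireless client that joins the network without setting up the tunnel gets nothing, which is the behaviour the section above is aiming for.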
Securely Connecting Through Wireless
Alright, now the last step in our little guide switches back to focusing on your laptop or workstation that is still using wireless. If you're using MacOS or Windows, you'll need an appropriate SSH client to make this next step possible. I recommend using Bitvise Tunnelier. This will create the same local SOCKS proxy connection that you would get via OpenSSH in Linux or BSD. To set that up, you'll first need to start with the login tab. Enter the IP address and port number of your local SSH server on your network. If you're at an internet cafe or on a public wireless connection, then it will be the IP and port number of your home or business internet connection. Examples are as follows:
If at home or work, you'd have something like this: IP: 192.168.0.150 port 22 (use a different port number if your ssh server is listening on a different port)
If at an internet cafe or public hotspot: 12.24.198.27 port 22 (ditto on the port number)
Now, enter your username and password on the right, and then click on the "services" tab. Put a checkmark in "Enabled" under "Socks / HTTP Proxy Forwarding". For Listen Interface, put 127.0.0.1 for your machine and 8080 for the port. Leave everything else alone. Now, connect to your SSH server by pressing connect below. If you like, you can also save your profile and password at this time as well.
Next, go to your browser, open up the settings dialog, and set your browser to connect through a proxy server for all traffic. On Firefox, click Tools -> Options in Windows, or Edit -> Preferences in Linux/BSD. I'm not sure where the options menu is in MacOS, but once you find it, the rest should be the same. Next, click on Advanced, and then select the Network tab. Click on Settings, select "Manual Proxy Configuration", type "localhost" next to "Socks Host", and 8080 in the adjoining port field. Leave everything else the same. Click OK, click Close, and then you're all set. You're ready to surf the web securely from your laptop or workstation.
On Linux and BSD, to initialize the SSH connection, you'll simply need to open a console window and type the following command:
ssh -D 8080 -p 22 username@192.168.0.150
Remember to replace the "22" for the SSH port number with the port number of your local or remote SSH server, "username" with your login id on that server, and "192.168.0.150" with the IP address of that server on the internet or on your local network.
Now, while this seems like a lot of work, all but two steps are one time setups. After this you'll only need to establish the SSH connection, and then open your browser to surf securely. Once you're on a wired connection again, you can skip the SSH step and turn off proxy access in your browser. To secure communications for other browsers, instant messenger clients, or other such programs, you'll need to configure all proxy aware applications to use localhost on port 8080 for the proxy, and set it as a SOCKS 5 proxy. If you must connect to anything at this point through an insecure protocol, such as FTP, I recommend replacing your client with something that will make use of any of a variety of secure transfer technologies such as secure FTP, SCP, and more.
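An added wrapper around the Linux/BSD ssh command above (example script, not part of the original tutorial). The server address, username and port numbers are placeholders taken from the tutorial's own examples; the option choices and the listener check are this example's assumptions. Compared with the bare command, it validates the port numbers, pins the SOCKS listener to 127.0.0.1 so nobody else on the hotspot can ride your tunnel, makes ssh abort if the forward fails rather than leaving you with a shell but no proxy, and confirms the port is actually listening before reporting success.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): start the SSH SOCKS
# tunnel with safer defaults and confirm it is up. Placeholder values below
# mirror the tutorial's examples; override them from the environment.
SSH_SERVER="${SSH_SERVER:-192.168.0.150}"  # LAN address at home; public IP from a cafe
SSH_USER="${SSH_USER:-username}"
SSH_PORT="${SSH_PORT:-22}"
SOCKS_PORT="${SOCKS_PORT:-8080}"

# Return 0 if the argument is a usable TCP port number (1-65535), else 1.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the ssh command line.
#  -D 127.0.0.1:PORT  binds the SOCKS listener to loopback only (a bare -D PORT
#                     relies on the GatewayPorts default for the same effect)
#  -N                 forwards only, opens no remote shell
#  ExitOnForwardFailure=yes  exits instead of silently connecting without a proxy
#  ServerAliveInterval=30    notices a dead hotspot link instead of hanging
build_tunnel_cmd() {
    is_valid_port "$SSH_PORT"   || { echo "bad ssh port: $SSH_PORT" >&2; return 1; }
    is_valid_port "$SOCKS_PORT" || { echo "bad socks port: $SOCKS_PORT" >&2; return 1; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -D 127.0.0.1:%s -p %s %s@%s' \
        "$SOCKS_PORT" "$SSH_PORT" "$SSH_USER" "$SSH_SERVER"
}

# Return 0 when something is listening on the SOCKS port on loopback.
# Linux has ss; BSD and MacOS use netstat with a dot or colon before the port.
tunnel_is_up() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$SOCKS_PORT "
    else
        netstat -an 2>/dev/null | grep -q "127\.0\.0\.1[.:]$SOCKS_PORT .*LISTEN"
    fi
}

# Start the tunnel in the background and wait up to 10 s for the listener.
start_tunnel() {
    cmd=$(build_tunnel_cmd) || return 1
    $cmd &                      # word splitting of $cmd is intentional here
    i=0
    while [ "$i" -lt 10 ]; do
        if tunnel_is_up; then
            echo "SOCKS proxy ready on 127.0.0.1:$SOCKS_PORT"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "tunnel did not come up; check the ssh output above" >&2
    return 1
}

# Usage: sh socks-tunnel.sh --start
if [ "${1:-}" = "--start" ]; then
    start_tunnel
fi
```

One caveat worth knowing before trusting the tunnel: a SOCKS proxy only carries what the application hands to it. Firefox, for instance, resolves host names locally unless "Proxy DNS when using SOCKS v5" (network.proxy.socks_remote_dns in about:config) is enabled, so with the settings described above the names of the sites you visit can still be seen by the hotspot's DNS server even though the page contents travel through the tunnel.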
Also, remember that once your data reaches the SSH server and is forwarded on to the internet, your data is no longer secure. That's why you'll need to add additional layers of security, such as SSL via HTTPS for websites, and other secure means of communication. Also, in this kind of configuration, SMB file sharing and printing services (Windows file sharing and printing counts in this category too), as well as NetBEUI and other local sharing protocols, won't work. If the protocol is a local network only, non routable protocol, you're stuck. But then again, I never recommend file sharing over a wireless connection in the first place, unless it's done through either SCP, SSHFS, or SSHD.