Securing Your Wireless Network
By Mark Joseph Edwards

In the Mar. 8 newsletter, I talked about securing wireless routers. One of the suggestions I made was to enable encryption, if your router and wireless network cards support that feature. Doing so helps prevent someone from snooping in your network traffic and using your bandwidth.

There are three basic types of encryption for most wireless networks: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2 (WPA2). When considering encryption, the basic thing you need to know is that encryption is accomplished using some type of cipher and some length of encryption key to scramble and unscramble the data.

WEP and WPA both use the RC4 stream cipher. WEP uses a 40-bit encryption key, while WPA uses a longer 128-bit key. Naturally, WPA provides stronger protection. WPA also uses dynamic keys, whereas WEP keys are static. Dynamic keys change at an interval, which adds to the strength of WPA protection by making your keys a moving target.

WPA can also support 802.1X authentication. In very simplified terms, this is a logon mechanism that verifies who the user is. Without 802.1X in place, WPA isn't as strong as it could be. In fact, some experts argue that without 802.1X, WPA isn't much better than WEP.

For more information about weaknesses in WPA without 802.1X, see Joel Snyder and Rodney Thayer's 2004 article in Network Computing entitled "WPA — An accident waiting to happen."

Be aware that one popular tool for Mac OS X, called KisMAC, has the ability to discover encryption keys for both WEP and WPA. Other tools, such as WPA Cracker and coWPAtty, can do the same thing.

By contrast, WPA2 uses dynamic encryption keys and the Advanced Encryption Standard (AES) block cipher. This is far stronger than the RC4 cipher used in WEP and WPA. To date, no one has published a way to defeat WPA2 encryption, although that does not mean it isn't possible. In fact, several people have theorized ways that WPA2 could be defeated — it simply hasn't been demonstrated yet.

So, if you require encryption between your computer and wireless router, and your network hardware and operating system support WPA2, be sure to use it. If you can't use WPA2, then use WPA; and if you can't use WPA, then use WEP. Just be aware that both WPA and WEP can be cracked with relative ease. Doing so does require specialized software that the average person won't bother locating and using. On the other hand, determined intruders will obtain such software and try to use it.

Keep in mind that network security essentially means controlling access. Therefore anything you do to control access is part of your security procedures.

Good network security requires a layered approach. The reason is simple and somewhat obvious: If one layer fails, then another layer can help protect your systems and network. For example, if someone found a way to crack your WPA2, then you would already have other layers in place that would help protect your network — if only for a little while longer.

There are some additional steps you can take to help protect your wireless network that will make it more difficult for a bad guy to break in. The extra time it takes to crack your system might be just enough for you to power off your network gear because you're going to bed for the evening. A coincidence, yes, but you never know!

You can configure your router so that it doesn't broadcast its Service Set Identifier (SSID), which is basically the router's common name. While taking this step doesn't completely eliminate a person's ability to find your router's name (that, too, can be done with special software), it will stop the average passerby from finding it.
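To confirm which of the encryption modes above your own router actually advertises, and whether its SSID is suppressed, you can inspect the fields of its beacon frame. The following is an added example, not part of the original article: it classifies a beacon from its capability field and tagged parameters. The function names and sample bytes are constructed for illustration, and any RSN element is reported as WPA2, the newest mode the article covers.

```python
# Cipher suite type (last byte of the 4-byte suite selector) -> name
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"

def iter_ies(buf):
    """Yield (tag, data) per tagged parameter; stop at a truncated element."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            break  # malformed element: never read past the buffer
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length

def pairwise_ciphers(body, oui):
    """body layout: version(2) group suite(4) count(2) pairwise suites(4 each)."""
    if len(body) < 8:
        return []
    count = int.from_bytes(body[6:8], "little")
    suites = [body[8 + 4 * n:12 + 4 * n] for n in range(count)]
    return [CIPHERS.get(s[3], "unknown") for s in suites
            if len(s) == 4 and s[:3] == oui]

def classify(capability, ies):
    """capability: 16-bit beacon capability field; ies: tagged parameters."""
    result = {"security": "WEP" if capability & 0x0010 else "open",
              "pairwise": [], "hidden_ssid": False}
    for tag, data in iter_ies(ies):
        if tag == 0:  # SSID element: empty or all-zero means not broadcast
            result["hidden_ssid"] = not any(data)
        elif tag == 48:  # RSN element, which WPA2 advertises
            result.update(security="WPA2", pairwise=pairwise_ciphers(data, RSN_OUI))
        elif (tag == 221 and data[:4] == WPA_OUI + b"\x01"
              and result["security"] != "WPA2"):  # mixed mode: RSN wins
            result.update(security="WPA", pairwise=pairwise_ciphers(data[4:], WPA_OUI))
    return result

def ie(tag, data):
    return bytes([tag, len(data)]) + data

# Constructed sample elements (not captured from a real network)
RSN = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
WPA = bytes.fromhex("0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
SAMPLE_WPA2 = ie(0, b"home") + ie(48, RSN)
SAMPLE_WPA_HIDDEN = ie(0, b"") + ie(221, WPA)

if __name__ == "__main__":
    print(classify(0x0011, SAMPLE_WPA2))
    print(classify(0x0011, SAMPLE_WPA_HIDDEN))
```

A network that reports "WEP" or lists only TKIP as its pairwise cipher is using RC4 and should be moved to WPA2 with AES where the hardware allows.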

Yet another step you can take is to configure the router so that it only accepts connections from specific Media Access Control (MAC) addresses, which are unique hardware numbers assigned to network interfaces. As with disabling SSID broadcasts, taking this step doesn't completely prevent someone from connecting to your router.

With enough knowledge and the right tools, someone could clone a MAC address that is allowed to connect to your router. But again, the average user who is merely looking for a quick way to check e-mail or view a Web page won't bother with that. They'll simply move on to find another nearby wireless network.

So, while both of these precautionary steps can be defeated by a savvy intruder, they will still go a long way towards keeping most, if not all, of your neighbors and strangers from connecting to your network without your permission.

And finally, one more step you can take to protect your wireless network is to simply turn it off when you aren't using it! There's no sense in leaving it on when it's not in use, especially at night when you're sleeping.