Securing Your Wireless
Network
By Mark Joseph Edwards
In the Mar. 8
newsletter, I talked about securing wireless routers. One of the
suggestions I made was to enable encryption, if your router and
wireless network cards support that feature. Doing so helps prevent
someone from snooping in your network traffic and using your bandwidth.
There are three basic types of
encryption for most wireless networks:
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi
Protected Access 2 (WPA2). When considering encryption, the basic thing
you need to know is that encryption is accomplished using some type of
cipher and some length of encryption key to scramble and unscramble the
data.
WEP and WPA both use the RC4 stream
cipher. WEP uses a 40-bit encryption key, while WPA uses a longer
128-bit key. Naturally, WPA
provides stronger protection. WPA also uses dynamic keys, whereas WEP
keys are static. Dynamic keys change at a interval, which adds to the
strenth of WPA protection by making your keys a moving target.
WPA can also support 802.1X
authentication. In very simplified terms, this is a logon mechanism
that verifies who the user is. Without 802.1X in place, WPA isn´t
as strong as it could be. In fact, some experts argue that without
802.1X, WPA isn´t much better
than WEP.
For more information about
weaknesses in WPA without 802.1X, see Joel Snyder and Rodney Thayer's
2004 article in Network Computing entitled, " WPA — An accident waiting to happen."
Be aware that one popular tool for
Mac OS X, called kismac, has the ability to discover encryption keys
for both WEP and WPA. Other tools, such as WPA Cracker and CoWPatty,
can do the same thing.
By contrast, WPA2 uses dynamic
encryption keys and the Advanced Encryption Standard (AES) block
cipher. This is far stronger than the RC4 cipher used in WEP and WPA.
To date, no one has published a way to defeat WPA2
encryption, although that does not mean it isn't possible. In fact,
several people have theorized ways that WPA2 could be defeated — it
simply hasn't been demostrated yet.
So, if you require encryption between
your computer and wireless router, and your network hardware and
operating system supports WPA2, be sure to use it. If you can't use
WPA2, then use WPA; and if you can't use
WPA, then use WEP. Just be aware that both WPA and WEP can be cracked
with relative ease. Doing so does require specialized software
that the average person won't bother locating and using. On the other
hand, determined intruders will obtain such software and try to use it.
Keep in mind that network security
essentially means controlling access.
Therefore anything you do to control access is part of your security
procedures.
Good network security requires a
layered approach. The reason is simple and somewhat obvious: If one
layer fails, then another layer can help protect your systems and
network. For example, if someone found a way to crack your WPA2, then
you would already have other layers in place
that would help protect your network — if only for a little while
longer.
There are some additional steps you
can take to help protect your wireless network that will make it more
difficult for a bad guy to break in. The extra time it takes to crack
your system might be just enough for you to power off your network gear
because you're going to bed for the evening. A coincidence, yes, but
you never know!
You can configure your router so that
it doesn't broadcast its Service Set Identifier (SSID), which is
basically the router's common name. While taking this step doesn't
completely eliminate a person's ability to find your router's name
(that, too, can be done with special software), it will stop the
average passerby from finding it.
Yet another
step you can take is to configure the router so that
it only accepts connections from specific Media Access Control (MAC)
addresses, which are unique hardware numbers assigned to network
interfaces.
As with disabling SSID broadcasts, taking this step doesn't completely
prevent someone from connecting to your router.
With enough knowledge and the right tools, someone could clone a MAC
address that is allowed
to connect to your router. But again, the average user who is merely
looking
for a quick way to check e-mail or view a Web page won't bother with
that. They'll simply move on to find another nearby wireless network.
So, while both of these precautionary
steps can be defeated by a savvy intruder, they will still go a long
way towards keeping most, if not all, of your neighbors and strangers
from connecting to your network without your permission.
And finally, one more step you can
take to protect your wireless network is to simply turn it off when you
aren't using it! There's no sense in leaving it on when it's not in
use, especially at night when you're sleeping.