Securing Your Wireless Network
In this article, you will learn about the security challenges posed by typical wireless network configurations and how to secure your wireless network against intruders.
Introduction
In 2003, one-third of all laptop computers sold included wireless Ethernet network adapters. May 2003 was the first month that laptop computers outsold desktop computers. Given these facts, and the increasing amount of retail shelf space devoted to wireless Ethernet network hardware for use on existing desktop and laptop computers, it's likely that, sooner or later, you will have a wireless Ethernet network.
Wireless Ethernet Standards
Wireless Ethernet hardware meets one or more of the standards shown in Table 1.
Table 1 Wireless Ethernet Standards
| Official Standard | Maximum Speed | Frequency | Interoperable With |
| --- | --- | --- | --- |
| 802.11b | 11Mbps | 2.4GHz | 802.11g |
| 802.11g | 54Mbps | 2.4GHz | 802.11b |
| 802.11a | 54Mbps | 5GHz | |
Although the term Wi-Fi is often used to apply to all wireless Ethernet hardware, it properly refers only to wireless Ethernet hardware which has been certified for interoperability by the Wi-Fi Alliance (www.wi-fi.org). See Figure 1 for an example of a product label found on Wi-Fi certified hardware.
If you have or plan to implement a Wi-Fi network, it's important that you understand the security challenges involved in implementing a typical wireless network and how to secure your wireless network against intruders.
How an Unsecured Network Can Threaten Your Privacy and Identity
Typically, most vendors of wireless Ethernet access points and routers (access points connect wireless Ethernet devices to each other; routers connect local wired and wireless networks to the Internet) don't enable security settings in their default configurations. Routers are typically configured to broadcast their SSID values (the SSID identifies the wireless access point or router) to wireless clients, and are not usually configured to require any authentication from those clients.
When a wireless client detects an SSID which doesn't use security, all it takes to join that network is a couple of clicks of the mouse on the wireless network icon in the Windows system tray. Because Windows XP's built-in wireless Ethernet support scans for SSIDs, it's easy for an unauthorized user to piggyback on an unsecured wireless network and do anything from borrowing an Internet connection to reading email or snatching documents from a shared folder on the network. Although the comic strip Doonesbury put an amusing spin on Wi-Fi gatecrashing in its July 21, 2002 strip, the potential for identity theft, loss of business trade secrets, and loss of privacy caused by unsecured wireless networks isn't very funny in real life.
Why Network Security Is Usually Disabled by Default
Given the risks inherent in unsecured wireless access, why do most network vendors (Microsoft is a notable example) leave network security disabled by default? There are several reasons:
- Enabling network security complicates wireless network setup. When security is enabled, both the access point or router and the network clients must be configured to use the same security settings. When different vendors' products are used, it can be hard for users to determine exactly how to make the necessary changes.
- Settings which don't match (such as incorrect encryption keys or encryption levels) prevent wireless clients from working.
- Wireless throughput often drops when security is enabled, particularly on 802.11b (11Mbps) networks or networks which mix 802.11b and 802.11g hardware.
- Network security settings are not needed for wireless adapters used with a public hot-spot, such as those now available in some public libraries and other locations. These networks are usually separated from internal networks, and are configured to provide Internet access only.
Configuring Your Router or Access Point for Security
You can secure your home or office wireless Ethernet network by using the features included with virtually any combination of access point/router and network adapter. These include:
- enabling 128-bit WEP encryption
- changing the default SSID used by the network
- disabling broadcast of the SSID
- enabling MAC filtering
- using Wi-Fi Protected Access (WPA) when available
Most wireless access points or routers are configured through a web-based interface. Check the manual for your unit to determine what IP address to use in your browser to start the configuration process. Provide the username and/or password required to continue. Here's a tip: if your router or access point includes a wired Ethernet switch, you should connect it to a computer with a wired Ethernet adapter to configure it.
Enabling 128-bit WEP Encryption
Wireless Equivalent Privacy (WEP) is a type of encryption that all wireless Ethernet products support. WEP uses a fixed encryption key which a network client must provide before a connection can be made. Although a determined hacker can break WEP, enabling 128-bit WEP protects you against casual to moderate snooping.
Some early wireless Ethernet adapters don't support 128-bit encryption without a driver upgrade; check the manual for your adapter if you're not sure of the WEP encryption levels it supports. To enable WEP, select the encryption level within the access point or router's WEP configuration screen and enter the required length of encryption key in either HEX or ASCII (Figure 2). The higher the encryption level, the longer the key; longer keys are also harder to break. 128-bit encryption uses a 13-character key, while 256-bit encryption (used primarily in enterprise settings and not supported by most home-market wireless hardware) uses a 26-character key. Be sure to record the key, because it must be provided to each network client for access.
Changing the Default SSID
The Service Set Identifier (SSID) is used to identify the wireless network access point or router. Manufacturers store a default value for the SSID in the non-volatile memory of these devices. Even if the SSID is not broadcast, a hacker who discovers what brand and model of access point or router you have can use the default SSID to gain access to your network if it is not secured. Consequently, it's a good idea to change the default SSID supplied with the device.
Disabling SSID Broadcast
By default, wireless access points and routers broadcast the SSID for detection by all wireless network clients in the vicinity. To help reduce intrusion attempts, you can disable this behavior in the device setup.
Figure 3 shows a wireless router after SSID broadcast has been disabled, but before changing the default SSID.
Enabling MAC Filtering
If you want to limit access to the wireless network to specific network adapters, some routers and access points offer a feature called MAC filtering. MAC filtering uses the media access control (MAC) number assigned to each network adapter to enable or block access to the network. If you don't know the MAC address of a particular adapter, you can use the Windows program Winipcfg (Windows 9x/Me) or the command-line program ipconfig /all (Windows NT/2000/XP) to display this information. Figure 4 shows how to use this information to configure your wireless access point or router.
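An added example, not part of the original article: a Python sketch that pulls each adapter's Physical Address out of `ipconfig /all` output so the wireless adapters can be entered in the MAC filter list. The sample output, adapter names and addresses are constructed; the colon-separated output format and the match on "wireless" in the adapter name are assumptions, so check the format your router's filter screen expects.

```python
import re

# Constructed sample of `ipconfig /all` output (Windows XP layout); the
# adapter names and addresses are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP01

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
        Physical Address. . . . . . . . . : 00-00-5E-00-53-0A
        Dhcp Enabled. . . . . . . . . . . : Yes

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-00-5e-00-53-0b
"""

# Section headers start in column 0; detail lines are indented.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
MAC_RE = re.compile(
    r"Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s*$"
)


def adapter_macs(ipconfig_text):
    """Return {adapter name: MAC}, MACs normalized to AA:BB:CC:DD:EE:FF."""
    macs = {}
    current = None
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        found = MAC_RE.search(line)
        if found and current is not None:
            macs[current] = found.group(1).upper().replace("-", ":")
    return macs


def filter_entries(ipconfig_text, wireless_hint="wireless"):
    """MACs of adapters whose name contains the hint (an assumed convention)."""
    return sorted(mac for name, mac in adapter_macs(ipconfig_text).items()
                  if wireless_hint in name.lower())


if __name__ == "__main__":
    for name, mac in adapter_macs(SAMPLE_IPCONFIG).items():
        print(f"{name}: {mac}")
```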
After you enable the network security features you want to use on your router, be sure you save the changes to the router or wireless access point's non-volatile memory. See your product manual for details.
Upgrading to Wi-Fi Protected Access (WPA)
The biggest weakness in current wireless security settings is the WEP encryption key. Even if your network hardware supports 256-bit encryption, the key is a fixed key which could eventually be cracked by a determined intruder. Some wireless Ethernet hardware now supports Wi-Fi Protected Access (WPA), which uses a new dynamic keying method which generates trillions of keys from a single key entry. Unfortunately, although WPA was introduced in 2003, many vendors have still not upgraded their hardware to support it. Check with your wireless network vendors for hardware updates if your wireless access point/router or network adapters don't include WPA support. If a single device on your wireless network doesn't support WPA, you will need to continue to use WEP encryption instead.
Connecting to a Secured Network
After you secure your wireless access point or router, each client must be supplied the WEP or WPA key necessary to connect to the network. The key must be provided to make a connection. Figure 5 shows a typical connection dialog requiring a WEP key.
The first time you connect to a wireless network access point or router which uses WEP, you might also need to click the Advanced button to bring up the properties sheet for the connection. Select the connection and click Configure. Check the boxes for Data encryption and network authentication, then enter the network key and other information as prompted. Figure 6 shows this dialog. On subsequent connections, the key is stored for automatic access. You can just click on the wireless network shown in the available networks dialog to make your connection.
Conclusion
Wireless networking has become an extremely popular way to build home and office networks. However, wireless networks present extreme security risks unless the network is secured against invaders. Use the methods in this article to secure your network and upgrade the security as WPA becomes available.
For Further Research
Learn more about Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance's official web page:
http://www.wi-fi.org/OpenSection/protected_access.asp?
Fred Langa's Langa Letter for Information Week on sharing a Wi-Fi connection discusses security and other issues. Read it at http://www.wi-fi.org/OpenSection/protected_access.asp?
US Robotics offers some useful white papers which discuss wireless access point and router features which improve security (requires Adobe Reader/Acrobat Reader). A business-oriented paper is located at http://www.usr.com/download/whitepapers/lan-security-wp.pdf. A white paper discussing the security features built into their 802.11g-compatible network products is located at http://www.usr.com/download/whitepapers/80211g-wp.pdf.
Copyright©2004 Pearson Education. All rights reserved.