Wireless security is important. It does not matter if you use wireless on the home front or in the office, you still need to protect it. There are many guides online that offer advice and methods for protection when it comes to wireless, but from an IT professional view, some of the ones aimed at homes users complicate matters, and some of the ones aimed at office usage are outdated or simply wrong.
Simple solutions to securing a wireless network. Simple security myths debunked too. (IMG: J.Anderson)
The best way to start this article is to explain what to do to secure your wireless network. These methods work from both the business aspect and the home aspect of security. However, with that said, let’s cover one major myth straight off.
Myth: WEP is better than no security at all
Many guides online tell the home or business user that WEP is better than no security at all. The point they are making is that instead of using no security on the wireless network, you should use WEP at the very least. A valid point to make, but the reality is; if you use WEP, you might as well be using no security at all.
WEP, or Wired Equivalent Privacy, was a great source of security back in 1999. Today however, WEP is easily defeated by several tools, and usage is discouraged by many security vendors.
WPA (Wi-Fi Protected Access) or WPA2 is the security setting you want to enable. Both WPA and WPA2 are based on the IEEE 802.11i standard. Interestingly, if you see the term “Wi-Fi CERTIFIED” on any device for your home or office you can be assured that you’re able to use WPA or WPA2.
If you do not have WPA or WPA2 available to you, your device or network card likely needs a firmware update, which you can obtain from the vendor.
WPA explained and effective usage:
WPA-Personal or WPA-PSK (Pre-Shared Key) is designed – in truth ideal – for home or small office usage. Using a Pre-shared Key, you must enable a passkey in order to access the wireless network. The passkey is supposed to be at a minimum twenty characters. Passkeys can be exactly 64 hexadecimal characters (0-9, a-f, A-F) or range from 8 to 64 characters of any type (0-9, a-z, A-Z) including special characters (!, -, _, @, #, $, %, ^, &, *).
Examples: Wi-Fi<>*&^yhnBgt%$#@
(Note: Using these exact passwords is not advised, as they are public property.)
As you see in the example, pattern based passwords are effective but you should limit their use to non-critical access. The best pass phrases are twenty characters in length or more and are personal sayings or sentences that you could remember. (Avoid things like “oneringtorulethemall” or “goawayorishalltauntyouasecondtime” as popular movie quotes are easy to guess.)
Example: Hellhathnofurylikeanadminwithnocaffeine!
WPA-Enterprise:
WPA-Enterprise (sometimes call 802.11X WPA) is for large scale wireless operations. As the name suggests, Enterprise IT shops are the likely teams to implement this option for security. The setup can be daunting, and this is not recommended for SMB or Home usage.
WPA-Enterprise is popular because it can centralize user credential management using RADIUS. RADIUS (Remote Authentication Dial In User Service) is a complex subject to cover, however if you are in an Enterprise environment and want to research more the best place to start is here: http://www.faqs.org/rfcs/rfc2865.html
While RADIUS will increase security between the RADIUS server and RADIUS client by means of a shared secret, remember that if the RADIUS server is ever breached the attacker can own everything.
Sometimes RADIUS can be costly, for that there is an alternative in the way of GNU RADIUS. (http://savannah.gnu.org/projects/radius/ )
Proven methods for wireless security:
1. Change the default password on the device. Locating information about the default username and password scheme on a wireless device is as simple as pie if you use Google. That or you can visit here: http://www.irintech.com/x1/blogarchive.php?id=764
2. Use a good, strong, rock solid WPA or WPA2 key and NEVER use WEP.
Note:
For IT Shops, if WPA can not be supported in any format (WPA or WPA2) because of lack up firmware upgrades or older equipment, then you need to buy better equipment. The cost of these upgrades is low. There is simply no excuse for not using WPA in the office.
For home users, WPA is available on almost all of the recent wireless devices, such as network cards and access points. If you do not see support for WPA check with the vendor (D-Link, Belkin, or Linksys for example) to see if there are firmware upgrades. If you cannot support WPA, you should invest in hardware upgrades as well if security is your top concern. The cost is low, and in most cases upgrading three computers and getting a new access point can cost you under $100. Remember to look for “Wi-Fi CERTIFIED” on the device or the packaging as this means WPA is supported.
3. (Home) (IT Departments) Disable the remote management features if they are not needed. If it is needed for a business environment access it via a secure tunnel.
4. (IT Departments) Attempt to crack your own wireless network, with permission from the management teams, and correct any flaws.
That’s it; it is that simple to ensure you are starting on the right foot for wireless security.
Other Methods for Wireless security:
Some of the following methods are found all over the web when securing a wireless network. These are mostly vendor supported security practices, and for the most part looked at with a healthy dose of skepticism.
MAC Address filtering:
Many guides will tell you that MAC Address filtering is a solid way to secure a wireless network. This is paramount to the same guides that offer “WEP is better than nothing” in their security advice as well.
MAC addresses are 12-digit HEX codes assigned to a network card. Using the wireless router to allow only certain MAC addresses on the network is like only allowing people with red ties into the staff break room with the cool doughnuts.
How long do you think it will take before everyone wears a red tie? Likewise, a simple scan of the wireless traffic will yield MAC addresses in every packet sniffed. An attacker wanting access to your network will know how to clone a MAC address. Once they clone a MAC on the allowed list, they are granted permission to enter.
Hide your SSID:
Several online guides advise you to disable your SSID (Service Set Identifier). This is a tricky area, as you can hide your SSID and still make the connection to the network. In truth, there are options on most modern wireless cards that allow for this security practice.
Sadly, hiding your SSID is moot, as you can’t truly hide the SSID to start with. The best paper debunking this myth is one written by Robert Moskowitz. (http://tinyurl.com/ynnvsd )
“The broadcast of the SSID improves the performance of a wireless network and the SSID cannot be hidden without degrading proper WLAN operations. Efforts to hide the SSID are at best half-measures which lead to a false sense of security and to a degradation of wireless network performance, particularly in a roaming situation,” the paper states.
It’s worth a read when researching wireless security.
What you should do regarding your SSID, is change its name. Most open networks start with the SSID of Linksys. The odds of the network being open or insecure if it still has a default SSID are high.
NOTE:
Changing the SSID to Linksys1 for example or Wireless1 is just lazy. Naming schemes should be relevant to the operation or nature of the device. Take for example a company that offers wireless to marketing, development, and sales. Using Wireless1, Wireless2, and Wireless3 is silly and offers little management and control.
Cube workers will not know or care what connection is what, and simply use the stronger signal. This can lead to an assortment of problems you do no want or need when designing a network.
Disable DHCP on the wireless network:
Let’s think for a moment on this security tip for wireless security. If you started to chuckle, then you are taking the approach to security all administrators should, think like a criminal. Removal of DHCP as a method of security is a joke. Without naming the source for this quote – it’s a popular source of information – read the following and think maliciously.
“Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.”
How long do you think this network will last? There are so many different scanning tools; it’s hard to mention the right one for the job of cracking into a network protected like this. Kismet is a fun toy, http://www.kismetwireless.net/ , it would do the trick here wonderfully.
From the Kismet website, “Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, de-cloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.”
In short, removing DHCP as a means of security is worthless.
Access Point Placement:
Another myth, and yet another popular security tip from vendors and online guides. Again, read the quote below, and ponder this advice. (Again, citation is removed)
“If you haven't yet installed your wireless home network, make sure to position the router or access point in the center of the home rather than near windows or doors….”
Another source lists similar advice, “Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.”
The placement of wireless devices has nothing to do with security. Centering the access point in the middle of a room, or as mentioned in other guides cutting the power signal, will only hinder Wi-Fi usage. Why would a company or family invest in wireless technology only to limit its usage?
Read this: http://seattlewireless.net/index.cgi/DirectionalYagi
After you read that, the assumption that lowering power in the antenna or centering the access point offers good security should be fully removed. (The point is that attackers or criminals, who are looking for wireless networks, will still find yours in the center of the room, and in some cases on the other side of town.)
Again the best method of security for wireless networks is mentioned in the four steps on page one. If you want to learn about the tools used by malicious hackers, better known as criminals, take a look at the other feature in the security section; Security: Tools of the Trade – Wi-Fi
Chris BlalockSep 9th, 2008 - 21:31:56
So why exactly is unencrypted better than WEP? Ya, go for the better security if you can, but there are still some legacy devices around that only do WEP.
Report this comment