RealTime IT News

How to: Secure Your WLAN

MichaelSecuring a wireless network isn't a hard task. The cheat sheet is relatively small. However, the technical press continues to be flooded with articles and blogs containing technical mistakes.

Take, for example, everyone's trusted information source, Consumer Reports magazine. I'm a big fan of the magazine, having subscribed to the hard copy edition for years. But they seem out of their league, when it comes to computers.

On August 6, 2009, a blog posting at the magazine's website suggested using WEP security for wireless networks. This is very poor advice. A week after the posting, an editor corrected it, to say they recommend WPA security. This too, is not the best option. Even after being shamed into a correction, they still got it wrong.

So, let me try to offer up just what most people (and Consumer Reports) need to know about securing a wireless network.

Starting at the beginning

To begin with, there are four types of Wi-Fi networks (a, b, g, and n). But the security is not tied to any one type.

If you can connect to a wireless network without entering a password, then there is no security. In this context, the term "security" refers to encrypting data as it travels over the air.

The idea being to prevent a bad guy from capturing all the information coming into and out of a victims' computer and, in effect, looking over their shoulder despite being a few hundred feet away.

Wi-Fi networks offer three security options: WEP, WPA, and WPA2. As a simplistic introduction, think of WEP as bad, WPA as just fine, and WPA2 as great.

WEP is the oldest security option and it has been shown to be very weak. It may be better than no security at all, but not by much. Don't use it. Other than Consumer Reports magazine, the last recommendation to use WEP was issued in 2005.

WPA is technically a certification, not a security standard, but since it includes only one security protocol, TKIP, they are often confused. When people refer to WPA security, they are really referring to the TKIP protocol.

The combination of WPA and TKIP is not the best, but it's reasonably good. If you have a choice, you should opt for the best security (next topic), but if you don't have a choice (more later) TKIP is reasonably strong.

WPA2 is also, technically, a certification rather than a security standard. WPA2 includes two security standards: TKIP and CCMP. If you are using TKIP, it doesn’t matter whether the router is WPA or WPA2. TKIP is TKIP either way.

The best security option is CCMP and it's only available in WPA2, so, here again, the security protocol is often confused with the certification. When people refer to WPA2 security, they are really referring to CCMP.

But no one refers to CCMP (don't ask what it stands for). For whatever reason, the CCMP security protocol is referred to, incorrectly, as AES. So, when you are configuring a router, you need to first select WPA2, then you need to select AES (rather than TKIP) to get the best possible security and encryption.

WPA TKIP flaws

The TKIP security protocol (often referred to as WPA) is flawed. The first flaw came to light in November 2008, the second one just recently. But neither flaw is serious.

The first flaw can be defended against simply by disabling Quality of Service (QoS) in your router. Very few people make use of QoS.

The second flaw was described by security expert Steve Gibson as mostly theoretical. For example, it requires that the victim’s computer be out of radio reception range from the router. The bad guy has to connect to the router on one side and the victim on the other side. The bad guy has to be logically and physically positioned between the victim and the router.

Neither flaw lets the bad guy recover the password and they only support decrypting very small data packets. None of these small packets will contain any of your data.

It's not the flaws themselves that make WPA2-AES the best option, but the fact that they are cracks in the dam. Who knows what will turn up next? There are no known flaws in WPA2-AES, which was developed last and built on and improved the work in the earlier security protocols.

Problems getting to WPA2

Everyone who can should opt for WPA2-AES, but there may be roadblocks.

WPA2-AES requires more computational horsepower than WPA-TKIP. Older routers may not have sufficient horsepower. If your router does not offer WPA2, you can check for a firmware update, but most likely you'll have to buy a new router to get the best security. Then too, since it is the latest and greatest, WPA2-AES may not be supported on the computer, smartphone, gaming machine, Internet radio or whatever other device you want to use with your wireless network.

For example, Windows XP SP2 does not support WPA2, even if it has been kept up to date on patches. A "hotfix" (KB893357) needs to be installed to add WPA2 support to Windows XP SP2.

A WPA2 router may offer both TKIP and AES simultaneously. Start with AES only and hope for the best. Only chose this option if you have to, to support an older device.

The AES-CCMP security protocol was a long time coming. Rather than wait, some hardware manufacturers added early versions of the protocol to WPA routers. Since these were based on draft, rather than final versions of the protocol, they may or may not work with newer hardware and software.

Still, if replacing an old WPA router is a big deal, I suppose it's worth a try.

Two other aspects of security

WPA and WPA2 both come in two flavors, Personal and Enterprise. In the Personal version there is a single password, in the Enterprise version each user of the wireless network gets their own password. The Personal version is also known as Pre-Shared Key or PSK for short.

So, technically, the best security for consumers and small businesses is WPA2-PSK-AES-CCMP.

However, this entire alphabet soup falls down if you chose a poor password.

Data is still traveling over the air and can be captured and saved by a bad guy who can then try to guess the password offline – thousands of guesses a second for days on end.

Perhaps no one will attack the network you connect to this way, but if they do, the only defense is a long, reasonably random password. WPA and WPA2 support passwords up to 63 characters long. Better yet, think "pass sentence" rather than password. For more on this see my blog, What no one is saying about WPA2 security.

Article courtesy of