Wireless Home Networking, Part III – Wi-Fi Security

Security is an important concern on any network, but it’s especially so for
a wireless one where information travels back and forth through the air and
is open to eavesdropping and interception by anyone within range. As a result, issues
surrounding security come up in almost any discussion of implementing a WLAN.

New security techniques and standards are constantly under development, and
a comprehensive discussion of security is beyond the scope of this tutorial,
but we’ll outline some of the security features you can take advantage of to
help safeguard your data and protect against unauthorized access to your network.

The method by which WLANs protect wireless data streams today is called Wireless
Equivalent Privacy, or WEP. Despite the implication of its name, WEP doesn’t
really provide privacy equivalent to that of a wired network. As mentioned earlier,
a wireless network is inherently less secure than a wired one because it eliminates
many of the physical barriers to network access.

The way WEP attempts to overcome this is by encrypting the data transferred
between two wireless devices. This could be for example a computer and an access
point, two access points, or two computers. A data stream encrypted with WEP
can still be intercepted or eavesdropped upon, but the encryption makes the
data unintelligible to the interloper, at least in theory. The principle behind
WEP is similar to that used by SSL (Secure Sockets Layer) which encrypts data
sent between a computer and a Web server, say, when you order something from
an online store.

There are different levels of WEP available, depending on the type of hardware
you are using. The strength of WEP is measured by the length of the key used
to encrypt the data. The longer the key, the harder it is to crack (in terms
of the time and computing power required).

The earliest 802.11b implementations provided 40-bit WEP, which was generally
regarded as too weak to afford any real protection. Later 802.11b products (like
the ones on the market today) strengthened WEP to use 64-bit (which is actually
the same as 40-bit) or 128-bit keys.

802.11a products offer those same WEP levels but add a yet higher level, 152-bit,
while some of the latest 802.11b+ products often feature 256-bit WEP.

To maximize your security, you should always utilize the highest level of WEP
that your hardware supports. Sometimes, if you use hardware from several different
vendors, you may find that they support varying levels of WEP. In these cases,
you should use the highest level common to both devices. Although generally
WLAN products from different vendors communicate with each other just fine,
enabling WEP is often a way to expose interoperability problems. If security
is your paramount concern, consider getting all of your hardware from a single
vendor.

Although the calculations required to encrypt data with WEP can impact the
performance of your wireless network, the effect is generally seen only when running
benchmarks, and is not large enough to be noticeable in the course of normal network
usage. The performance penalty for enabling WEP will generally be a little higher
when using a router that incorporates a built-in WLAN access point, because
of the added load of WEP encryption on a CPU that is already handling routing
and switching functions for Internet sharing. When using a stand-alone access
point, the performance penalty is usually imperceptible.

Enabling WEP on your WLAN equipment is not very difficult. Any WEP-enabled
router, access point, or NIC will have a WEP configuration section that lets
you specify the type of key you want to use as well as the key itself. Most
devices let you specify your key using either ASCII (alphanumeric characters)
or hex numerals (0-9 and A-F). If you’d rather let the computer do the work
for you, you can usually input a plain-text passphrase (like "monkeyboy")
which the device will use to automatically generate the WEP key.

Whichever level of WEP you decide to use, it’s crucial to use identical settings
(the key length and, obviously, the key itself) on all devices. Only devices with
common WEP settings will be able to communicate. Similarly, if one device has
WEP enabled and another doesn’t, they won’t be able to talk to each other.
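
One way to check that keys typed in different formats on different devices are really the same key, as an added example that is not part of the original tutorial. The function names and sample keys are hypothetical, and it assumes the usual convention that the advertised WEP level includes a 24-bit initialization vector (which is why "64-bit" and "40-bit" WEP are the same thing). Passphrase-generated keys are not handled, because each vendor may generate them differently; compare the resulting hex keys instead.

```python
import string

# Secret key bytes -> advertised WEP level. Assumption: the advertised figure
# adds a 24-bit initialization vector, so "64-bit" WEP has a 40-bit secret.
WEP_LEVELS = {5: 64, 13: 128, 16: 152, 29: 256}


def parse_wep_key(typed):
    """Return (key_bytes, advertised_bits) for a key typed as ASCII or hex."""
    if len(typed) in WEP_LEVELS:                 # ASCII: one character per byte
        key = typed.encode("ascii")              # raises ValueError if not ASCII
    elif len(typed) % 2 == 0 and len(typed) // 2 in WEP_LEVELS:
        if not all(c in string.hexdigits for c in typed):
            raise ValueError("hex-length key contains non-hex characters")
        key = bytes.fromhex(typed)
    else:
        raise ValueError(f"{len(typed)} characters matches no WEP key length")
    return key, WEP_LEVELS[len(key)]


def audit(configs):
    """Compare each device's key with the first valid one; return problems."""
    problems, ref = [], None
    for name, typed in configs.items():
        try:
            key, bits = parse_wep_key(typed)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if ref is None:
            ref = (name, key, bits)
        elif bits != ref[2]:
            problems.append(f"{name}: {bits}-bit WEP, but {ref[0]} uses {ref[2]}-bit")
        elif key != ref[1]:
            problems.append(f"{name}: key differs from {ref[0]}")
    return problems


# Constructed sample: one network's key as typed into each device.
SAMPLE = {
    "router":  "4D4F4E4B59",     # hex form of the ASCII key "MONKY"
    "laptop":  "MONKY",          # same key, typed as ASCII
    "desktop": "monky",          # wrong case: a different key
    "printer": "MONKEYBOY1234",  # 13 characters: 128-bit, wrong level
    "pda":     "4D4F4E4B5",      # one hex digit short
}
```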

Filtering

When considering security on a WLAN, WEP is not the whole story. WEP may obscure
the true nature of your data to eavesdroppers, but it doesn’t prevent unauthorized
computers from getting on your network via your access point. (In fact, WEP
encrypts only the data portion of a TCP/IP packet, not the headers, which means
that the source and destination addresses of every packet are clearly identifiable.)
The job of a WLAN access point is to always broadcast its presence. By default,
it grants access to any computer that requests it.

The feature that deals with the issue of unauthorized access is MAC filtering.
Every piece of network hardware ever made has a MAC (Media Access Control) address.
MAC addresses have the benefit of being both unique
(no two network devices have the same MAC address) and permanent (they’re "burned"
into the hardware, and cannot be changed). A MAC address is an attribute of
the NIC, not the computer it’s in. Therefore, an access point will grant access
to any computer that is using a NIC whose MAC address is on its "allow"
list. The only time a MAC address can be absolutely tied to a computer is when,
say, a notebook has a built-in WLAN adapter, as some do nowadays.

Wi-Fi routers and access points that support MAC filtering let you specify
a list of MAC addresses that may connect to the access point, and thus dictate
what devices are authorized to access the wireless network. When a device is
using MAC filtering, any address not explicitly defined will be denied access.

You can almost always find a device’s MAC address on a label physically affixed
to it. If not, go to the computer whose MAC address you need and open a DOS command
prompt by going to the Start button, selecting Run, then typing "command".
At the prompt type "ipconfig /all" (without the quotes).

In Windows 95/98/ME, you can type "winipcfg" in the Run dialog box
to get a list of the MAC addresses of the network cards in the system.
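
One way to build and apply an allow list from that output, as an added example that is not part of the original tutorial. The `ipconfig /all` text is a constructed sample and the function names are hypothetical; the point is that the same address is written differently on a label, in Windows and in a router's setup page, so it has to be normalized before it is compared.

```python
import re


def normalize_mac(text):
    """Reduce 00-0C-29-3E-5B-A1, 00:0c:29:3e:5b:a1 or 000C.293E.5BA1 to one form."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def macs_from_ipconfig(output):
    """Pull every 'Physical Address' value out of `ipconfig /all` text."""
    found = []
    for line in output.splitlines():
        label, _, value = line.partition(":")
        if label.strip(" .").lower() == "physical address" and value.strip():
            found.append(normalize_mac(value))
    return found


def is_allowed(mac, allow_list):
    """Default deny: only addresses explicitly on the list get access."""
    allowed = {normalize_mac(entry) for entry in allow_list}
    try:
        return normalize_mac(mac) in allowed
    except ValueError:
        return False  # unparseable input is never on the list


# Constructed sample of `ipconfig /all` output with two adapters.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-3E-5B-A1
        IP Address. . . . . . . . . . . . : 192.168.1.10
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example 802.11b PC Card
        Physical Address. . . . . . . . . : 00-0C-29-77-10-FE
"""

# Allow list as it might be typed from the labels on the cards (constructed).
ALLOW_LIST = ["000C.2977.10FE"]
```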

Some products take MAC filtering a step further and let you grant or deny access
to either the LAN or the WAN (or both). This added flexibility comes in handy
if you’re trying to control internal computers, for example to allow a particular
computer (such as your kid’s) access to your internal network but not to the
Internet.

Unfortunately, not all WLAN routers and access points provide MAC filtering
capabilities, so be sure to check before buying. Some devices let you filter
access by IP address, but because IP addresses are not always unique, can be
changed, and are easily spoofed, they’re not a good basis to control network
access.

Security — Why Bother?

Like the WLAN standards themselves, the security features within them are new
and far from foolproof. That doesn’t mean, however, that they’re worthless and
should not be implemented.

Think of it in the following terms: do you typically leave your car unlocked
with the keys in the ignition? Probably not; more likely, you take the keys,
lock the doors, and maybe even use a supplemental security feature like an alarm
or steering wheel lock. This doesn’t guarantee that your car won’t be stolen,
but it does greatly reduce the chances that it will.

You should approach security on your WLAN the same way. The security features
currently available will probably not stop a determined hacker who wants to
access your network, but they likely will thwart just about everyone else.

The worst thing you can do is set up your wireless network, leave all the default
settings in place, and leave security features turned off. Even in business
environments where the wireless networks were set up by supposedly knowledgeable
IT people, you’d be surprised how often people do exactly that. Don’t be one
of them.

Wi-Fi Protected Access

Although it is far, far better than nothing, WEP has been roundly criticized
for providing both insufficient and incomplete security. For example, the encryption
key used by WEP, regardless of its length, is static and never changes unless
it is periodically and manually changed by the administrator on all devices, a
daunting task on even a small network, to say the least.

This means that an intruder eavesdropping on wireless transmissions could theoretically
monitor network traffic over time and possibly gather enough information to
decipher the key and decrypt the data. The heavier the network traffic and the
more computing power the intruder had at his or her disposal, the less time
it would take.

The second major weakness of WEP is that it does nothing to authenticate users
on the network, which is why schemes like MAC address filtering were developed.
Remember though, that the MAC address is a property of a network device, not
a user or even a computer. Therefore, if an intruder stole a wireless NIC whose
MAC address was in the allow list of an access point, they would
be granted network access.

In response to these criticisms, the Wi-Fi Alliance recently announced a new
wireless security protocol that will be available in early 2003. It’s called
Wi-Fi Protected Access (WPA), and is designed to take the place of WEP and address
many of its shortcomings.

For starters, WPA requires the user to provide a master key, but this does
not become a static encryption key. Instead, the master key is simply a password
used as a starting point through which WPA derives the key it will use to encrypt
network traffic. Moreover, the key is regularly and automatically changed (and
never reused), reducing the likelihood that it will be compromised. The master
key also serves as a password by which users can be authenticated and granted
network access.
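
The derivation sketched above, as an added example that is not from the original tutorial: in WPA's pre-shared-key mode as specified in IEEE 802.11i, the passphrase and network name yield a 256-bit master key, and each association mixes in fresh random values to get its own traffic keys. The MAC addresses and function names are constructed for illustration, and TKIP's further per-packet key mixing is not modelled.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase, ssid):
    """Master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Temporal keys for one association (512 bits, the TKIP size)."""
    # Sorting the inputs lets both ends compute the same value independently.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def new_session(pmk, ap_mac, sta_mac):
    """Simulate one association: each side contributes a fresh 32-byte nonce."""
    return derive_ptk(pmk, ap_mac, sta_mac, os.urandom(32), os.urandom(32))


# Constructed addresses for the access point and the client.
AP_MAC = bytes.fromhex("000c293e5ba1")
STA_MAC = bytes.fromhex("000c297710fe")

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")  # published 802.11i test input
    print("master key :", pmk.hex())
    print("session 1  :", new_session(pmk, AP_MAC, STA_MAC).hex()[:32], "...")
    print("session 2  :", new_session(pmk, AP_MAC, STA_MAC).hex()[:32], "...")
```

The master key never encrypts traffic itself; because it is derived deterministically from the passphrase and SSID, the strength of the passphrase still matters.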

WPA was designed to be a software upgrade to WEP, so most existing wireless
devices should be upgradeable to WPA via a firmware
update. In order to take advantage of WPA, all network devices like access points
and clients must be upgraded.

The first WPA-enabled products are expected in the early Spring of 2003, and
upgrades for existing products should be available at around the same time or
shortly thereafter.

Coming in Part IV: Placing your Equipment
