Types of Security
In Part 1 of this series I mentioned WEP, SSID and MAC Address filtering as three methods of wireless networking security. Here we will get to know a little more about these and what other methods of security are available.
WEP (Wired Equivalent Privacy)
Developed in the late 1990s, WEP is a basic protocol that is sometimes overlooked by wireless administrators because of its numerous vulnerabilities. The original implementations of WEP used 64-bit encryption (40-bit + 24-bit Initialization Vector). By means of a Brute Force attack, 64-bit WEP can be broken in a matter of minutes, whereas the stronger 128-bit version will take hours. It’s not the best line of defense against unauthorized intruders but better than nothing and mainly used by the average home user. One of the drawbacks of WEP is that since it uses a shared key, if someone leaves the company then the key will have to be changed on the access point and all client machines.
WEP2 (Wired Equivalent Privacy version 2)
In 2004, the IEEE proposed an updated version of WEP; WEP2 to address its predecessor’s shortcomings. Like WEP it relies on the RC4 algorithm but instead uses a 128-bit initialization vector making it stronger than the original version of WEP, but may still be susceptible to the same kind of attacks.
WPA (Wi-Fi Protected Access)
WPA provides encryption via the Temporary Key Integrity Protocol (TKIP) using the RC4 algorithm. It is based on the 802.1X protocol and addresses the weaknesses of WEP by providing enhancements such as Per-Packet key construction and distribution, a message integrity code feature and a stronger IV (Initialization Vector). The downside of WPA is that unless your current hardware supports WPA by means of a firmware upgrade, you will most likely have to purchase new hardware to enjoy the benefits of this security method. The length of a WPA key is between 8 and 63 characters – the longer it is the more secure it is.
WPA2 (Wi-Fi Protected Access version 2)
Based on the 802.11i standard, WPA2 was released in 2004 and uses a stronger method of encryption – AES (Advanced Encryption Standard). AES supports key sizes of 128 bits, 192 bits, and 256 bits. It is backward compatible with WPA and uses a fresh set of keys for every session, so essentially every packet that sent over the air is encrypted with a unique key. As did WPA, WPA2 offers two versions – Personal and Enterprise. Personal mode requires only an access point and uses a pre-shared key for authentication and Enterprise mode requires a RADIUS authentication server and uses EAP.
MAC Address Filtering
I covered this is Part 1 and talked about it briefly in the Troubleshooting Wireless Networks Article, but it’s worth another mention for the benefit of those who haven’t read my previous literature on the subject and also to refresh one’s memory. MAC Address Filtering is a means of controlling which network adapters have access to the access point. A list of MAC Addresses are entered into the access point and anyone whose MAC address on the wireless network adapter does not match an entry in the list will not be permitted entry. This is a pretty good means of security when also used with a packet encryption method. However, keep in mind that MAC addresses can be spoofed. This type of security is usually used as a means of authentication, in conjunction with something like WEP for encryption. Below is a basic image demonstrating the MAC Address Filtering process:
A laptop, with MAC Address 00-0F-CA-AE-C6-A5 wants to access the wireless network via the access point. The access point compares this Address to its list and permits or denies access accordingly.
SSID (Service Set Identifier)
An SSID, or Network Name, is a “secret” name given to a wireless network. I put secret in inverted commas because it can be sniffed pretty easily. By default, the SSID is a part of every packet that travels over the WLAN. Unless you know the SSID of a wireless network you cannot join it. Every network node must be configured with the same SSID of the access point that it wishes to connect, which becomes a bit of a headache for the network administrator.
VPN (Virtual Private Network) Link
Perhaps the most reliable form of security would be to setup a VPN connection over the wireless network. VPNs have for long been a trusted method of accessing the corporate network over the internet by forming a secure tunnel from the client to the server. Setting up a VPN may affect performance due to the amount of data encryption involved but your mind will be at rest knowing your data is secure. The VPN option is preferred by many enterprise administrators because VPNs offer the best commercially available encryption. VPN software uses advanced encryption mechanisms (AES for example), which makes decrypting the traffic a very hard, if not impossible, task.
For a clearer understanding of the VPN link method, see the image below.
There are various levels of VPN technology, some of which are expensive and include both hardware and software. Microsoft does however provide us with a basic VPN technology – commonly used in small to medium enterprise networks – Windows 2000 Advanced Server and Windows Server 2003. These are more than capable of handling your wireless VPN requirements.
With 802.1X the authentication stage is done via a RADIUS server (IAS on Windows Server 2003) where the user credentials are checked against the server. When a user first attempts to connect to the network they are asked to enter their username and password. These are checked with the RADIUS server and access is granted accordingly. Every user has a unique key that is changed regularly to allow for better security. Hackers can crack codes but it does take time, and with a new code being generated automatically every few minutes, by the time the hacker cracks the code it would have expired. 802.1X is essentially a simplified standard for passing EAP (Extensible Authentication Protocol) over a wireless (or wired) network.
Below is an image showing the 802.1X process.
The wireless client (laptop) is known as the Supplicant. The Access Point is known as the Authenticator and the RADIUS server is known as the Authentication server.
General Tips and Tricks
- When purchasing a wireless NIC card, try and get one that can take an external antenna. This will allow you to change it for a stronger one if ever required.
- When you are out and about with your Wi-Fi enabled laptop, disable Microsoft File and Printer sharing (which enables other computers to access resources on your computer) so as not to leave your computer vulnerable to hackers.
- If you are concerned about the interference from other Wireless Access Points or wireless devices in the area, set the AP and wireless clients to use a non-overlapping channel such as 1, 6 or 11.
- Change the configuration interface password of the access point before you enable it. This is more common sense than a tip but most people overlook this part of setting up a wireless network.
- Only buy an access point that has upgradeable firmware. This will allow you to take advantage of security enhancements or interface updates.
- On the same note as above, keep the access point firmware up to date. Upgrade your firmware whenever a new one is available. It will probably consist of a new or improved feature.
- When you are not using Wi-Fi on your Wi-Fi enabled laptop, turn it off. As well as protecting yourself from hackers you will be saving battery power.
- From time to time, scan the area for rogue access points. If an employee went out and bought a cheap AP and NIC card, and plugged it into the corporate network behind the firewall then all your hard work securing the network will go out the window. This is commonly seen on university campuses where students purchase hardware and setup a rogue access point in their dorm rooms.
That concludes Part 3, and brings my Introduction to Wireless Networking series to a close. I hope that they have made for an interesting read, and given you a general insight into the world of wireless networking. There is no doubt that wireless is a big thing of the future – the near future.
Convenience and mobility are just two of the benefits that attract enterprise and home users alike. Will the world of networking ever be ‘completely’ wire free? I guess we’ll have to wait and see!