An Introduction to Wireless Networking (Part 3) - Security, Tips & Tricks ITNW 2313 – Networking Hardware Prof. Michael P. Harris, CCNA, CCAI Types of Security In Part 1 of this series I mentioned WEP, SSID and MAC Address filtering as three methods of wireless networking security. Here we will get to know a little more about these and what other methods of security are available. WEP (Wired Equivalent Privacy) Developed in the late 1990s, WEP is a basic protocol that is sometimes overlooked by wireless administrators because of its numerous vulnerabilities. The original implementations of WEP used 64-bit encryption (40-bit + 24-bit Initialization Vector). By means of a Brute Force attack, 64-bit WEP can be broken in a matter of minutes, whereas the stronger 128-bit version will take hours. It’s not the best line of defense against unauthorized intruders but better than nothing and mainly used by the average home user. One of the drawbacks of WEP is that since it uses a shared key, if someone leaves the company then the key will have to be changed on the access point and all client machines. WEP2 (Wired Equivalent Privacy version 2) In 2004, the IEEE proposed an updated version of WEP; WEP2 to address its predecessor’s shortcomings. Like WEP it relies on the RC4 algorithm but instead uses a 128-bit initialization vector making it stronger than the original version of WEP, but may still be susceptible to the same kind of attacks. WPA (Wi-Fi Protected Access) WPA provides encryption via the Temporary Key Integrity Protocol (TKIP) using the RC4 algorithm. It is based on the 802.1X protocol and addresses the weaknesses of WEP by providing enhancements such as Per-Packet key construction and distribution, a message integrity code feature and a stronger IV (Initialization Vector). The downside of WPA is that unless your current hardware supports WPA by means of a firmware upgrade, you will most likely have to purchase new hardware to enjoy the benefits of this security method. The length of a WPA key is between 8 and 63 characters – the longer it is the more secure it is. WPA2 (Wi-Fi Protected Access version 2) Based on the 802.11i standard, WPA2 was released in 2004 and uses a stronger method of encryption – AES (Advanced Encryption Standard). AES supports key sizes of 128 bits, 192 bits, and 256 bits. It is backward compatible with WPA and uses a fresh set of keys for every session, so essentially every packet that sent over the air is encrypted with a unique key. As did WPA, WPA2 offers two versions – Personal and Enterprise. Personal mode requires only an access point and uses a pre-shared key for authentication and Enterprise mode requires a RADIUS authentication server and uses EAP. MAC Address Filtering I covered this is Part 1 and talked about it briefly in the Troubleshooting Wireless Networks Article, but it’s worth another mention for the benefit of those who haven’t read my previous literature on the subject and also to refresh one’s memory. MAC Address Filtering is a means of controlling which network adapters have access to the access point. A list of MAC Addresses is entered into the access point and anyone whose MAC address on the wireless network adapter does not match an entry in the list will not be permitted entry. This is a pretty good means of security when also used with a packet encryption method. However, keep in mind that MAC addresses can be spoofed. This type of security is usually used as a means of authentication, in conjunction with something like WEP for encryption. Below is a basic image demonstrating the MAC Address Filtering process: A laptop, with MAC Address 00-0F-CA-AE-C6-A5 wants to access the wireless network via the access point. The access point compares this Address to its list and permits or denies access accordingly. SSID (Service Set Identifier) An SSID, or Network Name, is a “secret” name given to a wireless network. I put secret in inverted commas because it can be sniffed pretty easily. By default, the SSID is a part of every packet that travels over the WLAN. Unless you know the SSID of a wireless network you cannot join it. Every network node must be configured with the same SSID of the access point that it wishes to connect, which becomes a bit of a headache for the network administrator. VPN (Virtual Private Network) Link Perhaps the most reliable form of security would be to setup a VPN connection over the wireless network. VPNs have for long been a trusted method of accessing the corporate network over the internet by forming a secure tunnel from the client to the server. Setting up a VPN may affect performance due to the amount of data encryption involved but your mind will be at rest knowing your data is secure. The VPN option is preferred by many enterprise administrators because VPNs offer the best commercially available encryption. VPN software uses advanced encryption mechanisms (AES for example), which makes decrypting the traffic a very hard, if not impossible, task. For a clearer understanding of the VPN link method, see the image below. There are various levels of VPN technology, some of which are expensive and include both hardware and software. Microsoft does however provide us with a basic VPN technology – commonly used in small to medium enterprise networks - Windows 2000 Advanced Server and Windows Server 2003. These are more than capable of handling your wireless VPN requirements. 802.1X With 802.1X the authentication stage is done via a RADIUS server (IAS on Windows Server 2003) where the user credentials are checked against the server. When a user first attempts to connect to the network they are asked to enter their username and password. These are checked with the RADIUS server and access is granted accordingly. Every user has a unique key that is changed regularly to allow for better security. Hackers can crack codes but it does take time, and with a new code being generated automatically every few minutes, by the time the hacker cracks the code it would have expired. 802.1X is essentially a simplified standard for passing EAP (Extensible Authentication Protocol) over a wireless (or wired) network. Below is an image showing the 802.1X process. The wireless client (laptop) is known as the Supplicant. The Access Point is known as the Authenticator and the RADIUS server is known as the Authentication server. General Tips and Tricks When purchasing a wireless NIC card, try and get one that can take an external antenna. This will allow you to change it for a stronger one if ever required. When you are out and about with your Wi-Fi enabled laptop, disable Microsoft File and Printer sharing (which enables other computers to access resources on your computer) so as not to leave your computer vulnerable to hackers. If you are concerned about the interference from other Wireless Access Points or wireless devices in the area, set the AP and wireless clients to use a nonoverlapping channel such as 1, 6 or 11. Change the configuration interface password of the access point before you enable it. This is more common sense than a tip but most people overlook this part of setting up a wireless network. Only buy an access point that has upgradeable firmware. This will allow you to take advantage of security enhancements or interface updates. On the same note as above, keep the access point firmware up to date. Upgrade your firmware whenever a new one is available. It will probably consist of a new or improved feature. When you are not using Wi-Fi on your Wi-Fi enabled laptop, turn it off. As well as protecting yourself from hackers you will be saving battery power. From time to time, scan the area for rogue access points. If an employee went out and bought a cheap AP and NIC card, and plugged it into the corporate network behind the firewall then all your hard work securing the network will go out the window. This is commonly seen on university campuses where students purchase hardware and setup a rogue access point in their dorm rooms. News and Statistics Even though the approval of 802.11n isn’t expected until the end of 2006, hardware manufacturers such as Belkin have already started to offer Pre-N routers and wireless network adapters. These offer improved network speed and range which would benefit users who wish to transfer larger files and stream audio/video. With Pre-N, an Access Point and Wireless NIC Card 10 feet away from each other have an average throughput of about 40mbps. Hardware vendors, such as Linksys and D-Link have also announced the use of MIMO (Multiple- In-Multiple-Out) in their products. MIMO allows the signal to be bounced off several antennas and paths so that data delivery is guaranteed. Basically, many unique data streams are passed in the same frequency channel. It is a technology that allows for the boosting of wireless bandwidth and range, effectively providing better performance for wireless multimedia and entertainment systems. In Part 2 (May 2004), I mentioned that there were about 30,000 hotspots worldwide and that that number should grow to over 210,000 in the next five years. The latest forecast indicates that by 2006 the number of worldwide hotspots is predicted to rise to over 110,000. The Wi-Fi market is booming with over 95% of all laptops shipped in 2005 being Wi-Fi enabled. In the last quarter of last year, Wi-Fi hardware revenues grew by 17% over the previous year. Guest access looks set to be a key requirement for enterprises. The ability to send and receive mail and access information on the enterprise servers while attending a meeting at another company is a major plus for mobile workers. Wireless data revenues are set to grow to 130 billion US Dollars within the next few years. 50% of hotels in the tourism industry deploy WI-FI themselves, without using a service provider. They usually bill it to the room or offer it free as an amenity to guests. In a recent Poll, forty per cent of people said they would buy a cell phone with Wi-Fi and only twelve per cent said they would want to get TV on their cell phone. The possibility of using voWLAN (Voice Over Wireless Local Area Network) is appealing to many business users. This would allow someone to use GSM while out and about and switch to voWLAN as soon as they step back into the office.