Wireless Home Networking, Part III - Wi-Fi Security

By Joseph Moran

November 06, 2002

How do you protect your home WLAN from prying eyes? We'll explain just what WEP is, why it isn't secure, and why you need to use it anyway, plus other security measures you can use and what WEP's replacement will do at home.

Security is an important concern on any network, but it's especially so for a wireless one, where information travels back and forth through the air and is open to eavesdropping and interception by anyone within range. As a result, issues surrounding security come up in almost any discussion of implementing a WLAN.

New security techniques and standards are constantly under development, and a comprehensive discussion of security is beyond the scope of this tutorial, but we'll outline some of the security features you can take advantage of to help safeguard your data and protect against unauthorized access to your network.

The method by which WLANs protect wireless data streams today is called Wired Equivalent Privacy, or WEP. Despite the implication of its name, WEP doesn't really provide privacy equivalent to that of a wired network. As mentioned earlier, a wireless network is inherently less secure than a wired one because it eliminates many of the physical barriers to network access.

The way WEP attempts to overcome this is by encrypting the data transferred between two wireless devices. This could be, for example, a computer and an access point, two access points, or two computers. A data stream encrypted with WEP can still be intercepted or eavesdropped upon, but the encryption makes the data unintelligible to the interloper, at least in theory. The principle behind WEP is similar to that used by SSL (Secure Sockets Layer), which encrypts data sent between a computer and a Web server, say, when you order something from an online store.

There are different levels of WEP available, depending on the type of hardware you are using. The strength of WEP is measured by the length of the key used to encrypt the data. The longer the key, the harder it is to crack (in terms of the time and computing power required).

The earliest 802.11b implementations provided 40-bit WEP, which was generally regarded as too weak to afford any real protection. Later 802.11b products (like the ones on the market today) strengthened WEP to use 64-bit (which is actually the same as 40-bit) or 128-bit keys.

802.11a products offer those same WEP levels but add a yet higher level--152-bit--while some of the latest 802.11b+ products often feature 256-bit WEP.

To maximize your security, you should always utilize the highest level of WEP that your hardware supports. Sometimes, if you use hardware from several different vendors, you may find that they support varying levels of WEP. In these cases, you should use the highest level common to both devices. Although generally WLAN products from different vendors communicate with each other just fine, enabling WEP is often a way to expose interoperability problems. If security is your paramount concern, consider getting all of your hardware from a single vendor.

Although the calculations required to encrypt data with WEP can impact the performance of your wireless network, the effect is generally seen only when running benchmarks and is not large enough to be noticeable in the course of normal network usage. The performance penalty for enabling WEP will generally be a little higher when using a router that incorporates a built-in WLAN access point, because of the added load of WEP encryption on a CPU that is already handling routing and switching functions for Internet sharing. When using a stand-alone access point, the performance penalty is usually imperceptible.

Enabling WEP on your WLAN equipment is not very difficult. Any WEP-enabled router, access point, or NIC will have a WEP configuration section that lets you specify the type of key you want to use as well as the key itself. Most devices let you specify your key using either ASCII (alphanumeric characters) or hex numerals (0-9 and A-F). If you'd rather let the computer do the work for you, you can usually input a plain-text passphrase (like "monkeyboy") which the device will use to automatically generate the WEP key.

Whichever level of WEP you decide to use, it's crucial to use identical settings--the key length, and the key itself, obviously--on all devices. Only devices with common WEP settings will be able to communicate. Similarly, if one device has WEP enabled and another doesn't, they won't be able to talk to each other.
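
The key-entry rules above, as an added example that is not part of the original article: it checks a key typed as ASCII or hex, reports the secret and advertised bit lengths (the advertised figure counts a 24-bit per-packet initialization vector, which is why "64-bit" and "40-bit" are the same level), and confirms that two devices hold the same key even when one was configured in ASCII and the other in hex. The function names and sample keys are constructed for illustration; passphrase-to-key generation is not modeled.

```python
import string

IV_BITS = 24                      # per-packet IV counted in the advertised size
SECRET_BYTES = (5, 13, 16, 29)    # 40-, 104-, 128- and 232-bit secrets


def parse_wep_key(entry):
    """Return raw key bytes for a key typed as ASCII characters or hex digits."""
    if len(entry) in SECRET_BYTES:                    # ASCII: one byte per character
        try:
            return entry.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("ASCII key contains non-ASCII characters") from None
    if len(entry) in tuple(2 * n for n in SECRET_BYTES):   # hex: two digits per byte
        if not all(c in string.hexdigits for c in entry):
            raise ValueError("hex key may only contain 0-9 and A-F")
        return bytes.fromhex(entry)
    raise ValueError(f"{len(entry)} characters matches no WEP key length")


def wep_level(key):
    """Return (secret_bits, advertised_bits) for raw key bytes."""
    secret_bits = len(key) * 8
    return secret_bits, secret_bits + IV_BITS


def settings_match(entry_a, entry_b):
    """True when two devices' key entries decode to the same key bytes."""
    return parse_wep_key(entry_a) == parse_wep_key(entry_b)


if __name__ == "__main__":
    # Constructed sample entries: the same 5-byte key typed two ways,
    # a 13-character key, and a passphrase that is not itself a valid key.
    for entry in ("monke", "6D6F6E6B65", "monkeyboy1234", "monkeyboy"):
        try:
            secret, advertised = wep_level(parse_wep_key(entry))
            print(f"{entry!r}: {secret}-bit secret, sold as {advertised}-bit WEP")
        except ValueError as err:
            print(f"{entry!r}: rejected ({err})")
    print("access point and NIC agree:", settings_match("monke", "6d6f6e6b65"))
```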

Filtering

When considering security on a WLAN, WEP is not the whole story. WEP may obscure the true nature of your data to eavesdroppers, but it doesn't prevent unauthorized computers from getting on your network via your access point. (In fact, WEP encrypts only the data portion of a TCP/IP packet, not the headers, which means that the source and destination addresses of every packet are clearly identifiable.) The job of a WLAN access point is to always broadcast its presence. By default, it grants access to any computer that requests it.

The feature that deals with the issue of unauthorized access is MAC filtering. Every piece of network hardware ever made has a MAC (Media Access Control) address. MAC addresses have the benefit of being both unique (no two network devices have the same MAC address) and permanent (they're "burned" into the hardware, and cannot be changed). A MAC address is an attribute of the NIC, not the computer it's in. Therefore, an access point will grant access to any computer that is using a NIC whose MAC address is on its "allow" list. The only time a MAC address can be absolutely tied to a computer is when, say, a notebook has a built-in WLAN adapter, as some do nowadays.

Wi-Fi routers and access points that support MAC filtering let you specify a list of MAC addresses that may connect to the access point, and thus dictate what devices are authorized to access the wireless network. When a device is using MAC filtering, any address not explicitly defined will be denied access.

You can almost always find a device's MAC address on a label physically affixed to it. If not, go to the computer you need a MAC address from and bring up a DOS command prompt by going to the Start button, selecting Run, then typing "command". At the prompt, type "ipconfig /all" (without the quotes).

In Windows 95/98/ME, you can type "winipcfg" in the Run dialog box to get a list of the MAC addresses of each network card in the system.

Some products take MAC filtering a step further and let you grant or deny access to either the LAN or the WAN (or both). This added flexibility comes in handy if you're trying to control internal computers--for example, to allow a particular computer, such as your kid's computer, access to your internal network but not to the Internet.

Unfortunately, not all WLAN routers and access points provide MAC filtering capabilities, so be sure to check before buying. Some devices let you filter access by IP address, but because IP addresses are not always unique, can be changed, and are easily spoofed, they're not a good basis to control network access.
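
The allow-list behaviour described in this section, as an added example that is not part of the original article: addresses copied from a label or from "ipconfig /all" are normalized to one form, unlisted addresses are denied, and each listed device carries separate LAN and WAN grants. The class, function names and MAC addresses are constructed for illustration and do not correspond to any product's configuration interface.

```python
import re

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff for a MAC written with dashes, colons, dots or none."""
    digits = _SEPARATORS.sub("", text).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Allow list with per-device LAN/WAN grants; anything unlisted is denied."""

    def __init__(self):
        self._rules = {}

    def allow(self, mac, lan=True, wan=True):
        self._rules[normalize_mac(mac)] = {"lan": lan, "wan": wan}

    def permits(self, mac, side):
        if side not in ("lan", "wan"):
            raise ValueError("side must be 'lan' or 'wan'")
        try:
            rule = self._rules.get(normalize_mac(mac))
        except ValueError:
            return False            # a malformed address never matches the list
        return bool(rule and rule[side])


def build_sample_filter():
    """Constructed sample policy: one unrestricted notebook, one LAN-only desktop."""
    acl = MacFilter()
    acl.allow("00-11-22-33-44-55")                 # as printed by ipconfig /all
    acl.allow("00:11:22:AA:BB:CC", wan=False)      # kid's computer: no Internet
    return acl


if __name__ == "__main__":
    acl = build_sample_filter()
    for mac in ("0011.2233.4455", "00-11-22-aa-bb-cc", "00-11-22-33-44-56"):
        print(mac, "LAN:", acl.permits(mac, "lan"), "WAN:", acl.permits(mac, "wan"))
```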

Security -- Why Bother?

Like the WLAN standards themselves, the security features within them are new and far from foolproof. That doesn't mean, however, that they're worthless and should not be implemented.

Think of it in the following terms--do you typically leave your car unlocked with the keys in the ignition? Probably not; more likely, you take the keys, lock the doors, and maybe even use a supplemental security feature like an alarm or steering wheel lock. This doesn't guarantee that your car won't be stolen, but it does greatly reduce the chances that it will.

You should approach security on your WLAN the same way. The security features currently available will probably not stop a determined hacker who wants to access your network, but they likely will thwart just about everyone else.

The worst thing you can do is set up your wireless network, leave all the default settings in place, and leave security features turned off. Even in business environments where the wireless networks were set up by supposedly knowledgeable IT people, you'd be surprised how often people do exactly that. Don't be one of them.

Wi-Fi Protected Access

Although it is far, far better than nothing, WEP has been roundly criticized for providing both insufficient and incomplete security. For example, the encryption key used by WEP, regardless of its length, is static and never changes unless it is periodically and manually changed by the administrator on all devices, a daunting task on even a small network, to say the least.

This means that an intruder eavesdropping on wireless transmissions could theoretically monitor network traffic over time and possibly gather enough information to decipher the key and decrypt the data. The heavier the network traffic and the more computing power the intruder had at his or her disposal, the less time it would take.

The second major weakness of WEP is that it does nothing to authenticate users on the network, which is why schemes like MAC address filtering were developed. Remember, though, that the MAC address is a property of a network device, not a user or even a computer. Therefore, if an intruder stole a wireless NIC whose MAC address was in the allow list of an access point, they would be granted network access.

In response to these criticisms, the Wi-Fi Alliance recently announced a new wireless security protocol that will be available in early 2003. It's called Wi-Fi Protected Access (WPA), and is designed to take the place of WEP and address many of its shortcomings.

For starters, WPA requires the user to provide a master key, but this does not become a static encryption key. Instead, the master key is simply a password used as a starting point through which WPA derives the key it will use to encrypt network traffic. Moreover, the key is regularly and automatically changed (and never reused), reducing the likelihood that it will be compromised. The master key also serves as a password by which users can be authenticated and granted network access.

WPA was designed to be a software upgrade to WEP, so most existing wireless devices should be upgradeable to WPA via a firmware update. In order to take advantage of WPA, all network devices like access points and clients must be upgraded.

The first WPA-enabled products are expected in the early spring of 2003, and upgrades for existing products should be available at around the same time or shortly thereafter.

Coming in Part IV: Placing your Equipment
