Troubleshooting Q&A - June 29, 2005
WEP, WPA and Wireless Security
Wireless networking is relatively easy to set up, but it's also easy to forget the importance of protecting yourself. We dissect WEP and WPA and also offer some commonsense advice.
By Ron Pacchiano
Q. I've often heard that wireless networks aren't very secure and as a result have resisted the temptation of implementing one for myself. However, between the wife and kids constantly taking over my office to use the Internet and the cost associated with having Ethernet cable run throughout the house, I decided that it was time to give Wi-Fi a chance.
While researching wireless routers I kept coming upon the terms WPA and WEP. From what I read, I understand that these are related to wireless security and that WPA is supposedly the successor to WEP, due to its inadequate security capabilities. Unfortunately, I didn't really understand a lot of what I read. So I was hoping you might be able to explain it to me in a way that might be a bit easier to understand. Also I was wondering what additional steps I could take to better secure my wireless network once it's up and running. Thanks in advance for all of your help.
A. Well, I don't think I would describe WEP as being completely inadequate. Despite its flaws, WEP does provide some margin of security, particularly when compared to no security at all, and it remains a useful deterrent for the casual malcontent. However, WEP does suffer from a number of shortcomings that really are in need of fixing. To better understand why that is, let's first take a closer look at what WEP was originally designed to do and what its vulnerabilities are. Then I'll introduce you to its more secure replacement WPA, otherwise known as WiFi Protected Access.
The current security standard, as you know, is Wired Equivalent Privacy, better known as WEP. It is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. It accomplishes this by encrypting data transmitted over the WLAN between clients and access points only. For more sophisticated security, WEP relies heavily on other types of LAN security mechanisms to ensure privacy. This includes such things as password protection, end-to-end encryption, Virtual Private Networks (VPNs), and user authentication.
In the last few years, however, a number of respected research groups have published reports citing major security flaws in WEP that left WLANs using the protocol vulnerable to attack. During their examination researchers were able to intercept and modify transmissions and gain access to restricted networks that were supposedly being protected by WEP. The official response to this from The Wireless Ethernet Compatibility Alliance (WECA) says that WEP was never intended to be the sole security mechanism for a WLAN, and that, in conjunction with traditional security practices, it is very effective.
Now for large or even mid-size companies with a qualified IT staff, this isn't as much of a concern simply because these companies routinely make use of those other security mechanisms specified by WECA. This isn't to say that they aren't affected by this problem also. They're just better equipped to deal with it.
For home and Small Office/Home Office (SOHO) users, though, where wireless implementations are really propagating, it's definitely more of a concern. The majority of home users do barely anything more than take these products out of the box and plug them in. They work under the premise of "if it works, don't touch it." Many of them just don't realize the risk their systems are at because of this. This clearly illustrated the need for something better.
So it was with this in mind that the WiFi Alliance in conjunction with the IEEE has driven an effort to bring strongly enhanced, interoperable WiFi security to market. The result of this effort is the WiFi Protected Access (WPA) security protocol.
WPA is a specification of security enhancements that increase the level of data protection and access control for existing WiFi networks. WPA has been designed to be forward-compatible with the upcoming IEEE 802.11i specification and uses the enhanced data encryption Temporal Key Integrity Protocol (TKIP), the Extensible Authentication Protocol (EAP) and user authentication.
WPA was designed to operate in two different modes, enterprise and home mode. In enterprise mode, a network server and sophisticated authentication mechanisms are used to automatically distribute special encryption keys, called Master Keys.
In a home environment, where there are no network servers, WPA runs in a special mode that allows the user to manually enter keys or passwords. This mode, also called Pre-Shared Key (PSK), is designed to be easy for the home user to set up. All you need to do is enter the PSK into all of the devices on the wireless network. Once the PSK has been entered into each device, WPA automatically takes over. First, it keeps out eavesdroppers and other unauthorized users by requiring all devices to have the matching PSK. Second, the password kicks off the encryption process, which in WPA is called Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of WEP's known vulnerabilities.
This is where the mechanics of WPA are substantially different from WEP. In WEP, the same static encryption key is used over and over again. TKIP, however, uses the original master key only as a starting point. TKIP derives its encryption keys mathematically from this master key and then regularly changes and rotates the encryption keys so that the same encryption key is never used twice. This all happens in the background automatically, invisible to the user. Together, these features make WPA a far stronger security solution than WEP. While no security mechanism can be considered "absolutely secure," the protection given by WPA is strong enough to prevent most attacks, even sophisticated ones.
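The difference described above can be seen in a few lines of Python. This is an added example, not part of the original column: it relies on the facts that WEP encrypts with RC4 and prepends a 24-bit IV to the static key, the key and messages are constructed samples, and `rotated_packet` is a simplified stand-in for per-packet key derivation, not TKIP's actual mixing function.

```python
import hashlib
import hmac
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (key schedule + keystream XOR); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_packet(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP keys each packet with the 24-bit IV prepended to the unchanging key."""
    return rc4(iv + static_key, plaintext)

def rotated_packet(master_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Stand-in for per-packet key mixing (NOT TKIP's real function): a fresh
    RC4 key is derived from the master key and a never-repeating counter."""
    packet_key = hmac.new(master_key, seq.to_bytes(6, "big"), hashlib.sha1).digest()[:16]
    return rc4(packet_key, plaintext)

def leaks_plaintext_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. both packets shared a keystream."""
    return xor(c1, c2) == xor(p1, p2)

def packets_until_iv_repeat_likely(iv_bits: int = 24) -> int:
    """Birthday bound: packets sent before a repeated random IV is about 50% likely."""
    return math.ceil(1.1774 * math.sqrt(2 ** iv_bits))

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")  # 40-bit WEP key
P1, P2 = b"GET /index.html HTTP", b"user=alice&pin=4821."

if __name__ == "__main__":
    iv = b"\x00\x00\x2a"
    print(leaks_plaintext_xor(wep_packet(KEY, iv, P1), wep_packet(KEY, iv, P2), P1, P2))
    print(leaks_plaintext_xor(rotated_packet(KEY, 1, P1), rotated_packet(KEY, 2, P2), P1, P2))
    print(packets_until_iv_repeat_likely())
```

With a static key, any two packets that share an IV share a keystream, and the small IV space makes a repeat likely after only a few thousand packets; deriving a fresh key per packet removes that overlap.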
As such, WPA offers a pragmatic, economical security mechanism for most home and enterprise users. It is a strong, interoperable security replacement for WEP and, in most cases, it can be retrofitted via software to your existing WiFi certified products, protecting many companies' current WiFi investment.
Security Begins at Home
One of the simplest and easiest things you can do (which most people fail to do) is to simply change your router's default configuration settings. I can't tell you how many people I've come across who are still using the default password on their router's admin account. Since access to this account controls every aspect of your WLAN, I think that changing its default information is of paramount importance. Additionally, almost every vendor from NetGear to D-Link has its default router configuration information posted on its Web sites, so even the kid next door would be capable of gaining full access to your network. Bottom line: THIS SHOULD BE CHANGED IMMEDIATELY!
You also might want to try broadcasting your wireless signal on a channel other than the one it defaults to. Wireless channels range from 1-11. This would also help to minimize interference from other wireless networks within your vicinity.
If your router supports it, I would also enable MAC filtering. MAC filtering is a process where you record the MAC addresses of every network adapter in use on your network on your router's Access Control List (ACL). By doing this you are basically instructing your router to not let any adapter gain access to this network if it has not previously been given authorization.
Another small precaution you can take is to not broadcast your SSID name. Even though a site survey program would be able to pick up the presence of a wireless network, it wouldn't be able to identify the name of the network, making it harder for intruders to gain access to your files.
Additionally, encryption levels vary among different router manufacturers. Most WEP-enabled routers support encryption levels of 40- to 128-bit. Some, like D-Link for example, even support 256-bit encryption. For maximum protection, you should always be using the highest encryption level that your router supports. When setting a Passphrase or security key, make sure that you do not use any proper names like "John" or "Fluffy." The reason for this is that they are too easy for would-be hackers to correctly guess. The majority of people will use something like their child's name or pet's name. The most effective passwords to use are those that are good and long and are composed of alphanumeric characters (both letters and numbers). Some routers are even case sensitive. So a capital "P" or lowercase "p" would make a difference in the Passphrase being recognized. Since most people type in lowercase by default, having a Passphrase with a couple of capital letters within it could only help. Remember, the higher the encryption level and the more complex the Passphrase or Key is, the longer it is going to take for a hacker to crack it.
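As an added illustration (not from the original column), the passphrase advice above can be checked mechanically for WPA's Pre-Shared Key mode. The 20-character threshold and the `GUESSABLE` list are assumptions made for the example; the derivation itself (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations, 256-bit output) is the one WPA-PSK uses.

```python
import hashlib

# Constructed list of the kind of guessable words the advice above warns about.
GUESSABLE = {"john", "fluffy", "password", "linksys", "netgear", "default"}

def audit_passphrase(passphrase: str) -> list:
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-PSK passphrases must be 8 to 63 characters")
    elif len(passphrase) < 20:
        # Assumed threshold for "good and long"; adjust to local policy.
        problems.append("shorter than 20 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    if not (any(c.isdigit() for c in passphrase) and any(c.isalpha() for c in passphrase)):
        problems.append("should mix letters and numbers")
    if passphrase == passphrase.lower() or passphrase == passphrase.upper():
        problems.append("should mix upper and lower case")
    if any(word in passphrase.lower() for word in GUESSABLE):
        problems.append("contains a guessable name or default word")
    return problems

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK master key from passphrase and SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )

if __name__ == "__main__":
    # Constructed sample passphrases and network names.
    for candidate in ("Fluffy", "fluffy2005", "k7Rm2vQx9Lp4Zt8Wb3Nh6Yc1"):
        print(candidate, audit_passphrase(candidate))
    strong = "k7Rm2vQx9Lp4Zt8Wb3Nh6Yc1"
    print(derive_pmk(strong, "linksys").hex())
    print(derive_pmk(strong, "HomeNet-5F").hex())
```

Because the SSID is the salt, the same passphrase produces a different key on a differently named network, which is one more reason to change a router's default SSID along with its other default settings.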
While none of this is going to be able to completely protect you, it should prove to be more than sufficient in holding most attackers at bay. I hope this helped to demystify some of these things for you and alleviates at least a few of your concerns regarding wireless networks.
Use our feedback form to submit your questions on home or SOHO networking issues. Please be as specific as possible. We cannot guarantee to answer every question we get, but we’ll consider them all.