While you should never just assume your wireless communication is secure, securing your WLAN doesn’t have to be a trial. However, it does help to be aware of — and understand — the complexities.

by Carla Schroder


Wireless security protocols have improved considerably, despite the lackadaisical attitude of most users towards their computer security. This is shocking I know, but remember these are the same people who never lock their doors, leave their keys in the car, and dump their kids on random strangers to babysit. But for those of us who care about security, the wireless world finally has some meaningful tools.

Road warriors must be especially careful. Public hotspots typically don’t bother with WPA, or WEP, or anything security-related at all. It’s trivial to sniff an open wireless connection and perpetrate evil deeds like redirecting you to a fake WLAN login page, and then capture all of your secret stuff with ease.

I won’t bore you with repeating why the obsolete WEP is as secure as your average sodden paper sack. Let’s leap right into the two important wireless security protocols, 802.1x and 802.11i. No wait, that will be our second leap. The first is a definition of the different relevant standards:


  • 802.1x-2004 Port Access Control for all LANs
  • 802.11i-2004 Security enhancements for all wireless LANs
  • 802.11a-1999 High-speed wireless 5 GHz
  • 802.11g-2003 High-speed wireless 2.4 GHz
  • 802.11b-1999 Wireless 2.4 GHz

802.11i is also known as WPA2, or Wi-Fi Protected Access 2, just to keep it interesting. WPA2 is easier to say, so let’s stick with that.

WPA comes in two flavors: WPA and WPA2. WPA2 is the newest standard. Each one uses 128-bit encryption algorithms, and algorithm geeks engage in endless ferocious debates over their respective merits. WPA uses TKIP (Temporal Key Integrity Protocol), and WPA2 uses AES (Advanced Encryption Standard). WPA2 is a complete implementation of the IEEE’s 802.11i standard for WLANs. (By now you’re probably banging your head and going “aieeee” over all this acronym overload.) WPA2 devices also support WPA, so if you’re buying new gear get WPA2. I wouldn’t worry about replacing WPA devices, with one exception that you can read about under “WPA Gotchas.”

Wireless Device Support
Wireless access points and network interface cards must support WPA/WPA2. Many WEP devices can be upgraded with new firmware or drivers, and WPA devices should be upgradeable to WPA2. Some can’t. You’re limited by the feeblest member of your WLAN, so if you have any old non-WPA/WPA2 compliant devices still floating around, they need to be upgraded or jettisoned. Most 802.11g devices should be fine; it’s the a and b devices that are the likeliest to need upgrading or replacing.

New wireless-G interfaces are inexpensive, but even so don’t be in a hurry to chuck those old 802.11a/b NICs, because many of them are upgradeable if you’re canny and can find the firmware and drivers. If your vendor does not provide upgrades, try the radio chip manufacturer, like Hermes, Proxim and Agere. Just run lspci to get this information, and remember you can query Windows PCs the same way with a Knoppix CD.

On March 16, 2006, the Wi-Fi Alliance announced that all devices that want to carry the “Wi-Fi CERTIFIED” mark must support WPA2, so they will be easy to find. They also have an online database of supported products (see Resources, below).

Operating System Support
Linux support comes via device drivers and user-space applications such as wpa_supplicant. Mac OS X users merely need to have the latest AirPort or AirPort Extreme software. Windows users, as usual, have a more interesting time of it.

Windows XP users need Service Pack 2 and the “Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update” (see Resources.) Users of other Windows versions are on their own. Third-party supplicants are available, for a fee naturally. Meetinghouse Data Communications’ Aegis Client, and Funk Software’s Odyssey Client are the two that get a lot of mentions, and will cost $40-$50 per user. Or, you may get lucky and your hardware vendor will include one with your wireless widgets.

What is this “supplicant” stuff? “Supplicant” is the official word in the standard, and all it means is WPA client software. It runs in the background and controls your wireless connections. Supplicant is an interesting word choice, with all of its overtones of humility and abasement. I’d rather have my computers humbly abase themselves, instead of me having to suck up to log into my own WLAN.

Personal or Enterprise WPA
A nice feature of WPA is you can choose from two levels of security, Personal and Enterprise. Personal is simple to implement, but it requires that all users be trustworthy. Everyone on the WLAN uses the same shared key, which is simply a password that everyone knows. The key is entered into the router and all clients, and that’s all it takes to set it up.

Enterprise mode requires a separate authentication server, like a RADIUS server. Enterprise mode is very flexible and should adapt to just about any existing authentication scheme.
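To make the Personal-mode “one shared key” point concrete, here is an added example (not from the article) that derives the WPA/WPA2-Personal pre-shared key from a passphrase and SSID the way 802.11i specifies, and renders the wpa_supplicant network block that carries it. The SSID and passphrase are constructed sample values.

```python
import hashlib

# Constructed sample values for the demo; not taken from the article.
SAMPLE_SSID = "HomeNet"
SAMPLE_PASSPHRASE = "correct horse battery staple"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal pre-shared key from a passphrase
    and SSID as 802.11i specifies: PBKDF2-HMAC-SHA1, 4096 iterations, the SSID
    as salt, 32 bytes out. Every station given the same passphrase computes the
    same key, which is why Personal mode needs all users to be trustworthy."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)


def parse_psk_field(value: str, ssid: str) -> bytes:
    """Interpret a wpa_supplicant psk= value, which may be either a quoted
    passphrase (derived at run time) or the 64-hex-digit key itself."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return wpa_psk(value[1:-1], ssid)
    if len(value) == 64:
        return bytes.fromhex(value)  # raises ValueError on non-hex input
    raise ValueError("psk must be a quoted passphrase or 64 hex digits")


def network_block(ssid: str, passphrase: str) -> str:
    """Render a WPA2-Personal network block for wpa_supplicant.conf with the
    derived key in hex, the same form the wpa_passphrase utility prints. The hex
    key is still the secret; it only keeps the readable passphrase out of the file."""
    return (
        "network={\n"
        f'\tssid="{ssid}"\n'
        "\tkey_mgmt=WPA-PSK\n"
        "\tproto=RSN\n"
        "\tpairwise=CCMP\n"
        "\tgroup=CCMP\n"
        f"\tpsk={wpa_psk(passphrase, ssid).hex()}\n"
        "}\n"
    )


if __name__ == "__main__":
    print(network_block(SAMPLE_SSID, SAMPLE_PASSPHRASE))
```

Changing the SSID changes the derived key even for the same passphrase, so a key copied from one network will not work on another.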

WPA Gotchas
The WPA2 standard is a good thing, as it provides strong encrypted authentication, access controls, and encrypted data traffic. But it does not provide end-to-end encryption; it only encrypts the traffic between your wireless NIC and whatever wireless access point you are connecting to. Anything upstream of that is not affected by WPA. So once you log into your LAN, traffic is sent in the clear. When you leap from there out to the Internet, don’t feel all comfy and secure, because that is sent in the clear as well. Except, of course, for the usual application-specific encryption, such as HTTPS, SSH and TLS-SSL.

For ordinary Web-surfing and e-mail, this is probably not a big deal. But if you make a WAN connection to your remote company network, it likely is a big deal. So you’ll still need VPN tunnels or some sort of separate security for those situations.

Some devices that support both WPA and WPA2 do so only in Personal mode.