Wireless Security Problems

Let’s take a look at the problems involved with wireless network security and how you can go about diagnosing and fixing them before they really become problems.

Does the software I run on a wireless network make a difference to my security?

The answer, unfortunately, is yes. Some operating systems and some programs are more prone to attack than other software. The Windows operating system and Microsoft Internet Explorer are popular targets because hackers can create more havoc and get more exposure by attacking them than they can by attacking Linux or the Macintosh.

Although you will get an argument from many people, Windows is probably as well written as either of those other operating systems, but is simply the object of more attention.

Other common targets of attack are Windows applications such as Internet Explorer, Internet Information Server (IIS), Microsoft Outlook, Exchange, and the Office programs—all for the same reason as Windows itself: they’re more popular.

Changing browsers to something like Netscape or Opera will lower your risk, but isn’t always possible for many people. Microsoft Office is particularly vulnerable because it allows scripts to run. You can disable the execution of scripts or require that a script ask for permission before it runs, which is prudent.

The reason that Microsoft went to the trouble to create Windows Update for users is to plug security holes quickly. Access to Windows Update is one of the best reasons to pay for a licensed copy of Windows, and you should always be up to date on the software offered for your system by that Web site.

The Office version of Windows Update, called Office Update, is also one that you should check frequently. In versions of Windows where you can enable automated notification and updating, it’s a good idea to do so. We recommend that you enable automated notification, but do not enable automated download and installation.

We make this recommendation because if something goes wrong with an update, or your system changes in some way that you don’t like, knowing what was done to your computer makes it easier to revert your system to the state it was in just prior to the change.

We also recommend that you use anti-virus software and spyware-detection software. Many good anti-virus packages are available, with some clear market leaders. Anti-virus software is a relatively mature market and you can’t go wrong with Norton, McAfee, Trend Micro, Panda, and others.

On the spyware side the choices are less clear. Programs such as Spy Sweeper, SpyBot, and Adaware, along with others, seem to offer only partial solutions.

What’s the biggest mistake I can make when it comes to wireless network security?

There are two mistakes to avoid with any wireless network device that transmits and receives radio signals. The first is not changing the default password for the device in question, and the second is not enabling some form of encryption on your network.

Don’t kid yourself; anyone who is determined to gain access to your wireless network knows the default administrator’s account name and the default password (which most vendors usually leave blank).

As soon as they know what the device is, they can often go to the manufacturer’s Web site and download the manual. The manual will have all the information they need.

It’s that initial entry that you want to prevent because that entry can provide a means for delivering a Trojan horse, worm, a backdoor program such as BackOrifice, or a custom program that dials out of your network and provides settings and access.

Someone has gained access to my wireless network. What can I do to stop a second access?

The short answer is change things. Start with the password that allows access to your network settings. If you have encryption enabled, change the key that encrypts the traffic. For small networks such as a home and small business, it isn’t that much extra trouble to rename the network’s SSID.

For larger networks, changing the SSID is going to be more trouble than it’s worth because you will have to visit all the individual access points, routers, repeaters, and other devices to reset the network name.

Is WEP secure?

Yes and no. WEP encryption uses what is called a shared key to encrypt traffic. When you turn WEP on, you can enable up to four of these shared keys. WEP keys are esoteric beasts; most are entered in hexadecimal (some are in ASCII).

It’s not unheard of for someone to write down the shared secret encryption key on a Post-it note and stick the note on the wall. Keys need to be physically protected. WEP can be and has been cracked, putting this security mechanism into the category of useful but not foolproof.

An intruder has to be knowledgeable to crack a WEP-encrypted wireless network, so for almost all users WEP will be enough to stop entry to almost all people.

The larger the WEP standard used (256-bit versus 56-bit) the harder it is to break a key. If you are using a larger key size, make sure that all of your wireless equipment supports this standard. That includes not only access points, repeaters, routers, and gateways, but NICs as well.

With a program like the Linux AirSnort or with WEPCrack, crackers can listen to network traffic and analyze it to guess the key. If you find that it takes less than an hour to crack your key, then your encryption is not secure. If you find that your key requires weeks to be decrypted and sequenced, then WEP is probably sufficient.

Actually it isn’t that easy to crack a WEP encryption scheme if the key is well designed and strong, and it requires a very concerted effort on the part of the cracker to overcome. In order to figure out the parts of a key and then put them together in sequence, the intruder would have to spend many days to get the needed information.

If your network traffic is light, then the amount of time required can be on the order of weeks. So for a small network and one that isn’t transmitting sensitive data, WEP can be sufficient.

How can I prevent cracker programs from defeating WEP?

On small networks the single best thing you can do to keep intruders from gaining access to a WEP-enabled network is to change the encryption keys on a weekly basis. Because a strong password can require that a sniffer program see as many as 16.8 million frames of data to crack a key, changing the key frequently defeats this.

Just doing this one thing provides very strong protection for a small network. Key rotation isn’t easily done on larger networks with WEP because you have a lot of overhead when it comes to key distribution. However, key rotation is part of WPA. Every time you log on with WPA, a temporal or session key is generated.
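Why a weekly key change keeps ahead on a quiet network but not on a busy one, as an added example that is not part of the original article. It assumes the common WEP key lengths (5, 13 and, as a vendor extension, 29 secret bytes) combined with a 24-bit per-frame IV, whose 2^24 values match the 16.8 million figure; the function names, sample keys and traffic rates are constructed for illustration.

```python
import math
import string

IV_BITS = 24                 # per-frame initialization vector, sent in the clear
IV_SPACE = 2 ** IV_BITS      # 16,777,216 frames, the "16.8 million" figure
# secret length in bytes -> marketed key size (secret bits + 24 IV bits);
# the 29-byte / "256-bit" size is a vendor extension, not part of the standard
MARKETED = {5: 64, 13: 128, 29: 256}

def parse_wep_key(text):
    """Return (key_bytes, entry_mode) for a key typed as hex or as ASCII."""
    text = text.strip()
    is_hex = all(c in string.hexdigits for c in text)
    if is_hex and len(text) % 2 == 0 and len(text) // 2 in MARKETED:
        return bytes.fromhex(text), "hex"
    if text.isascii() and text.isprintable() and len(text) in MARKETED:
        return text.encode("ascii"), "ascii"
    raise ValueError("not a 5-, 13- or 29-byte WEP key in hex or ASCII")

def describe_key(text):
    """Summarize how much secret material a typed key can actually carry."""
    key, mode = parse_wep_key(text)
    # A typed ASCII key draws each byte from about 95 printable characters, not 256.
    per_byte = 8.0 if mode == "hex" else math.log2(95)
    return {
        "mode": mode,
        "marketed_bits": MARKETED[len(key)],
        "secret_bits": len(key) * 8,
        "max_entropy_bits": round(len(key) * per_byte, 1),
    }

def days_to_send_iv_space(frames_per_second):
    """Days of traffic needed to put IV_SPACE frames on the air under one key."""
    return IV_SPACE / frames_per_second / 86400

def rotation_keeps_ahead(frames_per_second, rotate_every_days=7):
    """True if the key changes before IV_SPACE frames have been sent under it."""
    return rotate_every_days < days_to_send_iv_space(frames_per_second)

if __name__ == "__main__":
    for sample in ("0A1B2C3D4E", "Sw0rdf1sh!Key"):   # constructed sample keys
        print(sample, describe_key(sample))
    for fps in (10, 500):                             # assumed traffic levels
        print(fps, "frames/s:", round(days_to_send_iv_space(fps), 2), "days;",
              "weekly rotation keeps ahead:", rotation_keeps_ahead(fps))
```

At the assumed 10 frames per second the 16.8 million frames take about 19 days, so a weekly change stays ahead; at 500 frames per second they go out in roughly nine hours.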

What’s better than WEP?

The WPA or Wi-Fi Protected Access encryption is part of the new 802.11i security protocol. WPA also uses a shared secret key system, just like WEP, with one to four keys. Unlike WEP, WPA keys are plain-text passwords and are called preshared keys, or PSK, or sometimes preshared passwords.

What differentiates WPA is that the PSK isn’t actually used as the encryption key; an algorithm uses the PSK to create a second key that won’t allow network access. With the WEP security mechanism the password key itself is used to generate the encryption key.

So if someone cracks the encryption, he has your key. However, in WPA, if the intruder gets the PSK, then he still gets access to your wireless network but he can’t extract the PSK from network traffic.
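The key hierarchy behind the two points above (a fresh session key at every logon, and a PSK that is never itself the traffic key), as an added example that is not part of the original article. It assumes the standard WPA-PSK derivation from 802.11i: PBKDF2-HMAC-SHA1 over the passphrase and SSID, then the PRF over both MAC addresses and both handshake nonces. The function names, MAC addresses, passphrase and network names are constructed for illustration.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase, ssid):
    """Stretch the preshared passphrase into the 256-bit pairwise master key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    # PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """Per-session key block, mixed from both MAC addresses and both nonces."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def temporal_key(ptk):
    """Bytes 32..47 of the PTK encrypt unicast traffic for this session only."""
    return ptk[32:48]

if __name__ == "__main__":
    ap = bytes.fromhex("020000000001")        # constructed MAC addresses
    client = bytes.fromhex("020000000002")
    pmk = derive_pmk("correct horse battery", "ExampleNet")  # constructed values
    for session in (1, 2):
        # Each logon uses fresh random nonces from the AP and the client.
        ptk = derive_ptk(pmk, ap, client, os.urandom(32), os.urandom(32))
        print("session", session, "temporal key:", temporal_key(ptk).hex())
    # The same passphrase on a renamed network yields an unrelated master key.
    print(derive_pmk("correct horse battery", "RenamedNet") != pmk)
```

Because the SSID is the salt, renaming the network changes the master key even when the passphrase stays the same.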

What devices offer WPA?

Although WPA is attractive, only newer devices have this feature. If you have an old 802.11b access point you probably don’t have WPA on that device. Sometimes this feature is added through a firmware upgrade, so check with your vendor and look on its Web site to see if you have any additional options.

You’ll find WPA on almost all 802.11g devices made after 2003.

When anyone opens their notebook they can see my wireless network as an available network. How can I keep my network invisible?

A wireless network appears in the available wireless network list when you broadcast the SSID of the network.

So if you turn off the broadcast feature in your access point’s security screen, the name will no longer appear on the list. Some access points refer to a disabled broadcast as a “closed network”; whereas one that broadcasts its name is referred to as an “open network.”

Turning off broadcast doesn’t really improve security if people know what the network name is, but for anyone who doesn’t know the name, it’s one more obstacle that an outsider must surmount to gain access to your network.

You should also keep in mind that although a network name doesn’t get broadcast and you can’t see it in Windows operating system dialog boxes, there are plenty of software programs, some commercial and others shareware, that people can use to see the network name.

So turning off the broadcast won’t stop an advanced user from gaining access. Therefore you need to balance the value of hiding a network name from view against the inconvenience of not being able to automatically see the network name and use it without having to enter it.

I’ve turned on the MAC filtering feature in my access point. Does this prevent outside access to my wireless network?

MAC filtering is a feature where you specify the MAC addresses of the NICs for computers that you trust. It would seem to be a foolproof method for limiting access because the MAC address of every NIC in the world is unique.

However, anyone who can listen to your network traffic, especially if the traffic is unencrypted, will be able to see the MAC addresses of the computers on your wireless network, and can use the information to spoof a MAC address and gain access to your wireless network.

The situation with MAC addresses is even less secure than you might imagine. Many routers and access points allow you to change their network adapter’s apparent MAC address in order to allow that device to connect to an ISP where a particular network adapter MAC is required for a connection.

As with suppressing SSID broadcasting, filtering MAC addresses is only going to make it impossible for the average computer user to gain access. Hackers working with easily available software can get past this security feature.

How can I limit people outside my building or floor accessing my wireless network?

One way to limit access is to make sure that your wireless signal doesn’t extend out beyond the physical limits of the space you are trying to cover. In other words, define your coverage area. The best way to determine your coverage is to test it with a Wi-Fi detector and with a wireless notebook.

Be sure that you are using a sensitive wireless NIC, one that has very good reception when it’s in range. You don’t want someone to come along with a better NIC and detect a signal that you couldn’t. Numerous ways exist to limit the amount of area that an access point, router, repeater, or gateway covers.

You can use directional antennas to aim the signal, as well as barriers to stop the signal. It’s not foolproof, but it does offer some level of protection. However, limiting the signal range does not preclude the need to encrypt traffic, to suppress SSID broadcasts, and to do MAC filtering (in that order).

Don’t forget to turn off wireless access to your network after hours. The incidence of mischief is higher on nights and weekends, when there are few if any people around to monitor activity.

When I’m in my office, I can see many available networks of other businesses in my building. What should I do?

Consider a situation in which your small business is in an incubator building with many other businesses. Each business has a wireless network, and none are far enough away from one another to limit the signal reception.

When you or your coworkers open the available wireless networks dialog box, several other networks are listed. If you log onto another network, you might not notice that you’re not connected to your own network because you have browser access to the Internet.

You’ll notice that your e-mail doesn’t work, and that network services aren’t available, but an average user might not know why. Then there’s also the consideration of that computer being a possible security breach if it hasn’t been protected well enough.

You can do a few things in a situation like this. First, make sure that your network comes up first in the list of names and set up client access so that it logs onto the first name in the dialog box.

Better yet, pay a visit to the other network owners in the building and explain the situation to them. Get those other networks to suppress their SSID broadcasts. Other security mechanisms on their networks, such as encryption and MAC filtering, don’t affect you.

If one or more of the networks are set up as hotspots, such as the coffee shop on the ground floor, you may not be able to get them to suppress their SSID.

For commercial hotspots there are probably some user validation methods in place that limit entry; but for free hotspots there won’t be any validation and you will just have to live with the problem.