As wireless signals proliferate, people are leaving their computers to the whim of someone with a little bit of gusto, a dash of know-how, and the right timing. Kaspersky Labs found that just under half of all of London's wifi networks were unprotected.
Wardriving, a practice that originated in the United States, takes advantage of the lack of security on many owners' wireless networks. Using PDAs or a laptop, individuals can scour large areas for open networks and then do anything they want with the ones they find. While most wardrivers are benign - simply looking for free wireless access in a pinch - the mere premise of wardriving can spell misfortune when the wifi-seeker is less pleasant.
So, what can you do to protect yourself from intruders? Quite a bit! Here are the ways you can set up your network to keep your computer safe.
Encryption
Wireless encryption is a broad term covering several implementations. In each, the contents of a wireless signal are scrambled and, in theory, can only be decoded by computers explicitly configured to do so by the user. The common types of encryption available to end-users are WEP, WPA and WPA2. All of them operate on the basic principle of scrambling, but some are decidedly better than others.
WEP
Wired Equivalent Privacy, which was the first encryption standard devised for WiFi, is the most common type of protection; everything supports it. The downside, however, is that it can be easily broken. Put very simply, configuring a WEP key automatically generates another key that's transparent to the user. This key is called an initialization vector. The initialization vector is transmitted along with the WiFi signal in an unencrypted format, to ensure that the way the network's data is encrypted is never repeated.
Unfortunately, the initialization vector in WEP is too short, and approximately every 5000 packets (thousands of which occur in just a few minutes) an access key can be gleaned, and entry to your network can be gained. In 2005, the FBI demonstrated the ability to break into a WEP-secured network in three minutes or less using tools anyone can acquire on the internet for free. WEP is a good choice only if you can't use another option. Some older network cards don't support WEP, and some simple wireless electronics like Xbox and PS2 wireless adapters can't handle anything better. If this is the case, you've been warned, but try to avoid it if you can.
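Why a short initialization vector matters, as an added example that is not part of the original article: WEP's IV is 24 bits, so by the birthday bound a repeat becomes more likely than not at roughly the 5000 packets mentioned above, and two frames encrypted under the same IV share one RC4 keystream. The key, IV and frame contents are constructed sample values, and WEP's integrity checksum is left out.

```python
import math

IV_BITS = 24  # WEP's IV is 24 bits and travels unencrypted with every frame

def iv_collision_probability(packets, iv_bits=IV_BITS):
    """Birthday-bound chance that at least two of `packets` random IVs are equal."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))

def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv, secret_key, plaintext):
    """WEP seeds RC4 with IV || key; the frame body is plaintext XOR keystream."""
    stream = rc4_keystream(iv + secret_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not captured traffic.
KEY = bytes.fromhex("0123456789abcdef0123456789")  # 26 hex characters ("128 bit" WEP)
IV = bytes.fromhex("a1b2c3")
FRAME_1 = b"GET /index.html "
FRAME_2 = b"user=alice&pw=x "

def reuse_leaks_plaintext_xor():
    """With a repeated IV the keystream cancels out of c1 XOR c2."""
    c1, c2 = (wep_encrypt(IV, KEY, frame) for frame in (FRAME_1, FRAME_2))
    return xor(c1, c2) == xor(FRAME_1, FRAME_2)

if __name__ == "__main__":
    for n in (1000, 5000, 12000):
        print(f"{n:>6} packets -> P(IV repeat) = {iv_collision_probability(n):.2f}")
    print("keystream cancels on IV reuse:", reuse_leaks_plaintext_xor())
```

A "128 bit" WEP key is the 104-bit secret you type plus the 24-bit IV, so a longer key does nothing to make IV repeats rarer.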
WEP can generally be configured in two ways: with a 64 bit key or with a 128 bit key. Some routers will ask you to create your own key, in which case you should strictly choose a 128 bit key, and enter 26 characters using the letters A through F and the numbers 1 through 9. Some routers will generate a key for you from a passphrase of your choice, which can be any word unique to you that you can easily remember. It is imperative that you keep this passphrase safe and to yourself, as it's a password to your network. Remember to have your passphrase generate a 128 bit key. We'll touch on how to actually use a key on your network later on.
WPA
WiFi Protected Access is the next step up, and a very fine step it is. In WPA, the initialization vector and the security code that it gets combined with are different for each packet of data, and this is known as TKIP (Temporal Key Integrity Protocol). The codes for TKIP are based on a passphrase you enter into the router and specify in the wireless device. WPA also employs multiple features to verify the authenticity of the packet being received to prevent, for example, people inserting harmful code into your wireless stream at their leisure. Virtually every piece of 802.11G networking equipment, at least for computers and computer-like products (PDAs and smartphones), can support WPA.
For the home user, all wireless configuration clients will give you the option to use WPA in PSK, "Pre-Shared Key" mode. In WPA-PSK, a user provides a very complex passphrase (this is crucial) to the router and to everyone looking to connect to the router, and this phrase is used to generate all the actual encryption keys. Because this key is literally the gatekeeper to your wireless network, anything less than a 20 character string of alpha-numeric characters (or something shorter if it's completely random) is asking for trouble. Making a WPA key that looks something like "hallock1234" is a disaster.
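How the passphrase becomes key material, as an added example that is not part of the original article: WPA-PSK and WPA2-PSK both derive a 256-bit master key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 rounds. The helper `review_passphrase` and its rules are hypothetical, written to mirror the advice above; the strong passphrase is a constructed sample.

```python
import hashlib
import string

def wpa_pmk(passphrase, ssid):
    """Derive the 256-bit pairwise master key that WPA-PSK and WPA2-PSK share:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def review_passphrase(passphrase, personal_words=()):
    """Hypothetical helper: list the ways a passphrase falls short of the
    article's advice (20+ characters, nothing guessable about the owner)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("outside the 8-63 character range WPA accepts")
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    lowered = passphrase.lower()
    for word in personal_words:
        if word.lower() in lowered:
            problems.append(f"contains the personal word {word!r}")
    stem = lowered.rstrip(string.digits)
    if stem.isalpha() and stem != lowered:
        problems.append("is a word with digits tacked on the end")
    return problems

if __name__ == "__main__":
    # The SSID and the weak passphrase are the article's; the strong one is constructed.
    ssid = "802.11G-Hallock.WiFi"
    for candidate in ("hallock1234", "vK7#pQ2m!Zr9wLx4&Tf6bN8s"):
        findings = review_passphrase(candidate, ("hallock",))
        print(candidate, "->", findings or "no findings")
        print("  master key:", wpa_pmk(candidate, ssid).hex())
```

Since the passphrase and the SSID are the only inputs to the master key, the length and unpredictability of the passphrase are what the whole scheme rests on.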
WPA2
Almost like WPA, WPA2 is the last step towards fully secure wireless networks. It is the standard that complies fully with the original intentions of the organization that certifies products to carry the "802.11x" or "WiFi" labels. Kicking the security up a notch, it combines TKIP with an extremely strong encryption mechanism called CCMP via AES. Long story short, this is the only encryption scheme the world over that governments feel comfortable using for a wireless network. Many devices don't support WPA2, but if the product was made after March 13, 2006, it must have WPA2 support to receive certification.
To implement WPA2, again, the user must use PSK mode and enter an exceedingly complex passphrase in both the router and all computers/devices looking to connect to the router.
Other Forms of Security
While WPA and WPA2 are strong options, it's always good to establish other barriers to entry as well. Techniques called 'Disabled SSID Broadcasting' and 'MAC Filtering' can amp up your security even more, making your wireless network invisible to most, and letting you set precisely which PCs can and can't connect to your network by the network card that computer has installed. Cool!
MAC Filtering
Every computer has a MAC address, which is a string of characters in this format: XX-XX-XX-XX-XX-XX. The MAC address makes each network card as individual as a snowflake, as no two network cards or internet-capable devices share the same one, anywhere in the world, ever. It's advisable to make a list of the MAC addresses the computers in your home use, because you'll need them very soon. To do so, simply go to Start -> Run, type cmd and hit Enter. Type IPCONFIG /ALL at the prompt, and you'll get something like this:
Squared off in red is the section where the MAC address is listed. Simply do this for each PC, write down the values exactly as you see them, and keep them on hand. Because you can only allow MAC addresses on your network that you specify, you can effectively block anyone that isn't coming from a computer you own. They're your numbers, no one else's!
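Collecting the addresses by script rather than by hand, as an added example that is not part of the original article: the parser below reads saved IPCONFIG /ALL output from each PC, keeps the "Physical Address" lines in the XX-XX-XX-XX-XX-XX format, and merges them into one list for the router's filter. The sample output, adapter names and MAC values are constructed, and `build_filter_list` is a hypothetical helper name.

```python
import re

# Constructed `ipconfig /all` excerpts for two PCs (not real captures). The MACs use
# the locally administered 02-... range so they belong to no real vendor.
PC_OUTPUT = {
    "desktop": """\
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 02-00-00-AA-BB-01
""",
    "laptop": """\
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example 802.11g Adapter
        Physical Address. . . . . . . . . : 02-00-00-aa-bb-02
Tunnel adapter Example Tunneling Pseudo-Interface:
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
""",
}

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
PHYSICAL = re.compile(r"^\s+Physical Address[ .]*:\s*(\S+)\s*$")
MAC = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}$")

def collect_macs(ipconfig_text):
    """Return {adapter name: MAC}, keeping only 6-byte XX-XX-XX-XX-XX-XX addresses."""
    found, adapter = {}, None
    for line in ipconfig_text.splitlines():
        header = ADAPTER.match(line)
        if header:
            adapter = header.group(1)
            continue
        physical = PHYSICAL.match(line)
        if physical and adapter:
            mac = physical.group(1).upper()
            if MAC.match(mac):  # drops 8-byte tunnel pseudo-addresses and garbage
                found[adapter] = mac
    return found

def build_filter_list(outputs_by_pc):
    """Merge every PC's adapters into one sorted list of (MAC, PC, adapter) rows."""
    rows = []
    for pc, text in outputs_by_pc.items():
        for adapter, mac in collect_macs(text).items():
            rows.append((mac, pc, adapter))
    return sorted(rows)

if __name__ == "__main__":
    for mac, pc, adapter in build_filter_list(PC_OUTPUT):
        print(f"{mac}  {pc}: {adapter}")
```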
Disabled SSID Broadcasting
While it sounds like a big phrase, it really isn't. One of the features of WiFi connections is that they advertise themselves with a radio beacon that says "Hey! I'm a WiFi network! Would you like to connect to me?" This beacon carries the name of the wireless network, such as "Starbucks." However, since you're at home and don't want people seeing whether your wireless network is there or not, setting up your router should include disabling SSID broadcasting and giving your network an SSID name you can remember, but that isn't easy to guess. Again, an SSID of hallock1234 is a bad idea; 12!h4ll0ck!34 is a bit better.
How to Implement All of It
This is the most confusing part of every setup, because every router and network card is different. Every router has a different interface, and every network card comes with a different WiFi connectivity utility which again is different from Windows XP's integrated utility. The safest bet is to keep your router and network cards within the same brand, that way the interface of the utility for your network card and the interface for your router match, but with laptops this is nigh on impossible. Using my own router here at home, a Linksys WRT54G, the various sections for setting up WiFi access can be seen:
A router configured with WPA-PSK, using a very hard-to-guess pass key. This pass key would be used for client computers looking to connect.
In this window, you can enter the MAC addresses of up to 128 unique computers, limiting access just to them.
Here an 802.11G network has no "I'm here!" beacon. Anyone looking to connect to my network must know it's named "802.11G-Hallock.WiFi"
Fortunately, the terminology used between network devices is fairly similar. All a user needs to do to implement solid security is follow these steps:
- Collect the MAC addresses of all the computers on the network.
- Consult the manual of the router to find out how one logs into it, and then log into it!
- Pick a complex SSID name
- Disable SSID broadcasting.
- Add the MACs of all the PCs to the filter.
- Switch the router to WPA-PSK or WPA2
- Enter a very complex WPA(2)-PSK passphrase
- Save all the settings in the router
- Go to each computer and configure the wireless card to find your SSID, and to connect using your passphrase you provided.
It is with great regret that a breakdown of the utility each wireless card uses is outside the scope of this article. We hope you can understand that, with hundreds of cards from dozens of wireless vendors, it would be hard to walk you through the process of setting up each one. Just remember that the terminology for virtually every vendor is the same, and that an SSID name and a WPA key are the most important things to take with you to each PC. Once you have all the security set up, however, there's virtually nothing a mortal person can do to eavesdrop on you and your network. It's your network! Take control, be secure, be safe.





