Ready to 
Quickest Guide to Wireless Security (Ever)
As wireless signals proliferate, people
are leaving their computers to the whim of someone with a little bit of gusto,
a dash of know-how, and the right timing. Kaspersky Labs found
that just under half of all of London’s wifi networks were unprotected.
A
practice that originated in the United States, wardriving,
piggybacks on the lack of network security that wireless owners implement.
Using PDAs or a laptop, individuals can scour large
areas for open networks and then do anything they want with the open networks
that they find. While most wardrivers are benign - simply looking for free
wireless access in a pinch - the mere premise of wardriving can spell misfortune
when the wifi-seeker is less pleasant.
So, what can you do to protect yourself from
intruders? Quite a bit! Here are the ways you can set up your network to keep
your computer safe.
Encryption
Wireless encryption is a broad phrase with many actual implementations
indicating that the contents of a wireless signal are scrambled, and in theory,
can only be decoded by computers explicitly configured to do so by the user.
Amongst the common types of encryption available to end-users, there is WEP,
WPA and WPA2. All of them operate on the basic principle of scrambling, but
some are decidedly better than others.
WEP
Wired Equivalent Privacy, which was the first encryption standard devised
for WiFi, is the most common type of protection; everything supports it. The
downside, however, is that it can be easily broken. Put very simply, the encryption
key generated when you configure a WEP key generates another key
automatically that’s transparent to the user. This key is called an initialization
vector. The initialization vector is transmitted along a WiFi signal
in an unencrypted format, to ensure that the method in which the network’s
data is being encrypted is never repeated.
Unfortunately, the initialization
vector in WEP is too short, and every (Approximately) 5000 packets, thousands
of which occur in just a few minutes, an access key can be gleaned, and entry
to your network can be gained. In 2005, the FBI demonstrated
the ability to break into a WEP-secured network in three minutes or less using
tools anyone can acquire on the internet for free. WEP is a good choice only
if you can’t use another option. Some older network cards don’t support
WEP, some simple wireless electronics like XBoX and PS2 wireless adapters
can’t handle anything better and if this is the case, you’ve been warned,
but try to avoid it if you can.
WEP can be configured in (generally) two ways, as a 64 bit key and a 128 bit
key. Some routers will ask you to create your own key, in which case you should
strictly choose a 128 bit key, and enter 26 characters using the letters A
through F and the numbers 1 through 9. Some routers will generate a key for
you by entering a passphrase of your choice, simply any word unique to you
that you can easily remember. It is imperative that you keep this passphrase
safe and to yourself, as it’s a password to your network. Remember to have
your passphrase generate a 128 bit key. We’ll touch on how to actually use
a key on your network later on.
WPA
WiFi Protected Access is the next step up, and a very fine
step it is. In WPA, the initialization vector and the security
code that it gets combined with are different for each packet of data, and
this is known as TKIP (Temporal Key Integrity Protocol). The codes for TKIP
are based off of a passphrase you enter into the router, and specify in the
wireless device. WPA also employs multiple features to verify the authenticity
of the packet being received to prevent, for example, people inserting harmful
code into your wireless stream at their leisure. Virtually every piece of
802.11G networking equipment, atleast for computers and computer-like products
(PDAs and smartphones), can support WPA.
For the home user, all wireless configuration clients will give
you the option to use WPA in PSK, “Pre-Shared Key” mode. In WPA-PSK,
a user provides a very complex passphrase (This is crucial) to the router
and everyone looking to connect to the router, and this phrased is used to
generate all the actual encryption keys. Because this key is literally
the gatekeeper to your wireless network, anything less than a 20 character
string of alpha-numeric characters (or something shorter if it’s completely random)
is asking for trouble. Making a WPA key that looks something like “hallock1234″
is a disaster.
WPA2
Almost like WPA, WPA2 is the last step towards fully secure
wireless networks. It is the standard that complies fully with the original
intentions of the organization that certifies products to carry the “802.11x”
or “WiFI” labels. Kicking the security up a notch, it combines TKIP
with an extremely strong encryption mechanism called CCMP via AES.
Long story short, this is the only encryption scheme the world over that governments
feel comfortable using for a wireless network. Many devices don’t support
WPA2, but if the product was made after March 13, 2006, it must have WPA2
support to receive certification.
To implement WPA2, again, the user must use PSK mode and enter
an exceedingly complex passphrase in both the router and all computers/devices
looking to connect to the router.
Other Forms of Security
While WPA and WPA2 are strong options,
it’s always good to establish other barriers to entry as well. Techniques
called ‘Disabled SSID Broadcasting’ and ‘MAC Filtering’ can amp up your security
even more, making your wireless network invisible to most, and letting you
set precisely which PCs can and can’t connect to your network by
the network card that computer has installed. Cool!
MAC Filtering
Every computer has a MAC address, and that is a string of
characters that has this format: XX-XX-XX-XX-XX-XX. The MAC address makes
each network card as individual as a snowflake, as no two network cards or
internet-capable devices share the same one, anywhere in the word, ever. It’s
advisable to make a list of the MAC addresses the computers in your home use,
because you’ll need them very soon. To do so, simply go to start ->
run and type cmd then hit enter. Type IPCONFIG /ALL
at the prompt, and you’ll get something like this:
Squared off in red is the section where the MAC address is listed.
Simply do this for each PC, write down the values exactly as you see it, and
keep it on hand. Because you can only allow MAC addresses on your network
that you specify, you can effectively block anyone that isn’t coming from
a computer you own. They’re your numbers, no one else’s!
Disabled SSID Broadcasting
While it sounds like a big phrase, it really isn’t. One of
the features of WiFi connections is that they advertise themselves with a
radio beacon that says “Hey! I’m a WiFi network! Would you like to connect
to me?” This beacon is the name of the wireless network, such as “Starbucks.” However, since you’re at home, and don’t want people seeing if your wireless
network is there or not, setting up your router should include disabling the
SSID, and giving your network an SSID name your can remember, but isn’t easy
to guess. Again, an SSID of hallock1234 is a bad idea; 12!h4ll0ck!34 is a
bit better.
How to Implement All of It
This is the most confusing part of every setup, because every
router and network card is different. Every router has a different interface,
and every network card comes with a different WiFi connectivity utility which
again is different from Windows XP’s integrated utility. The safest bet is
to keep your router and network cards within the same brand, that way the
interface of the utility for your network card and the interface for your
router match, but with laptops this is nigh on impossible. Using my own router
here at home, a Linksys WRT54g, the various sections for setting up WiFi access
can be seen:
A router configured with WPA-PSK, using a very hard-to-guess pass key. This pass key would be used for client computers looking to connect. |
In this window, you can enter the MAC addresses of up to 128 unique computers, limiting access just to them. |
Here an 802.11G network has no “I’m here!” beacon. Anyone looking to connect to my network must know it’s named “802.11G-Hallock.WiFi” |
Fortunately, the terminology used between network devices is
fairly similar. All a user needs to do to implement solid security is follow
these steps:
- Collect the MAC addresses of all the computers on the network.
- Consult the manual of the router to find out how one logs into it, and
then log into it!- Pick a complex SSID name
- Disable SSID broadcasting.
- Add the MACs of all the PCs to the filter.
- Switch the router to WPA-PSK or WPA2
- Enter a very complex WPA(2)-PSK passphrase
- Save all the settings in the router
- Go to each computer and configure the wireless card to find your SSID,
and to connect using your passphrase you provided.
It is with a great regret that a breakdown of the client each wireless client
uses is outside the scope of this article. We hope you can understand that,
with hundreds of cards from dozens of wireless vendors, it would be hard to
walk you through the process of setting up each one. Just remember that the
terminology for virtually every vendor is the same, and that an SSID number
or a WPA key are the most important things to take with you to each PC. Once
you have all the security set up, however, there’s virtually nothing a mortal
person can do to eavesdrop on you and your network. It’s your network! Take control,
be secure, be safe.
RSS