Wi-Fi Security

by Parm Mann on 19 June 2008, 00:00

Tags: Wireless Router

Quick Link: HEXUS.net/qasnp

Add to My Vault: x

Wireless Security

WiFi is a wonderful thing. You can take your laptop anywhere in your house and access the Internet, or access your network from the garden. However, it does introduce the grim possibility of somebody else doing exactly the same, without you ever knowing. This guide seeks to make you aware of various security terms and ideas associated with wireless networking and what you should consider when setting up a wireless network.

Usage

The first thing you need to consider is what the WiFi setup will be used for. A wireless hot spot in a trendy café shouldn't be locked down like Fort Knox. Anybody should be able to find and access the wireless access point. However, any computer that connects to an open network like this should have some form of firewall enabled. Remember that other users of that access point will be able to access your computer if you leave it wide open!

That aside, if you're setting up a home or office WiFi network, you don't want any Tom, Dick or Harry using the connection. There are multiple things you can do to ensure this.

Password

Perhaps the golden rule of wireless security is: change the password to your access point. Lists of default passwords are easy to get hold of, and that last thing you want is to hand over the configuration of your wireless network to an unscrupulous character. Make the password hard to crack. Use numbers and letters; nothing of a personal nature that somebody might figure out.

SSID

SSID stands for Service Set IDentifier. It's a means of identifying which network a packet of data belongs to. Your wireless access point will have a SSID, which may also be referred to as a network name. By default, your wireless access point broadcasts its SSID so that client devices can find it. However, you can disable broadcasting of the SSID and change the name of it. That way, you can only connect if you know the name.

By no means should you consider this a security measure. It's still easy to locate a wireless network that doesn't broadcast its SSID, providing you have the right software. Turning off SSID broadcasting just makes your network less obvious and is less likely to give off a “hey, come and hack me” impression.

WEP

Wired Equivalent Privacy is a relatively weak form of protection, but its better than nothing. WiFi uses radio waves, so theoretically anyone can snoop in on data being transmitted using WiFi. WEP encrypts the data being transmitted. To use WEP, you must generate a key. There are generators of WEP keys, or you can create one based on your own pass phrase. The generated key must be input into the client machines to allow them to communicate with the access point.
To confuse matters further, there are different strengths of WEP encryption. The weakest type is 64-bit, or 40-bit after you take away the 24-bit initialisation vector (something we won't get into here.) Then there's the stronger 128-bit (or 104-bit) form of WEP. You need both client hardware and an access point that supports WEP to use it, and then you need to know what the strongest form of encryption that you can use is.

Unfortunately, a hacker can 'sniff' encrypted packets and once they've sniffed enough, with the right software, crack the encryption. WEP will put off casual snoopers, but only slow down somebody who really wants into your network.

WPA

WiFi Protected Access is the successor to WEP and is intended to be a much stronger WiFi encryption method. There are two versions of WPA and those versions can be broken down into personal and enterprise usage also. We will focus on the personal varieties of WPA.

With WPA-Personal, you define a pass phrase which must then be shared with anyone wanting to gain access to the Wi-Fi network. The longer you make the pass phrase, the better.

WPA is harder to crack than WEP, so if your access point and other hardware supports it, I'd encourage you to use it. If your hardware doesn't support it, check for a firmware update that might add it as a new feature.

WPA2 also exists, which is fully compliant with the 802.11i specification – a wireless spec geared towards security. Support for it remains varied. For example, while my firmware updated access point claimed support for WPA2, I was unable to get my Centrino laptop to work with it, even with the latest drivers and patches. Another option you might see when setting up WPA is the encryption type to use. Chances are if there's an choice, it'll be between TKIP and AES. AES seems to be considered preferable and also results in less of a performance hit in network throughput. However, I have also experienced difficulty with it when using certain combinations of WiFi equipment.

Final Thoughts

When thinking about what security to setup for your WiFi network, consider the purpose of the network and also hardware/software compatibility. If you're setting up a home network and want it to be as secure as possible, turn off SSID broadcasting, change the network name and admin password and start by trying to get WPA configured. If that doesn't work, you can fall back to WEP, but only if you have no choice.

Do remember, however, that while these methods will deter the casual snooper, if a hacker really wants access to your network, they will eventually find a way. Make sure you keep your machines' firewalls running and bear in mind that the ultimate in WiFi security is an access point that is turned off!


Sponsered by SCAN