Easy 802.11g Security

We all love the convenience wireless LANs (WLANs) bring to our lives. They keep us connected beyond our cubicle or office. We can access the Internet as easily from a coffee shop or our couches at home as we can sitting at our desks. An entry-level wireless Access Point (AP) costs less than $75, a price that makes these devices one of the best-selling computer peripherals since the iPod. And heck, you can literally plug one of these boxes into an electrical outlet and into your network, and wham!— your Wi-Fi-enabled laptops can connect to your network without any wires. But is this necessarily a good thing? This convenience brings with it a huge risk to your network and data, because when you accept the configuration defaults of many of these inexpensive wireless APs, you run the risk of others connecting to your network or snooping on your data just as easily. Fortunately, most wireless APs include easy-to-configure steps that dramatically improve their security. In six basic steps, you can secure a small WLAN that uses inexpensive 802.11g equipment.

Although 802.11g is an IEEE standard, most vendors offer a myriad bolt-on features to their wireless AP products. However, the security features typically remain consistent, although different vendors might name similar features differently. In the sample configuration process presented here, I use a Linksys WRT54G as the 802.11g AP. The WRT54G is inexpensive and popular for small offices, home offices, and even labs in larger companies. This and similar APs don't offer the same level of features as enterprise-class products such as the Proxim ORiNOCO or Cisco Systems Aironet product lines; this article is focused on securing basic, entry-level APs.

Out of the Box Unsecure
A problem with many of these inexpensive wireless APs is that they emphasize ease of setup at the expense of security. For example, unpack some of these devices and plug them into your network. Then, when you enable a wireless network adapter on a computer running Windows XP Service Pack 2 (SP2)—which these days can be as easy as plugging in the network card and turning on the computer—Windows will announce that it has found a new wireless AP and will ask if you want to connect to it. Click yes, and you're instantly connected to that network.

Vendors are getting better—the most recent version (version 5) of the popular Linksys WRT54G AP includes a SecureEasySetup wizard that combines hardware and software steps to securely configure your AP. The manual has an appendix devoted to wireless security that answers even advanced questions that you might have. However, if you use an older Linksys AP, be sure to check its setup because earlier models shipped with many of the security options described in this article disabled.

This unsecure configuration was by design; early versions of the Linksys manual stated several times that "the router is designed to function properly after connecting the router to your network." Once connected, the computer can connect to any other computer on the network or even piggyback on your Internet connection. XP's wireless configuration features make connecting to an unsecured wireless AP a snap. Unfortunately, the features that make it easy for you to connect to your network also make it trivial for anyone else with a Wi-Fi device within a few hundred feet to connect to your network.

In the next few sections, I walk through locking down a basic wireless AP. The setting changes are simple—anyone with a wireless network can and should perform them. My sample configuration uses a slightly older version of the Linksys WRT54G and assumes that you know how to access an AP's configuration screens. I've chosen the older version for two reasons: first, because many of these devices are deployed in an unsecure manner out in the world, and second, because the wizard in the new Linksys WRT54G is proprietary to Linksys, whereas the configuration screens of the older version are more representative of what vendors typically provide and thus my instructions for working with them can easily be adapted to other products. Even if you're using the newest version of any AP, it's wise to check your configuration against these easy-to-perform steps.

STEP 1: Protect the AP Administration Page
The first step is to change the default password on the Administration tab of the Linksys AP's Web interface. If your wireless AP also functions as a broadband router, you need to make sure that you can administer the device only from the internal interface and not directly from the Internet. You don't want someone to be able to make a Web connection to your public Internet address on the external interface of your wireless AP and reconfigure that interface to take it over.

STEP 2: Change the SSID, and Disable SSID Broadcasting
Changing or disabling a wireless AP's SSID makes it more difficult for the casual Wi-Fi snoop to find your network but doesn't deter even a novice attacker. Anyone running a wireless sniffing tool such as NetStumbler (http://www.netstumbler .com) will still be able to detect the AP and its nondefault SSID. And once an attacker knows an AP's SSID, he or she can take additional steps to connect to the AP. Nonetheless, changing the SSID from the default is better than broadcasting to everyone that you have a particular brand of wireless AP.

To change the SSID, navigate to the Basic Wireless Settings area on the Linksys AP firmware's Wireless tab and change the Wireless Network Name (SSID), as Figure 1 shows. Change the name to something discreet; for example, don't use your company name or something enticing, such as Finance. These names might draw attackers looking for something of value.

On the same Linksys firmware page, select Disable to disable wireless SSID broadcasting, as Figure 1 shows. When you change the SSID name and disable SSID beaconing, you must also manually configure wireless clients with the SSID name to connect to the AP. (I explain the client steps later.)

STEP 3: Use WPA If You Can, but Use WEP Rather Than Nothing
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access, and WPA's follow-on, WPA2, each provide a cross-vendor framework for access control and for securing and encrypting data sent between a wireless AP and a wireless client. You should enable WEP or WPA for every wireless AP deployment. When you have a choice between the three technologies, choose WPA2 over WPA over WEP. WEP has serious flaws in its design and implementation, and numerous tools can crack the WEP encryption key and defeat its security.

WEP's replacement, WPA, is based on a subset of the IEEE 802.11i standard, and WPA2 is based on the final IEEE 802.11i standard. WPA offers a number of techniques and options, such as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES), that improve key management and encryption methodologies. Most current wireless APs support WPA, and some older models let you upgrade the firmware to add WPA support, so be sure to check with your vendor. However, keep in mind that you can choose WPA only if both your AP and every client that you want to connect to it support WPA.

WEP and WPA encrypt the data sent between your AP and remote clients. In simple terms, a key (i.e., a string of characters) that's known by both the wireless AP and the client is used to encrypt and decrypt the data sent between the devices. An attacker who gets a hold of this key can decipher data communications between the wireless AP and a client or possibly connect to the wireless AP.

A major shortcoming of WEP is that you must manually enter the actual key used for encryption on both the wireless AP and the client. This is a laborious process and most people enter a key once and never change it. Because of other flaws in WEP, determined attackers can crack this key, then use it to access the wireless AP or decrypt data sent between the wireless AP and legitimate clients. Because the key doesn't change automatically, the attacker could access data for long periods of time until someone manually changes the key.

WPA corrects this deficiency by adding features for key management. Like WEP, a key is used to encrypt the data. However, you enter a key once, and WPA subsequently uses this key to generate the actual key that encrypts the data. And WPA automatically regenerates the key periodically. This means that even if an attacker gets lucky and cracks an encryption key, the key is useful only until the wireless AP and client change the key automatically. By default, the Linksys wireless AP changes the encryption key once an hour.

By default, older versions of the Linksys AP set Wireless Security to Disable. To enable security, click Wireless Security on the Linksys firmware's Wireless tab. In the Security Mode drop-down box, select your desired wireless security configuration. The older versions of the Linksys AP support security modes named WPA Pre-Shared Key, WPA RADIUS, RADIUS, and WEP. In the newest version, WPA Pre-Shared Key and WPA RADIUS are renamed WPA Personal and WPA Enterprise, respectively, and WPA2 has been added. Most other vendors support the same technologies, but they might have slightly different names.

The best setting for small office/home office (SOHO) users is WPA Pre-Shared Key (WPA-PSK), or WPA Personal, because it offers the strong security of WPA and easy configuration. Midsized and large businesses will be better served by Linksys's WPA RADIUS (WPA Enterprise) option, which requires a Remote Authentication Dial-In User Service (RADIUS) server—although these users might want an enterprise-class AP instead of an entry-level model like the one described in this article. For more information about WPA RADIUS, see the "Advanced Authentication" sidebar. Linksys's RADIUS option, like the WEP option, is mostly for legacy deployments, meaning that you should choose it only if you have wireless clients that don't support WPA.

To configure the Linksys for WPA-PSK, select the WPA Pre-Shared Key option, as Figure 2 shows. The Linksys AP supports two WPA algorithms: TKIP and AES. TKIP is a stopgap measure that was designed to solve many of WEP's problems until the next generation of WPA (WPA2) was widely released. Although TKIP uses the same encryption algorithm as WEP, it addresses many of WEP's weaknesses by dynamically changing the key used to encrypt the data, encrypting configuration data that's clear text in WEP, and including a message integrity check. AES is a newer encryption algorithm that's exceptionally strong and supported in the WPA2 802.11i standard implementation but might not yet be supported on all hardware or software. Select AES if you can.

Next, enter a WPA Shared Key. You'll need to enter the same key on any clients you want to connect to the Linksys AP. Choose a long, hard-to-guess key. Linksys supports as many as 63 characters, and I recommend a key at least 20 characters long.

The Group Key Renewal field specifies how often (in seconds) the automatically generated key is changed. As I mentioned, the Linksys AP's default Group Key Renewal value is set to 1 hour, which is sufficient for most SOHO networks.

If your clients don't support WPA, definitely choose to configure WEP over nothing at all. To configure WEP on the Linksys WRT54G, select the Security Mode as WEP and choose a key to use as your default transmit key (i.e., choose a key numbered from 1 through 4) and the WEP encryption type, which is typically 64 bits or 128 bits (the longer the better) and hex or ASCII. In the Key field that corresponds to the default transmit key that you selected, enter the key. (For example, if you chose a 64-bit hex key, you could enter a 10-digit hex key such as af592de129.) Remember that you'll need to match this WEP key configuration on all your clients, so choose something that will work on all your devices.

For details about configuring WEP, see "Configuring Basic 802.11b Security," October 2002, InstantDoc ID 26355. WEP configuration varies across different vendors' products more than WPA configuration does, so you might find it a little more difficult to adapt my WEP instructions to your situation.

STEP 4: For Very Small Installations, Consider MAC Address Filtering
To provide some extra protection in very small deployments, you can use media access control (MAC) address filtering, which most wireless APs support. All wireless network adapters have a unique MAC address. You can see the MAC address of a client's adapter card by typing the following command at the client's command prompt:

ipconfig /all 

Type the MAC addresses of all the clients that you want to be able to access the wireless AP into the Linksys MAC Address filter, which Figure 3 shows. (Access this page from the Linksys AP firmware's Wireless tab.) Only the specified adapters will be able to connect to the AP.

MAC addresses can be spoofed by certain programs, and users sometimes swap their Wi-Fi network adapters, so although MAC address filtering stops the casual snoop, it isn't as secure as stronger authentication mechanisms such as WPA RADIUS using 802.1x. Keeping an upto-date MAC address list is also difficult to do for all but the smallest networks. However, MAC address filtering can help guard against someone obtaining the WPA shared key from an employee who has it, although a determined hacker can circumvent MAC filtering, too.

STEP 5: Isolate the Wireless AP
You'll also want to be conscious of where you connect your wireless AP to your network. The Linksys AP includes a firewall, and most users will use this device as their Internet gateway in addition to it being their wireless AP. If you don't trust your wireless network as much as your wired network or for more sensitive deployments, I recommend connecting your wireless AP between a firewall on your wired network and the Internet. By installing your wireless AP on a perimeter network, you can further restrict which computers on the internal network your wireless clients can access.

STEP 6: Configure the Clients
Setting up security on a wireless AP is only one side of the equation. You must also configure security settings on your wireless clients. For the latest features, you should upgrade your clients to XP SP2 and install the most recent wireless network adapter drivers. If possible, choose wireless cards that support WPA or WPA2. Current models of the Linksys wireless adapter with the latest firmware and drivers support WPA and WPA2 and both the TKIP and AES encryption algorithms.

To configure a wireless client with the same encryption settings as on your wireless AP, click Start, Connect To, Wireless Network Connection, View Available Wireless Networks, Change Advanced Settings. Go to the Wireless Networks tab, then click Add under Preferred networks to open the wireless network's properties dialog box. (Alternatively, right-click your wireless network adapter and click Properties.) Go to the Association tab, which Figure 4 shows.

To configure the client to connect to a wireless AP with a nondefault SSID, enter the network name (i.e., the SSID) of the wireless AP, in this case, private. If your wireless AP and other wireless clients support WPA-PSK and AES, choose those values for the Network Authentication field and Data encryption field, respectively. Then enter the shared key you entered at your wireless AP. That's all you need to configure on this dialog box. If you must use WEP, you'll need to change Network Authentication to open or shared, change the encryption type to WEP, and enter the key index and key that exactly match the key configuration on your AP. After your client settings match your wireless AP settings, the client should automatically connect and securely communicate with your wireless AP.

Guard Your Privacy
Wireless networks continue to proliferate, which is easy to see for yourself by simply taking a walk in any city with your Wi-Fi enabled laptop or PDA and witnessing all the open wireless APs inviting you to connect. Keep your network private by taking the simple steps outlined here to secure it.