Securing Your Wireless Home Network Part 1

If you read the news — well, at least if you read the same networking news sources that we do — you’ve probably seen and heard a thing or two (or a hundred) about wireless local area network (LAN) security. In fact, you really don’t need to read specialized industry news to hear about this topic. Many major newspapers and media outlets — The New York Times, the San Jose Mercury News, and USA Today, among others — have run feature articles documenting the insecurity of wireless LANs. Most of these stories have focused on wardrivers, folks who park in the lots in front of office buildings, pull out their laptops, and easily get onto corporate networks.

In this topic, we talk a bit about these security threats and how they may affect you and your wireless home network. We also (helpful types that we are) give you some advice on how you can make your wireless home network more secure. We talk about a system called Wi-Fi Protected Access (WPA), which can make your network secure against most attacks, and also an older system called Wired Equivalent Privacy (WEP), which doesn’t do such a good job but may be the best you can do in many cases.

The advice we give in this topic applies to any 802.11 wireless network, whether it uses a, b, g, or n, because the steps you take to batten down the hatches on your network are virtually identical, regardless of which version of 802.11 you choose.

No network security system is absolutely secure and foolproof. And, as we discuss in this topic, Wi-Fi networks have some inherent flaws in their security systems, which means that even if you fully implement the security system in Wi-Fi (WPA or especially WEP), a determined individual could still get into your network. We’re not trying to scare you off here. In a typical residential setting, chances are good that your network won’t be subjected to some sort of determined attacker like this. Follow our tips, and you should be just fine.


Assessing the Risks

The biggest advantage of wireless networks — the fact that you can connect to the network just about anywhere within range of the base station (up to 300 feet, or even longer with the new 802.11n technology) — is also the biggest potential liability. Because the signal is carried over the air via radio waves, anyone else within range can pick up your network’s signals, too. It’s sort of like putting an extra RJ-45 jack for a wired LAN out on the sidewalk in front of your house: You’re no longer in control of who can access it.

One thing to keep in mind is that the bad guys who are trying to get into your network probably have bigger antennas than you do. Although you may not pick up a usable signal beyond a few hundred feet with that PC Card with a built-in antenna in your laptop PC, someone with a big directional antenna that has much more gain than your PC’s antenna (gain is a measure of a circuit’s ability to increase the power of a signal) may be able to pick up your signals, and you would never know it was happening.

General Internet security

Before we get into the security of your wireless LAN, we need to talk for a moment about Internet security in general. Regardless of what type of LAN you have — wireless or wired or using powerlines or phone lines or even none — when you connect a computer to the Internet, some security risks are involved. Malicious crackers (the bad guys of the hacker community) can use all sorts of tools and techniques to get into your computers and wreak havoc.

For example, someone with malicious intent could get into your computer and steal personal files (such as your bank statements you’ve downloaded by using Quicken) or mess with your computer’s settings — or even erase your hard drive. Your computer can even be hijacked (without your knowing it) as a jumping-off point for other people’s nefarious deeds; as a source of an attack on another computer (the bad guys can launch these attacks remotely using your computer, which makes them that much harder to track down); or even as a source for spam e-mailing.

What we’re getting at here is that you need to take a few steps to secure any computer attached to the Internet. If you have a broadband (DSL, satellite, fiber-optic, or cable modem) connection, you really need to secure your computers. The high-speed, always-on connections that these services offer make it easier for a cracker to get into your computer. We recommend that you take three steps to secure your computers from Internet-based security risks:

Use and maintain antivirus software. Many attacks on computers don’t come from someone sitting in a dark room, in front of a computer screen, actively cracking into your computer. They come from viruses (often scripts embedded in e-mails or other downloaded files) that take over parts of your computer’s operating system and do things you don’t want your computer doing (such as sending a copy of the virus to everyone in your e-mail address book and then deleting your hard drive). Choose your favorite antivirus program and use it. Keep the virus definition files (the data files that tell your antivirus software what’s a virus and what’s not) up to date. And for heaven’s sake, use your antivirus program!

Use a personal firewall on each computer. Personal firewalls are programs that basically look at every Internet connection entering or exiting your computer and check it against a set of rules to see whether the connection should be allowed. After you’ve installed a personal firewall program, wait about a day and then look at the log. You may be shocked and amazed at the sheer number of attempted connections to your computer that have been blocked. Most of these attempts are relatively innocuous, but not all are. If you have broadband, your firewall may block hundreds of these attempts every day.

We like ZoneAlarm (www.zonealarm.com) for Windows computers as well as the firewall built into Windows XP Service Pack 2 and Windows Vista, and we use the built-in firewall on our Mac OS X computers.

Turn on the firewall functionality in your router. Whether you use a separate router or one integrated into your wireless access point, it will have at least some level of firewall functionality built in. Turn this function on when you set up your router or access point. (It’s an obvious option in the configuration program and may well be turned on by default.) We like to have both the router firewall and the personal firewall software running on our PCs. It’s the belt-and-suspenders approach, but it makes our networks more secure.

Some routers use stateful packet inspection (SPI) firewalls, which examine each packet (or individual chunk) of data coming into the router to make sure that it was truly something requested by a computer on the network. If your router has this function, we recommend that you try using it because it’s a more thorough way of performing firewall functions. Other routers simply use Network Address Translation to perform firewall functions. This strategy isn’t quite as effective as stateful packet inspection, but it works quite well.

Airlink security

The area we focus on in this topic is the aspect of network security that’s unique to wireless networks: the airlink security. These security concerns have to do with the radio frequencies beamed around your wireless home network and the data carried by those radio waves.

Traditionally, computer networks use wires that go from point to point in your home (or in an office). When you have a wired network, you have physical control over these wires. You install them, and you know where they go. The physical connections to a wired LAN are inside your house. You can lock the doors and windows and keep someone else from gaining access to the network. Of course, you have to keep people from accessing the network over the Internet, as we mention in the preceding section, but locally it would take an act of breaking and entering by a bad guy to get on your network. (It’s sort of like it was on Alias, where they always seem to have to go deep into the enemy’s facility to tap into anything.)

Wireless LANs turn this premise on its head because you have absolutely no way of physically securing your network. Of course, you can do things like go outside with a laptop computer and have someone move the access point around to reduce the amount of signal leaving the house. But that’s really not 100 percent effective, and it can reduce your coverage within the house. Or you could join the tinfoil hat brigade ("The NSA is reading my mind!") and surround your entire house with a Faraday cage. (Remember those from physics class? We don’t either, but they have something to do with attenuating electromagnetic fields.)

Some access points have controls that let you limit the amount of power used to send radio waves over the air. This solution isn’t perfect (and it can dramatically reduce your reception in distant parts of the house), but if you live in a small apartment and are worried about beaming your Wi-Fi signals to the apartment next door, you may try this. It doesn’t keep a determined cracker with a supersize antenna from grabbing your signal, but it may keep honest folks from accidentally picking up your signal and associating with your access point.

Basically, what we’re saying here is that the radio waves sent by your wireless LAN gear will leave your house, and there’s not a darned thing you can do about it. Nothing. What you can do, however, is make it difficult for other people to tune into those radio signals and (more importantly) make it difficult for those who can tune into them to decode them and use them to get onto your network (without your authorization) or to scrutinize your e-mail, Web surfing habits, and so on.

You can take several steps to make your wireless network more secure and to provide some airlink security on your network. We talk about these topics in the following sections, where we discuss both easy and more complex methods of securing your network.

Getting into Encryption and Authentication

Two primary (and related) security functions enable you to secure your network: encryption and authentication.

Encryption: Uses a cryptographic cipher to scramble your data before transmitting it across the network. Only users with the appropriate key can unscramble (or decipher) this data.

Authentication: Simply the act of verifying that a person connecting to your wireless LAN is indeed someone you want to have on your network. With authentication in place, only authorized users can connect with your APs and gain access to your network and to your Internet connection.

No security!

The vast majority of wireless LAN gear (access points and network cards, for example) is shipped to customers with all the security features turned off. That’s right: zip, nada, zilch, no security. A wide-open access point sits there waiting for anybody who passes by (with a Wi-Fi equipped computer, at least) to associate with the access point and get on your network.

This isn’t a bad thing in and of itself; initially configuring your network with security features turned off and then enabling the security features after things are up and running is easier than doing it the other way ’round. Unfortunately, many people never take that extra step and activate their security settings. So a huge number of access points out there are completely open to the public (when they’re within range, at least).

We should add that some people purposely leave their access point security turned off to provide free access to their neighborhoods. But we find that many people don’t intend to do so.

With most wireless network systems, you take care of both functions with a single step — the assignment of a network key or passphrase (we explain later in this topic, in the section "Enabling encryption," where each of these is used). This key or passphrase is a secret set of characters (or a word) that only you and those you share it with know.

The key or passphrase is often known as a shared secret — you keep it secret but share it with that select group of friends and family whom you want to allow access to your network. With a shared secret (key or passphrase), you perform both of these security functions:

You authenticate users because only those who have been given your supersecret shared secret have the right code word to get into the network. Unauthenticated users (those who don’t have the shared secret) cannot connect to your wireless network.

Your shared secret provides the mechanism to encrypt (or scramble) all data being sent over your network so that anyone who picks up your radio transmissions sees nonsensical gibberish, not data that they can easily read.

The two primary methods of providing this authentication and encryption are

Wired Equivalent Privacy (WEP)

Wi-Fi Protected Access (WPA)

Note that there are two versions of WPA, WPA and WPA2, but we refer to them jointly as WPA except when discussing their differences.

We talk about the WEP and WPA security systems in more detail in the remaining parts of this topic. WEP, an older system, provides only a limited amount of security because certain flaws in its encryption system make it easy for crackers to figure out your shared secret (the WEP key) and therefore gain access to your network and your data.

WPA is the current, up-to-date, security system for Wi-Fi networks (there are several variants, which we discuss later in this topic), and it provides you with much greater security than does WEP. If you have the choice, always use WPA on your network rather than WEP.

The shared secret method of securing a network is by far the most common and the easiest method. But it doesn’t really provide truly bulletproof user authentication, simply because having to share the same secret passphrase or key with multiple people makes it a bit more likely that somehow that secret will get into the wrong hands. (In fact, some experts would probably hesitate to even call it an authentication system.)

For most home users, this isn’t a problem (we don’t think that you have to worry about giving Nana the passphrase for your network when she’s in town visiting her grandkids), but in a busy network (such as in an office), where people come and go (employees, clients, customers, and partners, for example), you can end up in a situation where just too many people have your shared secret.

When this happens, you’re stuck with the onerous task of changing the shared secret and then making sure that everyone who needs to be on the network has been updated. It’s a real pain.

These kinds of busy networks have authentication systems that control the encryption keys for your network and authorize users on an individual basis (so that you can allow or disallow anyone without having to start from scratch for everyone, like you do with a shared secret).

If you have this kind of busy network, you may want to consider securing your network with a system called WPA Enterprise and 802.1x. See the sidebar "802.1x: The corporate solution" later in this topic, for more information on this topic.

Introducing Wired Equivalent Privacy (WEP)

The original system for securing a wireless Wi-Fi network is known as WEP, or Wired Equivalent Privacy. The name comes from the admirable (but, as we discuss, not reached) goal of making a wireless network as secure as a wired one.

In a WEP security system, you enter a key in the Wi-Fi client software on each device connecting to your network. This key must match the key you establish when you do the initial setup of your access point or wireless router.

WEP uses an encryption protocol called RC4 to secure your data. Although this protocol (or cipher) isn’t inherently bad, the way that it’s implemented in WEP makes it relatively easy for a person to snoop around on your network and figure out your key. And after the bad guys have your key, they can access your network (getting into PCs and other devices attached to the network or using your Internet connection for their own purposes) or stealthily intercept everything sent across the wireless portion of your network and decode it without your ever knowing!

It doesn’t take superhacker skills to do this either — anyone with a Windows or Linux or Mac PC with wireless capabilities can download free and readily available software from the Web and, in a short time, figure out your key.

How about a bit more about WEP?

WEP encrypts your data so that no one can read it unless they have the key. That’s the theory behind WEP, anyway. WEP has been a part of Wi-Fi networks from the beginning. (The developers of Wi-Fi were initially focused on the business market, where data security has always been a big priority.) The name itself reflects the intentions of the system’s developers; they wanted to make wireless networks as secure as wired networks.

To make WEP work, you must activate it on all the Wi-Fi devices on your network via the client software or configuration program that came with the hardware. And every device on your network must use the same WEP key to gain access to the network. (We talk a bit more about how to turn on WEP in the later section, "Clamping Down on Your Wireless Home Network’s Security.")

For the most part, WEP is WEP is WEP. In other words, it doesn’t matter which vendor made your access point or which vendor made your laptop’s PC Card network adapter — the implementation of WEP is standardized across vendors. Keep this one difference in mind, however: WEP key length. Encryption keys are categorized by the number of bits (1s or 0s) used to create the key. Most Wi-Fi equipment these days uses 128-bit WEP keys, but some early gear (such as the first generation of Apple AirPort equipment) supported only a 64-bit WEP key.

Many access points and network adapters on the market support even longer keys — for example, many vendors support a 256-bit key. The longest standard key, however, is 128 bits. Most equipment enables you to decide how long to make your WEP key; you can often choose between 64 and 128 bits. Generally, for security purposes, you should choose the longest key available. If, however, you have some older gear that can’t support longer WEP key lengths, you can use a shorter key. If you have one network adapter that can handle only 64-bit keys but have an access point that can handle 128-bit keys, you need to set up the access point to use the shorter, 64-bit key length.

Should you use WEP?

WEP sounds like a pretty good deal, doesn’t it? It keeps your data safe while it’s floating through the ether by encrypting it, and it keeps others off your access point by not authenticating them. But, as we mention earlier in this topic, WEP isn’t all that secure because flaws in the protocol’s design make it not all that hard for someone to crack your WEP code and gain access to your network and your data. For a typical home network, a bad guy with the right tools could capture enough data flowing across your network to crack WEP in a matter of hours.

Almost all APs, wireless routers or gateways, and network adapters now being sold support the newer (and much more secure) WPA protocol. And, almost any computer with Windows XP or Macintosh OS X will also have built-in support for WPA. So there are many good reasons to skip WEP entirely and just go with WPA.

But (there’s often a but in these situations) at times you may need to consider using WEP encryption. You run into this situation with certain pieces of Wi-Fi gear because you can’t have "mixed" encryption methods on the same network. In other words, you can’t have laptop A connected to the Wi-Fi AP using WPA and laptop B connected using WEP. It’s one security system or the other.

We say earlier in this topic that almost all PCs support WPA, but the dirty little secret of the Wi-Fi business is that not all Wi-Fi peripheral devices — such as wireless print servers, media adapters, and other non-PC devices — support WPA yet. Before you buy any of these devices, check the product specs and make sure you see WPA (or even better, WPA2) listed on that long list of acronyms of supported protocols and features.

If any device on your network doesn’t support WPA, you need to use WEP on that network. Similarly, if you have a device that doesn’t even support WEP (an exceedingly rare situation that we’ve only rarely run across), you can’t even use WEP on that network. We think that having WPA encryption on your network is darned important, so if you run into this situation, we highly recommend that you try to find devices that support WPA rather than weaken your overall network security.

A better way: WPA

If you can use WPA — meaning if your access point or wireless gateway and all the wireless clients on your network support it — you should enable and use WPA as the airlink security system on your network. WPA is significantly more secure than WEP and keeps the bad guys off your network much more effectively than any implementation of WEP.

Two variants of WPA are available: WPA and WPA2. The major difference between these two is the cipher, or encryption, system used to encode the data sent across the wireless network. WPA2 — which is the latest and most powerful wireless security system — uses a system called Advanced Encryption Standard (AES), which is pretty much uncrackable by mere mortals. But even the original WPA version (that’s just WPA to you and us), with its Temporal Key Integrity Protocol (TKIP), is much more secure than WEP.

WPA2 is also known as 802.11i. 802.11i is simply the IEEE (the folks who make the standards for wireless LANs) standard for advanced Wi-Fi security. WPA was a step toward 802.11i set by the Wi-Fi Alliance. WPA2 incorporates all the security measures included in 802.11i.

What’s better about WPA?

More random encryption techniques: WPA has basically been designed as an answer for all the current weaknesses of WEP, with significantly increased encryption techniques. One of WEP’s fatal flaws is that because its encryption isn’t sufficiently random, an observer can more easily find patterns and break the encryption. WPA’s encryption techniques are more random — and thus harder to break.

Automatic key changes: WPA also has a huge security advantage in the fact that it automatically changes the key (although you, as a user, get to keep using the same password to access the system). So, by the time a bad guy has figured out your key, your system has already moved on to a new one.

It’s possible to use an 802.1x system, as described in the sidebar "802.1x: The corporate solution," later in this topic, to provide automatic key changes for WEP systems. This is not something you would find in anyone’s home network, but some businesses use it, and it does indeed minimize the effect of WEP’s fixed keys.

More user friendly: WPA is easier for consumers to use because there’s no hexadecimal stuff to deal with — just a plain text password. The idea is to make WPA much easier to deal with than WEP, which takes a bit of effort to get up and running (depending on how good your access point’s configuration software is).

The type of WPA (and WPA2) we’re talking about here is often called WPA Personal or WPA PSK (preshared key). The more complex (and not suitable for the home) version of WPA/WPA2 that is often used by businesses is WPA Enterprise. We talk about WPA Enterprise in the sidebar titled "802.1x: The corporate solution."
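How the plain text password of WPA Personal becomes a key, next to the hexadecimal keys WEP expects, as an added example that is not part of the original text. It relies on two facts from the 802.11 standards that the text does not state: a WPA/WPA2 passphrase is stretched into a 256-bit preshared key with PBKDF2-HMAC-SHA1 (4,096 rounds, the network name as salt), and the nominal 64-bit and 128-bit WEP sizes include the 24-bit IV. The function names and the network name HomeNet are made up for illustration.

```python
import hashlib
import string

# Hex digits typed by the user -> (nominal WEP bits, bits that are secret).
# The remaining 24 bits are the per-frame IV, which is not secret.
WEP_HEX_DIGITS = {10: (64, 40), 26: (128, 104)}


def wep_secret_bits(hex_key: str):
    """Map a hexadecimal WEP key to (nominal bits, secret bits)."""
    if any(c not in string.hexdigits for c in hex_key):
        raise ValueError("WEP key must contain only hexadecimal digits")
    if len(hex_key) not in WEP_HEX_DIGITS:
        raise ValueError("expected 10 or 26 hexadecimal digits")
    return WEP_HEX_DIGITS[len(hex_key)]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 Personal key from passphrase and SSID."""
    # Exactly 64 hex digits means the raw key was entered directly.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample values, not keys from any real network.
    print("WEP 26 hex digits:", wep_secret_bits("0123456789abcdef0123456789"))
    for ssid in ("IEEE", "HomeNet"):
        print(ssid, wpa_psk("password", ssid).hex())
```

The same passphrase yields a different key on each network name, so changing the SSID from the factory default changes the key as well as the label.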
