| Welcome to part three of what was originally
meant to be a two part series on ‘An Introduction to Wireless Networking’.
We’ll take a closer look at the types of security that wireless networking
offers, I’ll give you some general tips and tricks and update you on some
of the latest news and statistics. |
If you missed the other articles in this series please go read:
Types of Security
In Part 1 of this series I mentioned WEP, SSID and MAC Address filtering as
three methods of wireless networking security. Here we will get to know a
little more about these and what other methods of security are available.
WEP (Wired Equivalent Privacy)
Developed in the late 1990s, WEP is a basic protocol that is sometimes
overlooked by wireless administrators because of its numerous vulnerabilities.
The original implementations of WEP used 64-bit encryption (40-bit + 24-bit
Initialization Vector). By means of a Brute Force attack, 64-bit WEP can be
broken in a matter of minutes, whereas the stronger 128-bit version will take
hours. It’s not the best line of defense against unauthorized intruders but
better than nothing and mainly used by the average home user. One of the
drawbacks of WEP is that since it uses a shared key, if someone leaves the
company then the key will have to be changed on the access point and all
client machines.
WEP2 (Wired Equivalent Privacy version 2)
In 2004, the IEEE proposed an updated version of WEP; WEP2 to address its
predecessor’s shortcomings. Like WEP it relies on the RC4 algorithm but
instead uses a 128-bit initialization vector making it stronger than the
original version of WEP, but may still be susceptible to the same kind of
attacks.
WPA (Wi-Fi Protected Access)
WPA provides encryption via the Temporary Key Integrity Protocol (TKIP)
using the RC4 algorithm. It is based on the 802.1X protocol and addresses the
weaknesses of WEP by providing enhancements such as Per-Packet key
construction and distribution, a message integrity code feature and a stronger
IV (Initialization Vector). The downside of WPA is that unless your current
hardware supports WPA by means of a firmware upgrade, you will most likely
have to purchase new hardware to enjoy the benefits of this security method.
The length of a WPA key is between 8 and 63 characters – the longer it is the
more secure it is.
WPA2 (Wi-Fi Protected Access version 2)
Based on the 802.11i standard, WPA2 was released in 2004 and uses a
stronger method of encryption – AES (Advanced Encryption Standard). AES
supports key sizes of 128 bits, 192 bits, and 256 bits. It is backward
compatible with WPA and uses a fresh set of keys for every session, so
essentially every packet that sent over the air is encrypted with a unique
key. As did WPA, WPA2 offers two versions – Personal and Enterprise. Personal
mode requires only an access point and uses a pre-shared key for
authentication and Enterprise mode requires a RADIUS authentication server and
uses EAP.
MAC Address Filtering
I covered this is Part 1 and talked about it briefly in the Troubleshooting
Wireless Networks Article, but it’s worth another mention for the benefit of
those who haven’t read my previous literature on the subject and also to
refresh one’s memory. MAC Address Filtering is a means of controlling which
network adapters have access to the access point. A list of MAC Addresses are
entered into the access point and anyone whose MAC address on the wireless
network adapter does not match an entry in the list will not be permitted
entry. This is a pretty good means of security when also used with a packet
encryption method. However, keep in mind that MAC addresses can be spoofed.
This type of security is usually used as a means of authentication, in
conjunction with something like WEP for encryption. Below is a basic image
demonstrating the MAC Address Filtering process:
A laptop, with MAC Address 00-0F-CA-AE-C6-A5 wants to
access the wireless network via the access point. The access point compares
this Address to its list and permits or denies access accordingly.
SSID (Service Set Identifier)
An SSID, or Network Name, is a “secret” name given to a wireless network. I
put secret in inverted commas because it can be sniffed pretty easily. By
default, the SSID is a part of every packet that travels over the WLAN. Unless
you know the SSID of a wireless network you cannot join it. Every network node
must be configured with the same SSID of the access point that it wishes to
connect, which becomes a bit of a headache for the network administrator.
VPN (Virtual Private Network) Link
Perhaps the most reliable form of security would be to setup a VPN
connection over the wireless network. VPNs have for long been a trusted method
of accessing the corporate network over the internet by forming a secure
tunnel from the client to the server. Setting up a VPN may affect performance
due to the amount of data encryption involved but your mind will be at rest
knowing your data is secure. The VPN option is preferred by many enterprise
administrators because VPNs offer the best commercially available encryption.
VPN software uses advanced encryption mechanisms (AES for example), which
makes decrypting the traffic a very hard, if not impossible, task.
For a clearer understanding of the VPN link method, see the image below.
There are various levels of VPN technology, some of
which are expensive and include both hardware and software. Microsoft does
however provide us with a basic VPN technology – commonly used in small to
medium enterprise networks - Windows 2000 Advanced Server and Windows Server
2003. These are more than capable of handling your wireless VPN
requirements.
802.1X
With 802.1X the authentication stage is done via a RADIUS server (IAS on
Windows Server 2003) where the user credentials are checked against the
server. When a user first attempts to connect to the network they are asked to
enter their username and password. These are checked with the RADIUS server
and access is granted accordingly. Every user has a unique key that is changed
regularly to allow for better security. Hackers can crack codes but it does
take time, and with a new code being generated automatically every few
minutes, by the time the hacker cracks the code it would have expired. 802.1X
is essentially a simplified standard for passing EAP (Extensible
Authentication Protocol) over a wireless (or wired) network.
Below is an image showing the 802.1X process.
The wireless client (laptop) is known as the
Supplicant. The Access Point is known as the Authenticator and the RADIUS
server is known as the Authentication server.
General Tips and Tricks
- When purchasing a wireless NIC card, try and get one that can take an
external antenna. This will allow you to change it for a stronger one if
ever required.
- When you are out and about with your Wi-Fi enabled laptop, disable
Microsoft File and Printer sharing (which enables other computers to access
resources on your computer) so as not to leave your computer vulnerable to
hackers.
- If you are concerned about the interference from other Wireless Access
Points or wireless devices in the area, set the AP and wireless clients to
use a non-overlapping channel such as 1, 6 or 11.
- Change the configuration interface password of the access point before
you enable it. This is more common sense than a tip but most people overlook
this part of setting up a wireless network.
- Only buy an access point that has upgradeable firmware. This will allow
you to take advantage of security enhancements or interface updates.
- On the same note as above, keep the access point firmware up to date.
Upgrade your firmware whenever a new one is available. It will probably
consist of a new or improved feature.
- When you are not using Wi-Fi on your Wi-Fi enabled laptop, turn it off.
As well as protecting yourself from hackers you will be saving battery
power.
- From time to time, scan the area for rogue access points. If an employee
went out and bought a cheap AP and NIC card, and plugged it into the
corporate network behind the firewall then all your hard work securing the
network will go out the window. This is commonly seen on university campuses
where students purchase hardware and setup a rogue access point in their
dorm rooms.
News and Statistics
Even though the approval of 802.11n isn’t expected until the end of 2006,
hardware manufacturers such as Belkin have already started to offer Pre-N
routers and wireless network adapters. These offer improved network speed and
range which would benefit users who wish to transfer larger files and stream
audio/video. With Pre-N, an Access Point and Wireless NIC Card 10 feet away
from each other have an average throughput of about 40mbps.
Hardware vendors, such as Linksys and D-Link have also announced the use of
MIMO (Multiple- In-Multiple-Out) in their products. MIMO allows the signal to
be bounced off several antennas and paths so that data delivery is guaranteed.
Basically, many unique data streams are passed in the same frequency channel.
It is a technology that allows for the boosting of wireless bandwidth and
range, effectively providing better performance for wireless multimedia and
entertainment systems.
In Part 2 (May 2004), I mentioned that there were about 30,000 hotspots
worldwide and that that number should grow to over 210,000 in the next five
years. The latest forecast indicates that by 2006 the number of worldwide
hotspots is predicted to rise to over 110,000.
The Wi-Fi market is booming with over 95% of all laptops shipped in 2005
being Wi-Fi enabled.
In the last quarter of last year, Wi-Fi hardware revenues grew by 17% over
the previous year.
Guest access looks set to be a key requirement for enterprises. The ability
to send and receive mail and access information on the enterprise servers
while attending a meeting at another company is a major plus for mobile
workers.
Wireless data revenues are set to grow to 130 billion US Dollars within the
next few years.
50% of hotels in the tourism industry deploy WI-FI themselves, without
using a service provider. They usually bill it to the room or offer it free as
an amenity to guests.
In a recent Poll, forty per cent of people said they would buy a cell phone
with Wi-Fi and only twelve per cent said they would want to get TV on their
cell phone. The possibility of using voWLAN (Voice Over Wireless Local Area
Network) is appealing to many business users. This would allow someone to use
GSM while out and about and switch to voWLAN as soon as they step back into
the office.
Conclusion
That concludes Part 3, and brings my Introduction to Wireless Networking
series to a close. I hope that they have made for an interesting read, and
given you a general insight into the world of wireless networking. There is no
doubt that wireless is a big thing of the future - the near future.
Convenience and mobility are just two of the benefits that attract
enterprise and home users alike. Will the world of networking ever be
‘completely’ wire free? I guess we’ll have to wait and see!
If you missed the other articles in this series please go read:
