WLAN Security – Networking with Confidence

Introduction

So you've just installed a new wireless local area network (WLAN) in your small business or home. The access point is on and connected, the client PCs are connected to the access point, allowing you to connect to others and the Internet without worrying about wires.

But unlike a wired network, you can't tell if an unauthorised person has accessed your WLAN. With WLANs you are using radio frequencies that in clear air have a range of up to 300 metres, so could somebody else be connecting into your system from the next street? With many WLANs the default settings make you vulnerable to eavesdropping. But don't worry: by taking a few simple steps, your wireless network can be as secure as a normal, wired LAN. In fact, some security experts even argue that WLANs can be more secure.

Note that a WLAN makes you no more vulnerable to attacks from worms, viruses and other such attacks, since they can be rebuffed by the network edge's defences, usually a firewall.

Online shopping is safe too. When conducting financial transactions over the airwaves, check for a padlock symbol on your browser's status bar. When active, the padlock means there is an encryption tunnel using SSL that scrambles all data between your browser and the remote server. This means that, even if your WLAN is not secure, while SSL is active any data transmitted between you and the remote server remains unreadable by others.

That said, there are steps you can take to reduce the likelihood of your WLAN allowing eavesdropping, and that's what the rest of this white paper is all about.

Why secure the WLAN?

If you only surf the Web and send occasional emails, the risk of being hacked appears low. However, it's not as simple as that. Firstly, if someone manages to hack into your WLAN and piggybacks onto your Internet connection, even if it's only a slow modem link, they are stealing your bandwidth. If they only download the odd email and Web page you might not notice, but if you start a big download and it takes an hour instead of a few minutes, it costs you time and money.

Worse, anyone on your WLAN will be using the same Internet protocol (IP) address as you. To others on the Internet they appear to be you – the intruder has hijacked your identity. This means that they could send spam, fill in forms on Web pages and generally be a nuisance at best or, at worst, conduct criminal acts. And when the authorities trace the IP address, they see yours, potentially rendering you liable for prosecution.

There's a honeypot effect too. A relatively new phenomenon known as warchalking also means that hackers can tell others where there's an accessible Internet connection by chalking marks on the pavement. A “free” Internet connection could entice others to come and piggyback your connection. Most of them do it not to steal data, but simply because they can.

So locking up your WLAN looks like a bright idea, and should help you sleep more soundly.

How much security is enough?

Security involves the application of common sense, bearing in mind the whole risk. The key is to reduce the risk to a level you're comfortable with.

For example, when deciding how much to spend on home security, you calculate how much security you need given the risks involved and balance that against the cost and any inconvenience it might entail.

It's the same when determining the right level of WLAN security. Questions to answer are:

- How valuable is the information you are guarding?
- How much inconvenience are you prepared to tolerate?
- How much are you willing to pay?

Let's examine the risks using a simple example.

For a home-based WLAN, the odds are low that anyone will want to steal information since its value to anyone else is likely to be minimal. However, they might want to steal your bandwidth.

This means you need to stop intruders connecting to the AP by using hardware filtering to disallow them from registering a client PC at the AP – see below for details. This is the minimum level of security you should apply. It also makes sense to prevent potential eavesdroppers from spying on your data stream, so a combination of filtering and encryption will provide all the security you need. Best of all, they require no intervention once you've configured the AP and clients, and they're free.

So there's no right or wrong answer to the question of how much security is enough – only you can determine the answer based on your individual circumstances. That said, it makes sense to use whatever security measures that come free with the system – if only for your peace of mind.

What security can you get now?

Help is at hand, and it's built into every standard WLAN for free. There's a number of steps you can take to minimise the risk of a WLAN break-in, the first being to change the default settings. That's because hackers can detect your AP's type and will know what the default settings are.

ESSID

Chief among these is the ESSID (Extended Service Set ID), or name of the WLAN. By default it's often “101” but it can be any string of up to 256 characters. Don't be obvious and pick the house or road name. Instead, think of it as a password and use a long name with both letters and numbers, making it harder to hack. Then configure the AP so that it does not broadcast the ESSID. In this way, only authorised clients can connect to your AP.

MAC address filters

Hackers don't have to be particularly determined to find out what WLANs are operational in their immediate vicinity and can often determine the ESSID. So there's a second layer of security you can adopt, the MAC (Media Access Control) address filter. A MAC address is a unique identity burned into every network adapter during manufacture, with no way of changing it. Using this filter, the AP maintains a list of MAC addresses and only permits those on the list to connect. No connection means no access to the rest of the network, such as the data on servers and client PCs.

The main drawback to MAC address filtering is the need to discover the MAC address of every client's adapter and enter it into the AP's settings fields. As a one-off task, it might take you half an hour from start to finish for say, half a dozen client machines. However, if a PC Card gets lost, you buy new ones, or you add or upgrade an AP, it can make for a lot of extra tedious typing. That said, for a small WLAN where such changes are infrequent, this might be almost all the security you need.

Encryption

Even if hackers can't get past your AP, they may still be able to access data that's traversing your WLAN. The way to protect data in transit is encryption, the WLAN encryption standard being WEP (Wired Equivalent Privacy). WEP works by encrypting traffic – scrambling it – as it leaves the AP or client PC and decrypting it on arrival.

Any encryption method, whether used by the ancient Greeks, the Nazis with their Enigma machine, or today's WLANs, needs a common key at both ends of the link or the result is gobbledegook. The longer the key, the lower the likelihood of someone breaking it through guesswork or, with the huge computing power available today, by brute force – by running through all the possibilities.

What this means in practice is that a WEP key must be at least 128 bits long to have a chance of defeating a potential interceptor, with 256 bits being many times more secure. Just as an example of how adding bits to encryption keys makes a real difference, consider this.

Under WEP, all encrypted packets use the first 24 bits for initialisation, the rest for data. This means that 64-bit encryption – actually 40 bits of which are data – provides just over one trillion combinations which, given today's computing power, would not take too long to crack. However, double the size of the encryption key and the number of combinations jumps exponentially to over 20 million trillion combinations. Double it again to 256 and the number is astronomical – 1.E+69 in scientific notation, a 69-digit number. If you have a spreadsheet handy, enter the number 2^256 – that's two to the power of 256 – and that's roughly the number of combinations a hacker would need to check to be sure of breaking the encryption.

The chances of anyone doing so are remote since they'd need to capture lots of data over a long period of time. Given WLANs' relatively short range, they would be highly visible for days if not weeks.

An extremely determined individual might feel it was worth the effort though, at which point, the WLAN's security is compromised and a change of key is required. This means tediously typing new keys into every client and AP. Far better to ensure things don't get that far by changing the key frequently, preferably for every packet that's sent over the WLAN. This is where future standards are headed and is the area we'll be exploring in the next section.

What do I do?

Linking the household's two laptops to the broadband connection and the office Ethernet network, I use an access point in the office and another on the ground floor, which allows me to work in front of the TV or in the garden when weather permits. Clients are set up so that only connections to an AP are permitted, not directly to other clients, so rogue clients cannot connect without going through the AP.

I live on a fairly busy street but I can see all round my house so anyone trying to hack into the WLAN by brute force will have to make themselves visible. That doesn't mean it's not worth taking basic precautions though, so the ESSID is changed to a long string of characters connected by numbers and symbols, ESSID broadcast is disabled, and WEP is enabled at full 256-bit strength. Enabling 802.1X would be pointless for a home network so it's switched off.

Other than that, the system is as secure as it both can and needs to be – and I always turn off the AP when leaving the house for a day or more, minimising the chances of an e-burglar gaining access without anyone noticing. Following these simple precautions will keep your WLAN safe and secure too.

Locking down

The next step is to lock down the AP. You'll notice that you can change the AP's settings over the WLAN. This is not a good idea. If a hacker gets into your network, they can also access your AP, altering the settings to suit them, not you. If they're clever, you might not even notice, even though someone else is accessing your connection. If they're not, your WLAN might even stop working.

Either way, make sure you only configure the AP over a wired connection. If you've got Ethernet use that or, better still, use the serial port connection if it's got one. Don't forget to change the default password where possible.

Authentication

The final layer of protection is individual authentication. The standard method of WLAN authentication uses the 802.1X protocol. If the protocol is enabled, unauthenticated users cannot get past the AP to access the rest of the network. It's built into Windows XP already and is embedded in the next-generation WLAN security standard – there's more on this in the Future Standards section below.

Future security standards

If the security technology we've got in WLANs isn't broken, why fix it? Basically, there are two main problems with the current standard. Firstly, with a powerful enough computer and enough traffic to analyse, a hacker can determine what your WEP key is and break it, rendering your wireless data stream vulnerable. Secondly, while MAC address filtering is not a bad way of rejecting unwanted intruders, it identifies the computer's WLAN adapter rather than the individual – what happens if someone steals your computer?

So the next generation of security standards, known as the WPA (Wi-Fi Protected Access), improves on what we've got now. Unlike today's static encryption keys, it uses a master password from which the system generates keys that change continuously using a protocol known as TKIP. Keys are never re-used, cutting the risk that a hacker will discover them. WPA also includes 802.1X, discussed earlier, which allows the system to check who's logging in against a central database of known users.

The good news is that you may be able to upgrade to WPA today, as it's designed to be a firmware upgrade. Upload the software into all your AP and client WLAN cards, reboot the AP and you're done!

Further into the future, a new standard known as 802.11i will be finalised, which will strengthen the encryption using a technique known as AES (Advanced Encryption Standard). WLAN hardware will need to be more powerful to run this complex encryption technique so you may need to replace your existing wireless network when AES arrives.

At a glance checklist

1. Change the default ESSID
2. Use WEP, with at least 128-bit encryption, 256-bit encryption is many times better
3. Add MAC address filters
4. Turn off ESSID broadcast
5. Lock down the access point's configuration interface
6. Don't worry!

Conclusion

Keeping your WLAN safe from intruders isn't complicated and can be as safe as you need it to be with a few simple precautions. The main thing to remember is that the risk you are willing to tolerate depends on how valuable the data is, balanced against the cost of implementing security measures, cost that's measured in both cash and extra time and inconvenience that security measures may add.

In practice, ensure that you change the defaults. Do just this and you're ahead of a huge number of very highly paid, network security professionals and that alone should make you feel good about your WLAN.

By Manek Dubash

Manek Dubash is a leading IT journalist, network specialist, former editor-in-chief of PC Magazine and a regular speaker at networking forums and events. With over twenty years' industry experience, he is now a director of Webster Buchanan Research, a global media and market intelligence company.

Copyright 2003 U.S. Robotics Corporation. All rights reserved. U.S. Robotics and the U.S. Robotics logo are registered trademarks of U.S. Robotics Corporation. Other product names are for identification purposes only and may be trademarks of their respective companies. Product specifications subject to change without
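
The at-a-glance checklist in this paper, turned into a settings audit; this is an added example and not part of the white paper. The record layout, the field names, `audit_ap`, the default admin password and the sample values are assumptions made for illustration; only the default ESSID “101” and the 24-bit initialisation figure come from the text.

```python
# Added example: audits a constructed AP settings record against the paper's
# checklist. All field names and sample values are hypothetical.
WEP_IV_BITS = 24  # per the paper: the first 24 bits are used for initialisation

def effective_key_bits(advertised_bits):
    """Secret key bits left once the 24 initialisation bits are subtracted."""
    return advertised_bits - WEP_IV_BITS

def audit_ap(cfg, vendor_defaults):
    """Return the list of checklist findings for one AP settings record."""
    findings = []
    essid = cfg.get("essid", "")
    bits = cfg.get("wep_key_bits", 0)
    # 1. Change the default ESSID; treat it like a password (letters and numbers).
    if essid == vendor_defaults["essid"]:
        findings.append("essid: still the vendor default")
    elif not (any(c.isalpha() for c in essid) and any(c.isdigit() for c in essid)):
        findings.append("essid: should mix letters and numbers")
    # 2. Use WEP with at least 128-bit encryption.
    if not cfg.get("wep_enabled"):
        findings.append("wep: encryption is off")
    elif bits < 128:
        findings.append(f"wep: {bits}-bit key leaves only {effective_key_bits(bits)} secret bits")
    # 3. Add MAC address filters (an allow-list with at least one entry).
    if not cfg.get("mac_filter_enabled") or not cfg.get("mac_allow_list"):
        findings.append("mac_filter: no allow-list in force")
    # 4. Turn off ESSID broadcast (a missing setting is treated as "on").
    if cfg.get("essid_broadcast", True):
        findings.append("essid_broadcast: still on")
    # 5. Lock down the configuration interface: wired only, new password.
    if cfg.get("admin_over_wlan", True):
        findings.append("admin: settings can be changed over the WLAN")
    if cfg.get("admin_password") == vendor_defaults["admin_password"]:
        findings.append("admin: default password unchanged")
    return findings

# Constructed sample data (not taken from any real device).
DEFAULTS = {"essid": "101", "admin_password": "admin"}
OUT_OF_BOX = {"essid": "101", "wep_enabled": True, "wep_key_bits": 64,
              "mac_filter_enabled": False, "mac_allow_list": [],
              "essid_broadcast": True, "admin_over_wlan": True, "admin_password": "admin"}
HARDENED = {"essid": "k7Rm2xQ9vT41zB", "wep_enabled": True, "wep_key_bits": 256,
            "mac_filter_enabled": True, "mac_allow_list": ["00:11:22:33:44:55"],
            "essid_broadcast": False, "admin_over_wlan": False,
            "admin_password": "constructed-Passphrase-83"}

if __name__ == "__main__":
    for name, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name, audit_ap(cfg, DEFAULTS) or "meets the checklist")
```

Settings that are absent from a record are treated as the unsafe value for broadcast and wireless administration, so an incomplete export is reported rather than silently passed.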
