Wireless networks have become a reality for companies of all sizes. In small and midsized businesses (SMBs), wireless networks' low cost and ease of deployment can make them preferable to wired networks. Larger enterprises view wireless networks as facilitating employees meeting in rooms, lounges, and even cafeterias with their laptops to maintain network connectivity.

Along with the benefits of wireless networks comes a need to keep them secure. Wireless networks that aren't secured allow hackers and others who perhaps only want a free Internet connection virtually unrestricted access to your intranet. Unauthorized wireless networks aren't uncommon in large enterprises—workgroups or end users sometimes ignore corporate policy and install Access Points (APs) to meet a perceived need—but they can introduce a huge risk to the organization. Consider this: Sophisticated spammers and phishers are now leveraging unsecured wireless networks to send out bulk email messages. They drive around large metropolitan areas and business parks looking for vulnerable wireless networks and, when they find one, they configure their mobile systems to connect to that network; obtain a DHCP lease with valid IP address, DNS, and default gateway information; then send out their messages. If you've ever used a tool such as NetStumbler or the built-in wireless management tools available on most laptops and PDAs, you've probably come across unsecured wireless networks in the neighborhood where you live, in the area surrounding your business, or possibly within your own enterprise.

Owners of unsecured networks risk lost bandwidth on their Internet connection, virus and worm infection, and potentially even criminal or civil liability if their unsecured wireless networks are used to launch attacks against others. Let's look at some practical steps you can take to secure your wireless networks, methods to automate configuration-setting deployment, and tools you can use to probe for unsecured and unauthorized wireless networks.

Wireless Network Fundamentals
Before you can secure a wireless network, you need to understand some wireless networking basics. Wireless networks typically comprise APs and clients that have wireless NICs. APs and wireless NICs have transceivers or radios that they use to communicate with each other. Each AP and wireless NIC has a 48-bit media access control (MAC) address, which is functionally equivalent to an Ethernet address. APs bridge the wireless and wired networks, giving wireless clients access to wired networks. It's possible for wireless clients to communicate without an AP in ad hoc networks, but these aren't commonly found in enterprise environments. Every wireless network is identified by an administrator-defined Service Set Identifier (SSID). For wireless clients to communicate with an AP, they must be set to recognize the AP's SSID. If you have multiple APs in your wireless network and they share the same SSID (and the same authentication and encryption settings), your mobile wireless clients can roam among them.

The predominant wireless standard is 802.11 and its amendments. 802.11 defines a network that can operate at speeds up to 2Mbps. Amendments to the standard define faster data rates. The first, 802.11b, is the predominant profile but is fast being replaced by 802.11g. 802.11b wireless networks operate in the 2.4GHz range and offer speeds up to 11Mbps. The second amendment, 802.11a, was actually ratified before 802.11b but took longer to come to market. It operates in the 5.8GHz range and offers standard speeds of 54Mbps, with some vendors offering higher speeds up to 108Mbps in turbo mode. The third amendment, 802.11g, operates in the 2.4GHz range like 802.11b and offers standard speeds of 54Mbps and higher speeds up to 108Mbps in turbo mode. Most 802.11g wireless networks can be used by 802.11b wireless clients due to the backward compatibility that's built into the 802.11g standard, but actual compatibility varies depending on vendors' implementations. Much of the wireless equipment available today supports two or more of the 802.11 amendments. A new wireless standard, 802.16 (called WiMAX), is evolving to address a particular need for wireless access to businesses and homes from towers, much like cellular towers, and won't be considered here.

An AP's practical range, or coverage, depends on many factors including the 802.11 amendment and the frequency at which the equipment operates, the manufacturer, power settings, antennae, internal and external walls and fixtures, and topographical features. However, a wireless NIC attached to a high-gain directional antenna might provide access to your AP and wireless network from some considerable distance, perhaps up to a mile or so away depending on conditions.

The very public nature of the radio spectrum presents unique security challenges not present in wired networks. For example, to eavesdrop on communication over a wired network, you need physical access to a network component such as a LAN drop, switch, router, firewall, or host. For a wireless network, you need only a receiver, such as a common scanner.

Because of this openness, wireless standard developers created Wired Equivalent Privacy (WEP), although they made its use optional. WEP relies on a shared secret, or key, known by wireless clients and the APs they communicate with. The key can be used for both authentication and encryption. The encryption algorithm used by WEP is RC4. The length of the key is 64 bits, consisting of 40 user-definable bits and a 24-bit initialization vector. In an attempt to make wireless networks more secure, some wireless equipment manufacturers have developed extensions that support 128-bit and longer WEP keys consisting of 104-bit or longer user-defined keys and the initialization vector. WEP is available on 802.11a-, 802.11b-, and 802.11g-compatible equipment. However, despite the longer key lengths, WEP's flaws (including poor authentication mechanisms and encryption keys that can be broken through cryptanalysis) have been well documented, and WEP is no longer considered secure.
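The key construction described above can be seen in a short sketch, added here as an illustration and not taken from the original article or from any vendor's code. It builds a WEP frame body from a 24-bit IV and a 40-bit key, checks the CRC-32 integrity value on receipt, and shows that two frames sent under the same IV share one keystream; the key, IV and payloads are constructed sample values.

```python
import struct
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(length):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encapsulate(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV (clear) | key ID byte | RC4(IV || key) XOR (data | ICV)."""
    if len(key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP uses a 40- or 104-bit key and a 24-bit IV")
    body = data + struct.pack("<L", zlib.crc32(data))  # ICV is a CRC-32
    return iv + bytes([key_id << 6]) + xor(body, rc4(iv + key, len(body)))

def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    iv, cipher = frame[:3], frame[4:]  # the IV is read straight off the frame
    body = xor(cipher, rc4(iv + key, len(cipher)))
    data, icv = body[:-4], body[-4:]
    if struct.pack("<L", zlib.crc32(data)) != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return data

def same_iv_shares_keystream(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames under one IV satisfy c1 XOR c2 == p1 XOR p2."""
    c1 = wep_encapsulate(key, iv, p1)[4:]
    c2 = wep_encapsulate(key, iv, p2)[4:]
    return xor(c1, c2)[:min(len(p1), len(p2))] == xor(p1, p2)

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")  # the 40 user-defined bits
IV = b"\x00\x00\x01"               # the 24 bits sent in clear with each frame
if __name__ == "__main__":
    frame = wep_encapsulate(KEY, IV, b"hello wireless")
    print(frame.hex(), wep_decapsulate(KEY, frame))
    print(same_iv_shares_keystream(KEY, IV, b"frame one", b"frame two"))
```

Because only 24 bits of the per-frame RC4 seed change, a longer user-defined key does not enlarge the IV space, which is why the 128-bit extensions do not repair the design.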

In response to WEP's deficiencies, the Wi-Fi Alliance, an industry body with more than 200 members including Apple Computer, Cisco Systems, Dell, IBM, and Microsoft, developed Wi-Fi Protected Access (WPA). WPA improves WEP by adding the Temporal Key Integrity Protocol (TKIP) and strong authentication that uses 802.1x and the Extensible Authentication Protocol (EAP). WPA was intended to be a working standard that could be submitted for acceptance by the IEEE as an amendment to the 802.11 standards. The amendment, 802.11i, was ratified almost a year ago, and WPA was updated to WPA2 to support use of the Advanced Encryption Standard (AES) instead of WEP with TKIP. WPA2 is backward compatible and will interoperate with WPA. WPA was designed for use in enterprise networks with a supporting Remote Authentication Dial-In User Service (RADIUS) authentication infrastructure, but a version of WPA called WPA Pre-Shared Key (WPA-PSK) is supported by some manufacturers and is designed to be used in smaller environments. Like WEP, WPA-PSK relies on a shared secret, but WPA-PSK is more secure than WEP.

802.1x is often misunderstood. It's used to control access to ports on switches in wired networks and to APs in wireless networks. 802.1x doesn't mandate which authentication technique to use (you can use X.509 version 3 certificates or Kerberos, for example) and doesn't feature encryption or mandate its use.

3 Steps to Security
To secure a wireless network, you can use three mechanisms: Set the client and AP to know and use the same nondefault SSID, set the AP to permit communication only with clients whose MAC addresses are known to the AP, and force the client to authenticate to the AP and encrypt traffic. Most APs are configured with a default SSID, support for maintaining a list of MAC addresses for legitimate clients disabled, and a known shared secret for authentication and encryption purposes (or with no authentication or encryption whatsoever). These settings are usually documented in the online Help available from the manufacturer's Web site. These settings make it easy for an inexperienced user to get a wireless network up and running, but they also make it easy for a hacker to compromise the network. To make matters worse, most APs are configured to broadcast their SSID. Thus, an attacker can browse for default SSIDs to find vulnerable wireless networks.

Your first step in securing your wireless network is to change the SSID from your AP's default setting. You'll also need to change the setting on your clients to ensure connectivity with the AP. Consider setting the SSID to something that's recognizable to you and your users but that doesn't immediately identify your wireless network among other SSIDs that might be detectable to outsiders.

The next step is to consider disabling the AP's announcement of the SSID, if you can. This action makes it harder, but not impossible, for an attacker to discover the presence of your wireless network and the SSID. Some APs won't let you disable SSID broadcasting. In such cases, make the broadcast interval as long as possible. In addition, be aware that some clients can communicate only with APs that broadcast SSIDs. Thus, you might need to experiment with this setting to see what works in your situation.

Next, consider configuring your APs to allow access only to wireless clients with known MAC addresses. This step probably isn't feasible in a large organization, but for small businesses with only a handful of wireless clients, it's an excellent additional layer of defense. Attackers will then need to discover which MAC addresses are permitted to connect to APs in your enterprise and will need to change the MAC of their wireless NIC to a permitted address (note that some wireless NICs allow the MAC address to be overridden).

Choosing authentication and encryption settings can be the most challenging step in securing your wireless network. Before settling on the settings, you'll need to inventory your APs and wireless NICs to find out what security protocols they support, especially if you already have a wireless network in place or have a variety of equipment from different manufacturers. Some equipment, especially older APs and wireless NICs, might not support WPA, WPA2, or longer WEP key lengths.

Another situation to be aware of is that some early equipment requires users to enter a hexadecimal number representing a key, whereas other older APs and wireless NICs ask for a passphrase that's converted into the key, making it difficult to ensure that the same key can be used on all equipment. If you have such equipment, you can use resources such as the WEP Key Generator at http://www.andrewscompanies.com/tools/wep.asp to generate random WEP keys and convert passphrases to hex numbers.

In general, you should use WEP only when absolutely necessary. If you must use WEP, use keys that are as long as possible and consider running your wireless network in Open mode rather than Shared mode. When a network runs in Open mode, no authentication of clients is performed and anyone can connect to your APs. These preliminary connections consume some wireless bandwidth, but attackers who connect to the AP won't be able to communicate further with it because they don't know the WEP encryption key. And you can prevent even the preliminary connections by configuring your AP to accept connections only from known good MAC addresses. In contrast, an AP on a network running in Shared mode uses the WEP encryption key to authenticate wireless clients in a challenge-response exchange, and an attacker can cryptanalyze the authentication sequence to determine the WEP encryption key.

When WPA is an option, you'll need to determine whether to use WPA, WPA2, or WPA-PSK. The determining factor in whether you'll use WPA or WPA2 on the one hand or WPA-PSK on the other is whether you have or can deploy the infrastructure that WPA and WPA2 require to authenticate users. WPA and WPA2 require you to deploy RADIUS servers and possibly a Public Key Infrastructure (PKI). WPA-PSK, like WEP, relies on a shared secret that's known to the wireless client and AP. You can safely use a WPA-PSK shared secret for authentication and encryption because it doesn't suffer from the WEP vulnerability that allows the encryption key to be uncovered through cryptanalysis of the authentication exchange.
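How a WPA-PSK passphrase becomes the 256-bit key shared by client and AP, as an added example that is not part of the original article: IEEE 802.11i derives it with PBKDF2-HMAC-SHA1 using the SSID as the salt and 4,096 iterations, so the nondefault SSID from the first step also changes the derived key. The `audit` helper, its sample list of default SSIDs and its 20-character threshold are assumptions made for this illustration.

```python
import hashlib

# Illustrative sample only; extend it from your own vendors' documentation.
DEFAULT_SSIDS = {"linksys", "default", "netgear"}
MIN_RECOMMENDED_LEN = 20  # assumed guideline threshold, adjust to your policy

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, 4096, 32)

def audit(passphrase: str, ssid: str) -> list:
    """Return configuration findings for a planned WPA-PSK deployment."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: derived keys for common passphrases "
                        "can be computed in advance for this salt")
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append("short passphrase: the shared secret is only as "
                        "strong as the passphrase behind it")
    wpa_psk(passphrase, ssid)  # raises ValueError if the pair is invalid
    return findings

if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # Constructed sample configurations.
    print(audit("password", "linksys"))
    print(audit("correct horse battery staple 42", "Floor3-Ops"))
```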

As you would expect, APs from different vendors have their own distinctive UIs and configuration methods, so I can't provide one set of detailed instructions that will work for all of them. But the above information should help guide you through configuring your own APs.
