Wireless Security is the prevention of unauthorized access or damage to computers using wireless networks. The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA).
WEP is one of the least secure options available. A network that is secured with WEP has been cracked in 3 minutes by the FBI. WEP is an old IEEE 802.11 standard from 1999 which was superseded in 2003 by WPA, or Wi-Fi Protected Access. WPA was a quick alternative to improve security over WEP.
The current standard is WPA2; some hardware cannot support WPA2 without a firmware upgrade or replacement. WPA2 encrypts the network with a 256-bit key; the longer key length improves security over WEP.
Wireless security is used to limit the scope of users that have access to services you install when implementing a wireless access point or wireless router device. These devices are used to provide convenient intranet and/or Internet access without having to run cable through buildings or other areas of coverage where return on investment is low. There are two methods used with wireless systems today to limit access:
- Coverage Area
- Authentication and Authorization Mechanisms
Coverage Area
You can limit the coverage area of an access point by using an antenna suited to your coverage needs. This prevents your wireless signals from radiating beyond the intended coverage area. Unfortunately, with a suitable antenna in place on the receiver side, this method is easily defeated; the only limiting factor is whether an individual or group has enough interest and funding to buy better equipment.
Authentication and Authorization
You can also limit access to services by having proper authentication and authorization services in place that are required before wireless system access is permitted. This requires configuration of authentication services on your wireless devices which should include encryption in the transport.
Configure Wireless Security
Disabling SSID Broadcast
Some devices allow you to disable “SSID Broadcast”. Although this helps to limit who might see which networks are available to attack, knowledgeable attackers do not rely on SSID values to attack systems. SSID values can also be determined if an attacker is using a network sniffer with wireless capabilities. Disabling SSID broadcast also makes it more difficult for the intended users of the wireless network to configure and connect to the wireless network. This is considered to be a “security through obscurity” technique.
Picking an Encryption Technology
There are a few common encryption technologies used in wireless infrastructures today.
WEP or Wired Equivalent Privacy
WEP is usually found in 64-bit, 128-bit, and 256-bit implementations. WEP has been found to be weak cryptographically, and should not be used for any wireless infrastructure you would like to have secured. Choosing a good passphrase or password does not increase the level of security offered by WEP.
WPA – Wifi Protected Access
WPA is based on WEP, but the WPA algorithm changes the effective key more often. WPA is still weak cryptographically, so choosing a passphrase or password of 20 characters or more is important to keep your wireless network secure. If you use a good passphrase with WPA, it is believed that attacks are impractical.
WPA2 – the Second Generation of Wifi Protected Access
WPA2 uses new encryption technologies called AES or TKIP which are not based on WEP. WPA2 is the preferred encryption technology if it is available. As of March 13, 2006, all equipment using the WiFi trademark must be certified for WPA2.
Mixing WPA and WPA2 clients
Devices that support WPA2 mixed mode allow clients using both AES and WEP configurations to interoperate. This does not include broadcast and multicast traffic.
Encryption Keys
Encryption requires a key exchange so that the algorithms on both sides have a common starting point. Wireless devices usually provide two methods for key exchange: pre-shared keys (PSK or password) and enterprise (RADIUS). For individuals and small businesses it is better to use a pre-shared key mechanism. For environments that will have many different wireless access devices, enterprise is generally a better choice.
- Pre-shared keys – A pre-shared key is just a password or passphrase you configure on all of your wireless devices and clients so they can initiate communication. Selecting a good password is imperative in providing the proper level of security for your wireless network.
- Enterprise – Enterprise key exchange is usually provided by a RADIUS service. Both systems connect to the RADIUS system for the initial key exchange. This method makes it easier to manage more wireless devices and clients with less effort.
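The pre-shared-key exchange above starts from a passphrase that the access point and each client turn into the same 256-bit key. The Python example below is added here and is not part of the original article: it shows that passphrase-to-key mapping and a configuration check that enforces the 20-character minimum and the non-default SSID recommended elsewhere on this page. The DEFAULT_SSIDS list, check_psk_config and the sample SSID "kitchen-ap-7f3a" are constructed for the example.

```python
import hashlib
import secrets
import string

# Constructed sample of factory-default network names; "linksys" is the one
# the article itself cites. A real deployment would extend this list.
DEFAULT_SSIDS = {"linksys", "default", "wireless"}
MIN_PASSPHRASE_LEN = 20  # the 20-character floor recommended for WPA above


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal passphrase-to-key mapping (IEEE 802.11i Annex H.4):
    PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt, 256-bit output.
    The result is the Pairwise Master Key shared by access point and client."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def check_psk_config(passphrase: str, ssid: str) -> list:
    """Return the weaknesses of a PSK configuration (empty list = acceptable)."""
    issues = []
    if ssid.lower() in DEFAULT_SSIDS:
        # The SSID is the PBKDF2 salt: a default SSID lets precomputed key
        # tables be reused, while a unique SSID forces per-network work.
        issues.append("default SSID")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        issues.append("passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if passphrase.isdigit() or passphrase.isalpha():
        issues.append("passphrase uses a single character class")
    return issues


def generate_passphrase(length: int = 24) -> str:
    """CSPRNG passphrase mixing letters and digits; passes check_psk_config."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not (candidate.isdigit() or candidate.isalpha()):
            return candidate


if __name__ == "__main__":
    print("weak config:", check_psk_config("password", "linksys"))
    print("strong config:", check_psk_config(generate_passphrase(), "kitchen-ap-7f3a"))
    # Same passphrase, different SSID: an entirely different 256-bit key.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "linksys").hex())
```

The "password"/"IEEE" pair is the published IEEE 802.11i test vector, so the first printed key can be checked against the standard.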
Authentication and Authorization can be provided by many means including:
- MAC address filters
- Login and Password credentials validation
- Identity validation through public key encryption, soft-token, or certificates
- Identity validation through hard-token or key FOB
MAC Address Filters
MAC address filtering allows or blocks clients attaching to your wireless network using a look-up table. If the wireless network card's MAC address is on the list, the client is permitted or denied depending on how the list is configured. Unfortunately, a knowledgeable attacker can use a wireless network sniffer to capture the MAC addresses of currently connected systems and change their own MAC address accordingly. It is a trivial matter to change a system's MAC address. Because of this, this security technique is considered “security through obscurity.”
Login and Passwords
Some systems will not pass traffic from connected systems until the user authenticates with the wireless device. The authentication details may be stored in a table locally on the wireless device, or they may be checked remotely from the device using the RADIUS protocol, TACACS, or some other remote authentication technology.
Soft-tokens and Certificates
A soft-token is a software package installed on client systems that interacts with the authentication and authorization software on the wireless device to validate users. Certificates are special files installed on the client machine that must properly match up with certificate information on the wireless device to validate a wireless network client.
Hard-tokens and Fobs
Hard-tokens are small computing devices that use a challenge-response mechanism with the wireless device to validate a user or wireless network client. A Fob is a piece of hardware you can attach and detach from a client system that provides credentials to the wireless device for client validation.
Wireless Security Precautions
1. Change Default Administrator Passwords (and Usernames)
At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.
2. Turn on (Compatible) WPA / WEP Encryption
All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.
3. Change the Default SSID
Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.
4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to connections from those devices only. Do this, but also know that the feature is not as powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.
5. Disable SSID Broadcast
In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.
6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.
7. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.
8. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.
9. Position the Router or Access Point Safely
Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.
10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While it is impractical to turn the devices off and on frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power-cycle wear and tear, but this is a secondary concern for broadband modems and routers.