How to beef up wireless security

Many organizations haven't implemented wireless networks because of security concerns. This article explains some of the security weaknesses of wireless networks and provides methods you can use to overcome them.

Wireless connectivity is the panacea for many of today’s network woes. It eliminates expensive cable runs and provides workers with more freedom: no more struggling with the short tether of a network cable. However, this freedom leaves many organizations worried about security. In this Daily Drill Down, I'll review some security methods you can use to protect your wireless network. I will also discuss the weaknesses of these security solutions and provide some mechanisms to overcome these weaknesses.

Unauthorized access to your network
If you have no security established on your wireless network, it's easy for someone to set up a system and break in. If you have DHCP set up, someone can even get IP address information automatically. Without DHCP, the hacker can simply use a wireless packet sniffer to determine the IP addresses of the stations already on the network and pick one that’s available.

One issue most organizations face is the false sense of security given by the corporate firewall. No matter how tight, big, or expensive the firewall is, it can’t prevent wireless signals from getting into the hands of hackers. Firewalls are put in place to prevent intruders from gaining access to the internal systems. However, when someone drives up and logs on to the wireless network, there's typically no barrier between them and those sensitive internal systems.

Security options
To secure your wireless LAN, consider the following options:
  • Service set identifier (SSID)
  • Wired equivalent privacy (WEP) protocol
  • VPN
  • MAC restrictions

Service set identifier
The SSID is designed to allow two wireless LANs to operate in close proximity. The SSID is used on the client and the access point to bind their communications together.

If the SSIDs don't match between an access point and the network card, there is no communication between the two. Because of this, some administrators believe they can just change the SSID and no one will be able to access their wireless network. Since there’s no SSID match, there’s no risk of unauthorized users gaining access. Although changing the SSID is an important step in securing the wireless network, it alone does not guarantee the network's security.

To set the SSID on a Windows 2000 machine, open the Properties window of the network adapter. Click the Configure button and then select the Advanced tab. From the Advanced tab, select SSID from the Properties listing and enter the correct SSID in the Values field. Click OK and the SSID will be set.

Is your SSID really set?
If you want to make sure your SSID is set, there are a variety of programs that allow you to search for and find wireless LANs. (NetStumbler is one such program.) These programs can interrogate the access points in the area to determine the SSID. Also, since the SSID is routinely transmitted on the wireless network, it can be observed with a wireless packet sniffer (such as Sniffer Wireless).

Although there is no real weakness to overcome with the SSID, the point is simply to make sure that you keep these IDs private. Don't release them into the hands of anyone unless that person has a need for that knowledge (such as a member of the IT staff). If someone has the SSID of your access point, he or she is one step closer to breaking and entering.

Wired equivalent privacy protocol
The solution to prevent eavesdropping is encryption. Since security is so important for a wireless LAN, the adopted standard has been defined as an encryption mechanism supported by both access points and network cards. The WEP protocol supports two different key lengths: 40-bit and 128-bit. As with other encryption mechanisms, the longer the key the more secure the communication.

WEP will eliminate the ability for someone to walk up and listen to packets crossing your wireless network and will prevent such people from joining the network. Unfortunately, WEP isn't flawless; it can be cracked with the right tools. One such tool is AirSnort for Linux. AirSnort captures and simultaneously tries to crack the WEP key being used on a wireless network. According to statistical models, nearly 5 million packets must be transmitted across a network for tools like AirSnort to be able to crack WEP. The number of packets that will be on your wireless network in a given day varies substantially, but a busy wireless network could transmit more than 5 million packets a day. So in some cases, a hacker could use AirSnort to crack your WEP key and break into your wireless network.

The biggest problem with this type of attack is that it can’t be detected. The machine running AirSnort can be set up to not broadcast a single packet, so it’s impossible to know that someone is listening to the network trying to determine the WEP key. Once the hacker has the WEP key, he or she can listen to all data transferred on the network and eventually join the network.

Another challenge of using WEP is that there’s no common method of updating WEP keys all at once. Since WEP keys are required for every device, a change in the WEP key means that you must update every device. Because this is such a tedious, time-consuming process, it's rarely done, which means once WEP is cracked or if someone who knows the WEP key leaves the organization, that person will likely have access to the network forever. My advice? No matter how much time it takes, if you know your WEP key has been compromised, change it.

Virtual private networking
A better approach to securing traffic on your wireless network is to have wireless users connect to a VPN server behind the wireless network. The VPN server is also connected to the local network and can route traffic from authenticated users on the wireless LAN to the local network.

The setup for a VPN server is more difficult than utilizing WEP; however, IPSec and PPTP don’t have the vulnerabilities that WEP does. IPSec and PPTP have both been used for quite some time, and no one has been able to break their encryption mechanisms, which makes the encryption provided by IPSec and PPTP secure, even in a wireless environment.

Additionally, a VPN server provides user-level authentication. This means you can control access to the network from each individual computer and on a user-by-user basis. For example, someone could steal a network card with a MAC address approved for use with the wireless network, but the person still couldn't access the network without a valid user name and password.

Learn more about setting up VPNs
For more information on VPNs, check out these TechProGuild articles:

VPNs are more complex to set up than the standard wireless network, add expenses to the network, and require processing time on the client workstations. Where WEP is implemented in the hardware of the network card, establishing a VPN requires your computer to perform the encryption manually.

In terms of complexity, a separate VPN server must be installed for use on the wireless network and all access points must remain on their own network. In most corporate environments, this would mean setting up virtual LANs (VLANs) on the existing switches. However, there are organizations that don’t have switches deployed across the organization that support VLANs, so setting up the wireless network could require a new set of cable runs.

Set up VLANs on a Cisco network
For more information on VLANs, check out Robert McIntire’s article on implementing VLANS in a Cisco switched environment.

MAC restrictions
Another method of security for your wireless network is to restrict the access points so that they only talk to specific MAC addresses. While WEP and VPN technologies encrypt all the data packets traveling across the network, MAC restrictions are focused on allowing only certain trusted network cards to communicate to access points.

MAC addresses
Media Access Control (MAC) addresses are physical addresses assigned to each card. These addresses are unique to each card. On enterprise class access points, you can establish a list of trusted MAC addresses. Then, each access point will only communicate with cards that have a MAC address in their list.

This additional layer of security is useful, but it has three primary limitations. First, the access points must have the capability to turn on MAC restrictions. Second, you must have control of the cards that can access the network. Third, the list of wireless cards accessing the network must be small enough to fit within the limitations of the access point to store the addresses, or the access points must be capable of fetching the approved MAC addresses from a central database.

In most cases, MAC restrictions are used in conjunction with WEP or a VPN to provide a secondary layer of protection. MAC restrictions wouldn’t be a good choice for an overall security solution.

A word of warning
In preparation for this article, I used the Mini Stumbler program on my Compaq IPaq Pocket PC. I found dozens of networks that were broadcasting their availability to the world. Just for clarity, I didn’t drive out of my way to find these either. Most of them were sniffable from the local interstate. Approximately 80 percent of these networks didn’t even use WEP to encrypt their data. If your company is serious about setting up a wireless network, consider using a VPN setup or purchasing a proprietary solution that can provide user-level security and an encryption mechanism that can’t be easily cracked.

Editor's Picks