Wi-Fi

Use WEP to improve security on your wireless network

Configure WEP correctly the first time by reading this Daily Drill Down from Laura Taylor. She covers the process from access point installation to adapter card configuration using the Cisco Aironet 350 wireless system as her model.

Wired Equivalent Privacy (WEP) is an optional IEEE 802.11 feature used to provide data confidentiality. In short, WEP is used to encrypt and decrypt data signals transmitted between Wireless LAN (WLAN) devices. WEP works by encrypting the wireless radio frequency traffic between the access point and the client device, and it is the minimum amount of security you should have enabled on your WLAN. Without WEP, hackers can obtain information about your wireless network from a sniffer trace and can then join it without your knowledge. Since your wireless Service Set Identifier (SSID) is sent over the air in cleartext, you need WEP to encrypt your data and protect it from hackers. WEP itself is not the strongest type of security you can implement on a wireless network, but it is one of the easiest ways to strengthen your wireless network's security.

This Drill Down provides methods for using and configuring WEP on Cisco Aironet 350 Series Wireless LAN components. The Aironet 350 Series Wireless LAN product line is a set of wireless access devices that include access points and client adapters that can pass packets at speeds up to 11 Mbps. Before you can use and configure WEP, you'll need to install and configure the devices that use WEP.

Note
Though the Aironet 350 Series offers several wireless adapters, I'm going to use the PCMCIA adapter for the purpose of this lesson, since most of the time, when you use a wireless network, you'll be using it on a laptop.

The Aironet 350 wireless LAN adapter has a list price of $169 (PCMCIA version) for a single card, which includes the drivers for all platforms. This means that you can use the same card for Linux, Windows, Mac OS, or even MS-DOS. The Windows platforms it runs on include Windows 9x, Windows CE, Windows Me, Windows NT, Windows 2000, and Windows XP. All of the Windows platforms have slightly different installation and configuration procedures. I'll tell you how to set it up for Windows 98.

Your task list
Here is a summary of the steps you'll need to follow to get your WEP-enabled adapter and access point up and running:
  1. Install the wireless access point.
  2. Configure the WEP security features of the access point.
  3. Install the Cisco Aironet PC350 wireless LAN adapter device driver.
  4. Configure and enable WEP for the adapter card on your laptop.

Install the access point
Your access point operates in the 2.4-GHz band, similar to how a cordless phone works. Like a cordless phone, your access point has an antenna on one side and a wired connection on the other. Your WEP-enabled client adapter talks to the antenna, which then sends the data through the wire to wherever it's headed. If it sounds simple, that's because it is.

First, you'll want to connect an RJ-45 Ethernet cable to the Ethernet port on the back of the access point. You might expect the Aironet PC350 to come bundled with an RJ-45 cable, but it doesn't, so you'll have to purchase one separately if you don't already have one. Connect the other end of the Ethernet cable to your 10/100 Ethernet LAN.

A power adapter comes with the access point, and after you plug it in to your electrical outlet, plug the connecting wire into the back of the access point. When you see the LEDs blink amber, red, and then green, you're juiced with power and ready to configure WEP.

Configure the WEP security features of the access point
Your access point comes with a default IP address of 10.0.0.1. Your laptop must be on the same IP network as the access point, so the network octet (or octets) of your laptop's IP address must match the access point's. To do this, I recommend changing the IP address on your laptop to a unique host address on the same network as your access point.

The access point comes with a Web-enabled installation Wizard that guides you through the configuration process. Enter the IP address of the access point in your Web browser like this:
http://<ipaddress>/

Don't forget to put the trailing slash on the end. Your browser will then map to a Web page on the access point that will bring up the Summary Status page (see Figure A).

Figure A


Once you are on the Summary Status page, you'll see various menu options on a row of buttons at the top. From the Summary Status page, click on the Setup button. Once you are on the Setup page, click on Hardware to see the AP Radio Hardware page.

The most important thing on the AP Radio Hardware page to fill in is a unique SSID. The SSID is a unique name you give to your access point. For the rest of the information on this page, you can just accept the defaults. On the bottom of the AP Radio Hardware page, click the link that says Radio Data Encryption.

Figure B


The AP Radio Data Encryption page (see Figure B) is where you enter your WEP keys and select the key sizes. You can choose between 40- and 128-bit encryption for each key. How you set up WEP on your access point needs to match how you set up WEP on your adapter. You need to select one key for the transmit key (as a matter of best practice standards, select WEP Key 1 for the transmit key). Select 128-bit encryption because it is more secure and it is very unlikely that you will notice any performance delays due to the higher encryption.

WEP on the access point for enterprise networks
If you're in an enterprise corporate environment, I suggest you enable broadcast key rotation for added security. Enabling broadcast key rotation eliminates the need to enter any keys in the boxes where it says Encryption Key because the keys will be automatically generated. However, broadcast key rotation is only available if you use a RADIUS authentication server with Dynamic WEP keys. When you enable broadcast key rotation, the keys constantly rotate, making them much harder for hackers to sniff with a protocol analyzer. To enable broadcast rotation, go back to the Setup page and then click on Advanced, which will take you to the AP Radio Advanced page (see Figure C).

Figure C


If you go about halfway down the AP Radio Advanced page, you will see a dialog box where you enter a value for Broadcast WEP Key Rotation Interval in seconds. A zero value means the keys will not rotate. Keep in mind that the faster the keys rotate, the more potential there is for transmission latency while the key resets. I recommend starting with a small value, and if you encounter performance problems, increase it until the performance problems stop. A value of 300 would cause your keys to change every 5 minutes. Changing your key every 4 hours (14,400 seconds) is a good value to start with.

WEP on the access point for SOHO networks
If you are setting up WEP on a small office network, you should stick to static WEP keys. This means that you will not want to enable broadcast key rotation. However, you can change the keys manually, and you should change them at least once a week to limit how long a key that a hacker has captured remains useful.

There is a feature called Temporal Key Integrity Protocol (TKIP) that adds extra security to compensate for not using broadcast key rotation. TKIP is a group of proprietary Cisco enhancements that include three methods of ensuring that your WEP keys cannot be cracked. One of the three TKIP features is Broadcast Key Rotation, which I mentioned earlier. The other two are Message Integrity Check (MIC) and Initialization Vector (IV) Hashing. SOHO users can turn on TKIP and MIC on the AP Radio Advanced page.

MIC prevents bit-flip attacks that occur when hackers intercept encrypted data and alter the bits slightly for the purpose of retransmitting them to destroy the integrity of the packet. IV Hashing modifies the headers of encrypted packets so that recurring patterns cannot be discovered or predicted by hackers. Along with regular WEP key rotation, these TKIP enhancements make WEP the most secure solution in wireless LANs today. Keep in mind that these are Cisco features that are above and beyond the 802.11b specification, so you will need a Cisco client card as well as a Cisco Access Point to enable these features.

Install the Cisco Aironet PC350 adapter device driver
After you insert the PCMCIA adapter into your laptop, Windows will automatically detect it, open the New Hardware Found window, and collect information about it to build the driver information database. When you see the dialog box that says Windows Is Searching For New Drivers, click Next, and you will see a list of driver types. From that list, pick Network Adapters and click Next. Your wireless card is just another kind of network adapter. The next dialog box will ask you for the location of the driver, and you should select Have Disk. Insert the CD-ROM that came with your card, and Browse to the Win98 path on the CD-ROM drive. Now click OK. On the next screen, you should see the Cisco Wireless LAN Adapter already selected where it says Select Device, but in case it's not, select it and click OK. The Wizard will find the installation files and display the name of the client adapter.

At this point, you may be prompted to enter the path to the Windows 98 operating system files. If the Windows 98 operating system files are already installed on your computer, put in this path name:
C:\Windows\Options\Cabs

If you are prompted for the Windows 98 operating system CD, insert the CD and Browse to the proper CD-ROM drive letter and pathname, which in most cases will be D:\Win98. Now click OK. The required files will start copying to the proper location, and after this is complete, a dialog box will appear that says the Add New Hardware Wizard installation is complete. Click on Finish and reboot the computer to complete the process.

When the computer comes back up, select the Cisco Systems Wireless LAN Adapter and click Properties. Click on the Advanced tab, and select Client Name. Type in your computer's name and then select SSID to type in your radio frequency (RF) network's SSID. Click OK to close the dialog box.

If you are using a static IP address, double-click My Computer | Control Panel | Network | TCP/IP Cisco Systems Wireless LAN Adapter. Click the Properties button, select Specify An IP Address, and enter the IP address, subnet mask, and default gateway address of the computer. Click OK. Then, in the Network window, click OK again and you'll be prompted to restart your computer. When your system comes back up, your driver will be properly installed.

Configure and enable WEP for the adapter card
To configure WEP for the adapter card, you first need to get to the Series Properties screen by double-clicking the Aironet Client Utility (ACU) icon on the desktop. At the Series Properties screen, click on Edit, which brings you to the System Parameters screen (see Figure D).

Figure D


In the client name field, enter your hostname and in the SSID1 field, enter the same SSID you entered when you configured the access point. Leave everything else on this screen as is, and click on the Network Security tab (see Figure E).

Tip
Do not leave the default SSID that comes with your adapter card in place. Having the correct SSID allows you to associate to the access point.

Figure E


Network Security screen setup
Your first task is to decide if you want to allow communication with both WEP and non-WEP devices. Typically, in both enterprise and SOHO environments, you don't want to allow associations to Mixed Cells (the check box at the bottom of the screen), which means that you won't be letting wireless laptops communicate with non-WEP devices.

You'll also want to choose between Open or Shared authentication located in the Access Point Authentication pane. Open authentication means that users with the correct SSID will be able to associate to your access point; however, without the right WEP keys, their packets will be dropped. In Shared mode, both an encrypted and clear-text version of their data will be transmitted. Typically Shared mode is preferable to Open since a user won’t associate to the access point without the right WEP key anyway.

Lastly, you need to decide whether you want to use static WEP keys or not. Static WEP keys don't change. Dynamic WEP keys are automatically generated and assigned to the adapter similar to how DHCP automatically generates and assigns IP addresses.

If you are on an enterprise network and have thousands of wireless clients, assigning WEP keys can be quite a task. Enterprise users should have selected broadcast key rotation on the access point, which means that the access point will use dynamic WEP keys. You want the adapter card and the access point to work together, so select the radio button that says Dynamic WEP Keys in the WEP pane. Always select the first key as your transmit key (just as you did on the access point), and use the same level of encryption that you used on the access point.

If you are on a SOHO network, you want to use static WEP keys. SOHO users should select the radio button that says Use Static WEP Keys and enter the same WEP keys that were used on the access point.

Number generator tips
Static WEP keys can be generated in either Hexadecimal or ASCII. For 40-bit keys, Hex keys must be 10 characters long and ASCII keys must be five characters long. For 128-bit keys, Hex keys must be 32 characters long and ASCII keys must be 16 characters long. Whatever value you put in for Key 1 on your access point has to match Key 1 on your Adapter Card. There is a very nice Hexadecimal Conversion Chart at the Nickel Business Services Home Search Tools Web site.

Note
Basically, each Hex character of a WEP key represents 4 bits and each ASCII character represents 8 bits. If you take the size of the WEP key in bits and divide by 4 for Hex, you get either 10 or 32 characters. If you divide by 8 for ASCII characters, you get 5 or 16 characters for the key. What you use for a key doesn't matter, as long as the Hex values range from 0-9 and a-f. With ASCII keys you can use any characters. One final tip: There is an easy-to-use 128-bit Hex key generator at Leemon Baird's Web site.
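The length rule in the Number generator tips and the Note above, together with the article's repeated point that the SSID, key size, transmit key and key value must be identical on the access point and the adapter, can be checked before you type anything into either device. The following Python script is an added example, not code from the article or from Cisco; the configuration dictionaries and the sample keys in it are constructed for illustration. It applies the article's rule (4 bits per Hex character, 8 bits per ASCII character) to any key size rather than only 40 and 128 bits, converts an ASCII key to its Hex spelling, generates a random Hex key from the operating system's CSPRNG, and reports which settings differ between an access point and a client.

```python
import secrets

# Bits carried by one character of each key format (the rule stated in the article).
BITS_PER_CHAR = {"hex": 4, "ascii": 8}
HEX_ALPHABET = frozenset("0123456789abcdefABCDEF")


def required_length(key_bits, fmt):
    """Number of characters a key of key_bits must have when written in fmt."""
    if fmt not in BITS_PER_CHAR:
        raise ValueError("format must be 'hex' or 'ascii'")
    per_char = BITS_PER_CHAR[fmt]
    if key_bits % per_char:
        raise ValueError("%d-bit key cannot be written in whole %s characters" % (key_bits, fmt))
    return key_bits // per_char


def validate_wep_key(key, fmt, key_bits):
    """Return (ok, reason): checks the length and, for Hex keys, the 0-9/a-f alphabet."""
    want = required_length(key_bits, fmt)
    if len(key) != want:
        return False, "expected %d %s characters for a %d-bit key, got %d" % (want, fmt, key_bits, len(key))
    if fmt == "hex" and not set(key) <= HEX_ALPHABET:
        bad = sorted(set(key) - HEX_ALPHABET)
        return False, "non-hex characters: %s" % "".join(bad)
    if fmt == "ascii" and any(ord(c) > 127 for c in key):
        return False, "ASCII key contains non-ASCII characters"
    return True, "ok"


def ascii_to_hex(key):
    """Hex spelling of an ASCII key, for a device that only accepts Hex entry."""
    return key.encode("ascii").hex()


def generate_hex_key(key_bits):
    """Random Hex key from the OS CSPRNG; 128 bits gives 32 Hex characters."""
    return secrets.token_hex(key_bits // 8)


def config_mismatches(ap, client):
    """List the settings that differ between the access point and the adapter.

    Each side is a dict (hypothetical layout, not a Cisco file format) with the
    keys: ssid, key_bits, transmit_key (1-based key number) and keys
    (a dict mapping key number to the Hex key value).
    """
    problems = []
    for field in ("ssid", "key_bits", "transmit_key"):
        if ap.get(field) != client.get(field):
            problems.append(field)
    idx = ap.get("transmit_key")
    ap_key = ap.get("keys", {}).get(idx, "")
    client_key = client.get("keys", {}).get(idx, "")
    if ap_key.lower() != client_key.lower():   # Hex case does not matter
        problems.append("key%s" % idx)
    return problems


if __name__ == "__main__":
    # Constructed sample: a 128-bit Hex key used as transmit key 1 on both sides.
    key1 = generate_hex_key(128)
    ap = {"ssid": "example-ssid", "key_bits": 128, "transmit_key": 1, "keys": {1: key1}}
    client = {"ssid": "example-ssid", "key_bits": 128, "transmit_key": 1, "keys": {1: key1.upper()}}
    print("key 1 valid:", validate_wep_key(key1, "hex", 128))
    print("mismatches:", config_mismatches(ap, client) or "none")
    print("40-bit ASCII key 'abcde' as Hex:", ascii_to_hex("abcde"))
```

Run it as a script to see the checks on the constructed sample; the functions can also be imported and run against the values you intend to enter on both devices.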
