Wireless LAN Security Basics


This article was published by ComputorEdge, issue #2539, 2007-09-28, as a feature article, in both their print edition (on pages 18 and 20) and their website.

Having a wireless local area network (LAN) in your home or office (or your combination of the two) can be a convenient way to access the Internet from any room, without having to run Ethernet cable from that room to your broadband modem or router. But an unsecure wireless LAN can be used by anyone else within range of your wireless access point. That person might be a friendly neighbor in a nearby apartment, who considerately minimizes their bandwidth usage, and never uses your Internet connection for illegal activity.

But it is just as possible, and perhaps more likely, that the person leeching your connection is using as much bandwidth as they want — perhaps even more than you do, and thus significantly slowing the rate at which your computer is able to download Web pages, as well as audio and video files. In addition, it will usually take longer for your Web page submissions to be uploaded, thereby increasing the number of timeouts and other problems encountered, such as when filling out order forms on e-commerce websites.

Even worse, Mr. or Mrs. Leech might be engaged in sharing files containing copyrighted content, such as music and movies. If they are uploading files through almost any of the peer-to-peer file sharing networks, or participating in unsecure torrents, then your broadband modem's IP address will be logged with those files. Consequently, you could end up receiving an extremely costly lawsuit from the RIAA, MPAA, or other organization that likely won't believe your assurances that your Internet usage was strictly legal.

There are a number of methods designed to secure the typical wireless network, and prevent unauthorized piggybacking on your connection; they have varying degrees of effectiveness and complexity. Just as the fabled three little pigs discovered, your network's safety depends primarily upon the building materials that you choose.

A House of Straw?

If your wireless network was set up with little or no thought to protecting it from unwanted intruders, then more than likely it is completely unsecure, and wide open to anyone who wants to use it, for whatever purposes.

If you are running Windows on your PC, then you can hover your mouse pointer over the Wi-Fi icon in the Windows system tray (which is on the far right end of your Windows taskbar, which is usually at the very bottom of the screen). The "tool tip" that appears should show the name of your wireless network. If it has the word "Unsecured" anywhere in it, then your network is exactly that — unsecure. (Linux and Mac systems have their own way of displaying the network security status.)

You definitely should have a firewall as part of your wireless or wired network setup. It can be either a hardware firewall, such as one built into your router, or a software firewall, running on your computer. But in either case, it is not going to prevent big bad computer wolves from hogging your Internet bandwidth. That is because the firewall filters out traffic not requested from within your network, but network traffic from an eavesdropper is considered legitimate by any firewall.

A House of Sticks?

Naturally, hardware manufacturers implemented some initial security measures against wireless LAN leeching, but with mixed results.

Wired Equivalent Privacy or Wireless Encryption Protocol (WEP) is a security method that uses either 128 or 256 bits to encrypt the network traffic that is broadcasted by WEP-enabled devices. Sadly, 128-bit encryption can be quickly cracked by freely available software, and 256-bit traffic is not much more secure, should the cracker be able to intercept and analyze more traffic, which can be induced. However, WEP is generally sufficient against unsophisticated eavesdroppers who lack the knowledge or intent to crack your system.

Other flawed security approaches include disabling Dynamic Host Configuration Protocol (DHCP), using Cisco's LEAP or EAP-FAST authentication, filtering Media Access Control (MAC) addresses, and suppressing the wireless signal via antenna placement or radio shielding paint. None of these methods are completely effective.

On the other hand, securing your home network is like securing the home itself: it's a numbers game. The more difficult that you make it for intruders to break in, the more likely they will go huff and puff against someone else's door — virtual or otherwise. With each layer of protection that you add, you may not be achieving 100 percent impermeability, but you will get closer with each step.

Some of these steps are easy to implement, and should not be neglected. For instance, log into your wireless router, and change the administration username and password from the factory settings. Router manufacturers tend to use a very limited set of usernames and passwords, and they are published online — making it easy for potential intruders to see if those default keys will fit your network door. As with any passwords, do not use any words that could be found in a dictionary, or any proper names; rather, use lengthy strings of random letters, numbers, and other characters.

A House of Bricks!

If you are serious about protecting your home or corporate wireless LAN from unauthorized usage, then it is worth your time, money, and effort to utilize the best solution available at this time, to maximize your system's security: Wi-Fi Protected Access (WPA and WPA2) was developed to shore up the weaknesses in WEP.

Under WPA, network traffic is encrypted using an RC4 stream cipher, which combines a 128-bit key and a 48-bit initialization vector. But it also utilizes the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys, thereby avoiding the key recovery vulnerabilities of WEP.

Unfortunately, if a Wi-Fi device offers both WEP and the superior WPA, the former is often the default option, and thus chosen by most consumers setting up their home networks. So be sure to choose WPA, and set the security passphrase to be as long and random as possible.

Wireless networking may involve more expense, difficulty, and risk than its wired counterpart, but you can significantly mitigate the security vulnerabilities by following the principles outlined above. Only by doing so will you ensure that the only people piggybacking on you, are your kids, when you take a break from computing.

Copyright © 2007 Michael J. Ross. All rights reserved.