Securing a WLAN for Home/Small Office

Security is an important concern on any network, but it's especially so for a wireless one. A wireless network is inherently less secure than a wired one because it eliminates many of the physical barriers to network access. Information travels back and forth through the air and is open to eavesdropping and interception. As a result, issues surrounding security come up in almost any discussion of implementing a WLAN.

Despite the implication of its name, WEP doesn't really provide privacy equivalent to that of a wired network. There are different levels of WEP available, depending on the type of hardware you are using. The strength of WEP is measured by the length of the key used to encrypt the data. The longer the key, the harder it is to crack (in terms of the time and computing power required). The encryption key used by WEP, regardless of its length, is static: it never changes unless the administrator periodically and manually changes it on all devices, a nearly impossible task in a large environment. This means that an intruder eavesdropping on wireless transmissions could monitor network traffic over time and gather enough information to decipher the key and decrypt the data. The heavier the network traffic and the more computing power the intruder has at his or her disposal, the less time it takes.

The second major weakness of WEP is that it does nothing to authenticate users on the network, which is why MAC address filtering was developed. However, a MAC address is a property of a network device, not of a user or even a computer. If an intruder stole a wireless NIC whose MAC address was in the allow list of an access point, they would be granted network access. In addition, MAC addresses can be spoofed.

A VPN is a secure network within the Internet. It uses the Internet as its WAN infrastructure. The main advantage of a VPN is that it provides a secure path to access a network remotely. It uses tunnels to hide the underlying information on the network being used. When the client establishes a connection with the server, the client authenticates with the server using normal authentication mechanisms such as a password. The client and server negotiate tunnel encapsulation and encryption mechanisms to create a security association. The client signs, encrypts, encapsulates and transmits the data, whereas the server de-encapsulates, decrypts and authenticates the client and data.

Choosing the Appropriate Wireless Security Strategies
A wireless router is actually wired to your Internet connection, either to a LAN or broadband modem that provides a connection to the Internet, but then communicates wirelessly with the other computers on your network. One can move around the home, school or business environment with a portable computing device (i.e., laptop, PDA) while staying connected. But because wireless LANs (WLANs) broadcast messages using radio waves, their communications are vulnerable to eavesdropping. Many people have taken to the streets to discover WLANs in neighborhoods, business areas, and schools, using their laptops or PDAs to gain access to resources located on the associated network.

WLAN security is very important, especially for applications handling valuable information, e.g. transmitting credit card numbers. Without basic security procedures in place, your information is vulnerable to outsiders, some of whom do not wish you well. A WLAN should therefore provide a range of different data encryption and station authorization access options so that each user can be given the appropriate level of security for their particular applications.

Data Encryption Protocols—Wired Equivalent Privacy (WEP)
WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. Every WEP packet is encrypted separately with an RC4 cipher stream generated by an encryption key. That key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key that's usually set by your wireless device. Combined, they have a total length of 64 or 128 bits, hence the popular names of 64-bit and 128-bit WEP keys (some vendors used to call the 64-bit key a 40-bit key, but they simply weren't including the 24-bit IV, so 64-bit and 40-bit WEP are the same thing). The transmitted packet is generated by a mathematical operation called 'bitwise exclusive OR' (XOR), applied to the packet sent to your network interface card (NIC) by your computer and the RC4 cipher stream. The same XOR operation is used to secure data in your RAID storage system or might be used to encrypt a virus.

The first problem with WEP is that every packet you send also includes the IV in plaintext; any would-be snooper can immediately see part of the key. The second problem with WEP is that, because the IV is only 24 bits long, you can only get 16,777,216 different RC4 encryption streams for every key, regardless of how long the rest of the key is. The plaintext IV is constantly reused, and it takes many packets to send even a quick "Hi, how are you?" instant message. In a high-use environment, e.g. a college campus, these streams can be used up within an hour. So it doesn't take long for an intruder to gather up enough packets to start cracking your messages.
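
The following Python sketch is an added example, not part of the original article. It builds the per-packet RC4 key as IV followed by WEP key, as described above, shows that two packets sharing an IV expose the XOR of their plaintexts, and estimates how quickly a 24-bit IV space repeats. The key, IV, payloads and the 5,000 packets-per-second rate are constructed values, and the frame layout is simplified (no key ID byte or CRC-32 integrity value).

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key schedule, then n bytes of cipher stream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, wep_key: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame body: 3-byte IV in the clear, then payload XOR RC4(IV || key)."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV is 24 bits; WEP key is 40 or 104 bits")
    return iv + xor(payload, rc4_keystream(iv + wep_key, len(payload)))

def leaked_xor(frame_a: bytes, frame_b: bytes):
    """If two frames carry the same IV, the cipher stream cancels: C1 ^ C2 == P1 ^ P2."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

def packets_for_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: packets with random IVs before a repeat has probability p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))

def hours_to_exhaust(packets_per_second: int, iv_bits: int = 24) -> float:
    """Time for a sequential IV counter to use every value once."""
    return 2 ** iv_bits / packets_per_second / 3600

# Constructed sample data (not from a real capture).
KEY = bytes.fromhex("0102030405")      # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")           # one IV reused for two packets
P1, P2 = b"GET /index.html ", b"user=alice&pin=1"
C1, C2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)

if __name__ == "__main__":
    print("C1 ^ C2 == P1 ^ P2:", leaked_xor(C1, C2) == xor(P1, P2))
    print("50% chance of a repeated random IV after", packets_for_collision(), "packets")
    print("IV space used up at 5000 pkt/s in %.2f hours" % hours_to_exhaust(5000))
```

Neither result depends on the length of the secret part of the key, which is why 128-bit WEP inherits the same weakness as 64-bit WEP.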

One can make the most of WEP by frequently updating the encryption key. This is not an easy task as WEP does not provide network key management. With almost all WLAN NICs and access points (AP), you have to manually reset WEP to the new IV on each and every device. That may only be annoying to do for a home or small office WLAN, but it is difficult and time consuming for network administrators with dozens or even hundreds of wireless-enabled devices. Not to mention that if you enter the IV wrong on a PC, its user will find that it can't get on the network. If you get it wrong on an AP, the entire area of the network that the AP serves will be out of action.

In a low utilization environment, such as a home or small business network, WEP does a good job of keeping casual intruders out. Small offices and home environments with security concerns should update their WEP at least once a week, while companies with ten or more wireless PCs with sensitive information should change the WEP daily.

Client Authorization Access—MAC Filtering
Every piece of network hardware ever made has a MAC (Media Access Control) address. APs that support MAC filtering let you specify a list of MAC addresses that may connect to it, and thus will grant access to the WLAN to any computer that is using a NIC whose MAC address is on its "allow" list. Any MAC address not explicitly defined will be denied access.


Originally, MAC addresses had the benefit of being both unique (no two network devices have the same MAC address) and permanent (they're "burned" into the hardware, and cannot be changed). At that time a MAC address was an attribute of the NIC, not the computer it's in; and the only time a MAC address could be tied to a computing device was when it had a built-in WLAN adapter, as many laptops do these days. Today this has changed: the MAC address can be changed, in some cases via software. For example, WLAN cards can be loaded with firmware that does not use the built-in MAC address but instead uses a randomly chosen one (ad hoc mode) or a deliberately assigned, spoofed address. And most cable/DSL routers support "MAC address cloning", a simple way to change the MAC address.

In many cases MAC addresses have to be entered manually in an AP, making it a difficult and time-consuming task for network administrators with dozens or even hundreds of wireless-enabled devices in a large WLAN. (Newer APs provide MAC listings from which you simply choose.) And in a large environment each AP needs to have access to this list. Plus, MAC filtering is not foolproof; an AP cannot account for intruders who use WLAN cards with spoofed MAC addresses. Using these spoofed addresses, an intruder can impersonate legitimate users.

In a low utilization environment, such as a home, MAC filtering is a simple system of defense for any home user. It must always be used along with something else as soon as you handle anything such as credit card information. MAC filtering, as has been implied, does not encrypt the packets in any form. Anybody can see all the information you are sending, whether or not they can connect to the AP.

Virtual Private Network (VPN)
In a VPN, two computers communicate through a VPN tunnel. Tunneling is the process of encapsulating packets within other packets to protect their integrity and privacy during transit. A tunnel performs such tasks as encryption, authentication, packet forwarding, and masking of private IP addresses. Think of a tunnel as a private link between the two computers; whatever one sends to the other is only visible to the other, even though it is sent through a public network like the Internet.

There are three protocols you need to know about -- PPTP, L2TP, and IPSec.

  • Point-to-Point Tunneling Protocol (PPTP)
    This was designed by Microsoft (and other companies) to create a secure tunnel between two computers. PPTP provides authentication and encryption services and encapsulates PPP packets within IP packets. It supports multiple Microsoft networking protocols such as LAN-to-LAN and dialup connections. However, it is proprietary and the encryption is weak.
  • Layer 2 Tunneling Protocol (L2TP)
    This works like PPTP, except that it does not include encryption. L2TP was proposed by Cisco Systems and like PPTP, L2TP supports multiple networking protocols.
  • IPSec
    This protocol addresses the shortcomings of L2TP by providing encryption and authentication of IP packets. As such, L2TP is often used together with IPSec to provide a secure connection.

PPTP and L2TP are among the most likely proposals as the basis for a new Internet Engineering Task Force (IETF) standard.