OK – the last couple of entries got into some heavy lifting and some real learning on your part. Learning about what software needs to run, what services are running, updating them to keep current on security patches. We even talked about securing services listening for outside connections and limiting them to what is absolutely necessary. Now we’ll take a deep breath and get into another area… Wireless network security.
Wireless network information travels on radio signals and anyone with a wireless card and laptop can be on an “in the clear” network before they realize it. These days operating systems do a very good job of “automagically” configuring a wireless card for access when they’re in range. This can be a good thing and a bad thing. Easy access to the internet might be good, but that also may mean easy access to your network.
Fortunately the range of wireless networks is typically limited to 200-500 feet at the most unless you’re really trying to extend the range. A good walkaround with a wireless card/laptop will give an idea of where your network is accessible from. Are your internal network shares password protected? Or are you defending more against intrusion from the internet? If you have wide open wireless access, you need to start thinking about what services are visible on the INTERNAL network as well.
OK – so you say, we only use the network for internet access, I don’t care if someone else uses it. What if that someone else uses your connection to send out a scam email? A virus? When the dots are being connected they will likely lead back to your internet connection. It might be worth securing it. How?
There are a number of ways to do this and I’ll just get into generic ideas. The simplest way to secure a wireless network is MAC address filtering. MAC addresses are unique addresses given to each piece of network hardware EVER made. Every network device has a unique MAC. It might look like this… 00:12:17:51:E3:7D and should show up in an ifconfig command under Linux (ipconfig under Windows) or may be written on the network device. MAC address filtering works this way: the wireless access point is told “I want to allow these trusted devices on the network”. Foolproof, right? Wrong… Since the data is transferred in the clear it can be very easy for an attacker to collect enough information to guess why they can’t get on the network and ascertain which MAC addresses are legit. Further, it’s possible to “spoof” or pretend to have a different MAC address and gain access.
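Because a filter list cannot tell a trusted device from a copy of its address, it is worth reviewing which clients the access point has actually seen. The script below is an added example, not part of the original post: the log format, hostnames and every address other than the one quoted above are constructed for illustration.

```python
import re
from collections import defaultdict

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the 0x02 bit of the first octet is set, meaning the address
    was assigned in software rather than by the manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_clients(allow_list, log_lines):
    """Compare client sightings against the filter list.

    Each log line is 'timestamp mac hostname' (a constructed format).
    Returns a sorted list of (mac, finding) tuples.
    """
    allowed = {normalize_mac(m) for m in allow_list}
    hostnames = defaultdict(set)
    for line in log_lines:
        _ts, mac, host = line.split()
        hostnames[normalize_mac(mac)].add(host.lower())
    findings = set()
    for mac, hosts in hostnames.items():
        if mac not in allowed:
            findings.add((mac, "not on allow list"))
        elif len(hosts) > 1:
            # A trusted address announcing two different names may have been copied
            findings.add((mac, "allowed MAC seen with multiple hostnames"))
        if is_locally_administered(mac):
            findings.add((mac, "software-assigned address"))
    return sorted(findings)

# Constructed sample data; the first address is the example from the text
ALLOW_LIST = ["00:12:17:51:E3:7D", "00-1A-2B-3C-4D-5E"]
SAMPLE_LOG = [
    "2024-01-05T09:00:11 00:12:17:51:e3:7d office-laptop",
    "2024-01-05T09:02:40 001a.2b3c.4d5e printer",
    "2024-01-05T13:15:02 00:12:17:51:E3:7D unknown-host",
    "2024-01-05T13:20:45 02:00:5e:10:00:01 guest-phone",
]

if __name__ == "__main__":
    for mac, finding in audit_clients(ALLOW_LIST, SAMPLE_LOG):
        print(mac, "-", finding)
```

A hostname mismatch is only a hint, since a device can be renamed, but it is a cheap signal that a trusted address deserves a closer look.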
Next up is WEP encryption. This comes in 64-bit and 128-bit varieties. 128-bit is all I’ll suggest. Unfortunately WEP can also be broken fairly quickly. The idea is that a WEP key is generated. The access point has the WEP key and the clients use the same key (you’ll usually only have to enter it once). The key is hexadecimal (0-9 and a-f are allowed); most programs will take a passphrase and then generate a key from that. Again, an attacker can listen, and with current software WEP can be broken in about 5 minutes. It is at least some protection though (better than nothing). Combined with MAC address filtering it might prove fairly effective. At least we would hope that someone would move to “lower hanging fruit”.
The best option currently is WPA encryption. Currently I don’t know of WPA being broken. If you’re dealing with older hardware trying to connect wirelessly this may be a problem, as some older devices may not support WPA. If everything you need to use can handle WPA, this would be THE best, most secure (currently) choice. The concept with WPA is similar to WEP: the communications are encrypted between the machines and the access point. The key is constantly changing though, which prevents outsiders from gathering enough information to break the key.