OK – the last couple of entries got into some heavy lifting and some real learning on your part. Learning about what software needs to run, what services are running, updating them to keep current on security patches. We even talked about securing services listening for outside connections and limiting them to what is absolutely necessary. Now we’ll take a deep breath and get into another area… Wireless network security.
Wireless network information travels on radio signals and anyone with a wireless card and laptop can be on an “in the clear” network before they realize it. These days operating systems do a very good job of “automagically” configuring a wireless card for access when they’re in range. This can be a good thing and a bad thing. Easy access to the internet might be good, but that also may mean easy access to your network.
Fortunately the range of wireless networks is typically limited to 200-500 feet at the most unless you’re really trying to extend the range. A good walkaround with a wireless card/laptop will give an idea of where your network is accessible from. Are your internal network shares password protected? Or are you defending more against intrusion from the internet? If you have wide open wireless access, you need to start thinking about what services are visible on the INTERNAL network as well.
OK – so you say, we only use the network for internet access, I don’t care if someone else uses it. What if that someone else uses your connection to send out a scam email? A virus? When the dots are being connected they will likely lead back to your internet connection. It might be worth securing it. How?
There are a number of ways to do this and I’ll just get into generic ideas. The simplest way to secure a wireless network is MAC address filtering. MAC addresses are unique addresses given to each piece of network hardware EVER made. Every network device has a unique MAC. It might look like this… 00:12:17:51:E3:7D and should show up in an ifconfig command under Linux (ipconfig under Windows) or may be written on the network device. MAC address filtering works this way: the wireless access point is told “I want to allow these trusted devices on the network”. Foolproof, right? Wrong… Since the data is transferred in the clear, it can be very easy for an attacker to collect enough information to guess why they can’t get on the network and ascertain which MAC addresses are legit. Further, it’s possible to “spoof” or pretend to have a different MAC address and gain access.
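Because the filter only compares the address a device claims, it helps to review what the allowed addresses are actually doing. The following is an added example, not part of the original post: it normalizes MAC addresses and flags an allowlisted MAC that shows up under more than one hostname. The log format, the hostnames and the second allowlisted address are constructed for illustration.

```python
import re
from collections import defaultdict

# Allowlist as entered on the access point (second entry is constructed).
ALLOWED = {"00:12:17:51:e3:7d", "00:12:17:51:e3:80"}

# Constructed log lines in a made-up format: time, claimed MAC, announced hostname.
# The hostname is client-supplied too, so a mismatch is a hint, not proof.
SAMPLE_LOG = """\
09:01:12 DHCPREQUEST mac=00:12:17:51:E3:7D host=office-laptop
09:03:40 DHCPREQUEST mac=00-12-17-51-E3-80 host=front-desk
09:20:05 DHCPREQUEST mac=00:AA:BB:CC:DD:EE host=visitor
14:47:31 DHCPREQUEST mac=00:12:17:51:e3:7d host=unknown-box
"""

LINE = re.compile(r"^(\S+) DHCPREQUEST mac=(\S+) host=(\S+)$")

def normalize_mac(text):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:\-.]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def review(log_text, allowed):
    """Return (MACs outside the allowlist, allowed MACs seen with several hostnames)."""
    hosts = defaultdict(set)
    not_allowed = set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        mac = normalize_mac(m.group(2)) if m else None
        if mac is None:
            continue
        if mac in allowed:
            # The filter would admit this device: it only sees the claimed address.
            hosts[mac].add(m.group(3))
        else:
            not_allowed.add(mac)
    suspicious = {mac: sorted(h) for mac, h in hosts.items() if len(h) > 1}
    return sorted(not_allowed), suspicious

if __name__ == "__main__":
    outside, reused = review(SAMPLE_LOG, ALLOWED)
    print("not on allowlist:", outside)
    print("allowed MAC, multiple hostnames:", reused)
```
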
Next up is WEP encryption. This comes in 64-bit and 128-bit varieties. 128-bit is all I’ll suggest. Unfortunately WEP can also be broken fairly quickly. The idea is that a WEP key is generated. The access point has the WEP key and the clients use the same key (you’ll usually only have to enter it once). The key is hexadecimal (0-9 and a-f are allowed); most programs will take a passphrase and then generate a key from that. Again, an attacker can listen, and with current software WEP can be broken in about 5 minutes. It is at least some protection though (better than nothing). Combined with MAC address filtering it might prove fairly effective. At least we would hope that someone would move to “lower hanging fruit”.
The best option currently is WPA encryption. Currently I don’t know of WPA being broken. If you’re dealing with older hardware trying to connect wirelessly this may be a problem, as some older devices may not support WPA. If everything you need to use can handle WPA, this would be THE best, most secure (currently) choice. The concept with WPA is similar to WEP: the communications are encrypted between the machines and the access point. The key is constantly changing though, which prevents outsiders from gathering enough information to break the key.