OK – the last couple of entries got into some heavy lifting and some real learning on your part. Learning about what software needs to run, what services are running, updating them to keep current on security patches. We even talked about securing services listening for outside connections and limiting them to what is absolutely necessary. Now we’ll take a deep breath and get into another area… Wireless network security.
Wireless network information travels on radio signals and anyone with a wireless card and laptop can be on an “in the clear” network before they realize it. These days operating systems do a very good job of “automagically” configuring a wireless card for access when they’re in range. This can be a good thing and a bad thing. Easy access to the internet might be good, but that also may mean easy access to your network.
Fortunately the range of wireless networks is typically limited 200-500 feet at the most unless you’re really trying to extend the range. A good walkaround with a wireless card/laptop will give an idea of where your network is accessible from. Are your internal network shares password protected? Or are you defending more against intrusion from the internet. If you have wide open wireless access, you need to start thinking about what services are visible on the INTERNAL network as well.
OK – so you say, we only use the network for internet access, I don’t care if someone else uses it. What if that someone else uses your connection to send out a scam email? A virus? When the dots are being connected they will likely lead back to your internet connection. It might be worth securing it. How?
There are a number of ways to do this and I’ll just get into generic ideas. The simplest way to secure a wireless network is MAC address filtering. MAC addresses are unique addresses given to each piece of network hardware EVER made. Every network device has a unique MAC. It might look like this… 00:12:17:51:E3:7D and should show up in an ifconfig command under linux (ipconfig under windows) or may be written on the network device. MAC address filtering works this way, the wireless access point is told “I want to allow these trusted devices on the network”. Foolproof right? Wrong… Since the data is transfered in the clear it can be very easy for an attacker to collect enough information to guess why they can’t get on the network and ascertain which MAC addresses are legit. Further it’s possible to “spoof” or pretend to have a different MAC address and gain access.
Next up is WEP encryption. This comes in 64-bit and 128-bit varieties. 128-bit is all I’ll suggest. Unfortunately WEP can also be broken fairly quickly. The idea is that a WEP key is generated. The accesspoint has the WEP key and the clients use the same key (you’ll usually only have to enter it once.) The key is hexadecimal (0-9 and a-f are allowed), most programs will take a passphrase and then generate a key from that. Again, an attacker can listen and with current software WEP can be broken in about 5 minutes. It is at least some protection though. (Better than nothing). Combined with MAC address filtering it might prove fairly effective. At least we would hope that someone would move to “lower hanging fruit”.
The best option currently is WPA encryption. Currently I don’t know of WPA being broken. If you’re dealing with older hardware trying to connect wirelessly this may be a problem as some older devices may not support WPA. If everything you need to use can handle WPA, this would be THE best, most secure (currently) choice. The concept with WPA is similar to WEP, the communications are encrypted between the machines and the access point, the key is constantly changing though which prevents outsiders from gathering enough infromation to break the key.
Related PostsRelated Posts
- Network Security - how should an open wireless access point be run beside a safe network? So, let's say we want to have an open wireless access point for some reason. (Maybe offering it to guests if you're a business?) There are certainly a lot of BAD ways to give open wireless access. As we've seen in this series so far, it could be quite easy......
- Network security - what does arp spoofing mean for wireless? So, if you haven't already had enough cause to tighten your wireless security.... we've been talking about arp poisoning (spoofing) and the basic conclusion is that IF an attacking machine is on the same subnet as your machine (same IP address range), they can "own" all traffic from you machine......
- Network Security guide for the home or small business network - Part 6 - Secure your services This one is going to be tougher. Of what we've looked at so far this will probably take more work and learning than any of the others. The good news is, depending on your situation you may need to do less here. IF you have decided that your pc (or......
- How to Use Blog Networks to Promote Your Corporate Blog One of the biggest problems facing corporate bloggers is finding an audience. If you’re using your blog as a way to promote your company’s products, it is vital to quickly build up a strong readership. This is not an easy task, and even though paid promotion can be helpful, there......
- D-Link Announced 2 new 2-Bay Network Storage Devices Two new Network Storage Devices from D-Link D-Link today announced that its ShareCenter® 2-Bay Network Storage devices, the DNS-320 and DNS-325, are now available. Building off of the successful DNS-321 and DNS-323, the new DNS-320 and DNS-325 provide centralized storage, enabling consumers to easily share documents, files and digital media......
- Save Time, Money and Space in Over 80 Ways If you're looking for handy gadgets, tools and various items that can save you time, money or space (or all three!) this list of more than 80 top products is just what you need. Everyone's got saving money on their minds these days- whether your at the grocery store, or......
- Network Security – how should an open wireless access point be run beside a safe network?
- Network security – what does arp spoofing mean for wireless?
- Free Nationwide Wireless?
- The D-Link DWL-800AP+ as a wireless repeater to extend wireless range – Part 3
- The D-Link DWL-800AP+ as a wireless repeater to extend wireless range – Part 4