Eight Steps Toward Securing A Wireless Network

Many of your customers may have resisted deploying wireless networking solutions because of security concerns. They know that an improperly configured wireless local area network (WLAN) can open their network to intrusion or attacks. If you can demonstrate that wireless networks can be secure, then you can also show them that the benefits of wireless,including employee mobility and the ability to meet their own customers' needs,greatly exceed the security risks.

In fact, there are eight steps you should take to ensure the security of your customers' WiFi networks:

1. Do a site survey.

2. Strike a balance between convenience and security.

3. Control transmission range.

4. Turn off SSID Broadcasts.

5. Change default passwords.

6. Employ WEP/WPA encryption.

7. Use MAC address filters.

8. Consider a wireless-VPN solution.

Let's look at each of these eight steps in detail.

Step 1: Conduct A Site Survey

The first step toward a secure WLAN deployment is to conduct a site survey. Several tools exist on the market that can help you perform a site survey. These include both freeware tools such as Network Stumber and commercial wireless packet sniffers such as AiroPeek from Wildpackets.

Why is a site survey so important element to WLAN security? Because it's where you can locate rogue access points or other unauthorized wireless devices that may already exist on the network. After all, a network's security is determined by its weakest link, and any open access point will be that weak link. A site survey also can help you to determine whether existing access points have been secured. Finally, a site survey can be a valuable tool for re-evaluating WLANs to maintain security. You can use Network Stumbler, for example, to determine key factors about access points in a WLAN.

As the following screenshot illustrates, Network Stumbler shows such data as MAC address (the unique serial number burned into network adapters to identify a network card), encryption level, SSID (Service Set Identifier) name, channels in use, and signal strength. This information can be used to map out a WLAN, validate that only authorized access points are installed, and ensure that those access points meet minimum company policies. To view the Network Stumbler screenshot, click here.

Step 2: Strike A Balance

Securing a WLAN involves striking a balance between convenience and security. So the next step is to determine exactly how the WLAN will be used.

The network's required level of security is determined by several factors. One of the first to consider is location and signal strength. For businesses that share office space or are located in an office building, reducing the range can prevent eavesdropping from external sources. It's accomplished by using directional antennas or by positioning access points away from windows and external walls. Some access points have adjustable transmission power, and this can also be used to reduce range.

In some environments, access points are configured for hot-spot use, giving any customer to have either paid or free access to the Internet. This convenience is found in a growing number of locations, including cafes and fast-food restaurants. Those hot-spot implementations typically use far lower levels of security than should be used in a business network. They choose these lower levels of security because the wireless infrastructure bypasses the internal business network and is connected directly to the Internet, thus providing the same level of protection from intruders that the business has already put in place.

Step 3: Turn Off SSID Broadcasts

One of the first items a wireless hacker looks for is a Service Set Identifier, or SSID. Each access point transmits a SSID, so client systems locate wireless networks and associate with the closest access point. One of the simplest ways to bring a little security to a WLAN is to turn off these SSID broadcasts. It helps delay unauthorized users from associating with the WLAN. The downside is that it may slightly complicate setting up client systems. The client systems will need to have the SSID manually inputted to connect to the WLAN.

The following screenshot shows how DLink's Routers support the ability to turn off SSID Broadcasting. To view the image, click here.

Step 4: Change Default Passwords

Most access points come pre-configured with a default password. For wireless hackers, those passwords and logon routines are common knowledge. So, regardless of the intended use of a WLAN, you should change its default passwords immediately. Fail to change those passwords, and you risk giving strangers full administrative access to a wireless device. That's something no business would want!

Also, many wireless routers provide DHCP (Dynamic Host Configuration Protocol) server functionality, which automatically assigns IP addresses and other information out to client systems. Disabling that functionality can significantly slow down eavesdroppers, too. But remember, once DHCP is turned off, all client systems will need to have that information assigned manually.

Step 5: Use WEP Encryption

When it comes to encryption, more is always better, and some is better than none. Most commercially available access points support WEP (Wired Equivalency Protocol) encryption. Despite its relative limitations, WEP can be a valuable ally in protecting your customers' WLANs.

Using WEP has two main advantages. First, it discourages the random hacker. Second, it announces that the WLAN is indeed a private, closed network.

WEP uses a shared key and either a 64-bit or 128-bit level of encryption. The shared key is a static item and will be the same for all clients on a network associating with a given access point. This is where the weakness lies.

On a network using WEP, a determined hacker can figure out what the shared key is by either gathering enough wireless packets or using a readily available cracking tool. Once the hacker has the shared key, he or she can access the WLAN. Fortunately, this is a rare occurrence for most businesses. A hacker must be quite determined to invest the time and effort needed to break into a WEP encrypted system, and most networks are clearly not worth the effort and risk involved. But if your customer really worries about hackers, changing the customer's WEP key frequently will keep the hackers guessing.

Activating WEP takes little more than turning it on in an access point, then assigning a shared key to both the access point and client PCs. For improved security, go with the 128-bit key.

The following screenshot shows the DLink DI-624 supporting both WEP and WPA (WiFi Protected Access) security encryption schemes (WPA is discussed in the next step of this article). Note that encryption can be set at 128-bit, and up to four shared keys can be assigned. To view the image, click here.

Step 6: Use WPA Encryption

After the weaknesses of WEP were discovered and understood, the industry proposed new wireless security schemes. Earlier this year, one of them was approved by the IEEE. It's called WPA (for WiFi Protected Access) and is now the heir apparent to WEP.

WPA differs from WEP in several significant areas. Mainly, WPA uses a temporal (or time shifting) key. This ensures that the shared-key is automatically changed frequently, and this, in turn, makes it more difficult for hackers to intercept and decrypt the shared key. Initial association starts with a pass phrase assigned to both the access point and the client systems. To maintain security, keep the pass phrase a secret. It should be known only by the access point and authorized client systems.

The next screenshot shows the use of a Passphrase when set up in WPA-PSK mode. To view the image, click here.

Optionally, WPA offers an increased level of security by combining authentication with encryption. For sites that have access to a RADIUS (Remote Authentication Dial-In User Service) server, a WPA-enabled access point can use the server to securely authenticate a client system using a login name and password stored on the network. A shared secret is used to drive the temporal key and keep the session encrypted while the RADIUS server asks the user to input a user name and password before allowing access to the network.

The next screenshot shows that enhanced security can be found by combining WPA's shared secret key with authentication via a RADIUS server. To view this image, click here.

Step 7: Use MAC Address Filters

MAC address filtering can be a viable technology for protecting WLANs that have a limited number of wireless clients that rarely change. MAC address filtering works by allowing only authorized MAC addresses to access the access point. Specifically, the only devices that are allowed to use the WLAN are wireless cards whose MAC address has been entered into a table stored on the access point.

There are, however, three limiting factors. First, any authorized system must have the MAC address identified and then entered into each access point it may use. Second, someone must maintain the list of MAC addresses, and it's often a completely manual process. Third, any additions or client changes must be recognized and updated in the filter table.

MAC address filtering also becomes increasingly complex as access points are added to a network. What's more, some wireless network cards allow a MAC address to be assigned. By this means, a determined hacker could use a sniffer to discover a legitimate MAC address and then spoof that address to gain access to the WLAN.

The next screenshot shows a MAC address filter being used to deny or accept connections to an access point based upon the wireless client's physical MAC address. To view the image, click here.

Step 8: Consider A Wireless VPN

Some of your customers require the ultimate in wireless security. For them, several off-the-shelf solutions may fit the bill. Companies such as ReefEdge, Blue Socket, SMC, and AirFortress have developed security appliances that use advanced encryption and authentication techniques to provide secure wireless access.

These devices function as Virtual Private Network servers tuned for wireless communications. To further enhancing security, most of these third-party security products require you install and configure an additional software client on each wireless computer.

FRANK J. OHLHORST is Technology Editor at CRN.