An Easier Way To Secure Wireless Networks

If you set up Wi-Fi networks for your clients with any degree of regularity, you've probably come across security setup issues of your own. Sometimes, WPA (Wi-Fi Protected Access) won't set up properly, so you reduce the level of security to WEP (Wired Equivalent Privacy), the older, more easily crackable scheme. Or maybe you've thrown in the towel altogether to run wireless networks without any protection at all--a dangerous setup.

Combine lax security with Wi-Fi security threats--such as drive-by spamming, man-in-the-middle attacks, and network snooping, sniffing and spoofing--and you're leading your users into trouble. They could lose intellectual property, suffer privacy breaches, or fall prey to malicious network attacks.

Fortunately, wireless equipment makers are improving their security setup wizards and interfaces, though that does nothing for users of existing equipment. In this TechBuilder Recipe, I'll show you how to secure existing wireless networks by choosing and positioning the Wi-Fi hardware, understanding important options (like 802.11a, b, g and n), installing the equipment, and locking down security settings.

Take a Site Survey

If your client has a large network, you'll need to start by conducting a site survey. Users in large organizations often introduce new equipment to the network without telling the IT department, so it's now your job to detect every device on the network. If you have a small network, you can do a simple walk-through, surveying existing equipment and talking to users.

On large networks, you need to survey the site with RF sensors and protocol analyzers to identify rogue equipment and determine whether existing access points have been secured. A number of vendors offer site-survey solutions, including NetStumbler, YellowJacket, AirMagnet, and WildPackets. These products also measure encroaching networks. You can even put an access point into "monitor" mode to view other Wi-Fi activity on or near the network.

PocketWINC is a free and useful tool that runs on wireless PDAs to identify wireless access points, security levels, channels, signal quality and more. You load it onto a Wi-Fi enabled PDA, which makes it easy to walk around the premises and survey the site from every possible angle and distance. Here's a look at the tool's main screen:

No matter which tool you use, once you've identified rogue equipment at the site, you need to either shut it down or adjust the equipment's security settings to comply with company policy. We'll cover those settings in a moment. But first let's examine hardware choices for new installations.
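The triage step described above can be scripted once the survey data is exported. The following is an added example, not part of the original article or of any survey product: the CSV layout, the authorized-AP inventory, the policy set and the signal threshold are all assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed inventory of approved access points (assumption): BSSID -> SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Policy assumption: only these security modes comply with company policy.
ALLOWED_SECURITY = {"WPA", "WPA-PSK", "WPA2"}

# Constructed survey export; real survey tools use their own formats.
SAMPLE_SURVEY = """bssid,ssid,channel,security,signal_dbm
00:11:22:33:44:01,corp-wlan,6,WPA-PSK,-48
00:11:22:33:44:02,corp-wlan,11,WEP,-61
00:AA:BB:CC:DD:10,corp-wlan,6,WPA2,-55
00:AA:BB:CC:DD:20,linksys,1,NONE,-70
00:AA:BB:CC:DD:30,CoffeeShop,3,WPA-PSK,-88
"""

def classify(row, neighbor_floor_dbm=-80):
    """Return a list of findings for one surveyed access point."""
    bssid = row["bssid"].strip().upper()
    ssid = row["ssid"].strip()
    security = row["security"].strip().upper()
    signal = int(row["signal_dbm"])
    findings = []
    if bssid in AUTHORIZED:
        if ssid != AUTHORIZED[bssid]:
            findings.append("authorized AP advertising unexpected SSID")
        if security not in ALLOWED_SECURITY:
            findings.append(f"authorized AP using non-compliant security ({security})")
    elif ssid in set(AUTHORIZED.values()):
        findings.append("unknown BSSID advertising a company SSID")
    elif signal >= neighbor_floor_dbm:
        findings.append("unknown AP with strong signal, possible rogue on premises")
    else:
        findings.append("weak unknown AP, likely an encroaching neighbor network")
    return findings

def audit(survey_csv):
    """Map each BSSID to its findings; compliant authorized APs are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(survey_csv)):
        findings = classify(row)
        if findings:
            report[row["bssid"].strip().upper()] = findings
    return report

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SURVEY).items():
        print(bssid, "->", "; ".join(findings))
```

Signal strength alone cannot prove a device is inside the building, so treat the "possible rogue" result as a prompt for a physical walk-through.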

Coverage Options

There's a lot of new, inexpensive Wi-Fi equipment on the market, with more to come. I tested a couple of nice Wi-Fi routers: one basic model and one "Pre-N" router with an impressive range. Pre-N means the device was released prior to certification of 802.11n, which is a 108 megabits per second (Mbps) standard that broadcasts Wi-Fi signals much further and stronger than earlier Wi-Fi standards.

The first device I tested was SMC's 2.4-GHz 54-Mbps 802.11a/b/g wireless broadband router (Model #SMC2304WBR-AG). This router has four wired ports. It sells for about $80 on Amazon and just $47.33 on Buy.com after the mail-in rebate. Here's a look:

The second device I tested was the Belkin Pre-N router. It has three antennae, as opposed to the standard two, which boosts the router's range and throughput. The device has four ports for wired lines and 108-Mbps throughput on the local network (either wired or Wi-Fi). It sells for about $120 on Amazon. Here's a photo of this router:

The Belkin Pre-N router provides strong connectivity coverage for about 1.5 to 2 acres of area (with the router in the center). I've even seen some reports of five-acre coverage. Also, the Pre-N router is considered "tri-mode," meaning it's compatible with existing 802.11b and "g" equipment.

To use this router, you will need to add Pre-N adapter cards to your client's systems. The Belkin Pre-N router works with laptop adapters that either fit straight into a laptop PCMCIA slot or cradle into a PCI card that utilizes the same form factor (but in a desktop configuration), as shown below:

If you're buying a new router for your client, consider coverage options. For example, while the SMC router can easily cover a 2,000- to 2,500-square-foot office, line-of-sight issues that involve metal structures will hurt coverage performance. So your results will definitely vary by location.

Also, if users are located in a busy metropolitan area, using a Pre-N router is practically inviting hacker attempts. To avoid or at least lessen this risk, position 2.4-GHz 54-Mbps routers within the building so that their signal reaches only as far as the walls. That way, the only people who can access the router are those within the building.

Wireless Speeds and Standards: 802.11a, b, g, and n

Today there are three common 802.11 Wi-Fi standards, with one more on the way. The first popular standard was 802.11b. This offers 11 Mbps of throughput on the network and whatever rate you can get out of the DSL, cable modem or T1 pipe (up to 11 Mbps). Typically, you'd get 1-1.5 Mbps download speeds from a standard DSL modem, so the rest of the 11 Mbps bandwidth only helps for shuttling files around the network and managing multiple, simultaneous Web connections.

The second standard is 802.11a, which transmits in the 5 GHz frequency range. This is less crowded than 2.4 GHz; you avoid interference from mobile phones and microwave ovens. 802.11a can reach 108 Mbps speeds in ideal conditions.

The third standard, 802.11g, uses the 2.4 GHz range, transmits at 54 Mbps, and is backwards compatible with "b" equipment. The slower "b" speeds prevail when combined with "g."

With each of these 802.11 hardware platforms, throughput is variable and distance-dependent, so data speeds will drop as the remote device is positioned farther from the base station. Also, if you layer on encryption, speeds will drop considerably.

The new Pre-N equipment uses a technology called Multiple Input Multiple Output, or MIMO, that uses multiple transmitters and receivers (that is, antennas) to improve performance. With its two transmitters and two or more receivers, the equipment can send two simultaneous data streams. That effectively doubles the data rate and allows for greater distances between transmitters and receivers. For this reason, equipment for both Pre-N and the upcoming 802.11n standard is rated at 108 Mbps and higher.

Typical Installation

Installing a wireless router is relatively easy. There are just three general steps:

This is the easy part. It gets more challenging when we set up security.

Security Precautions

Several basic security precautions will help you to ensure a secure installation right off the bat. To take these precautions, start by entering the router's IP address (usually 192.168.1.1 or 192.168.2.1) in a standard browser. From there, you'll be able to access the administration/configuration settings.

Precaution 1: Change the router's default passwords.

The router's administration page, like that of the Belkin Pre-N equipment (shown below), lets you change the router's password. But if you leave the password in the default setting ("SMCadmin," for example), you'll make it easier for outsiders to access the admin page and change the router settings to suit their dubious ways. So I recommend changing it.

Precaution 2: Make SSIDs invisible.

SSID stands for Service Set Identifier, and it is the public name of a network. Either change this setting to "invisible" or disable "broadcast SSID." That way, outsiders won't be able to see the name you've given the Wi-Fi network. Once you do this, the client systems will also need to have the SSID manually entered in order to connect to the WLAN. The screen shot below shows the Belkin channel and SSID page:

To input the SSID manually on the client PC (Windows XP), open Wireless Network Connection Properties (Control Panel/Network Connections/Right Click Wireless Network Connections/Select Properties/Click Wireless Networks Tab/). Then click the Add button. You'll see a screen for inputting the SSID (see screen shot below). Here you'll put in the exact same SSID as the one the wireless router broadcasts:

Precaution 3: Disable DHCP, and assign IP addresses manually for client systems.

If you're working on a small network, you can do this easily. Afterwards, only those IP addresses you've assigned can access the network. Otherwise, DHCP software on the router assigns an IP to any device that can see the network and log on. Here's a shot of the Belkin LAN settings page, which you'll use for this task:

You'll need to choose the actual Wi-Fi security settings: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), WPA-PSK (WPA-Pre-Shared Key), or WPA2. Most routers and wireless access points have similar processes for establishing security settings. Generally, the process goes as follows:

Setting Up Client Devices

Starting from Windows XP Service Pack 2, first open the control panel, then click on Network Connections. Next, right-click Wireless Network Connection. Click Properties, then the Wireless Networks tab as shown below:

Next, highlight an available network, and click the properties button. Then input the right network key for your security settings, as shown below.

Once you match the right security key with the router, you'll be connected.
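Why the key and the manually entered SSID both have to match exactly under WPA-PSK, shown as an added example that is not part of the original article: the passphrase is stretched into a 256-bit key with PBKDF2-HMAC-SHA1 using the SSID as salt, so a one-character SSID difference yields a different key. The helper names are hypothetical, and "password"/"IEEE" is the published IEEE 802.11i test vector, not a recommended setting.

```python
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 pre-shared key, returned as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 4096 iterations, 32-byte output, SSID as the salt.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid_bytes, 4096, 32)
    return key.hex()

def client_matches_router(router_psk_hex: str, client_entry: str,
                          client_ssid: str) -> bool:
    """Check what a client has configured against the router's key.

    client_entry may be a passphrase or a raw 64-hex-digit key.
    """
    entry = client_entry.strip()
    if len(entry) == 64 and all(c in "0123456789abcdefABCDEF" for c in entry):
        candidate = entry.lower()
    else:
        candidate = wpa_psk(entry, client_ssid)
    return hmac.compare_digest(candidate, router_psk_hex.lower())

if __name__ == "__main__":
    router_key = wpa_psk("password", "IEEE")   # published test vector inputs
    print("router key:", router_key)
    print("exact SSID:", client_matches_router(router_key, "password", "IEEE"))
    print("wrong case:", client_matches_router(router_key, "password", "ieee"))
```

Because the SSID is the salt, a network left on a factory-default SSID shares its salt with every other network using that name, which is one more reason to pick a unique SSID and a long passphrase.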

Sidebar: Choosing Among WEP, WPA and WPA2

WEP security works best in situations where neither the network nor the data contain critical information, sensitive user data, or intellectual property. In fact, some security experts say that keeping your data protected by WEP is like using a chain lock on your door rather than a deadbolt. That's because on a WEP-protected network, a hacker with the right cracking software can gather enough packets to deduce passwords (64-bit or 128-bit).

However, cracking WEP will take a lengthy period of time. So if your client is out in the boondocks and is only moving family photos and videos around their network, then chances are good hackers won't spend the time needed to crack the user's WEP password. For these types of applications, WEP may be fine. As the experts also say, you don't need a bank vault to protect a dollar bill.

Still, for most users, the wiser choice is WPA. This wireless security standard employs advanced encryption and authentication processes that are sufficient for most networks.

To use WPA, both the router and the wireless network adapter must support WPA. The good news is that all new routers--and even most of the one- to two-year-old routers--support both WEP and WPA.

Also, client systems need to be configured correctly and supplied with the correct keys and pass phrases. While that's an easy task for small networks, it's a sizeable burden for larger concerns.

WPA2 is an even better encryption scheme. It's based on the Advanced Encryption Standard (AES), sometimes referred to as the 802.11i standard, and promises to make security a non-issue for larger enterprises. Vendors are already selling WPA2 products that are certified by the Wi-Fi Alliance--a trusted international nonprofit association, though not an official standards body. For example, Cisco's Aironet 1200 Series Access Point and Broadcom's Airforce products have WPA2 versions.

PHIL DUNN is a technology journalist and independent communications consultant for high-tech companies. He's been reviewing, testing, and reporting on products since 1995.