Wi-Fi Security

Wireless networking is a great boon which basically does away with all that nasty CAT5 cabling and, in some case, some of the hardware associated with using conventional wires. It also saves on having to rip up floorboards, fix trunking and faceplates etc., in order to lay cables in the first place!

Wireless does have some disadvantages to wired networks, however, as the wireless network is more prone to abuse and casual snooping than a wired one. It can also be slightly more complicated to secure. The following page discusses some options available to secure a wireless network.

SSID Broadcast

The SSID of a wireless network is the wireless network's identifier that is broadcast by an Access Point or Wireless Router. By default, most APs and routers will broadcast the SSID so that clients can automatically associate with the network. With the broadcast switched off, clients are unable to associate with the network and have to be specifically configured to use the network. This prevents casual snoopers automatically associating with the network.

In addition, it is also good practice to change the default SSID of a router or AP as there are many common ones in existance so it can be trivial to just guess a SSID, especially as WIRELESS and WLAN are common defaults!

MAC Locking

Every network adapter is furnished with a unique MAC, Physical or Hardware, address that is used below the data protocols, such as TCP/IP, by network devices to pass data. It is possible to configure known MAC addresses in routers and APs so that only trusted MAC addresses can connect.

MAC addresses consist of 6 HEX 'numbers' usually in the following formats:

00:02:6F:55:23:1A

or

00-08-0A-2B-CC-24

The MAC address of a NIC can either be found on a sticker on the card or thru' using an OS's IP configuration utility such as ipconfig or ifconfig.

WEP

WEP, or Wired Equivalent Privacy, was the first encryption method used on Wi-Fi systems and consisted of either 64-bit or 128-bit shared keys. The same key is configured on both client and WAP and data passed between the two is encrypted using the key.

WEP is not a particularly strong encryption method and can be broken quite easily using widely available tools available off the Internet.

WPA

The next generation of wireless encryption is Wi-Fi Protected Access, or WPA. WPA does away with the shared key concept used in WEP and instead uses a PassPhrase to encrypt the data.

Further Considerations

In addition to the above there are also a couple of other aspects that should also be addressed when adding wireless to a network. The first is trivial to fix and that is to change the default password of whatever AP or Router is employed. Like the issue with SSIDs previously mentioned, default password lists for many network devices also exist on the Internet and are often contained in the manufacturer's documentation for these devices if they are not on a list somewhere.

The second consideration is more difficult to deal with and is really a fundamental flaw with wireless networks. The issue with Wi-Fi connections is that they are designed to connect devices to private LANs, where generally facilities such as File and Print Sharing are in place, often to make those LAN users' life easier. A consequence of a wireless connection direct into a private LAN can also make life easier for unwanted users too! Where a router is used, it may be impossible to separate a wired network from a wireless one but where an AP is used then it may be possible to run a separate subnet for wireless connections. This, of course, may reduce the convenience of having a wireless LAN so may not be practicable in most cases but is worth considering, especially if it is not possible to implement some of the options discussed above.


© Nig's Net Written using the Bluefish HTML Editor on RedHat 9.0.

All Copyrights and Trademarks ACK'd. Not to do so would be a SYN!