
 

  REPRINTED FROM WWW.WINDOWSECURITY.COM       
  March 16, 2006

How to Secure Your Wireless Network
By Debra Littlejohn Shinder, MCSE, MVP

Wireless networking is all the rage -- and no wonder. Not having to deal with running cables makes it much easier to set up a home or small business network, and the freedom of being able to roam the building with your laptop, or even take it out by the pool and still stay connected, is very tempting. But before you cut the cords, keep in mind that wireless communications move across the airwaves, where anyone with the proper equipment can intercept them. Thus, security is more of an issue than with a cabled network.

Luckily, there are ways you can have your wireless and beat it (the security problem, that is), too. Here are some suggestions for making your wireless network more secure:

They say in real estate, the most important factor is location, location, location. Well, in wireless networking, it's encryption, encryption, encryption. Just about all commercially available wireless access points and routers support encryption of some kind, but most home users and many businesses don't bother to use it. Why? The perceived complexity of setting it up, mostly. But encrypting your communications is your first line of defense against unauthorized use of your network.

Also be aware that all encryption methods are not created equal. WEP (Wired Equivalent Privacy) is better than no encryption, but it has many known weaknesses and can be broken by a savvy attacker. If you do use WEP, set the authentication method to "shared key." You'll then need to enter a password that users need to put into their client computer's wireless configuration to connect. Most WAPs support both 40 bit and 128 bit WEP. Use the latter; the key is longer and harder to guess.

A better encryption choice is WPA (Wi-Fi Protected Access). Not all WAPs support it, but newer ones do and you might be able to upgrade your older one to support it. Same for wireless network cards -- a firmware upgrade may be necessary for older ones. The WPA client software is included in Windows XP SP2, or if you don't want to install the service pack you can download the WPA client in Microsoft's Wireless Update Rollup for XP at http://support.microsoft.com/kb/826942/.

Next, consider using MAC filtering. This is set up through the administrative interface for your WAP or router (usually a web interface -- see your WAP/router instruction manual). Every network card has a physical address called the Media Access Control (MAC) address; this is entirely separate from the IP address and can't be easily changed like the IP. You can enter a list of MAC addresses that are allowed to connect to your wireless network, and computers other than those will not be allowed to connect. It is possible for hackers to spoof (forge) the MAC address of a legitimate computer, but this will keep casual wireless "hitchhikers" off your network. It should be used in conjunction with other security mechanisms.

You should also change the default settings on your WAP. Change the default network name (SSID) and the default administrative password. You can also turn off SSID broadcasting so the name of your network doesn't pop up in the "available networks" list of wireless users who are within range (such as the guy next door who has a wi-fi enabled laptop or the friendly neighborhood war driver who's out for a cruise). If you aren't going to use the wireless network for a while, turn off the WAP completely. If you do need to leave the WAP on all the time, limit the signal range by using a lower gain antenna or a directional antenna.

You could even use a less popular wireless technology such as 802.11a if you're really serious about security. It transmits on a different frequency from 802.11b and g, and most hackers are using b/g network cards. The distance range for 802.11a networks is shorter, too, which also helps protect against unauthorized users. On the downside, 802.11a equipment is more expensive and harder to find, and your 802.11a NIC won't be compatible with b/g networks such as commercial wireless hotspots (of course, you can always use a removable PC Card 802.11a NIC to connect to your own network and your laptop's built-in wi-fi card or another removable b/g card to connect to hotspots).

Don't connect your wireless network directly to your wired network, either. Put a firewall between the two, in effect setting up a DMZ, or special isolated network, for wireless users. You can still access resources on your wired LAN from wireless computers if you need to, by creating a VPN.

 

 

 


 

802.11i, WPA, RSN and What it all Means to Wi-Fi Security
REPRINTED FROM WWW.WINDOWSECURITY.COM   

We've all heard about the flaws and vulnerabilities in WEP, but the effort to create a standard that provides better security for wireless networks has been a long and bumpy one. The IEEE's 802.11i project has been implemented, in part, by the Wi-Fi Alliance's Wi-Fi Protected Access (WPA) and by the Robust Security Network (RSN). What does it all mean to you, the wireless user or network administrator? In this article, we take a look at the new wireless networking security mechanisms and how you can use them to protect your Wi-Fi network.

In the Beginning: 802.11i

The long-anticipated 802.11i specification for wireless LAN security was finally ratified by the IEEE in June 2004. It had been in the works for years. Unlike 802.11a, b and g specifications, all of which define physical layer issues, 802.11i defines a security mechanism that operates between the Media Access Control (MAC) sublayer and the Network layer.

The new spec offers significant improvements over the old standard, Wired Equivalent Privacy (WEP). The specifications were developed by the IEEE’s TGi task group, headed by David Halasz of Cisco. However, during 802.11i’s long, long gestation period, WPA emerged as an interim solution.

WPA

Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002 – in part out of impatience with the slow-moving 802.11i standard. The industry consortium’s consensus was that an alternative to WEP was needed quickly, and WPA was the result. To avoid multiple “standards” and conflicts later on, WPA was designed from the get-go to be compatible with 802.11i and was based on its early draft specifications. This sets WPA apart from a number of proprietary Wireless LAN security solutions that were developed by Proxim, Funk and other vendors.

WPA provides several security advantages. First, it uses a stronger key management scheme, by implementing the Temporal Key Integrity Protocol (TKIP). TKIP creates encryption values that are mathematically derived from a master key, and changes these encryption keys and IV values automatically (and transparently to the user) so as to prevent key stream reuse. This is important because WEP keys have to be changed manually, and this can be an administrative hassle, leading to administrators not changing the keys often enough (or not at all). TKIP also uses a Message Integrity Code called Michael that uses a 64 bit key. The integrity checker is designed to block forged messages.

There are two methods for generating the master key, and WPA operates in two different modes, depending on whether pre-shared keys are used or a central authentication server is available. For home users, WPA offers easy setup (one big problem with WEP was that many users found it too difficult or confusing to set up and manage, so they didn’t). Authentication is based on the Extensible Authentication Protocol (EAP) and can use pre-shared keys that make it simple to configure on the WAP and clients in small network settings: you manually enter a password, and then TKIP does its thing, automatically changing the keys periodically. This is called PSK (for PreShared Key) mode.

Tip:
It is recommended that when using PSK mode, you should set a password with at least 20 characters.
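
How the PSK-mode master key depends on both the passphrase and the network name, as an added example that is not part of the original article. WPA-PSK derives its 256-bit key with PBKDF2-HMAC-SHA1 (4096 iterations) using the SSID as the salt; the `audit_psk_settings` helper and the list of default SSIDs are hypothetical and constructed for illustration.

```python
import hashlib

# Sample factory-default SSIDs (constructed list for illustration, not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "netgear"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA pre-shared key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output; the SSID is the salt.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_psk_settings(passphrase: str, ssid: str) -> list:
    """Hypothetical helper: flag settings that weaken a PSK-mode network."""
    findings = []
    if len(passphrase) < 20:
        findings.append("passphrase is shorter than 20 characters")
    if ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default, so its salt is shared with other networks")
    return findings


if __name__ == "__main__":
    # Constructed sample settings: one weak pair, one that passes both checks.
    samples = [("password", "linksys"),
               ("correct horse battery staple", "OakStreet-42")]
    for passphrase, ssid in samples:
        print(ssid, wpa_psk(passphrase, ssid).hex(), audit_psk_settings(passphrase, ssid))
```

The same passphrase yields a different key on every SSID, which is one more reason to change the default network name as well as choosing a long passphrase.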

At the large network level, operating in Enterprise mode, WPA supports RADIUS so that users can be authenticated through a centralized server. WPA 802.1x authentication methods include EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP and other implementations of EAP.

WPA uses the same encryption algorithm for encrypting data that WEP uses: the RC4 stream cipher. However, TKIP uses a 48 bit initialization vector, as opposed to the weaker 24 bit IV used by WEP.
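
Why key stream reuse matters and how the IV size affects it, as an added example that is not part of the original article. It uses a simplified WEP-style construction (RC4 seeded with the IV followed by the shared key, integrity check omitted) and assumes IVs are picked at random; the key, IVs and frames are constructed sample values.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, shared_key: bytes, frame: bytes) -> bytes:
    """Simplified WEP-style encryption: RC4 keyed with IV || shared key."""
    return xor(frame, rc4_keystream(iv + shared_key, len(frame)))


def frames_until_likely_repeat(iv_bits: int) -> int:
    """Frames sent before a randomly chosen IV has a 50% chance of repeating."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(2)))


SHARED_KEY = bytes.fromhex("0102030405")   # constructed 40-bit key
FRAME_A = b"frame one: hello"              # constructed 16-byte frames
FRAME_B = b"frame two: world"


def reuse_cancels_keystream(iv_a: bytes, iv_b: bytes) -> bool:
    """True when XORing the two ciphertexts equals XORing the two plaintexts."""
    c_a = wep_style_encrypt(iv_a, SHARED_KEY, FRAME_A)
    c_b = wep_style_encrypt(iv_b, SHARED_KEY, FRAME_B)
    return xor(c_a, c_b) == xor(FRAME_A, FRAME_B)


if __name__ == "__main__":
    print("same IV cancels keystream:", reuse_cancels_keystream(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("different IVs cancel keystream:", reuse_cancels_keystream(b"\x00\x00\x01", b"\x00\x00\x02"))
    print("24-bit IV:", frames_until_likely_repeat(24), "frames; 48-bit IV:", frames_until_likely_repeat(48))
```

With the same static key, a repeated IV means a repeated key stream, and the key drops out of the two ciphertexts entirely; a 24 bit IV space makes that repeat likely after only a few thousand frames.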

The Wi-Fi Alliance started certifying WPA-capable wireless equipment in April 2003. You can find a list of certified products on the Wi-Fi Alliance Web site at http://www.wi-fi.org/OpenSection/certified_products.asp?TID=2. To use WPA, older WAPs must have a firmware upgrade applied. Some WAPs can support both WEP and WPA clients simultaneously. The client computer’s operating system and wireless network adapter must support WPA.

The Windows WPA client is available from Microsoft for Windows XP (with SP1) and Server 2003 systems. The WPA update is included in the Wireless update rollup package for XP (See http://support.microsoft.com/default.aspx?kbid=826942). You can download the WPA patch for XP Professional and Home at http://www.microsoft.com/downloads/details.aspx?FamilyID=009D8425-CE2B-47A4-ABEC-274845DC9E91&displaylang=en.

After you install the update and reboot, there will be new dialog boxes added to the Network configuration window, for configuring WPA.

Note:
If you’re using an operating system other than XP/2003, you must install a third party client program called a supplicant, such as the one available from Funk Software (www.funk.com).

You may need to get updated drivers for your wireless network card from the NIC vendor. For step-by-step instructions on upgrading your WAP and network card, see http://www.pcmag.com/print_article/0,3048,a=107756,00.asp.

RSN

Another element of 802.11i is Robust Security Network (RSN), which dynamically negotiates the authentication and encryption algorithms to be used for communications between WAPs and wireless clients. This means that as new threats are discovered, new algorithms can be added.

RSN uses the Advanced Encryption Standard (AES), along with 802.1x and EAP. The security protocol that RSN builds on AES is called the Counter Mode CBC MAC Protocol (CCMP). AES supports key lengths up to 256 bits, but is not compatible with older hardware. However, there is a specification designed to allow RSN and WEP to coexist on the same wireless LAN; it’s called Transitional Security Network or TSN. It’s important to note, however, that a WLAN on which some devices are still using WEP is not optimally secured.

Tip:
Current handheld devices (Pocket PCs and Palms) don’t have enough processing power to support AES, so WPA is the best security choice if you have users who store and transmit sensitive data via handhelds. A WPA/802.1x client for Pocket PC 2002/2003 and Palm is available from Meetinghouse (http://www.mtghouse.com/company/index.shtml).

Tying it All Together

802.11i takes WPA a step further. For one thing, it requires the use of AES. The good news is that AES meets government security criteria and provides stronger encryption than WPA/TKIP. The bad news is that AES has to have its own coprocessor, which means older existing wireless hardware can’t just be upgraded via software as with the transition to WPA; instead, it will have to be replaced. Hardware purchased in late 2003 and 2004 may be upgradeable via software or firmware to support 802.11i. Now that the specification has been ratified, new equipment that supports AES out of the box should soon become available.

In addition, 802.11i will encrypt the whole data frame with AES. In WEP and WPA, the RC4 cipher encrypts the data payload only.

The Wi-Fi Alliance refers to the new 802.11i standard as WPA2. Despite the potential costs of implementing it, the new wireless security standard is welcomed by most in the industry as the next, and necessary, step in protecting data that is transmitted over the airwaves. However, those with a large investment in existing hardware that isn’t compliant with AES/802.11i might find it more cost effective to implement WPA at present and transition to 802.11i more slowly.

 

 

