04.05.2008 Computer Security, WiFi

The ABCs of securing your wireless network (from arstechnica.com)

By Joel Hruska | Published: April 29, 2008 – 11:46PM CT http://arstechnica.com

Introduction

Ars Technica’s original Wireless Security Blackpaper was first published back in 2002, and in the intervening years, it has been a great reference for getting the technical lowdown on different wireless security protocols. As a sequel to the original blackpaper, we wanted to do something a little more basic and practical, because the number of devices with 802.11x support has greatly expanded since 2002. Wireless security is no longer the domain of geeks and system administrators, but is now an issue in the lives of everyday users, from the worker with a home office who wants to keep sensitive files secure to the homemaker who wants to avoid an RIAA lawsuit because the teen next door is a wireless-leeching P2P addict.

In this practical introduction to the basics of securing your home wireless network, we’ll cover the important, high-level points that ordinary users need to know in order to secure a network of game consoles, phones, and PCs. Along the way, we’ll also recap some of the relevant information from the original wireless blackpaper, which I recommend if you want to pursue the topic further. So look through the guide, and if you’re already technically savvy then send it along to your uncle or your sister-in-law, and you may get one less phone call when it comes time for them to set up their new WLAN.

Note: This short guide will focus on securing 802.11g/802.11 draft-n routers, since these are the two most common types on the market today. Most of the information we’ll present should be applicable to older 802.11b or even 802.11a routers as well, assuming that your device’s manufacturer provided appropriate firmware updates.

First things first

The first thing to understand about wireless security is that by default, you have none. The router you buy from Newegg or Best Buy is going to come preconfigured for open access, which means that all of your neighbors can hop on and begin snarfing up MP3s with your bandwidth. This makes the router easier to set up—on a modern OS, you shouldn’t have to do much more than plug in both adapter and router—but it leaves the wireless access point (WAP) completely open to attack. Most manufacturers use a simple login/password combination, and such information is easily available online.

The first step to securing any wireless network, therefore, is to change the default router password. Most manufacturers set the default password to something along the lines of “admin,” “password,” or “changeme,” and the router IP address is almost always a simple variation on 192.168.x.1, where x = 0, 1, or 15. A nonstandard, strong password is no substitute for actual encryption, but it’s a step in the right direction. The next step should be to check for a firmware update for your router, particularly if it’s an older model. Many routers that didn’t support more advanced security settings (i.e., WPA, which I’ll describe later) had such support added via later firmware updates.


Setting a password for your router should be one of the first things you do

Debunking myths

You’re likely to get some bad wireless security advice from the guy at your local electronics superstore who sold you your router, because many of the commonly recommended wireless security tips floating around out there aren’t actually all that useful and may even do more harm than good by lulling the end-user into a false sense of security.

Hiding the SSID

The SSID (Service Set Identifier) is an identification code (typically a simple name) broadcast by a wireless router. If a wireless device detects multiple SSIDs from multiple access points (APs), it will typically ask the end-user which one it should connect to. Telling a router not to broadcast its SSID may prevent basic wireless access software from displaying the network in question as a connection option, but it does nothing to actually secure the network. Any time a user connects to a router, the SSID is broadcast in plaintext, regardless of whether or not encryption is enabled. SSID information can also be picked up by anyone listening to the network in passive mode.

Changing the SSID

This is sometimes touted as a security measure. It isn’t. Changing your access point’s SSID will change the identification code the router is broadcasting, but it won’t change anything else. It doesn’t prevent the router from being detected, snooped, or hacked in any way.

Disable DHCP

Switching DHCP off and using static IP addressing is no defense against hacking. Anyone snooping the network can usually figure out the pattern that has been used to assign the IP addresses in question and then make a specific request accordingly.

Filtering MAC addresses

In theory, this sounds great. Every NIC has its own unique MAC address, and wireless access points can be configured to block all but a handful of specified NICs. The problem with filtering by MAC address, however, is that these addresses are easily faked and readily detected by anyone using appropriate monitoring software. In addition, this approach requires a great deal of overhead in corporate environments, and even for a large home network with multiple machines and gadgets (consoles, phones, and consumer electronics) it quickly becomes untenable.

Of the above bogus “security” measures, filtering MAC addresses is the only one with even a minimal level of value. MAC address filtering can keep obnoxious and non-tech-savvy neighbors from easily freeloading on your wireless network, but it won’t do much else. To keep more determined intruders off of your network, you’ll have to use encryption.

Encryption methods

Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are the two encryption standards that are widely used in today’s wireless devices. Of the two, WPA is far superior in every respect, and should be used in any situation where it’s available, but the sheer number of people using WEP requires that we discuss it here as well. Each of these standards contains several specific implementations, which we’ll also discuss.

WEP: Old, busted, and better than nothing

Wired Equivalent Privacy (WEP) was the first wireless security protocol. Originally, WEP used a 40-bit encryption key, but this was later extended to 104 bits due to concerns over the security of the WEP standard. This change, however, was little more than a stop-gap measure, meant to make WEP less susceptible to brute-force attacks. Regardless of whether the 40-bit or the 104-bit key is used, WEP combines it with a 24-bit initialization vector (IV) for every packet. That 24-bit IV is the weak point: it has only 16,777,216 possible values (for those of you keeping count), so on a busy network IVs are soon reused, which is what makes the key recoverable. Just last year, researchers succeeded in cracking 104-bit WEP encryption in about two minutes using an old Pentium-M machine.
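To put the 16,777,216 figure in perspective, the following added example (not code from the Ars Technica article) works through the birthday-problem arithmetic for a 24-bit IV. The numbers it prints are the reason the IV space is "small" in practice: if IVs are chosen at random, a repeat is more likely than not after only about 4,800 packets, and even a sequential counter wraps around in hours on a moderately busy network. The packet rate used in the main block is a constructed illustration, not a measurement.

```python
import math
import random

# WEP's IV is 24 bits, so there are 2**24 = 16,777,216 possible values,
# the figure quoted in the article.
IV_BITS = 24
IV_SPACE = 2 ** IV_BITS


def iv_collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV value repeats among `packets` packets
    whose IVs are chosen uniformly at random (the birthday-problem bound),
    using the standard approximation 1 - exp(-n(n-1) / 2N)."""
    if packets <= 1:
        return 0.0
    if packets > space:
        return 1.0  # pigeonhole: more packets than IV values forces a repeat
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_collision_probability(probability: float, space: int = IV_SPACE) -> int:
    """Smallest packet count at which the repeat probability reaches `probability`,
    by inverting the approximation above: n ~= sqrt(2N ln(1 / (1 - p)))."""
    if not 0.0 < probability < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))


def seconds_to_exhaust(packets_per_second: float, space: int = IV_SPACE) -> float:
    """Time for a sequential IV counter to wrap around and start reusing values."""
    if packets_per_second <= 0:
        raise ValueError("packet rate must be positive")
    return space / packets_per_second


def simulate_first_repeat(seed: int, space: int = IV_SPACE) -> int:
    """Draw random IVs until one repeats; returns how many packets that took.
    Deterministic for a given seed so the result is reproducible."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.randrange(space)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    half = packets_for_collision_probability(0.5)
    print(f"IV space: {IV_SPACE:,} values")
    print(f"50% chance of a repeated IV after only {half:,} random packets")
    # 500 packets/s is a constructed rate for illustration only.
    print(f"Sequential IVs at 500 packets/s wrap in {seconds_to_exhaust(500) / 3600:.1f} hours")
    print(f"Random-IV simulation (seed 1): first repeat at packet {simulate_first_repeat(1):,}")
```

The same functions apply to any nonce space: passing `space=365` to `packets_for_collision_probability(0.5)` reproduces the classic 23-people birthday answer, which is a handy sanity check that the formula is right.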

Unfortunately, WEP’s flaws have yet to drive it from the market. As recently as last November, surveys showed that up to 25 percent of WAP hotspots were still using WEP, and the largest data theft in US history is thought to have been caused by the use of WEP encryption. Now that even WEP’s 104-bit encryption can be brute-forced easily, this standard should no longer be considered secure by any measure.


Easily cracked, but still used about a quarter of the time

There is, however, a reason to mention it here. Despite its numerous flaws and weaknesses, running WEP is still better than running your wireless access point completely in the clear, and it’ll at least keep your neighbors (or random passers-by) from surfing on your network. WEP should also be compatible with virtually any router ever made, including orphaned models that haven’t seen firmware updates in years. Your best bet when dealing with this kind of situation is to replace the router, but if that’s not possible for whatever reason, WEP may be all you’ve got.

There have been a few other WEP-related encryption standards worth mentioning here. WEP2 was a short-lived attempt to improve on the original standard by incorporating both a 128-bit encryption key and a 128-bit initialization vector. WEP2 doesn’t improve on any of the inherent weaknesses of the WEP model, but it does make brute-force attacks substantially more difficult. In the absence of support for other standards, WEP2 is a better option than standard WEP.

Several other vendors have developed their own specific and proprietary technologies to address WEP’s flaws. These typically require a matched WAP and adapter combination, and their efficacy may vary widely. Again, such solutions should only be considered when they represent the best alternative to a standard WEP configuration or no security whatsoever.

WPA and WPA2

WPA was developed in response to the flaws in WEP, and it’s a much better security protocol than its predecessor. Unlike WEP, WPA uses a 48-bit initialization vector and a 128-bit encryption key. More importantly, however, WPA uses what’s called the Temporal Key Integrity Protocol (TKIP). Whereas WEP recycles the same key for encrypting all the packets flowing across the network, WPA’s TKIP changes the encryption key every single time a packet is transmitted. This, combined with the use of longer keys, prevents a hacker from compromising a router simply by passively observing a large enough set of packet transmissions.

The WPA2 standard is a 2004 update to the WPA specification that includes support for a US government-approved encryption protocol called Advanced Encryption Standard (AES). (AES can also now be used with WPA, though the presence of this option will probably depend on how recently your router received a firmware update.) Unlike WPA, WPA2 was not explicitly developed with backwards compatibility in mind; older routers that are capable of handling WPA encryption via TKIP may not be able to use WPA2, as WPA2 mandates both AES and TKIP compatibility. If possible, you should use WPA2 instead of WPA.


WPA2 is more secure, but lacks the backwards compatibility of WPA

There are two security levels built into WPA and WPA2: WPA Personal (or WPA-PSK) and WPA Enterprise. WPA-Personal uses a preshared authentication key shared between all the systems on a network. This means that the network is potentially vulnerable to dictionary-based attacks if strong passwords are not used. Home networks don’t have much to worry about here, provided your authentication key isn’t something along the lines of “cat.”
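The "dictionary attack" risk above comes down to how the preshared key is derived, and the following added example (not code from the article) shows it. WPA/WPA2-Personal turns your passphrase into the 256-bit PSK with PBKDF2-HMAC-SHA1, salted with the SSID and run for 4,096 iterations; that is fixed by the IEEE 802.11i standard, and the published test vector (passphrase "password", SSID "IEEE") is used to confirm the derivation. Those 4,096 iterations make each guess cost a few thousand hash operations, which is plenty against a long random passphrase and nothing against "cat" or "password". Because the SSID is the salt, a default SSID like the one your router shipped with also lets attackers reuse precomputed tables, which is one more reason to pick a unique one. The `COMMON_PASSPHRASES` list, the character-class sizes and the weak/fair/strong thresholds are constructed assumptions for this example, not part of any standard.

```python
import hashlib
import math

# Fixed by IEEE 802.11i for WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(
# passphrase, salt=SSID, 4096 iterations, 256-bit output).
PBKDF2_ITERATIONS = 4096
PSK_LENGTH = 32

# Constructed sample of the kind of entries a guessing dictionary holds;
# a real list is far longer. Used only to flag obviously bad choices.
COMMON_PASSPHRASES = {
    "password", "12345678", "changeme", "qwertyuiop", "iloveyou", "administrator",
}

# Crude per-character entropy model. Class sizes and thresholds are this
# example's assumptions, not a standard.
CHAR_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
)
SYMBOL_CLASS_SIZE = 33  # printable ASCII punctuation plus space


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PSK exactly as a client or access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, PSK_LENGTH
    )


def estimate_entropy_bits(passphrase: str) -> float:
    """Optimistic entropy estimate: length * log2(size of character classes used)."""
    alphabet = 0
    for predicate, size in CHAR_CLASSES:
        if any(predicate(ch) for ch in passphrase):
            alphabet += size
    if any(not ch.isalnum() for ch in passphrase):
        alphabet += SYMBOL_CLASS_SIZE
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def assess_passphrase(passphrase: str) -> dict:
    """Return a verdict with reasons. 'weak' means guessing from a captured
    handshake is realistic despite the PBKDF2 cost; 'strong' means it is not."""
    reasons = []
    if not 8 <= len(passphrase) <= 63:
        reasons.append("not a valid WPA passphrase length (8-63 characters)")
    if passphrase.lower() in COMMON_PASSPHRASES:
        reasons.append("appears in a common-passphrase list")
    bits = estimate_entropy_bits(passphrase)
    if bits < 40:
        reasons.append(f"only ~{bits:.0f} bits of entropy")
    if reasons:
        verdict = "weak"
    elif bits < 64:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"entropy_bits": round(bits, 1), "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PSK:", derive_psk("password", "IEEE").hex())
    for candidate in ("cat", "password", "sunnyday2008", "Tr0ub4dor&3-Xk9!pQ2z"):
        print(f"{candidate!r}: {assess_passphrase(candidate)}")
```

The entropy model deliberately overestimates (a dictionary word mixed with digits scores far better than it deserves), so treat "fair" as the floor, not the target; a long passphrase of random words or characters lands in "strong" without effort.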

Enterprise-level WPA implementations make use of a separate RADIUS (Remote Authentication Dial In User Service) server. In this case, the adapter attempts to connect to the wireless access point, which then demands a set of credentials. The access point forwards this request and any associated information to the RADIUS server. The RADIUS server then checks these credentials against its own stored data. At this point, the RADIUS server can accept the user’s login, deny it, or return a request for further information, such as a second password or an equivalent additional credential.

RADIUS servers are typically reserved for enterprise-level deployment, where they provide both an additional level of security and an increased level of control over how network resources are allocated on a per-user level. As such, they fall outside the realm of what most home users are likely to encounter.

Once you understand the terminology, the basics of wireless security fall firmly into place. If you want a secure configuration, use the WPA protocol in combination with a strong passkey. Past that point, we’re mostly splitting hairs. AES-based WPA2 is more secure than TKIP-based WPA, but either solution is light-years beyond WEP.

Securing your media network

Wireless support is now a common feature in many different types of consumer devices. All current-generation game consoles support wireless connectivity, and it’s a built-in feature on any decent laptop, handheld device, or Internet tablet. Wireless networking is on its way to becoming a ubiquitous home technology, but there’s a difference between having a home full of network devices and having those same devices happily sharing a single wireless network. It can be difficult to find a single encryption standard that all the devices can agree on.

The table below should be some help the next time you have to synchronize security settings between a mishmash of hardware.

Device                  WEP   WPA-PSK   WPA2-PSK
PlayStation Portable    Yes   Yes       No
Nintendo DS             Yes   No        No
PlayStation 3           Yes   Yes       Yes
Wii                     Yes   Yes       Yes
Xbox 360 WiFi adapter   Yes   Yes       No
iPhone                  Yes   Yes       Yes
Nokia N800/N810         Yes   Yes       Yes
Asus Eee PC             Yes   Yes       Yes*

*The Eee PC’s hardware supports WPA2, but the native ASUS Linux install may not expose this capability.

We’ve listed a number of the most popular Wi-Fi-capable devices above. The good news is that all of them support some kind of encryption. The bad news is that the choice between TKIP and AES complicates the picture a bit. For instance, the Nintendo Wii supports AES for both WPA and WPA2, but not TKIP for WPA2. So if you’re looking for maximum compatibility among all your networked devices, your first choice in router settings should be WPA2 (AES) and your second should be WPA (TKIP). Forget about permutations like WPA2 (TKIP) and WPA (AES) and stick with the two options just mentioned.

Unfortunately, the Nintendo DS is the odd man out here, and only includes support for WEP. If you plan on running a wireless network that includes a Nintendo DS, you’re stuck on an awful security protocol. This was downright shortsighted on Nintendo’s part. The DS itself may have no particular need for strong wireless security, since there’s virtually nothing a hacker could do with your DS, even if he broke into it—but as we’ve already observed, an increasing number of homes deploy a WAP as a general access point for multiple wireless devices. The DS might not need much security, but the same can’t be said for the desktop, laptop, and PS3 that might all be sharing the same connection.

Set the DS aside, and WPA is easily the way to go. All of the other devices listed above support it and you’d be hard-pressed to find a router on the market today that didn’t include WPA as well. WPA2, however, is still hit-and-miss. The newest encryption standard doesn’t share WPA’s near-universal backwards compatibility, and some routers on the market may not support it. In all honesty, this shouldn’t be much of an issue—WPA2 is more secure than WPA, but WPA is still considered a secure standard, and it’s still recommended as a general solution.

Enabling a wireless security standard

Actually enabling a security standard (assuming you don’t already run one) is simple. I’ll provide a few sample screenshots from a Linksys WRT150 router (802.11n Draft 2.0 compliant); the procedure should be similar on any other product. Open the “Wireless Security” section of the WRT150’s configuration pages and expand the security-mode selection, and this is what you see:

We’re going to ignore WEP, since you really shouldn’t be using it, and focus on the various WPA options. WPA Personal (aka WPA-PSK) and WPA2-Personal are configured more or less identically. Select the option, choose your encryption method (TKIP or AES), and enter your chosen encryption key. There should be no need to change the default key renewal time (3,600 seconds), but you can do so here if you need to. From this point, all you need to do is configure your various wireless adapters with the same information, and you should be up and running.

Linksys’ options for switching to RADIUS mode are a bit misleading. WPA Enterprise and WPA2 Enterprise are the options you’d choose for a RADIUS server using one of those two protocols. The actual RADIUS option refers to a RADIUS server combined with WEP, and probably isn’t used much at this point.

Configuring WPA/WPA2 Enterprise is also simple: Choose your encryption standard (TKIP or AES), and punch in the IP address and port number for the RADIUS server that handles authentication, as well as your shared secret. Once you’ve finished these steps, the router itself should be ready—make the appropriate configuration changes for your wireless adapters, and you’re good to go.

Conclusion

It’s actually quite easy to secure a wireless network, once you have a handle on what works and what doesn’t. Don’t waste time manually configuring MAC addresses or disabling DHCP when enabling an appropriate encryption standard is both faster and more effective.

WPA2 (AES) is the best encryption method currently available, followed by WPA2 (TKIP), WPA (AES), WPA (TKIP), and WEP. The relative gap between WEP and WPA, however, is far greater than the gap between WPA (TKIP) and WPA2 (AES). Generally speaking, any router that supports WPA is “good enough” in terms of its overall security. WEP, as we’ve previously stated, is an “only if you must” protocol, but it’s still a better option than transmitting in the clear.

Follow these simple guidelines and you’ll soon be leeching off your neighbor’s wireless network in peace, confident in your assurance that he can’t do the same to you.
