	--------------------------------------------------------------
	This story was printed from Anchordesk,
	located at http://review.zdnet.com/AnchorDesk/.
	--------------------------------------------------------------


6 ways to secure your wireless network
By Robert Vamosi: Senior Editor, Reviews
Wednesday, August 28, 2002
 

Wireless networks are proliferating, and so is the number of individuals who roam city streets looking for open hot spots to plunder, an activity known as "war driving." In London, some people even chalk the sidewalks with symbols that indicate an available wireless network.

Before you protest the unfairness of someone taking a free ride on your hookup to the information highway, and possibly driving up your bandwidth charges, let me say that there are ways to shield your wireless network. And while these tactics--especially the controversial WEP (Wireless Equivalent Protection)--aren't fail-safe, you should at least try them.

For those who don't know, a wireless LAN (or WLAN) consists of one or more access points (APs) that relay data packets between a physical network server and a wireless device (such as a handheld or laptop). To send and receive data, the device must have an antenna (usually PCMCIA or USB) that adheres to the 802.11 standard.

So what can you do to keep your network from becoming a war driver's favorite hot spot? Here are six suggestions.

Change your name. Start by changing the default name of your network, the Service Set ID (SSID). For example, Tsunami is the default SSID for Cisco's Aironet Access Point, so you want to make sure you're not one of the thousands of Tsunami networks in the world today. Also, don't use personal info like your street address in your ID, either. That's too revealing to strangers. Try random numbers instead.

Turn off SSID. If your unit allows for it, turn off SSID broadcasting altogether. This prevents strangers from passively scanning the area and receiving your network's broadcasts.

Set high connection speeds. I suggest raising the minimum speed for connecting to your network. Wireless signals degrade rapidly over a large area, so requiring a faster connection speed means the person trying to get on your net must be relatively close to an AP.

Protect your intranet. Be sure to place your access points outside your firewall. If you place your APs inside the firewall, and someone breaks into your WLAN, he or she has access to your intranet, too.

Block unknown devices. You should restrict your wireless network to known Media Access Connection (MAC) addresses, unique identifiers for every hardware device. If you don't currently know the addresses of the devices on your network, make an audit today. Then you can block rogue devices trying to connect to your net without your permission.
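One way to run the audit described above, as an added Python example that is not part of the original column: it normalizes MAC addresses written in different notations and sorts the stations an access point reports into known, unknown and malformed. The addresses, the list format and the function names are constructed for illustration.

```python
import re

# Constructed sample data: an inventory allowlist and the stations an access
# point currently reports. The input format is an assumption.
ALLOWED = ["00:0A:95:9D:68:16", "00-0c-29-3e-5b-7a", "0040.96a1.b2c3"]
ASSOCIATED = ["00:0a:95:9d:68:16", "0040.96A1.B2C3", "02:11:22:33:44:55",
              "00:0C:29:3E:5B:7B", "not-a-mac"]


def normalize_mac(raw: str) -> str:
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet means the address was assigned in software."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(allowed, associated):
    """Return (known, unknown, malformed); unknown entries carry the 0x02 flag."""
    allow = {normalize_mac(m) for m in allowed}
    known, unknown, malformed = [], [], []
    for raw in associated:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            malformed.append(raw)
            continue
        if mac in allow:
            known.append(mac)
        else:
            unknown.append((mac, is_locally_administered(mac)))
    return known, unknown, malformed


if __name__ == "__main__":
    known, unknown, malformed = audit(ALLOWED, ASSOCIATED)
    print("known:    ", known)
    print("unknown:  ", unknown)
    print("malformed:", malformed)
```

An unknown station whose address has the locally administered bit set was given that address in software rather than by the hardware vendor, so it deserves a closer look.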

Enable WEP. Though WEP is one of the most talked-about means of protection for a wireless net, it will not by itself make your network secure.

The first thing to know about WEP is that it's not quite as secure as it sounds. 802.11 network devices on the market today provide 64-bit, 128-bit, or 256-bit WEP encryption. But, according to Ian Goldberg of Zero-Knowledge Systems, those numbers are inflated. WEP uses the first 24 bits of any packet as a unique identifier, so really you're limited to 40, 104, or 232 bits of secure data.

That would be adequate if WEP used different encryption keys for each message packet--but it doesn't. Instead, WEP is based on symmetric keys that never change and are set manually in each device. This seriously compromises security for both home and office WLANs.

For example, when an employee leaves a company, ideally the IT staff would change every key for every employee that has access to the corporate WLAN. But often this is not done. Thus, former employees can often continue to use a company's network through their own 802.11 devices.

For a home network, the danger of the unchanging key is that it makes it easier for malicious users to recognize a key (since they see the same one over and over again) and to crack the encryption. Once an intruder's cracked the encryption, he'll be able to read the data you send over your WLAN.
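The key-size arithmetic and the unchanging-key problem described above, as an added Python sketch that is not part of the original column: it seeds RC4 with the 24-bit per-packet value followed by the shared key and shows that, with a key that never changes, a repeated 24-bit value repeats the entire keystream. The key, frames and function names are constructed for illustration, and WEP's integrity checksum is left out.

```python
# Added illustration. WEP seeds RC4 with a 24-bit IV followed by the static
# shared key; the CRC-32 integrity value real WEP appends is left out here.

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def secret_bits(advertised_bits: int) -> int:
    """Advertised WEP size minus the 24 bits sent in the clear with each packet."""
    return advertised_bits - 24

def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Return IV || ciphertext; the IV travels unencrypted with the frame."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes (24 bits)")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not captured traffic.
SHARED_KEY = bytes.fromhex("0102030405")   # 40 secret bits ("64-bit" WEP)
FRAME_A = b"GET /index.html "
FRAME_B = b"POST /login.cgi "

if __name__ == "__main__":
    for size in (64, 128, 256):
        print(f"{size}-bit WEP -> {secret_bits(size)} secret bits")
    a = wep_encrypt(b"\x00\x00\x01", SHARED_KEY, FRAME_A)
    b = wep_encrypt(b"\x00\x00\x01", SHARED_KEY, FRAME_B)  # same IV, same key
    c = wep_encrypt(b"\x00\x00\x02", SHARED_KEY, FRAME_A)  # next IV
    print("same IV, same keystream:", xor(a[3:], FRAME_A) == xor(b[3:], FRAME_B))
    print("new IV, new keystream:  ", xor(a[3:], FRAME_A) != xor(c[3:], FRAME_A))
```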

Nonetheless, despite WEP's shortcomings, you should still use it. Recognizing your key takes a few hours, even with a fast computer, and requires a lot of effort. Using WEP at least provides protection against the casual war driver who's not willing to spend time cracking your encryption. I would also suggest periodically changing your shared keys and using a virtual private network (VPN) as an additional layer of security.

If you want to know more about wireless networks, I recommend the book 802.11 Wireless Networks: The Definitive Guide by Matthew S. Gast (published by O'Reilly & Associates). Gast provides a thorough explanation of the technical minutiae administrator or a motivated home user, the book may be too technical for some.

For now, heed the suggestions I've made, and you'll be better able to stop the pedestrian war driver from gaining access to your WLAN. However, to deflect a more aggressive attack, you'll need to go even further. I'll discuss those tactics in my column next week. Stay tuned.

Has your wireless network ever been broken into? How do you protect it? TalkBack to me!