Securing a Wireless Network From Snoopers
By Joel Rydbeck
During my time in the computer industry, I've seen few technologies take off as quickly as corporate and consumer wireless. Wireless technology allows us to connect to the Internet whenever, and almost wherever, we want. Almost everyone is using it: family, friends, neighbors, airports and coffee shops ... the list goes on.
Many of you have outfitted your homes and offices with this technology. I have, too, and so have five of my neighbors. Wireless access has made it easier to set up a personal or office network, and I think that's a strong indicator of how well this technology meets our business and personal needs.
Wireless Protocol Glossary
As you delve into securing your network, use this glossary of wireless protocol terms:
- 802.11b - The first wireless protocol that reached broad distribution. The 802.11b protocol provides up to 10Mbps. It supports WEP but has very limited support for WPA.
- 802.11g - Probably the most popular wireless protocol now. This added a lot of sophistication and efficiency to wireless interactions. Based on this, speeds of up to 54Mbps became achievable.
- 802.11i - A proposed wireless standard that includes WPA.
- Channel - The radio frequency that your access point uses. The FCC has certified 11 channels (5MHz each) for use in the United States. Other countries have varying channels that they allow.
- Internet Protocol Address - A temporary address that the network typically assigns to your computer.
- MAC Address - The unique address of the wireless card in your computer. Actually, each network device (routers, cable modems, computer network ports, wireless cards, etc.) has a unique MAC address. This allows the network to quickly and uniquely address new devices on the network.
- SSID - The access point identifier. In the case of Nubrek, we might call our access point "nubrek" to identify ourselves from the guys next door. By default, this identifier on Linksys access points is "linksys."
- WEP - Wireless Encryption Protocol. The first encryption protocol for wireless access points. It had some flaws that allowed it to be cracked. This opened the door for WPA, which is now the accepted standard in most corporate IT departments.
- WPA - Wi-Fi Protected Access. This provides two areas of security. First, it requires a key to get on the network. If you don't have the key, you can't use this access point. Second, it uses that key to encrypt all the data traffic on the network. This means snoopers can't use my network and also can't see what I'm doing on the network.
However, with this incredible flexibility also comes a lot of exposure to the outside world. It would be pretty obvious if someone waltzed uninvited into your office and plugged his laptop into your network. Like me, you'd probably have him promptly removed.
What about the guy sitting at a coffee shop across the street? Would you even know if he's on your network? Anyone with a wireless laptop can gain access to your network unless you take several precautions.
This article will provide you with a better understanding of what it means to secure a wireless network and how to implement that security. I will walk you through a few simple steps to help you lock down your network.
As merchant level salespeople, many of you have merchants using Internet protocol (IP)-based terminals and equipment, and they need a high level of security around it. Making merchants aware of the various aspects of their security is equally critical.
If Your Wireless Access Point Isn't Secure, What Is Exposed?
With the technology many of us use in our offices, it's rather difficult to always understand what's happening on the network. That said, presuming your network is not secure, here's what already may be compromised:
- Intellectual Property and Confidential Information. Anyone can access and use your network. If you share files between computers, you're probably also sharing them with wireless snoopers. Even if you have password-protected your network resources, once someone is on the network, it's only a matter of time before he has access to everything.
- Legal Liability for Network Content. It's a nice gesture to share your Internet connection with anyone within range, but what if that person starts doing something objectionable? Would you allow employees to spam, hack or exchange illicit material? What do you tell the cops when they come to visit?
- Resource Consumption. There are a lot of areas in which people snooping on your network can use up your resources. The best example is Internet bandwidth; there's only so much to go around. When you have a 1.5 Mbps DSL Internet connection, and five of you are in the office, anyone sharing your wireless network will eat up that bandwidth. You'll be left wondering why Web pages take forever to load.
I'm sure many of you already have locked down your networks. If you have, great. If you haven't, review the following steps:
Locking Down the Network
There are two key elements to securing a network:
1) Require authentication to enter the network, and
2) encrypt or restrict network traffic to ensure that nobody can "listen in" on your "conversation" or modify it.
To accomplish this on a wireless network, a very powerful tool is at your disposal: Wi-Fi Protected Access (WPA). WPA is an excellent standard because it requires a key to enter the network. Once on the network, all traffic is encrypted so that snoopers can't peek at all those credit reports you're transferring. This is probably the single best way to protect the network.
Wireless Encryption Protocol (WEP) is an option that's available on most wireless routers, but I strongly recommend against using it. This standard started out strong and was a good first step in securing wireless resources and data, but several years ago it was compromised. Now several applications are readily available to download to hack into a WEP network.
In contrast, the majority of WPA traffic is encrypted using Advanced Encryption Standard (AES). This is a very popular up-and-coming standard known for its robust security model. (For more information on AES see "Analysis: A Look at Encryption, From Then to Now," By Steve Weingart, Contributor, ATMmarketplace.com, reprinted with permission in The Green Sheet, Sept. 12, 2005, issue 05:09:01.)
Setting Up WPA
At the Nubrek office, we have a Linksys WRT-54G wireless router, which does a superb job guarding our network. I will use this product as an example since it is one of the most popular access points on the market.
Many of you may have NETGEAR, Belkin, SMC Networks or another brand of a wireless access point. The concepts are similar, but some of the details may vary. Check your manual for exact instructions.
To set up WPA:
- Check your hardware and software. Make sure that both your wireless access point and wireless laptop computers support WPA.
- Secure the wireless access point by activating WPA with a key.
- Connect wireless laptops to the secured network. Connect each laptop to the wireless access point by entering your WPA key.
1. Check your hardware and software
Check to see if your wireless access point supports WPA. Open up the Web administration interface and look on the Wireless Security tab.
If you don't see WPA or WPA2 in the Security Mode dropdown menu, check with your access point vendor (Linksys is my vendor) for an updated version of the firmware. (Firmware is software that's loaded on the actual wireless router.)
An earlier model of one of our routers didn't support WPA, but its firmware was over a year old. We upgraded it so WPA was supported. Upgrading is fairly straightforward and most vendors (Linksys, NETGEAR, Belkin, SMC, etc.) provide instructions. You usually can find firmware and instructions under the Downloads or Support sections of the vendor's Web site.
It's possible that your router simply doesn't support WPA. If WPA is not an option but WEP is, use WEP. Because of WEP's security holes, I caution against using it as a long-term solution. New wireless access points cost as little as $50. This is a small price to pay for the added security.
I assume most of you use Windows XP on your wireless laptops. If so, Windows XP service pack (SP) 2 supports WPA. If you prefer to use SP 1 (minimum SP required), you'll need the recommended Windows Update (update 815485).
2. Secure the wireless access point with a WPA key
Perform the following step from a computer that's connected to the router with a physical network cable. (I've made the mistake of securing my access point from a wireless laptop and found myself locked out. A network cable took care of that problem.)
On your wireless access point, change your Security Mode setting from Disable to WPA2 Personal. Enter a WPA Shared Key. Enter something that you can easily repeat on each of the laptops that you will connect, but that other people won't guess. I recommend including several nonalphanumeric characters such as "$," "#," "@," and "".
3. Connect wireless laptops to the secured network
On your wireless laptops, right-click on your wireless network connection (either in the Windows task bar or under Control Panel/Network Connections) and select View Available Wireless Networks.
Your wireless access point should appear with a lock next to it. This means the network is locked. Select your network, and click Connect. You will be prompted for your WPA key. Enter the same key you entered on the wireless access point under WPA Shared Key. Within a few moments you should be connected. If nothing happens, double check your key.
Congratulations! At this point you've successfully secured the wireless network.
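The WPA Shared Key chosen in step 2 is worth checking before you type it into the router. The following Python sketch is an added example, not part of the original article: it shows how WPA/WPA2-Personal turns the passphrase and the SSID into the actual 256-bit network key, and flags weak choices. The function names, the 80-bit target and the sample values are assumptions made for this example.

```python
import hashlib
import math
import string

# SSIDs the article names as defaults it sees in the neighborhood.
DEFAULT_SSIDS = {"linksys", "netgear"}
MIN_BITS = 80  # assumed target for this example, not a figure from the article


def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Hex form of the 256-bit key WPA/WPA2-Personal derives from a passphrase.

    The derivation is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations
    and 32 bytes of output.
    """
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def check_shared_key(passphrase: str, ssid: str) -> list:
    """Return the problems found with a candidate WPA Shared Key (empty = OK)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("passphrase must be printable ASCII")
    # Upper bound on strength: assumes every character was picked at random
    # from the character classes in use. Real words score lower than this.
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if set(c) & set(passphrase))
    bits = len(passphrase) * math.log2(pool) if pool else 0.0
    if bits < MIN_BITS:
        problems.append(f"at most ~{bits:.0f} bits; aim for {MIN_BITS}+")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("passphrase contains the SSID")
    if ssid.lower() in DEFAULT_SSIDS:
        problems.append("default SSID: it salts the key, so rename the network")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw, ssid in [("password", "linksys"), ("T4ble$Lamp#Orbit@Nine", "Nubrek")]:
        print(ssid, derive_wpa_psk(pw, ssid)[:16] + "...", check_shared_key(pw, ssid))
```

Because the SSID is the salt, the same passphrase yields a different key on every differently named network, which is one more reason to rename an access point that still carries its factory name.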
You also can take the following additional steps to lock down the network:
- Employ MAC Address Filtering
Each network device (routers, cable modems, computer network ports, wireless cards, etc.) has a unique MAC address. A MAC address is the unique address of the wireless card in your computer. This allows the network to quickly and uniquely address new devices on the network. An option on many wireless routers is to filter based on MAC addresses, so that only MAC addresses you've authorized can access the network.
- Don't Broadcast Your SSID
At any given time, I can see four or five of my neighbors' wireless networks. The prominent ones are something like, "linksys," "netgear," and "L!b3rty."
These are all SSIDs (Secure Set Identification) that the access points are broadcasting. An SSID is an access point identifier. At Nubrek, we might call our access point "Nubrek" to distinguish ourselves from the guy next door. It's easy to see "Nubrek" and to connect to it. Unfortunately, it's also easy for the folks in the office next door to see it.
One way to protect your business is to not make this SSID available. Instead of the access point saying "Here I am; here's my address!" others will need to know it in advance. Now their computers have to ask "Would the SSID named 'Nubrek' please respond?" This makes it a lot harder for snoopers to stumble onto your network.
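For the MAC address filtering step above, the authorized list is only useful if it is kept accurate and compared against what is actually connected. This added Python example (not from the original article) normalizes addresses written in different notations, since Windows shows them with hyphens in `ipconfig /all` while many router pages use colons, and reports connected clients that are not on the list. The `hostname,mac` client-table format, the host names and the addresses are constructed for this example.

```python
import re


def normalize_mac(raw: str) -> str:
    """Return a MAC address as lowercase aa:bb:cc:dd:ee:ff, else ValueError."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the address was set in software rather than by the maker."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def audit_clients(allowlist, client_table: str) -> list:
    """Compare a router's client table against the authorized MAC list.

    client_table holds 'hostname,mac' per line (a constructed format for
    this example; copy yours from the router's client list).
    """
    allowed = {normalize_mac(m) for m in allowlist}
    findings = []
    for line in client_table.strip().splitlines():
        if "," not in line:
            continue  # skip blank or malformed rows
        host, raw_mac = (field.strip() for field in line.split(",", 1))
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            findings.append((host, raw_mac, "unparseable MAC"))
            continue
        if mac not in allowed:
            note = "not authorized"
            if is_locally_administered(mac):
                note += ", software-assigned address"
            findings.append((host, mac, note))
    return findings


# Constructed sample data using the RFC 7042 documentation address range.
AUTHORIZED = ["00-00-5E-00-53-01", "0000.5e00.5302"]  # as typed by hand
CLIENTS = """
frontdesk-xp,00:00:5E:00:53:01
joel-laptop,00:00:5e:00:53:02
unknown,02:00:5E:00:53:99
"""

if __name__ == "__main__":
    for finding in audit_clients(AUTHORIZED, CLIENTS):
        print(finding)
```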
Joel Rydbeck, Chief Executive Officer of Nubrek Inc., brings his strong background in e-commerce and business process automation to the merchant services industry. Nubrek offers eISO, a Web application for ISOs that tracks leads and provides automated residual and commission reports. For more information on eISO or to view a free demo, visit www.nubrek.com/eiso.html. E-mail Rydbeck at joel@nubrek.com.