Wireless Network Security, WEP, WPA Encryption and You
Wireless networking is ubiquitous, and with its proliferation comes increased security concern. There are a lot of you out there with wireless networks that are woefully insecure, or that are made less secure daily by the people who use them. I’m going to take a few minutes to explain the common wireless security standards, and how you can use them to remedy your wireless security problems.
Wireless Encryption
You are using encryption on your wireless network, aren’t you? By now, very few manufacturers produce Access Points (APs) that aren’t secured by default, or as part of the setup process. Here’s a brief explanation of the various wireless LAN security methods:
Wired Equivalent Privacy (WEP)
Often mistakenly referred to as the “Wireless Encryption Protocol”, this is a deprecated method of wireless security which can be cracked by a malicious individual within minutes (PDF link). So what you really need to know is: don’t use it. It’s usually easy to identify, since the password is generally a series of hexadecimal characters (that is: 0–9, A–F).
Wi-Fi Protected Access (WPA)
WPA, and its more secure and more resource-intensive successor WPA2, use a few different methods to encrypt traffic. The difference between WPA and WPA2 lies in the encryption methods used: TKIP and the AES-based CCMP, respectively. There are flaws in the older TKIP protocol that can also be used to gain access to your network, but it tends to be more compatible with older hardware (and even some modern hardware, such as the Sony PSP and the Nintendo DS), which may limit your ability to run a WPA2-only network.
Pre-shared Key (PSK)
PSK is the most common method of securing a wireless network, mostly because it’s the easiest to implement and doesn’t require a separate authentication server (more on that later). In this method, everyone on your secure wireless network connects to access points utilizing the same password, which is probably known by everyone. For a home environment, this is probably OK. You’d assume that most of the people you’re letting on your network are your friends or family, and – depending on the quality of your friends and family – you can probably trust them with access to your network.
The trouble with PSK is, especially for businesses, that if you want to remove one user’s access to your network, you need to give everybody else the new key. This may include all of your employees, contractors, and any other guests that have been on your network. It could be a lot of work for a large company, especially if it’s all because of one employee leaving the company.
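The following Python example, added here and not part of the original post, makes the “everyone shares one key” point concrete. WPA and WPA2-Personal derive the 256-bit Pairwise Master Key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so every device that knows the passphrase holds exactly the same secret, and revoking one person means every other device has to be rekeyed. The device inventory and passphrases are constructed for illustration; the first test vector (passphrase “password”, SSID “IEEE”) is the one published in IEEE 802.11i.

```python
import hashlib
from typing import Dict, List


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK as specified by IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so the same passphrase on a different
    network name yields a different key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex rendering of the PMK, the form most supplicants store it in."""
    return wpa_psk(passphrase, ssid).hex()


def devices_needing_rekey(device_keys: Dict[str, bytes], ssid: str,
                          new_passphrase: str) -> List[str]:
    """Given the PMK each device currently holds, return every device that
    stops working once the passphrase is rotated. With a shared PSK this
    is always the whole population, which is the operational cost the
    post describes."""
    new_pmk = wpa_psk(new_passphrase, ssid)
    return sorted(name for name, pmk in device_keys.items() if pmk != new_pmk)


if __name__ == "__main__":
    # Constructed example: five devices all provisioned with one passphrase.
    ssid = "ACME-Corp"
    old_passphrase = "CorrectHorseBattery"
    devices = {name: wpa_psk(old_passphrase, ssid)
               for name in ("alice-laptop", "bob-phone", "lobby-printer",
                            "contractor-tablet", "guest-netbook")}
    # One contractor leaves, so the passphrase has to change...
    rotated = devices_needing_rekey(devices, ssid, "NewPassphrase2024")
    # ...and every single device, not just the contractor's, must be revisited.
    print(f"PMK for {ssid!r}: {pmk_hex(old_passphrase, ssid)}")
    print(f"{len(rotated)} of {len(devices)} devices need the new key:", rotated)
```

Because the PMK is a pure function of passphrase and SSID, there is no per-user component to revoke; that is the gap 802.1X fills by giving each user their own credential.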
There’s a solution, and most corporations already have the tools necessary to implement the fix.
802.1X
The IEEE standard 802.1X is a method of providing authentication to a Wireless Access Point, where every user that connects to the network is required to use a unique username/password pair for access. This requires a separate authentication server to provide the usernames and passwords, but most businesses already have a capable system. This is commonly known as a RADIUS server, which can be provided by either Microsoft Active Directory or Mac OS X Server (since OS X 10.5), and will integrate with almost any modern Wireless Access Point. Once configured, if you need to cut off access to a single person, you disable their username/password rather than changing everyone’s. Sounds pretty good, right?
But what about guest access?
Good question. Even on my home network, I don’t want anyone who only requires internet access to have full access to everything on my network. Your business? Certainly even less so. What most businesses don’t realize is that every user they’ve given access to their wireless network (probably just because they needed internet access) now potentially has access to all of their systems, including file servers, printers, databases, you name it. Sure, those probably have separate encryption methods, but many of these can be circumvented by listening to network traffic as it streams across the network. And who has access to your network? Everybody.
So how do you combat this? In a simple network setup, such as a home network, a device like a Dual-Band AirPort Extreme Base Station already provides a facility to create a separate guest network, provided it’s acting as the network endpoint (router/firewall). That’s a fine solution for many, but often not for businesses, which have much more demanding network routing needs and are already using an enterprise-grade firewall/router solution.
For these customers, provided their router can support separate networks or VLANs, we usually supplement their existing network with a few low-cost Wireless Access Points to act as a separate wireless network. It’s a cheap and efficient solution, and most enterprise or even small business routers already support the network separation necessary to make this work.
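The checks described across this post (WEP and its tell-tale hex key, TKIP left enabled, a shared PSK on the corporate SSID instead of 802.1X, and a guest SSID that is not actually separated onto its own VLAN) can be turned into a simple inventory audit. The Python below is an added example, not code from the original post; the `AccessPoint` record layout and the sample inventory are constructed for illustration, and the WEP-key heuristic relies only on the fact that WEP-40 and WEP-104 keys are 10 or 26 hexadecimal digits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# WEP-40 and WEP-104 keys are 10 or 26 hex digits, the pattern the post
# tells you to look for when identifying a WEP network.
_WEP_HEX_KEY = re.compile(r"^(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})$")


def looks_like_wep_key(key: str) -> bool:
    """True when a stored key has the shape of a raw WEP key."""
    return bool(_WEP_HEX_KEY.match(key))


@dataclass
class AccessPoint:
    """Constructed inventory record for one SSID (hypothetical layout)."""
    ssid: str
    security: str            # "OPEN", "WEP", "WPA", "WPA2" or "WPA/WPA2"
    cipher: str              # "NONE", "WEP", "TKIP", "CCMP" or "TKIP+CCMP"
    auth: str                # "PSK" or "802.1X"
    vlan: int                # VLAN the SSID is bridged onto
    role: str                # "corporate" or "guest"
    key: Optional[str] = None  # pre-shared key, if any (redacted in practice)


Finding = Tuple[str, str, str]  # (severity, ssid, message)


def audit(aps: List[AccessPoint]) -> List[Finding]:
    """Apply the post's recommendations to an inventory and report gaps."""
    findings: List[Finding] = []
    corporate_vlans: Set[int] = {ap.vlan for ap in aps if ap.role == "corporate"}

    for ap in aps:
        wep = (ap.security == "WEP" or ap.cipher == "WEP"
               or (ap.key is not None and looks_like_wep_key(ap.key)))
        if wep:
            findings.append(("CRITICAL", ap.ssid,
                             "WEP in use; replace with WPA2 (CCMP) immediately"))
            continue  # nothing else about this SSID matters until WEP is gone
        if ap.security == "OPEN" or ap.cipher == "NONE":
            findings.append(("CRITICAL", ap.ssid, "no encryption at all"))
            continue
        if "TKIP" in ap.cipher:
            findings.append(("HIGH", ap.ssid,
                             "TKIP still permitted; restrict to CCMP unless "
                             "legacy clients genuinely require it"))
        if ap.role == "corporate" and ap.auth == "PSK":
            findings.append(("MEDIUM", ap.ssid,
                             "corporate SSID uses a shared PSK; revoking one user "
                             "means rekeying everyone, move to 802.1X/RADIUS"))
        if ap.role == "guest" and ap.vlan in corporate_vlans:
            findings.append(("HIGH", ap.ssid,
                             f"guest SSID sits on corporate VLAN {ap.vlan}; "
                             "guests can reach internal servers and printers"))
    return findings


# Constructed sample inventory for a small office.
SAMPLE_INVENTORY = [
    AccessPoint("ACME-Legacy", "WEP", "WEP", "PSK", 10, "corporate", key="0A1B2C3D4E"),
    AccessPoint("ACME-Corp", "WPA/WPA2", "TKIP+CCMP", "PSK", 10, "corporate"),
    AccessPoint("ACME-Guest", "WPA2", "CCMP", "PSK", 10, "guest"),
    AccessPoint("ACME-Secure", "WPA2", "CCMP", "802.1X", 20, "corporate"),
    AccessPoint("ACME-Visitors", "WPA2", "CCMP", "PSK", 99, "guest"),
]

if __name__ == "__main__":
    for severity, ssid, message in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {ssid}: {message}")
```

Only the last two SSIDs pass: an 802.1X corporate network on its own VLAN, and a guest network whose PSK is acceptable precisely because the VLAN keeps it off the corporate segment.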
So what did we learn?
Think about who has access to your networks! Old employees? Enemies? Competitors? Untrustworthy “friends”? It might be time to think about your wireless network security!
