Beefing up Wi-Fi security


Lately, for no apparent reason, I've been pondering the strength of the security on my home 802.11g networks.

A few months ago I picked up O'Reilly's Network Security Hacks. It's a good book that follows their typical "Hacks" series of books, with one-hundred or so tips or tricks on the subject. Many of these hacks seem like basic tricks, but in the case of the network security book, the authors do seem to find some ideas you may have not thought of.

After that, I also picked up the book Wi-Foo, which builds on the concept but is directed more at wireless.

Like a lot of those individuals that have the typical Linksys, Netgear, or D-Link wireless routers, I've been forced to accept WEP or WPA, along with some other measures to ensure security. However, they all have their pros and cons.

WEP: Wired Equivalent Privacy is the earliest form of encryption over wireless 802.11b/802.11g networks. It's also compatible with the widest range of devices. However, programs now exist to analyze the encrypted traffic and recover your secret WEP key.

WPA: Wi-Fi Protected Access was an improvement on WEP. The most significant improvement over WEP is the Temporal Key Integrity Protocol (TKIP). Essentially, this means the key used to encrypt your traffic changes over time, making it harder to extract a usable key. The downside is that a lot of hardware and software still don't support WPA. So, for ease of interoperability, many people still use plain WEP.

Disable SSID Broadcast: Many people opt to set their routers to stop broadcasting the SSID (Service Set Identifier). This should not even be considered security. It does initially make the wireless access point invisible to most casual hotspot users, but anyone who opts to dig deeper can sniff out the SSID string, which is then used to join the network.

MAC Address Filtering: Again, not secure - but it can be monitored to enhance security. Every LAN PCI card, every PCMCIA card, every 802.11b/g adapter, and any other network device is assigned a unique MAC (Media Access Control) address when it is manufactured. In fact, hardware manufacturers are assigned pools of MAC addresses by the IEEE. However, this value can often be changed, and there is often a legitimate need to do so. One may think they can set up their wireless router or access point to limit wireless access by filtering MAC addresses. Much like a WEP key can be sniffed out, the MAC address can be sniffed out too. As I mentioned, the MAC address can be changed on an adapter, and an unwelcome visitor could then bypass MAC address filtering.

However, if you do have MAC address filtering enabled, and only a limited number of MAC addresses are allowed on your network, the intruder would have to duplicate one of the valid MAC addresses. This may or may not be plainly noticeable, but a utility called "arpwatch", available from LBNL's (Lawrence Berkeley National Laboratory) Network Research Group (http://www-nrg.ee.lbl.gov/), can monitor for this occurrence and notify you if an intruder has gained access to your network by this method.
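To show what that kind of monitoring actually looks for, here is a small arpwatch-style monitor written as an added example; it is not arpwatch's code and not part of the original post. It walks a constructed list of ARP observations (timestamp, IP, MAC), keeps the IP-to-MAC mapping it has seen, and reports the same kinds of events arpwatch reports: a new station, an IP whose MAC changed, and a "flip flop" where the mapping bounces back to an earlier MAC. It also flags a MAC address that turns up behind more than one IP, which is how a cloned MAC tends to appear on a small home LAN. The sample addresses and timestamps are made up for the example.

```python
"""Minimal arpwatch-style monitor over constructed ARP observations.

Each observation is (timestamp, ip, mac), as a sniffer or the access point's
ARP table might report it.  This is an illustration of the detection idea,
not arpwatch itself.
"""
from collections import defaultdict

# Constructed sample observations (not captured from a real network).
SAMPLE_OBSERVATIONS = [
    ("10:00:01", "192.168.1.10", "00:11:22:33:44:55"),  # laptop, legitimate
    ("10:00:02", "192.168.1.11", "00:11:22:33:44:66"),  # desktop, legitimate
    ("10:05:10", "192.168.1.10", "00:11:22:33:44:55"),  # nothing new
    ("10:07:30", "192.168.1.10", "00:AA:BB:CC:DD:EE"),  # laptop's IP answers from another MAC
    ("10:07:45", "192.168.1.10", "00:11:22:33:44:55"),  # ...and back again: flip flop
    ("10:09:00", "192.168.1.23", "00:11:22:33:44:66"),  # desktop's MAC now also behind .23
]


def normalize_mac(mac):
    """Lower-case the MAC so 00:AA and 00:aa compare equal."""
    return mac.strip().lower()


class ArpMonitor:
    def __init__(self):
        self.ip_to_mac = {}              # ip -> MAC currently associated with it
        self.previous_mac = {}           # ip -> MAC seen before the current one
        self.mac_to_ips = defaultdict(set)  # mac -> every IP it has been seen with
        self.events = []                 # (timestamp, event, ip, mac)

    def observe(self, ts, ip, mac):
        mac = normalize_mac(mac)
        current = self.ip_to_mac.get(ip)
        if current is None:
            self.events.append((ts, "new station", ip, mac))
        elif current != mac:
            # Same IP, different hardware address.  If it is the address we
            # saw before the current one, arpwatch calls that a flip flop.
            if self.previous_mac.get(ip) == mac:
                self.events.append((ts, "flip flop", ip, mac))
            else:
                self.events.append((ts, "changed ethernet address", ip, mac))
            self.previous_mac[ip] = current
        self.ip_to_mac[ip] = mac

        # One MAC behind several IPs is what a duplicated address looks like
        # on a LAN where each station normally keeps one lease.
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            self.events.append((ts, "duplicate mac", ip, mac))


def run_monitor(observations):
    """Feed every observation to a fresh monitor and return its event list."""
    mon = ArpMonitor()
    for ts, ip, mac in observations:
        mon.observe(ts, ip, mac)
    return mon.events


def format_report(events):
    """Render events one per line, roughly the way arpwatch's mail reads."""
    return "\n".join(f"{ts}  {event:<24} ip={ip} mac={mac}"
                     for ts, event, ip, mac in events)


if __name__ == "__main__":
    print(format_report(run_monitor(SAMPLE_OBSERVATIONS)))
```

The monitor deliberately does not decide what is hostile: a device that receives a new DHCP lease also shows up as "changed ethernet address" or "duplicate mac", so, as with arpwatch's mail reports, the events are prompts for a person to check rather than verdicts.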

So, right now, I'm using WEP as I have two devices that don't seem to like WPA. I think the logical answer is to use a package like OpenVPN (http://openvpn.sourceforge.net). I'm currently in the process of installing and troubleshooting it for my particular installation (a wired Linux OpenVPN server, and a wireless WinXP laptop as the client). I would think this is a pretty common scenario, but I can't seem to find previous recent documentation. I could be having issues with a firewall or routing, but haven't really had time to work it out. When I do, I'll be sure to post it in case it is of use to anyone else.