This is Part 6 on Securing Your WHS & Network.
We have classified the threats to the network into three major categories. Part 4 addressed threats associated with the computer user, and Part 5 addressed general network threats. This part explains how wireless data is encrypted and decrypted using a key and an algorithm, why a strong key or passphrase for wireless devices matters (so that it cannot be guessed or recovered by brute force), how to configure the wireless router or access point for the highest level of security it offers, and what should be done if a laptop has been lost or stolen.
As discussed in Part 2, a wireless network uses radio signals to transmit and receive data between computers and wireless devices such as print servers and access points. The wireless access point can be a stand-alone device or part of a cable/DSL modem or network router.
The wireless topology introduces a far greater threat to the network environment because it is very difficult to stop the radio signals from being received by an unauthorized person inside or outside the building. A wireless signal typically carries up to 300' (90m) outdoors and 150' (45m) inside a building, and a directional antenna lets an eavesdropper receive it from considerably further away. It is ironic that the same technology that makes a radio signal strong enough to pass through furniture, walls, or floors makes it strong enough to be received by unauthorized users.
It is very important to restrict which computers can communicate with the network. The threats range from giving a neighbour free use of your network and Internet service to allowing an unknown person to connect and deliberately steal or destroy files on your computers. Because it is impossible to control precisely how far a wireless signal travels or who can receive it, the protection has to come from the access point's configuration rather than from the signal's reach.
The wireless access point and wireless network card generally provide two mechanisms for restricting unauthorized use of the network: encryption of the traffic and MAC (media access control) filtering. The great majority of access points manufactured today support both. Encryption is the control that actually keeps intruders out; MAC filtering, as discussed later in this part, is only a supplementary measure.
Encryption is the scrambling of a message in a way that is difficult to unscramble and read. The interesting thing is that it has been in use for thousands of years. The Romans used an encryption method that shifted the alphabet by a set number of characters; this is called a Caesar shift. For example, with a Caesar shift of 1, the word HAL becomes IBM.
Encryption has evolved through the years. Some methods, like the Enigma machine used by the Germans in World War II, used a machine set to the appropriate key to encode and decode a message. Today encryption is computer-based: symmetric ciphers such as AES use keys of 128 to 256 bits, and public-key algorithms use keys of 1,024 bits and more, which makes decoding without the key practically impossible.
A very simplified example of encryption can be based on a key with a length of 8 bits. We use 8 bits because every character in the basic character set is represented by an 8-bit value. Our encryption algorithm adds the binary value of the key to the binary value of the character to be encrypted (keeping only the low 8 bits so the result is still one character), and does this for every character in the message.
The following shows what happens when the letter A is encrypted with the key M. The binary value of M (01001101) is added to the binary value of A (01000001), which gives the encrypted value 10001110. That byte has no meaning in plain ASCII; in the character set the author was using it displayed as the Latin capital letter N with acute (Ń). To decode the character, the binary value of M is subtracted, which yields A again.
One needs to know both the key and the algorithm to decode the message. As the key grows longer and the algorithm more complex, it is easy to see that decoding an encrypted message without the key becomes very difficult. In practice the algorithm is assumed to be public and all of the security rests on the key: an 8-bit key like the one above has only 256 possible values and can be tried exhaustively in an instant.
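The toy cipher described above, as an added example that is not code from the original page: it implements the byte-by-byte additive scheme (generalised to a repeating key of any length, which the text does not do), reproduces the A-with-key-M result, and then shows the two reasons such a short key is worthless in practice, a known-plaintext recovery of the key and an exhaustive search over all 256 single-byte keys. The plausibility test used for the brute force is an assumption of this example.

```python
"""Additive byte cipher from the text, plus the attacks that break it.

Added example, not code from the original page. Encryption adds the key to
each message byte (modulo 256 so the result stays one byte); decryption
subtracts it. A key longer than one byte is repeated over the message.
"""
from itertools import cycle


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Add the key to the message byte by byte, repeating the key as needed."""
    if not key:
        raise ValueError("empty key")
    return bytes((p + k) & 0xFF for p, k in zip(plaintext, cycle(key)))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Subtract the key byte by byte; exact inverse of encrypt()."""
    if not key:
        raise ValueError("empty key")
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, cycle(key)))


def recover_key_stream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: subtracting what you know from what you
    captured returns the key bytes that were applied at each position."""
    return bytes((c - p) & 0xFF for p, c in zip(plaintext, ciphertext))


def looks_like_text(data: bytes) -> bool:
    """Plausibility test (assumption of this example): ASCII letters and spaces."""
    return all(b == 0x20 or 65 <= b <= 90 or 97 <= b <= 122 for b in data)


def brute_force_single_byte(ciphertext: bytes, plausible=looks_like_text) -> list:
    """Exhaustive search over the 256 possible one-byte keys; returns every
    key whose decryption passes the plausibility test."""
    return [k for k in range(256) if plausible(decrypt(ciphertext, bytes([k])))]


if __name__ == "__main__":
    # The example from the text: A encrypted with key M.
    ct = encrypt(b"A", b"M")
    print(f"A + M -> {ct.hex()} (binary {ct[0]:08b})")   # 8e, 10001110
    print("decrypted:", decrypt(ct, b"M"))               # b'A'

    # Constructed message; the key is recovered from one known character.
    msg = b"Attack at dawn"
    ct = encrypt(msg, b"M")
    print("key from known plaintext:", recover_key_stream(msg[:1], ct[:1]))

    # Without any known plaintext, all 256 keys are tried in an instant.
    print("candidate keys:", brute_force_single_byte(ct))
```

A repeating key of n bytes raises the search to 256^n, but because each position still depends on a single key byte, the same known-plaintext subtraction recovers a multi-byte key just as easily, which is why real ciphers do not reuse key bytes in this way.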
Several types of encryption are used to safeguard the traffic broadcast on a wireless network, and some are much better than others. Which methods are available depends on when the wireless access point or wireless network card was manufactured.
Older models provide only a "low" level of protection. The first generation of wireless devices used Wired Equivalent Privacy (WEP) to protect wireless traffic. The key was entered as a 64- or 128-bit hexadecimal string (10 or 26 hex digits) of the form AEEF52261FFEEC, and only 40 or 104 of those bits were actually secret; the remaining 24 bits are an initialization vector sent in the clear with every packet.
By 2001, a major weakness had been identified in the WEP algorithm: WEP uses the RC4 stream cipher with that short 24-bit initialization vector, and the way the vector is combined with the key leaks information about the key. Intruders using commonly available software are able to recover the key with little effort, usually within 10 to 20 minutes of capturing traffic.
To address the weaknesses of WEP, Wi-Fi Protected Access (WPA) was introduced in 2003 as an interim solution that could run on existing hardware. WPA2, ratified in 2004, fully implements the IEEE 802.11i standard.
The second-generation WPA and WPA2 standards take a passphrase of 8 to 63 printable characters, such as This1SMyPP@ssword!, rather than a hexadecimal key. The passphrase is not used directly as the encryption key: the access point and the client each derive a 256-bit pre-shared key from the passphrase and the network name, then negotiate per-session keys from it, so the passphrase configured on the access point and on the client must match for the client to join the network. WPA2 with the AES cipher (AES-CCMP, which encrypts with a 128-bit key) and a strong passphrase makes reading the wireless traffic without the passphrase impractical; the realistic attack is guessing the passphrase offline from a captured connection handshake, which is exactly why the passphrase must not be guessable.
We recommend that the passphrase used for the wireless access point be a "strong, non-dictionary" string to offer the greatest level of protection. "Strong" means it mixes character classes (numbers, punctuation, and capital letters in unpredictable positions) and, above all, is long. "Non-dictionary" means it is not a word or phrase found in an unabridged dictionary, nor a dictionary word with a few letters swapped for look-alike digits and symbols, since password-cracking tools try those substitutions automatically. Each additional character multiplies the number of guesses an intruder must make, so length does more for security than any single special character. We recommend a passphrase of at least 13 characters so that it cannot be discovered by random selection or brute force, and longer is better; the standard allows up to 63.
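The two paragraphs above describe how the passphrase becomes the key and why its length matters. The following added example (not code from the page) derives the WPA/WPA2 pre-shared key exactly as an access point does, using the PBKDF2-HMAC-SHA1 construction that IEEE 802.11i specifies (4096 iterations, 256-bit output, SSID as salt), estimates the guess space of a passphrase of a given shape, and runs a small offline dictionary attack against a derived key. The wordlist, the example SSIDs, the passphrases and the guess rate are constructed for illustration; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
"""WPA/WPA2 pre-shared key derivation and passphrase-strength estimates.

Added example, not code from the original page. IEEE 802.11i derives the
256-bit PSK as PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes);
the per-session AES-CCMP key is then negotiated from that PSK. An attacker
who captured a connection handshake can test passphrase guesses offline
against it, so the only defence is a passphrase that cannot be guessed.
"""
import hashlib
import math
import string


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK exactly as the access point and client do."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("802.11i passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def guess_space(passphrase: str) -> int:
    """Number of candidates an attacker must try if the passphrase were a
    random string drawn from the character classes it uses."""
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(c in string.punctuation for c in passphrase):
        charset += len(string.punctuation)          # 32 symbols
    return charset ** len(passphrase)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given offline rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def dictionary_attack(target_psk: bytes, ssid: str, wordlist) -> "str | None":
    """Offline attack: derive the PSK for each candidate and compare. A real
    tool checks each guess against the handshake MIC instead; the cost per
    guess (4096 HMAC-SHA1 rounds) is identical."""
    for word in wordlist:
        try:
            if wpa2_psk(word, ssid) == target_psk:
                return word
        except ValueError:
            continue                                # too short to be valid
    return None


if __name__ == "__main__":
    print(wpa2_psk("password", "IEEE").hex())       # 802.11i test vector
    print(wpa2_psk("password", "HomeNet").hex())    # same passphrase, other SSID
    weak, strong = "password", "This1SMyPP@ssword!"
    rate = 1e5   # assumed guesses/second for one cracking rig; constructed value
    for p in (weak, strong):
        bits = math.log2(guess_space(p))
        print(f"{p!r}: ~{bits:.0f} bits if random, "
              f"{years_to_exhaust(guess_space(p), rate):.3g} years at {rate:g}/s")
    wordlist = ["letmein", "qwerty123", "password", "iloveyou"]   # constructed
    print("dictionary hit:", dictionary_attack(wpa2_psk(weak, "IEEE"), "IEEE", wordlist))
```

The point the numbers make: the guess-space estimate only holds when the passphrase really is random. A dictionary word falls to the wordlist loop at once regardless of its computed "bits", and a dictionary word with 1/!/@ substitutions is in the cracker's rule set too, so the estimate for This1SMyPP@ssword! is an upper bound, not a guarantee.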
The wireless access point, whether it is a stand-alone device or built into the router, needs to be configured to permit wireless devices to join the network. The administrator must take great care to configure the wireless settings properly to ensure that the wireless LAN is adequately secured. We are using a SonicWALL TZ-180 router to demonstrate the configuration settings. This router is also capable of deep packet inspection, which adds protection for wired and Internet traffic, but the wireless settings below apply to any access point.
We address the settings that are generic across the majority of routers; the following is an example of the settings that achieve the highest level of security for the wireless network. Please refer to your router's manual for other settings that are specific to the manufacturer and model. We at Home Server Land recommend that the following settings be configured in the router/access point.
The Wireless Settings window is used to enable the wireless network by placing a check mark in the Enable WLAN Radio option.
Selecting the 2.4GHz 802.11g Only option for the radio mode excludes 802.11b wireless devices. We identified in Part 2 that devices based solely on 802.11b are outdated and should not be used: many of them support only the broken WEP encryption, and a single 802.11b client forces the access point into a slower compatibility mode that significantly reduces the network throughput for everyone.
The channel can be changed to another value, or Auto Select can be chosen. Some routers require a specific channel for special features that are unique to the router. Channel choice is a performance setting rather than a security setting: pick the channel with the least interference from neighbouring networks (in the 2.4GHz band only channels 1, 6 and 11 do not overlap, and channel 6 is the most common default) so that your own devices get the best reception.
The default SSID (service set identifier) should be changed. This name is what site survey utilities and Windows XP/Vista show when they list nearby wireless networks, so it should be one you recognise but not one that identifies you. Rather than <familyname>-Wireless or <businessname>-Wireless, which tell a passer-by whose network it is and which building to target, pick a name that reveals nothing. There is a second reason to choose an unusual name: WPA and WPA2 mix the SSID into the key derived from the passphrase, so attackers precompute tables of passphrase guesses for the most common SSIDs (manufacturers' defaults above all), and a unique SSID forces them to start from scratch.
Click the Apply button to save the wireless configuration settings.
The authentication type should be set to WPA2 - Auto - PSK to achieve the highest level of security. If the router also offers a plain WPA2 - PSK option and all of your clients support WPA2, prefer that one, since on many devices the Auto variant also accepts older WPA clients. PSK stands for pre-shared key: the access point and every client authenticate with the same passphrase, which is entered on both sides.
The cipher type should be set to AES (Advanced Encryption Standard, used by WPA2 in its CCMP mode) to achieve the highest level of security. The older TKIP cipher exists only for compatibility with first-generation WPA hardware.
The passphrase should be a "strong, non-dictionary" string as described at the beginning of this blog. This1SMyPP@ssword! is the example used in this series; a string of the same length made of randomly chosen characters, or several unrelated words, is stronger still, because a dictionary word with predictable substitutions is among the first things a cracking tool tries.
Click the Apply button to save the wireless security configuration settings.
Broadcasting the SSID lets the wireless network be discovered by other wireless devices; when this option is disabled, the SSID must be entered manually on each client. This is a kind of "stealth" mode. Selecting the Hide SSID in Beacon option keeps the network out of casual neighbours' network lists, but it is not a security control: the name is still transmitted in the clear whenever a client connects, and any wireless sniffer shows it within seconds, so it must never be relied on in place of WPA2 encryption.
The transmit power setting selects the strength of the radio signal. Full Power boosts the signal to overcome dead spots, which also carries it further outside your premises. We recommend using lower values unless there are reception problems, while remembering that a determined intruder with a directional antenna can still receive a weak signal from well beyond its nominal range.
The protection mode setting (802.11g protection: Auto, Always or None) is a compatibility mechanism that lets 802.11g and older 802.11b radios share the channel. It has no effect on security, and setting it to Always lowers throughput; leave it on Auto unless the manufacturer advises otherwise.
Click the Apply button to save the wireless advanced configuration settings.
The coverage area of a wireless network is called a hotspot. A hotspot can be a network made available to the general public for Internet access or a private local area network. Public hotspots do not authenticate individual users: they are either open, or they use a single shared password that every customer is given for the connection and for encrypting the traffic. This is the code the coffee shop or hotel gives you so that you can connect your laptop to the Internet while on their premises, and it is changed frequently to discourage abuse. Bear in mind that on such a shared-password network every other customer knows the same key and can, with the right tools, read your traffic, so use a VPN or encrypted protocols there.
Private local area networks require the wireless passphrase and, in larger deployments, authentication of each user as well (WPA2-Enterprise, where a RADIUS server checks individual credentials). All the wireless networks used by homes and small businesses fall into the private category, as do the networks that wireless service companies run for their subscribers; the difference is that such companies use equipment designed for a significantly higher level of security and for managing a large volume of network traffic.
MAC or media access control filtering uses the 48-bit physical address of the network card to permit or deny a computer's access to the local network. The address is written as six two-digit hexadecimal groups separated by colons or hyphens. Whitelists and blacklists are used with MAC filtering: a whitelist contains the physical addresses of devices that are permitted, and a blacklist contains the physical addresses that are denied access to the network.
We recommend that the MAC addresses for each laptop be recorded and saved by the administrator. This will serve as a record in case the laptop is lost or stolen. As mentioned in Part 1, a study conducted by Dell, Inc. and the Ponemon Institute found that more than 12,000 laptop computers are lost per week at US airports1.
1 Used by permission. Larry Ponemon, Airport Insecurity: The Case of Missing & Lost Laptops, June 30, 2008, sponsored by Dell, Inc. and Ponemon Institute.
If a laptop is lost or stolen, the administrator can use this record as the basis for a blacklist that contains the computer name and MAC address. The router's MAC filtering option is then used to restrict that laptop from accessing the local wireless network.
MAC filtering identifies only the network card, not the user or the computer, and the address is not a secret: it is transmitted in the clear in every frame, and on most operating systems it can be changed in software in seconds, so anyone who captures the address of a permitted device can impersonate it. A thief can also simply use a different wireless card. Therefore, we highly recommend that the encryption passphrase be changed if a laptop is lost or stolen, because the stolen machine holds a copy of it.
Click the Enable MAC Filter List option and define a deny list to have the router deny access for the MACs included in the list. For example, a deny list named Black List is created and the administrator would enter the computer name and MAC address for the computer that is denied access to the wireless network.
Click the OK button to save the MAC filtering configuration settings.
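The MAC inventory, blacklist and attached-device review described in this section can be automated. The following added example (not code from the page or from any router vendor's firmware) parses a constructed attached-device listing of the kind most routers display (IP address, device name, MAC), normalizes the addresses, and checks them against a recorded inventory and a denylist. It reports unknown devices, a denylisted device that nevertheless connected (a sign the filter is not working), a known MAC whose hostname has changed (a possible spoof), and addresses with the locally administered bit set, which software-assigned or randomized MACs typically carry. All addresses and hostnames are constructed for the example.

```python
"""Audit a router's attached-device list against a recorded MAC inventory.

Added example, not from the original page or any router's firmware. The
listing format, inventory, denylist and MAC addresses are constructed.
"""
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; return upper-case, colon form."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").upper()


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit: set means the address was
    assigned by software (randomized or spoofed), not burned in by the vendor."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_attached(listing: str) -> list:
    """Rows of (ip, hostname, mac) from a whitespace-separated table;
    header and malformed lines are skipped."""
    rows = []
    for line in listing.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not MAC_RE.fullmatch(parts[2]):
            continue
        ip, host, mac = parts
        rows.append((ip, host, normalize_mac(mac)))
    return rows


def audit(inventory: dict, denylist: set, listing: str) -> dict:
    """Classify every attached device. inventory maps MAC -> recorded hostname;
    denylist holds MACs of lost or stolen devices that must never appear."""
    findings = {"known": [], "unknown": [], "denied": [],
                "hostname_mismatch": [], "locally_administered": []}
    for _ip, host, mac in parse_attached(listing):
        if mac in denylist:
            findings["denied"].append(mac)       # filter should have blocked it
            continue
        if is_locally_administered(mac):
            findings["locally_administered"].append(mac)
        if mac not in inventory:
            findings["unknown"].append(mac)
        elif inventory[mac] != host:
            findings["hostname_mismatch"].append(mac)   # same card, new name?
        else:
            findings["known"].append(mac)
    return findings


# Constructed inventory recorded by the administrator (MAC -> device name).
INVENTORY = {
    "00:1A:2B:3C:4D:5E": "ALICE-LAPTOP",
    "00:1A:2B:3C:4D:5F": "BOB-LAPTOP",
    "00:1A:2B:3C:4D:60": "PRINT-SERVER",
    "00:1A:2B:3C:4D:61": "KIDS-PC",
}
# BOB-LAPTOP has been reported stolen and put on the router's deny list.
DENYLIST = {"00:1A:2B:3C:4D:5F"}
# Constructed copy of the router's "attached devices" page.
LISTING = """
IP Address     Device Name     MAC Address
192.168.1.10   ALICE-LAPTOP    00:1a:2b:3c:4d:5e
192.168.1.11   BOB-LAPTOP      00-1A-2B-3C-4D-5F
192.168.1.12   PRINT-SERVER    00:1a:2b:3c:4d:60
192.168.1.13   ubuntu          00:1a:2b:3c:4d:61
192.168.1.20   android-9f2c    02:aa:bb:cc:dd:ee
"""

if __name__ == "__main__":
    for category, macs in audit(INVENTORY, DENYLIST, LISTING).items():
        print(f"{category:22s} {macs}")
```

A "denied" hit means the stolen laptop connected despite the blacklist, or that someone copied its address; either way the passphrase should be changed immediately, as recommended above, because the blacklist cannot tell the two apart.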
We at Home Server Land make the following recommendations to enhance the security of your wireless network against theft of signal and network intrusion threats.
This blog identified threats that are associated with a wireless network. The security plan should be updated to identify threats specific to your network and the methods used to address each one. We have developed the Wireless Network Risk Assessment to assist with identifying the threats we described and the methods that reduce them. The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and as a basis for managing them. Both documents are attached at the end of this blog.
This concludes Part 6 of Securing Your WHS & Network. We identified the risks and vulnerabilities associated with the wireless network. The administrator should use prudent means to protect the network from unauthorized intrusion or theft of signal. Wireless devices based on the WEP algorithm are obsolete and should not be used.
In Part 7, we will identify the threats and attacks that email messages can contain. We will explain how to identify email threats and how to increase the user's awareness of threats.
In the meantime, we invite your discussion and any ideas that you may have.
This series has been developed by the Home Server Land team to introduce computing and networking technologies. Throughout the series, we identify threats and vulnerabilities that exist and identify methods that can be taken to reduce them. We encourage
I am using WPA2 on my Netgear Giga router, but is there a way I can test its effectiveness or see any intrusion attempts? I live in an apartment building and I can pick up a good 10 or more wireless networks. Yesterday on my way home I noticed someone sitting outside in a car with a laptop, and now I am paranoid. Any suggestions or advice?
Good question. There are several things you can do.
You are using WPA2, which is the most current standard, and I am assuming you have chosen the WPA2-PSK (AES) option. This uses AES encryption. How long and complex is your passphrase? It should be at least 13 characters and have the complexity we described.
You could lower your power settings.
You can create a white list that contains the MAC addresses of your wireless devices that are permitted to connect, and enable MAC Filtering (page 2-14).
You could hide your SSID, and you can make the name complex, like "n3Tg38R". I am assuming you have the WNR854T model. Page 2-6 of the reference manual explains how to turn off the SSID broadcast.
You can view who has connected to your wireless network. Page 4-9 shows the IP address, device name and MAC for every device that is connected. If you do not recognize a device, write down the device name and MAC address and put it in your black list.
Do not enable remote management.
It appears that the only logging your router does is to record the websites you have visited. I cannot tell by the documentation that the router can track types like "system activity" or "attacks". Check with Netgear support.
I would recommend if you suspect that someone is snooping, check the "Viewing a List of Attached Devices" from the router. After accounting for your devices, this will confirm if someone has connected.
If you are using WPA2-PSK (AES) you are pretty secure from disclosure. Someone can pick up the signal, but they will not be able to read it. Unless they are from the NSA, and that is a different story.
Excellent article covering wireless security in the home, home office and business. I particularly liked the use of keeping track of MACs, not only as an additional layer of verification at the access point, but as a way of blacklisting in the event a PC is stolen.
Additionally, I'd like to point out that infrared wireless access points, although not popular in the home office, do not penetrate walls and may offer a localized (limited) WAP solution for some large flats.
Thank you for your comments. That is interesting about infrared access points. It makes sense that they would have to be line of sight. Do you have any examples?