Friday, September 30, 2005

Why-Fi Security?

Español | Deutsche | Français | Italiano | Português

So many people have become enamored with home wireless internet access, and with good reason. It’s simple, relatively cheap, and very convenient. Now you can watch TV in the family room while playing poker online. Yeah! It’s so easy in fact, that all you have to do is run out and buy a wireless router, a wireless card, plug them up and then by basically using the default configuration for both, start surfing! Unfortunately, that is exactly what most people who don’t know better do. What many people don’t realize is, as easy as it is for you connect to your new wireless connection, it’s equally easy for someone else nearby to do the same. I can connect to no less than three wireless routers from my home and surf the internet. Yikes!! Operating with such a huge security hole is just asking for trouble. Most people are unaware of, or confused by the difficulty of setting up, wireless security on their wireless access points leaving themselves susceptible to all kinds of mischief. Well you are in luck, because I am going to give you some basic security measures to help secure yourself from outside intrusion.

Let’s start with basics about wireless security. The original security mechanism for wireless connections was called WEP which stands for Wired Equivalent Privacy. WEP can use either 64 or 128 bit encryption (its actually 40 bit or 104 bit encryption with a 24 bit initialization vector, but lets keep it simple) and until recently was just about the only security option available for wireless connections without third party add-on equipment or software. WEP basically works by encrypting a pass phrase to be shared between the wireless card and the connection point for authentication. The problem with WEP is that there are many security flaws in its encryption method and it has become easily crackable by those who know they are doing. The FBI put on a demonstration using popular hacking tools to crack WEP on a wireless connection in just three minutes (Read More). And if the government can do it, just think what the hands of capable 16 year-old computer geek could do! However, if your only option is WEP or nothing, then WEP is obviously more desirable. At least it will keep the neighbors from perusing your personal files or looking at internet porn on your connection.

But all is not lost, you do have an alternative. Because of the security flaws in WEP, a non-profit association called the Wi-Fi Alliance introduced a new security specification called WPA. Wi-Fi Protected Access also has a distribution for Enterprise use, which will not be covered here. After all, if you are implementing an Enterprise security solution based on internet blogs, you have other, more serious problems. Anyway, WPA works with a PSK, or Pre Shared Key, encrypted with a stronger encryption method called Temporal Key Integrity Protocol (TKIP). All you really need to know is that it’s better and stronger than the WEP encryption method. There is also a second generation WPA specification called (oddly enough) WPA2. WPA2 uses an even stronger encryption method called AES using CCMP, and meets governmental security requirements. Wi-Fi Alliance's white paper on WPA/WPA2 also states that it "has been adopted as an official standard by the Department of Commerce and the National Institute of Standards and Technology." In other words, it’s really, really good! If you are feeling confused by all these acronyms like WEP, WPA with TKIP, or WPA2 with AES/CCMP, don’t worry, you are not DUMB. It’s a lot of information, so let’s make it EZ, and cover what you, the home user, need to do to secure your home wireless connection.

First, pick your encryption method. WEP should be available on any wireless access point you use. Like I said earlier, WEP is better than nothing, but not nearly as good as WPA or WPA2. Newer hardware should support WPA/WPA2, and some older hardware may be made compatible through firmware upgrades (check with the Manufacturer). Once you’ve decided on your method, follow these best practices listed below.

1) First, when creating pass phrases, use random strings of letters numbers, and non-alphanumeric characters like @#$%? (No, I am not cursing at you), or phrases that mean something only to you. Never use common words that can be found in a dictionary, or names of family members, etc., because they can be easily deduced by a savvy hacker. Make your pass phrase a decent length, short pass phrases are easier to attack through brute force methods.
2) Always change the SSID provided by the manufacturer for your hardware or disable the broadcast of it altogether. Hackers who know what they are doing, can still find it with special tools, but it will deter most people.
3) Always change the default password for your networking hardware, and unless you really need it, turn off the remote administration option if there is one.
4) Change the default channel for your access point. Most hackers are aware of what all the default passwords, channels, and SSID’s are, so anything you can do to make it tougher can make it more trouble than it’s worth to them, and they may choose to move on to an easier target.
5) Use MAC address access control lists by providing the MAC addresses of the systems that ARE allowed to access the network, and denying access to any others.

Following these best practices should limit your exposure to hackers and provide you a little security at home. Unfortunately, a talented and determined hacker will be tough to stop, but anything you can do to make it tougher, the better off you are.

Happy Computing!