Last modified on 5 November 2010, at 14:00

Wifi/Security

This page details some brief strategies for securing a wireless network

SSID BroadcastEdit

By default, most access points will automatically broadcast their SSID so that the network can be more easily detected and configured. For example the default SSID for many Linksys products is linksys.

  • One of the first things that you should do when setting up your wireless network is to change the default SSID from whatever the manufacturer set to something that is easy to understand and easy to identify as yours (e.g., your street address).
  • Disabling SSID broadcast (as recommended in some articles) won't stop an experienced wardriver, and is not a significant contribution to security. Worse, it can make it harder to manage the network. Instead, focus on WPA.

MAC Address FilteringEdit

Another security feature commonly included with modern routers is the idea of MAC Address filtering. The basic concept being that the administrator explicitly lists all of MAC addresses allowed to connect to the wireless LAN. A great idea in theory: because all MAC addresses are, by standard, supposed to be globally unique. One would have to go through a bit of trouble finding all of these addresses, but once in place, it is a system that needs very little attention. Unfortunately, there are a number of problems with a network that is only MAC filtered.

The primary problem is that network traffic remains completely unencrypted. Any passwords, e-mails, or other sensitive information is sent completely in the clear, thus leaving it highly vulnerable to the most cursory of snoops. Also, it is very easy to modify the MAC address of a network adaptor through simple system registry changes (At least, in Windows XP.)

The real kicker is, any packet on the network that isn't a broadcast from the router contains the MAC address of a computer that can communicate to it! Again, with a very cursory sniffing, it is easily possible for an attacker to build a list of MAC addresses that can communicate to the router, then simply change his adapter's address to match one not currently in use.

MAC address filtering is not a significant contribution to security. Instead, focus on WPA.

EncryptionEdit

There are two main standards for encryption of wifi networks: WEP and WPA.

WEPEdit

WEP stands for Wired Equivalant Privacy.

WEP is the most commonly used encryption standard. It supports key lengths of 40 bits and 104 bits.

WEP has some major security flaws:

  • It uses the RC4 cipher
  • A wifi network that uses WEP can be passively cracked

WEP should be avoided unless it is the only available option. It provides insufficient protection against crackers, and provides only a false sense of security.

When using WEP, the network key should be changed on a regular basis.

WPAEdit

WPA was created by The Wi-Fi Alliance, an industry trade group, to address the serious weaknesses of WEP.

WPA-EnterpriseEdit

WPA-Enterprise uses an authentication server to distribute keys to each wireless user. It can be expensive to implement and may not be necessary for homes or small offices.

WPA-Personal (WPA-PSK)Edit

WPA-PSK stands for Wi-Fi Protected Access - Preshared Key. It is a simplified version of the more complicated and expensive WPA-Enterprise protocol.

WPA-PSK allows for a passphrase of up to 63 characters to be specifed, that a user must provide before connecting to a network. The passphrase should be a minimum of 14 random characters, or more than 20 non-random characters. It provides several major improvements over WEP.

It uses a system called Temporal Key Integrity Protocol (TKIP) to distribute keys based on the passphrase to each user, and these keys are automatically updated at a specific interval.

WPA2Edit

An improved and more robust version of WPA. This form of encryption is based on the AES(Advanced Encryption Standard) form of encryption. It is even harder to break than the original WPA encryption method. Again it is available in Enterprise and PreShared Key versions

Selecting a Good PasswordEdit

WPA and WPA2 depend on a "passphrase" (also known as a Pre Shared Key or PSK). Like any other, its strength depends almost solely on its complexity. Good WPA passphrases should be long compared to other passwords, and extremely confusing. The more nonsensical your passphrase, the better. Actual words are not recommended, unless in a very long sentence. For examples,

f7S9^jeiF9ratt4-esttM8,25.4nZ8s

is more secure than the passphrase

fff4526----354

which is better than

4352354frewch

which is better than

sdfnvuihgwkjsgdf

which is better then

toaster

etc.

Finally, remember you will probably only need to enter this once (When you first set up your network and computers), so you can make it really strong and write it down rather then try and remember it. Just make sure you don't lose the paper, but keep it safe somewhere.

See AlsoEdit