Network Security Basics: Tightening Down Your Wireless LAN
By now we're all familiar with the benefits of wireless networks, and we've probably heard most of the horror stories. Ten recommendations to bring security on your WLAN to 'good enough.'
Wireless networking is terrific. I have the freedom to work on the Internet anywhere around my office or even outside on my porch. I do not worry about drilling holes in my walls or fishing wires. What could be better than that? Think again. Someone could be stealing your precious data right now without your knowledge.
Recently, my neighbor stopped me and commented that I had a wireless network. When asked how he knew, he said he saw it in his pick list when he installed his last week. Geoff Davies, managing director of i-sec, a British security consultancy says, "An informal survey revealed that 67% of the networks they found had the built-in encryption system turned off." Now I know that my network uses strong 128-bit encryption and is reasonably secure. But, are you broadcasting your private computer data to anyone who drives by with a working laptop wireless network card and a Pringles can antenna?
The "wired" nation is embracing the next wave of network technology - wireless networking. Linksys, D-Link and other manufacturers of wireless equipment are cleaning up in this arena, selling millions of wireless network devices like the Linksys BEFW11S4, a wireless router that connects directly to your Cable or DSL Internet service. These devices are simple, painless, and convenient. For a few hundred dollars and an hour of time, anyone can install a wireless network in their home or small office. However, out of the box they are NOT secure. "To insure a reasonable first use experience, the default setting for the encryption is "off". The problem is that many users never configure their systems to use the encryption that is present. And, to make matters worse, 802.11b systems vendors don't make it really easy to configure the encryption mechanisms properly." writes Harry Forstick, former BBN advanced technology guru.
Who could possibly be interested in my data anyway? Hackers, maybe, but never underestimate the amount of mischief that a local bored teenager can create. Getting into your network can be as easy as using your garage door opener to break into your house. A number of years ago, a gang of thieves would drive around Los Angeles with a set of remote controls to see which garage door would open. They had discovered that there were only a few frequencies used for all garage door openers and most people never bothered to change the factory settings. The manufacturers had thought of them as conveniences, not door locks. Think of your network like those garage doors. Since you are broadcasting your information to the world, you need to make it harder to steal.
We use all sorts of encryption already. Do we have to worry about yet more security? Security mechanisms at the application layer are sent encrypted but the network layer routing and protocol information is generally sent without encryption. Many, if not most, security protocols that people are familiar with, VPN, SSL, and IPSec work at the application network layers. An attacker could use the unencrypted network layer data to ferret out information about their network that the user might not want to reveal. Internal IP addressing schemes or the type of network your company is running, for example. They can also find out what type of computers your company has. With this knowledge, the wily hacker will know what your likely vulnerabilities are. For example, they might spoof an internal company address. If your routers and systems are not properly protected, they could easily masquerade as a "trusted" machine that has innocently joined your wireless network. In a small installation, you might notice (if you bother to look) that an unauthorized "extra" machine has joined your network. Since I have two machines on my wireless network, it would be obvious if there were now three. In a large installation, it is extremely difficult to determine this information since machines are moving on and off the network constantly.
Wireless networks use two standard protocols that are of importance to understanding the issues, 802.11b and WEP. 802.11b or (Wi-Fi) is the standard protocol used by wireless network hardware to broadcast and receive network packets on an over-the-air interface between the client and a base station or between two clients. The 11 Mbps transmission rate allows network speeds comparable to the 10 Mbps Ethernet Since the protocol is just concerned with the mechanics of moving network packets, it has no inherent security.
To address the user community's concerns with network security, WEP (Wired Equivalent Privacy) is now incorporated directly into the 802.11b standard. WEP provides the same level of security as traditional wired network. Unfortunately, this is not good enough for a broadcast technology, where anyone can tap into it easily. Pringles cans make perfect antennas for snooping wireless networks as Davies found out when he drove around the London financial district with his laptop and a wireless network card. "When it became clear that wireless networks unprotected by WEP were extremely vulnerable, users were urged to select products that implemented WEP, and WEP became the linchpin of 802.11 network security. It was, however, a flawed anchor point for security. One member of the 802.11 working group memorably described WEP as "unsafe at any key length" and urged the working group to redesign WEP," writes Matthew Gast, author of O'Reilly's 802.11 Wireless Networks: The Definitive Guide.
What can I do?
So what CAN I do to secure my wireless network? Immediately take out the hardware manuals and find all the factory settings you left in place. Change all the default settings for the network name, administrative passwords, and turn on the built-in encryption to the highest level possible for your hardware. This will not stop the truly determined hacker, but it will certainly discourage him and likely stop the local bored teenager. Although using the current wireless security standards, you can never reach the same security levels you have with wired networks; you can improve your security to "good enough". Geoff Davies from i-sec has these 10 simple recommendations:
- Disable broadcasting on wireless network hubs
- Change default network names
- Don't give the network a name that identifies your company
- Move wireless hubs away from windows
- Use the built-in encryption
- Disable the features you do not use
- Put a firewall between the wireless network and other company computers
- Regularly test wireless network security
Happy secure networking!
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.