Configure and Troubleshoot Wireless Networking (part 2) - Wireless Security

Wireless Security

Microsoft Windows Vista offers the full complement of wireless security. Wireless security presents the most troublesome aspect of wireless network configuration because the WCN wizards, along with a host of other wizards in the Network and Sharing Center, allow easy creation of a wireless connection.

Several security features offer a thin layer of security to wireless communication. The following sections look at these before proceeding into the two major aspects of securing wireless communication: authentication and encryption.

To Broadcast or Not Broadcast the SSID: That Is the Question

Many previous works on wireless security describe one way to make it harder to hack a wireless network: disable the broadcast of the SSID. This is a nonissue anymore because a plethora of tools can easily discover access points that are not broadcasting the SSID as well as prompt the APs to give up the SSID. Although this may seem like a good idea because it hides the AP from the casual bad guy, in reality it is probably more of a nuisance not broadcasting the SSID to the network administrator than it is to the bad guys attempting to crack into your wireless network. In addition, considering that even Windows Vista now supports the ability to “see” APs that are not broadcasting their SSID also makes this security mechanism fairly useless when you are trying to hide its presence.

MAC Address Filtering

Wireless access points usually contain a feature referred to as MAC ID filtering. This allows you to select which MAC addresses are allowed to associate with the AP for a wireless connection. This is a tedious process because you must acquire the MAC IDs of all wireless adapters within the environment. In addition, you must manually update this list as MAC IDs are added or subtracted in the environment due to new devices being added or older devices being discarded.

One obvious downside to relying on MAC ID filtering is that MAC IDs can be easily faked because the MAC address is unencrypted by wireless encryption schemes. Tools such as SMAC can adjust the MAC ID used by a network device without modifying the burned-in address. SMAC is one of many widely available security or cracking utilities for this purpose. An additional downside to this thin layer of added security is that MAC IDs within the BIOS of many computers can also be adjusted, thus making it harder to manage which MAC IDs are allowed on the network.

With that being said, using this approach is still a decent first start because it does make the casual cracker look elsewhere. On the other hand, you should not consider this feature to be anything more than a casual nuisance to a true bad guy intent on entering your wireless network.

Static IP Addressing

Static IP addressing ups the ante a bit when attempting an illicit entry into a wireless network. Because most APs offer a DHCP service within their configuration, disabling this feature and manually assigning IP addresses would make it one step harder to gain entry into the wireless network beyond an association to the AP. If the subnet size used for the wireless portion of the network is sized according to only the desired need of that subnet, a would-be hacker would have a more difficult time picking up the use of an additional IP address and going unnoticed. Using this approach definitely stops the casual hacker and requires a bit more sophistication. But once again, there are tools available that aid a bad guy in working around this issue.

Another downside of this approach to wireless security is, once again, the tedious nature of managing the wireless network. Manual IP addressing in IPv4 is bad enough; it is inconceivable when discussing IPv6 networks. Also, using this method may not stop a wireless cracker because there are Man-in-the-Middle attacks and many others around this approach to wireless security.

Authentication and Encryption Methods to Wireless Security

The preceding methods may offer an initial starting point to securing your wireless network, but they also have trade-offs when you’re attempting to manage the networks employing those methods. Windows Vista supports several wireless standards when it comes to authentication and encryption. Table 2 offers a snapshot of the protocols that are available to use within Windows Vista itself.

The following sections disregard the last two security feature types from Table 2, focusing the discussion on the more useful settings. Using these two security features by themselves presents a flawed approach to wireless security:

• Using Open as the only security feature is using no security feature at all. This is fine for publicly accessible APs but not for corporate use.

• The 802.1x authentication protocol is highly secure, but it does not provide any encryption. Therefore, using 802.1x alone provides no security for the actual data that is communicated after authentication.

WEP

WEP was the original encryption scheme when 802.11 wireless standards were first created. It was soon discovered to have severe flaws in the way it employed the use of the RC4 algorithm for its encryption services. It is considered to be better than nothing and may be the only choice if you are using legacy devices or software. WEP, as defined by the IEEE, comes in 64-bit and 128-bit sizes as well as a newer 256-bit flavor. Using Shared for the authentication means that the Pre-shared key used for the encryption process by WEP is also used to authenticate the connection. This is actually considered to be less secure than the Open setting for authentication. Figure 9 shows how to reconfigure a wireless connection for WEP with Shared key authentication.

Using the dialog box in Figure 9 as a guide, you can change the security type to any of the listed security types in Table 4.7.

WPA-Personal

Wi-Fi Protected Access (WPA) was a standardized update to the encryption scheme used by WEP. Essentially, WPA was the first step toward IEEE’s 802.11i specification. WPA-Personal is also known as WPA-Preshared Key (PSK). In addition to using a PSK, WPA is required to use Temporal Key Integrity Protocol (TKIP). TKIP still uses RC4 but adds a message integrity check, providers for per-packet keying, among other items. It was designed to be backward-compatible with most WEP-enabled products at the time so that only a software update was necessary. WPA-PSK may also provide for the use of the Advanced Encryption Standard (AES) that uses the newer Rijndael algorithm. AES is a much stronger block cipher that allows the use of up to 256-bit keys. This is built for small office/home office (SOHO) use.

WPA-Enterprise

WPA-Enterprise adds the use of a centralized authentication server (called an authenticator) such as a Remote Authentication Dial-in User Service (RADIUS) server and employs the use of the IEEE 802.1x authentication protocol. The client (known as the supplicant) is required to authenticate prior to unrestricted access through the wireless AP to the wireless network. WPA-Enterprise uses the same encryption services as described for WPA-PSK. This protocol is built, as its name suggests, for an enterprise network. This security model requires a Public Key Infrastructure (PKI) to hand out certificates because the certificate takes the place of the PSK used in WPA-PSK. The certificate also provides for additional authentication encryption services for the wireless clients.

WPA2-Personal

WPA2-Personal provides the same security services as WPA except that the WPA2-Personal protocol is required to support AES as the default protocol of choice. This essentially ensures that legacy wireless adapters need to be replaced or upgraded. A PSK is also used instead of a certificate.

WPA2-Enterprise

WPA2-Enterprise is the true implementation of 802.11i, where the IEEE 802.1x authentication protocol is used along with a centralized authenticator service running RADIUS. Windows Vista inherently supports WPA2-Enterprise, whereas Windows XP required an update. This security model also requires a Public Key Infrastructure to hand out certificates for the same reasons described for WPA-Enterprise.