PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP

PicoSearch

 

HOME

START HERE

BE SAFE

ROUTERS

SIGNUP INFO

DIAGRAMS

TROUBLECITY

DEBUGGING

SPYING

WIRELESS

NETWORKING

ENCRYPTION

INTRUDERS

SPYWARE

ADD DISK

ANTIVIRUS

CLEANUP

FIREWALL

REMOTE

LINUX

UPGRADE

WPA!!

SWITCHES/HUBS

PC STUFF

CABLING

BACKUP

ETHERNET

TCP/IP INFO

PC INFO

ADSL INFO

WIRELESS INFO

 

HAVE I HELPED?

antenna

IRRADIATE YOUR FRIENDS AND NEIGHBORS, AT NO CHARGE

I tend to avoid wireless if at all possible.  Nevertheless it is a great solution for certain situations.  The biggest current problem with wireless is security.  If you do not take precautions, people can drive by on the street, and they DO, and can sniff all the traffic on your net, hack into your PC and network, and get a free Internet connection.  This is how some spammers and hackers may find a free way to perform abuse!  And the ISP can track it back to your connection if they have to.  And the latest threat to your security is that strangers will now connect to your network behind your NAT/router, so this may defeat all your safe computing practices that you have learned from this site.  So you must be really vigilant if you run a wireless network.  See this page for a recommended technique to implement wireless on your home network!

Nevertheless, most of my customers are doing wireless installs, so I have had to learn about this technology, at least the networking aspects of it.  Here are some initial experiences, including the install of WPA which will help address the security concerns of 802.11b.  Unfortunately most vendors are only introducing WPA with 802.11g - it is not certain they will backpedal it to 802.11b!  Argh!

It is quite distressing to see the almost devil-may-care attitude with which so many organizations are putting up "WiFi" networks.  These are also called Wifi "hotspots."  New vernacular, goodie, goodie.  This includes airports, Kinko's, Starbucks, etc. etc.  Many of these do include some sort of authentication control, so you must pay.  But once you pay you have "free rein."  Just think what a free ride this is giving to all the Internet terrorists, and what they can do with this essentially anonymous access to the internet!  I know, I know,  it is providing a good service for all the law-abiding citizens.  I would sure be careful about using my wireless laptop in these situations.  There really is no such thing as a NAT/router for a laptop - there probably should be.  Until then, you better have a good software firewall on that laptop.  And I wouldn't conduct any sensitive business, including especially personal email in these situations.  If you have a VPN client, it would be OK to use.  OTOH, there are some very crafty individuals who can get into your laptop, behind the wireless router, and take over your VPN connection.  Be careful out there....

In case you think I am crazy, check this recent story.  Spammers are loving this free wireless access!  And check out this story.  Even the professionals don't seem to get it yet.  

Be sure you use the WEP protocol, included in most wireless setups.  Even then, be aware that there are tools on the Internet which can break the WEP encryption protocol fairly easy.  I would not conduct sensitive business over wireless links at any time, certainly not in the airports, downtowns, coffee houses that are starting to support these networks.  Even at home I am not sure I would use a wireless link, especially to do sensitive business, like my taxes, my investing, etc.  Just confine your important business to the PC that is wired, not wireless!  The other problem with wireless networks is the abuse that some people will subject them to.  What is to stop the spammers from setting up shop on the street next to the free Wifi hotspots [or your house for that matter], getting an IP address, connecting to an open mail relay somewhere on the Internet, and shooting out a million emails.  Of course they all look like they came from your Internet connection, and your ISP may be breathing down your neck when all this trash is tracked back to your IP address.  I doubt you will have any problem from home, but just remember that somebody driving on the street can see your network. 

The next improvement in wireless security is WPA, which is available on most of the new 802.11g products.  If you can implement WPA on your wireless infrastructure, it basically solves the security problems [at least in a trusted "hardware" environment - see the next paragraph].  So it is definitely worth going for! The manufacturers have back hauled it to very few 802.11b products as of the beginning of 2004 however. 

The WPA solves the security problems, but it only locks down the wireless network!  Now you may have the basic problems of security on windows networks, which are a big problem if there are strangers on the network you just connected so securely to!  This is why we need a firewall at all times on that PC in wireless situations. 

One thing you must watch for in wireless public settings, even if you think you are secured with simple WPA, is the possibility of a "man in the middle attack."  WPA only works when you are certain of the reliability of the hardware providing the wireless infrastructure.  It protects against "wireless intrusions."  What happens if somebody installs a rogue wireless AP into the previously reliable hardware environment?  Since WPA only provides for one way authentication (the network authenticates the supplicant [you]), what happens if the network itself is malicious!?  The network can pretend to be trustworthy, and get you to authenticate to it!   The simple forms of WPA do not provide for authenticating the network.  There are other protocols, such as EAP-TLS, which are part of the the WPA specification which provide for two way authentication, and will protect against this.  Beware out there!!

In the next few years I suspect new versions of The Patriot Act will make setting up open, insecure wireless networks a very risky business.  You may start being held responsible for providing this insecure open access to the Internet.  Gee, what an astounding concept, holding people responsible for what they do.  Do you think our mad descent into liberalism and socialism will be able to handle this?

This is an excellent overall discussion on wireless network security, although it needs updating for 802.11i.  This is an excellent discussion on securing your wireless network:  http://www.extremetech.com/article2/0,3973,34635,00.asp   It is comparable to "safe computing practices for wireless users!"  I am going to repeat it here because it is such valuable advice.  Thanks to www.extremetech.com !

Update Jan 2007

This procedure was recently documented in one of our labs...

1. Right click on wireless NIC in Network Connection Window (or right click on NIC icon in tray)
2. Left click properties
Make sure “show icon in notification area when connected” is checked
3. Click on “wireless networks” tab at top.
4. Remove any networks listed in “Preferred Networks” Listing.
5. Click on Advanced tab at top.
6. Uncheck the ICS setting
7. Click OK at bottom

8. Reopen wireless NIC and properties as in 1 and 2 above
9. Open “Wireless Networks” tab
10. click on “view available wireless networks”

11. connect to wireless network desired

Once you connect to a wireless network, windows puts it in the “Preferred Networks”
Listing to automatically connect!!??

You have to go back in and “change order of preference”
Click on wireless networks tab
Find the network now listed (with automatic next to it)
Click on properties, click on connection, and deselect “automatic connection”
Click OK
Click OK
The word “on demand” will now appear in the list on this network.

There must be a global setting to disable the automatic connection to a network.
There must be a way to NOT cache the key which logs in as well.
Update Mar 2007:  You MUST get the wireless client update.  Microsoft does NOT push it as a critical update!  Another example of Microsoft allowing convenience to trump security!

TCP/IP STUFF

WIRELESS STUFF

PC STUFF

ADSL/CABLE MODEM STUFF

Tips For Securing Your Wireless Network

 

Keeping your wireless network safe

  1. Enable WEP. Yes, WEP isn't secure as by now virtually everyone knows, but at least it's a first barrier. And best of all, it's free. Nearly all Wi-Fi certified product ships with basic encryption capabilities. (40-bit key WEP). It's just disabled. As we discovered from our war driving, in excess of 50% of our data sample wasn't even using WEP. It's an invitation for someone to pay you a visit anytime. Granted, we did log some number of wireless access points that didn't use WEP because they were either public access networks, or access points in Starbuck's coffee shops. But even if you back those access points out of our data sample, non-WEP access points still comprised over 50% of our sample.

     
  2. Change the default SSID of your product. We were surprised how many access points/wireless routers we found that had the manufacturer's default SSID. We figured, correctly, that if it still had the manufacturer's default SSID, that the owner probably hadn't bothered to change the default password, either.

     
  3. Don't change the SSID to reflect your company's main names, divisions, or products. It just makes you too easy to target. If your naming is enticing enough, it may attract hackers who are willing to put in the additional effort with tools like AirSnort to break your WEP encryption keys.

     
  4. Don't change the SSID to your street address. Surprisingly, we found a number of SSIDs that used the company's street address. It sure does make it easier to zero in on your location if you broadcast it.

     
  5. If your access point supports it, disable "broadcast SSID". As you take your access point out of the box, broadcast SSID is enabled which means that it will accept any SSID. By disabling that feature, the SSID configured in the client must match the SSID of the access point.

     
  6. Change the default password on your access point or wireless router. Any hacker worth his salt knows the manufacturers' default passwords, and will try them first. Since programs like NetStumbler identify the manufacturer based on the MAC address, it doesn't take much work to figure out what type of device it is even if you do change the SSID.

     
  7. As you do your site survey for access point deployment, think about locating the access points toward the center of your building rather than near the windows. Plan your coverage to radiate out to the windows, but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside your building making it easier for people to find you.

     
  8. As a network administrator, you should periodically survey your site using a tool like NetStumbler to see if any "rogue" access points pop up. With the declining pricing of access points, it's not hard to imagine that a department might run out to Best Buy, buy a couple of NICs and an AP, and plug it into your corporate network. All of your hard work to "harden" your wireless network could be wasted if a rogue AP were plugged into you network behind your firewall.

     
  9. Take a notebook equipped with NetStumbler and an external antenna outside your office building and survey what someone parked in your parking lot might "see". You'll be surprised how far the signal radiates. You might only associate at 1-2 Mbps, but it's still a security breach.

     
  10. Many access points allow you to control access based on the MAC address of the NIC attempting to associate with it. If the MAC address of your NIC isn't in the table of the access point, you won't associate with it. And while it's true that there are ways of spoofing a MAC address that's been sniffed out of the air, it takes an additional level of sophistication to spoof a MAC address. The downside of deploying MAC address tables is that if you have a lot of access points, maintaining the tables in each access point could be time consuming. Some higher-end, enterprise-level access points have mechanisms for updating these tables across multiple access points of the same brand.

     
  11. Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses.

     
  12. If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off DHCP. It's true that it's more of an administrative overhead to manage, but we found a number of wireless networks that passed out IP addresses to us once we associated with the AP. Although a wireless sniffer could easily pick out IP addresses, by not passing them out, it just adds another barrier. It makes it tougher for the casual "drive by" to use your network.

     
  13. If you're using a wireless router and have decided to turn off DHCP, also consider changing the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router. We discovered one network that didn't give us an IP address, but we assumed that they were using the defaults. We were right. We configured our notebook with an IP address in the 192.168.1.0 network using 192.168.1.1 as the router address, and we had access to the Internet through their network.

     
  14. Don't buy access points or NICs that only support 64-bit WEP. Some low-end products only support 64-bit (40 bit key) WEP, and as you know by now, even 128-bit WEP is universally considered not very secure. Note that some NICs may only require a driver upgrade to attain 128-bit WEP capability.

     
  15. Only purchase access points that have flashable firmware. There are a number of security enhancements that are being developed, and you want to be sure that you can upgrade your access point.

     
  16. Some products support additional security features that are either not defined by the 802.11b standard, or not mandated by the standard. For example Agere Systems' Orinoco access points include a feature called "closed network". This is proprietary, and not part of the 802.11b standard, but if you're in a corporation and deploying one vendor's solution throughout, it really wouldn't matter. With Orinoco's closed network, the AP doesn't broadcast the SSID, so someone using NetStumbler won't see it. The client workstation must be configured with a matching SSID to associate with the AP. The default "ANY" configuration wouldn't associate with a closed network.

     
  17. Most people agree that the best method of securing your wireless network is by using a combination of the suggestions above. However, the most effective strategy would be to put your wireless access points into a DMZ, and have your wireless users tunnel into your network using a VPN. (See PC Magazine's VPN story titled "Safe Passage".) If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be an extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.

In closing, you can implement as much or as little security as you want to on your wireless network, but at an absolute minimum, even with it's vulnerabilities, you should enable WEP. Whether you implement 64-bit or 128-bit doesn't really matter too much, as it's not the encryption scheme that's determining how long it takes to crack it, but the number of possible Initialization Vectors. WEP is only a low barrier to entry, but it will keep out many of the casual hackers because there are so many other wireless networks that are wide open and easier targets.

 

Update:  There should now be a point 18.  Investigate whether your vendor will support the WPA upgrades for your wireless gear. 

 

Copyright John D Loop Wednesday October 26, 2005