Posted by: Ken Harthun
14 Golden Rules of Computer Security, Security, Security practice, Wireless security, WPA
It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotstpots are also unsecured, open connections. If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:
1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure. While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.
2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where your store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.
3. Don’t rely solely MAC address filtering . I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network. That said, using MAC address filtering in conjunction with other measures can give an additional layer or safety.
So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA2 and WPA2-Enterprise. WPA2 relies on a pre-shared key (PSK), while WPA2-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA2 implements 256-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA2-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.
And that, my dear reader, is Golden Rule #13: When it comes to securing a WiFi network, the only way is WPA.