802.11 wireless networks are notoriously insecure in today's network infrastructure, but yours doesn't have to be. Athough there's no perfect way to protect your network, here are some tips that will prevent most would-be invaders from entering your network.

Wireless networks are proliferating, and so are the number of individuals who roam city streets looking for open hot-spots to plunder, an activity known as war driving. In London, some people even chalk the sidewalks with symbols that indicate an available wireless network.  This war driving is growing at a phenomenal rate with more noted scans/attacks.

Before you protest the unfairness of someone taking a free ride on your connection to the Information Highway, possibly driving up your bandwidth charges, let me say that there are various ways to shield your wireless network. While these tips, especially the controversial WEP (Wireless Equivalent Protection), aren't fail-safe, you should at least try them, as they will lower any risk of such occurances.

For those who don't know, a wireless LAN (or WLAN) consists of one or more access points (APs) that relay data packets between a physical network server and a wireless device, such as a handheld or a laptop. To send and receive data via a computer, the device must have an antenna (usually PCMCIA or USB) that adheres to the 802.11 standard.

So what can you do to keep your network from becoming a war driver's favorite hot spot? Below are some suggestions.

1. Change your name. Start by changing the default name of your network, the Service Set ID  (SSID).
For example, Tsunami is the default SSID for Cisco's Aironet Access Point, so you want to make sure you're not one of the thousands of Tsunami networks in the world today.

Don't use personal info such as your street address in your ID, either. That's too revealing to strangers. Try random numbers and/or random alhpa characters instead.

2. Turn off SSID. If your unit allows for it, turn off SSID broadcasting altogether.
This prevents strangers from passively scanning the area and receiving your network's broadcasts.

3. Set high connection speeds. I suggest raising the minimum speed for connecting to your network.  Very importantly, wireless signals degrade rapidly over a large area, so requiring a faster connection speed means the attacker must be relatively close to an AP to get onto your network.

4. Protect your intranet. Be sure to place your access points OUTSIDE your firewall.
Even better would be to have the AP behind it's own firewall, prior to any other firewalled intranet access. If you place your APs inside the firewall and someone breaks into your WLAN, they will have access to your intranet, too.

5. Block any unknown devices. Restrict your wireless network to known Media Access Connection (MAC) addresses, which are unique identifiers for every hardware device. If you don't know the addresses of the devices on your network, make an audit today. Then you can block rogue devices trying to connect to your net without your permission.

6. Enable WEP. Although WEP is one of the most talked-about methods of protection for a wireless network, and by itself, it WILL NOT make your network secure.

The first thing to know about WEP is that it's not quite as secure as it sounds. 802.11 network devices on the market today provide either 64-bit, 128-bit, or 256-bit WEP encryption. But, after further reading I noticed, those numbers are inflated. WEP uses the first 24 bits of any packet as a unique identifier, so you're actually limited to 40, 104, or 232 bits of secure data.

That would be adequate if WEP used different encryption keys for each message packet, but it doesn't. Instead, WEP is based on symmetric keys that never change and are set manually in each device. This seriously compromises security for both home and office WLANs.

For example, when an employee leaves a large company, ideally, the IT staff would change every key for every employee that has access to the corporate WLAN. But often this is not done. Thus, former employees can continue to use a company's network through their own 802.11 devices.

For a home office network, the danger of the unchanging key is that it makes it easier for malicious users to recognize a key, since they see the same one over and over again. An attacker would simply crack the encryption. Once an intruder has cracked the encryption, he or she will be able to read the data you send over your WLAN.

Nonetheless, despite WEP's shortcomings, you should still use it at minimum. Recognizing your key takes a few hours, even with a fast computer, and requires a lot of effort. Using WEP at least provides protection against the casual war driver who's not willing to spend time cracking your encryption. There are WEP key cracking tools on the internet for those who think this won't happen to them. I would strongly suggest changing your shared keys periodically and using a virtual private network (VPN/IPtunnel) as an additional layer of security.

7. Use other  methods of encryption beyond WEP. If you require a high level of security across your WLAN, assume that 802.11 networks are insecure and that the link layer offers no security.  Suggestions include:

  - Using higher-level security measures like IPsec and SSH for security instead of relying on     WEP.
  - Treat all systems that are connected via 802.11 as external, and place all Access Points       outside the firewall.
  - Assume that anyone within physical range can communicate on the network as a valid user.       Keep in mind that an attacker may use a more sophisticated antenna with much longer range       than found on a typical 802.11 PC card.

The experience with WEP shows that there are difficulties in getting security right. With many flaws at every level, including design of the protocol, implementation and deployment, can render a network completely vulnerable.

If you want to know more about wireless networks, a highly recommended book is:
802.11 Wireless Networks: The Definitive Guide by Matthew S. Gast, published by O'Reilly & Associates. Gast provides a thorough explanation of the technical minutiae for a network administrator or motivated home user.

Hopefully after following such suggestions, you'll be better protected against a pedestrian war driver, and other attackers from gaining access to your WLAN. To deflect a more aggressive attack, you may need to go even further with your network security than merely these tips alone.
 

.:[ © cana5ta ]:.