Improving Security in Wireless Networks
Wireless networking provides many advantages over conventional wired networks. For
instance the ability to connect to your network resources without the capital costs of installing
structured wiring and the ability to roam within the range of your access points or gateway. It
also, however, carries a disadvantage over conventional networking systems in that anyone
within range of your access points or gateway while sharing your wireless settings may also
connect to your network. To combat this security issue, the IEEE standards body 802.11 have
provided a mechanism to improve the security of wireless connections called Wired
Equivalent Privacy (WEP).
This document will look at the security measures built-in to wireless networking, such as WEP
encryption and MAC address filtering, and other methods of providing more robust security as
well as providing a guide to securing the wireless connections to the OfficeConnect Wireless
The following text assumes that you have successfully installed a wireless network using the
OfficeConnect Wireless Cable/DSL Gateway installation wizard. If you have followed the
instructions then you will have one or more PC clients that are able to connect, via the
wireless network, to the OfficeConnect Wireless Cable/DSL Gateway. Communications at this
level are insecure but there are some steps you can make to improve security on your
Security Features in Wireless Networking
There are a number of features included in wireless networking that can be used to improve
the security of the network. These features will not make the wireless network completely
secure, but they can substantially improve security.
Each wireless network has a name; this is referred to as the SSID (Service Set
Identifier) or "Service Area Name". When wireless systems were first installed the SSID was
considered to be a security feature, without knowing the name of the network it was difficult to
connect to it., however, some wireless NICs now have the ability to scan for available SSIDs
and join that group – bypassing any security that might have been given by the SSID. This
means that anyone can see your network provided they are in range and can also join it if the
local network administrator has not taken the appropriate security precautions discussed later
in this article.
Although having a SSID is essential to setting up and using your wireless network it is not
sufficient security for a wireless network.
Wired Equivalent Privacy (WEP) secures the link between the access point or gateway and
the wireless computers and although not specified as part of the IEEE 802.11b standard for
wireless networking, almost all wireless equipment comes with WEP encryption built-in to the
product to increase security.
WEP is an encryption mechanism based upon a static key of either 64 or 128 bits in length,
which is used to encrypt the data stream using an RC4 encryption algorithm. It encrypts data
between a wireless computer and the access point to improve the security of the connection.
(Note: WEP 64bit encryption is commonly called 40/64bit encryption; this is because the user
definable key is only 40 bits, but there is a 24 bit static key that is automatically added to it
therefore providing a 64bit key.) A WEP key is a string of hexadecimal characters, 40/64bit
WEP has 10 characters while 128bit WEP has 26 characters.
To be able to use WEP both the wireless gateway or access point and the wireless NIC need
to have the same WEP key. This will allow the encryption and decryption of data. However,
up to 4 WEP keys can be programmed into a wireless NIC or Gateway, but only one (called
the transmit key) will be used for encryption. Different components of the wireless network
may have different keys defined as the transmit key, as long as both components have the
same keys defined in the same order (1-4) then communication will work. For example, if the
Gateway was configured to transmit using encryption key 1 then the wireless NIC that it is
transmitting to will use key 1 to decrypt the data. If the NIC is configured to use key 3 to
transmit then the Gateway will use key 3 to decrypt the data from the NIC. In this way, the
data is encrypted differently in either direction, improving the security of the network.
It should however be noted that the weakness with the WEP system is that it has a static key;
several studies exist where keys have been cracked where sufficient data has been collected
enabling someone to crack into the network. For this reason, higher levels of security have
been introduced by some vendors based on dynamic keys. These keys change at regular
intervals making it significantly more difficult to crack the keys. There is also further work
going on within the IEEE 802.11 committee to develop more robust encryption schemes. This
will be covered in greater depth later in this document.
The WEP key can normally be entered in several ways, by manually entering the desired
number of hexadecimal characters or by using a “passphrase”. A passphrase is a string of
ASCII characters which will be converted into a hexadecimal string. If the passphrase method
is used on wireless equipment from different vendors, ensure that the hexadecimal string
created is the same for both – this is not always the case.
40/64bit or 128bit WEP?
This choice is will be based on the sensitivity of data that is being transmitted over the
wireless network and the throughput requirements. 128bit WEP will offer a more secure link
between wireless clients and the access point but there will have a slower throughput due to
encryption and decryption times while 40/64bit WEP will offer less security but have a higher
throughput rate. Whichever level of encryption is chosen it must be ensured that both the
gateway or access point and the wireless NIC have the same level specified. If the same level
is not specified at both ends then the communication between the NIC and access point will
not be possible
MAC Address Filtering
In addition to using WEP to prevent unauthorised access to your wireless network, it is
possible to specify exactly which PCs are allowed to access the network by MAC address. (A
MAC address is a unique identifier for every device that connects to your network). This is
basically a list of authorised PCs that the gateway or access point uses to control access to
the wireless network.
If MAC address filtering is used then only the MAC addresses specified by the network
administrator will be able to connect to the wireless network – yet another obstacle placed in
the way of a hacker trying to access the network.
The OfficeConnect Wireless Cable/DSL Gateway has a list of all MAC addresses accessing
the gateway on the user interface; this can be used to form the basis of a MAC address
filtering scheme. However, to find the MAC address of your wireless NIC…
While using the wireless NIC
1. From the Start Menu go to Programs ->Accessories ->Command Prompt
2. Type ipconfig /all
3. The parameter called Physical Address will have a 12 digit hexadecimal number. This
is the MAC address of the Wireless NIC.
While using the wireless NIC
1. From the Start Menu choose Run…
2. Type winipcfg
3. Choose the wireless NIC from the pull down menu
4. The parameter called Adapter Address will have a 12 digit hexadecimal number. This
is the MAC address of the Wireless NIC.
Higher levels of security
As previously mentioned, there are methods of further securing the wireless network against
hacking although these security features are normally only found in higher end wireless
devices, such as the 3Com Access Point 6000 and the 3Com Access Point 8000.
Dynamic Security Link increases security by using a 128-bit encryption key that is
automatically changed for each networking session. This increases security as the key is no
longer static (as in WEP) and therefore is harder for a hacker to break. The new keys are
negotiated between the wireless client and Access Point so there is no need for a manual key
to be entered by the user. User Authentication can also be used for an even higher level of
security by requiring users to enter a username and password for each session.
Another way to increase security is by using central authentication to validate the log-in
details of any user trying to use the wireless network. The most popular way of doing this is
by using a central RADIUS server to validate the user details. All user details are stored on
the central RADIUS server and the Access Point will authenticate users using the RADIUS
Each of these features makes the security of the wireless network more secure. Details of
both the 3Com Access Point 6000 and 8000 can be found on www.3com.com.
Virtual Private Networking
Another way of further securing the wireless network is by using Virtual Private Networking
(VPN) to encrypt data transmission to the private network. In this case, the wireless access
point is positioned outside a gateway or router that has the ability to terminate VPNs, so once
the connection to the wireless network is made (with or without WEP enabled) then the user
will connect to a VPN server to access the private local network using PC based VPN client
Wireless Network Private Network
Access Point (optional)
By using this scenario the local network is seperated by from the wireless network but is still
easily accessed by authorised users. This offers a very high level of security for the local
network whilst still protecting unauthorised access to the Internet connection using WEP
encryption if enabled.
Note: The OfficeConnect Wireless Cable/DSL Gateway cannot be used in this scenario
although the 3Com Access Point family can.
For more information about VPN technology, refer to the VPN white paper found on
How to configure security on the OfficeConnect Wireless
Security Step 1: Ensure you change your SSID from "101" (3Com OfficeConnect Wireless
Cable/DSL Gateway default value) to another set of characters. Currently your product is set
up with a default, we strongly recommend that you define a unique name for your wireless
network, it is worth considering using an abstract name that does not relate to you or your
business, in the same way you might consider any password. You have up to 32 characters
that can be used to define the SSID. You will also need to change this in all of your clients.
For the time being make a note of your new SSID here.
Security Step 2: Which version of WEP? Currently your system does not have WEP enabled
at all, your gateway can support two versions of WEP, the first is referred to as 40 or 64 bit
WEP, the second is referred to as 128 bit WEP. The choice of what level of WEP to choose is
down to the level of WEP offered by all of your clients. Check your clients to see what they
support, some products offer only 40/64 bit WEP, others offer both 40/64 and 128bit WEP.
128bit WEP offers better security than 40/64, but may have an impact on your overall system
performance depending on the elements in your system. If you are not sure which key size is
best, and your clients can support both, we recommend trying the 128bit key size first and
then monitor the network performance.
Security Step 3: Enable encryption by selecting either 40/64 bit or 128bit encryption from the
pull-down menu. Next select which method of key generation will be used. This selection
should be based on the generation methods supported by the wireless clients – the same
method should be used on the Gateway and the clients.
The Gateway offers a number of methods for converting plain text into hex keys. The text is
much easier to remember than hex keys but it relies on your wireless adapters also
supporting this feature. Different manufacturers have developed different ways of converting
plain text and so interoperability is not guaranteed. If you are experiencing difficulty, the
Manual Hex Key method is supported by most vendors.
The Gateway supports 4 methods to specify the WEP Keys :
a) Manual Hex Key
This method allows you to manually enter hex keys. Virtually all manufacturers support this
b) 3Com Encryption String
This method is only supported by 3Com Wireless products. The string can contain any alpha
numeric characters and must be between 6 and 30 characters long. A single string will
automatically generate 4 unique keys for 40/64 or 128 bit WEP.
This method is supported by some adapter cards running under Windows XP. The string must
be exactly 5 characters for 40/64 bit WEP or 13 characters for 128 bit WEP. You must enter a
separate string for each of the 4 Keys. You can leave a string blank so long as this Key is not
selected as the Active Transmit Key.
This is another common method and similar to the 3Com Encryption string. In 40/64 bit WEP,
the Passphrase will generate 4 different keys. However, in 128 bit WEP, this method only
generates 1 key which is replicated for all 4 keys.
Select the "Active Transmit Key". This selects which of the 4 Keys the Gateway uses when it
transmits. You can change the selected key every now and then to increase the security of
Make a note of your keys in the table(s) below
Key # Active 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Key # Active 17 18 19 20 21 22 23 24 25 26
Security Step 4: The next step is to switch on WEP on all of your clients. Using the
information you have collected you will now need to consult the documentation for your client
wireless NICs and set up the corresponding information: SSID or Service Area Name,
40/64bit WEP or 128 bit WEP. Remember you have to choose one or the other for your whole
network. Finally enter all of the keys you generated on the Gateway in the correct order on
each client. If you have a wireless client that only supports one key, ensure you enter the
active transmit key as defined in the gateway. While you are making the changes to your
clients it would be a good idea to note the MAC addresses for each NIC card you are using.
The MAC address is recorded as a sequence of twelve hexadecimal characters. This will be
useful if you wish to make further enhancements to the security of your network. Make a note
of your Wireless NIC MAC (Media Access Controller) addresses below:
Client # Media Access Controller Address PC Name or Owner
You may now test the network with encryption enabled. If you encounter any problems go to
the trouble shooting section at the end. If you are happy that the encryption settings are
working then you can optionally move to the next section for to further enhance security.
Security Step 5: The Gateway provides a list of connected PC's, confirm that the PC's on
your network that are powered up with a live wireless card can be seen in the list of clients.
Verify that all of your clients can still connect to the Gateway. You will need to remember that
if MAC address filtering has been enabled, any new device added to the network, or any
changes to the existing configuration will need to be recorded in the gateway MAC address
table. We also recommend ensuring that you keep the table up to date, accurately reflecting
the active devices in your network.
Finally, it is also useful to consider that any system using WEP is not unbreakable, therefore
regularly changing the keys between the devices is a further precaution you could take.