Improving Security in Wireless Networks


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Improving Security in Wireless Networks

  1. 1. Improving Security in Wireless Networks Introduction Wireless networking provides many advantages over conventional wired networks. For instance the ability to connect to your network resources without the capital costs of installing structured wiring and the ability to roam within the range of your access points or gateway. It also, however, carries a disadvantage over conventional networking systems in that anyone within range of your access points or gateway while sharing your wireless settings may also connect to your network. To combat this security issue, the IEEE standards body 802.11 have provided a mechanism to improve the security of wireless connections called Wired Equivalent Privacy (WEP). This document will look at the security measures built-in to wireless networking, such as WEP encryption and MAC address filtering, and other methods of providing more robust security as well as providing a guide to securing the wireless connections to the OfficeConnect Wireless Cable/DSL Gateway. The following text assumes that you have successfully installed a wireless network using the OfficeConnect Wireless Cable/DSL Gateway installation wizard. If you have followed the instructions then you will have one or more PC clients that are able to connect, via the wireless network, to the OfficeConnect Wireless Cable/DSL Gateway. Communications at this level are insecure but there are some steps you can make to improve security on your network.
  2. 2. Security Features in Wireless Networking There are a number of features included in wireless networking that can be used to improve the security of the network. These features will not make the wireless network completely secure, but they can substantially improve security. SSID Each wireless network has a name; this is referred to as the SSID (Service Set Identifier) or "Service Area Name". When wireless systems were first installed the SSID was considered to be a security feature, without knowing the name of the network it was difficult to connect to it., however, some wireless NICs now have the ability to scan for available SSIDs and join that group – bypassing any security that might have been given by the SSID. This means that anyone can see your network provided they are in range and can also join it if the local network administrator has not taken the appropriate security precautions discussed later in this article. Although having a SSID is essential to setting up and using your wireless network it is not sufficient security for a wireless network. WEP Wired Equivalent Privacy (WEP) secures the link between the access point or gateway and the wireless computers and although not specified as part of the IEEE 802.11b standard for wireless networking, almost all wireless equipment comes with WEP encryption built-in to the product to increase security. WEP is an encryption mechanism based upon a static key of either 64 or 128 bits in length, which is used to encrypt the data stream using an RC4 encryption algorithm. It encrypts data between a wireless computer and the access point to improve the security of the connection. (Note: WEP 64bit encryption is commonly called 40/64bit encryption; this is because the user definable key is only 40 bits, but there is a 24 bit static key that is automatically added to it therefore providing a 64bit key.) A WEP key is a string of hexadecimal characters, 40/64bit WEP has 10 characters while 128bit WEP has 26 characters. To be able to use WEP both the wireless gateway or access point and the wireless NIC need to have the same WEP key. This will allow the encryption and decryption of data. However, up to 4 WEP keys can be programmed into a wireless NIC or Gateway, but only one (called the transmit key) will be used for encryption. Different components of the wireless network may have different keys defined as the transmit key, as long as both components have the same keys defined in the same order (1-4) then communication will work. For example, if the Gateway was configured to transmit using encryption key 1 then the wireless NIC that it is transmitting to will use key 1 to decrypt the data. If the NIC is configured to use key 3 to transmit then the Gateway will use key 3 to decrypt the data from the NIC. In this way, the data is encrypted differently in either direction, improving the security of the network. It should however be noted that the weakness with the WEP system is that it has a static key; several studies exist where keys have been cracked where sufficient data has been collected enabling someone to crack into the network. For this reason, higher levels of security have been introduced by some vendors based on dynamic keys. These keys change at regular intervals making it significantly more difficult to crack the keys. There is also further work going on within the IEEE 802.11 committee to develop more robust encryption schemes. This will be covered in greater depth later in this document. The WEP key can normally be entered in several ways, by manually entering the desired number of hexadecimal characters or by using a “passphrase”. A passphrase is a string of ASCII characters which will be converted into a hexadecimal string. If the passphrase method
  3. 3. is used on wireless equipment from different vendors, ensure that the hexadecimal string created is the same for both – this is not always the case. 40/64bit or 128bit WEP? This choice is will be based on the sensitivity of data that is being transmitted over the wireless network and the throughput requirements. 128bit WEP will offer a more secure link between wireless clients and the access point but there will have a slower throughput due to encryption and decryption times while 40/64bit WEP will offer less security but have a higher throughput rate. Whichever level of encryption is chosen it must be ensured that both the gateway or access point and the wireless NIC have the same level specified. If the same level is not specified at both ends then the communication between the NIC and access point will not be possible MAC Address Filtering In addition to using WEP to prevent unauthorised access to your wireless network, it is possible to specify exactly which PCs are allowed to access the network by MAC address. (A MAC address is a unique identifier for every device that connects to your network). This is basically a list of authorised PCs that the gateway or access point uses to control access to the wireless network. If MAC address filtering is used then only the MAC addresses specified by the network administrator will be able to connect to the wireless network – yet another obstacle placed in the way of a hacker trying to access the network. The OfficeConnect Wireless Cable/DSL Gateway has a list of all MAC addresses accessing the gateway on the user interface; this can be used to form the basis of a MAC address filtering scheme. However, to find the MAC address of your wireless NIC… Windows 2000/XP While using the wireless NIC 1. From the Start Menu go to Programs ->Accessories ->Command Prompt 2. Type ipconfig /all 3. The parameter called Physical Address will have a 12 digit hexadecimal number. This is the MAC address of the Wireless NIC. Windows 95/98/ME While using the wireless NIC 1. From the Start Menu choose Run… 2. Type winipcfg 3. Choose the wireless NIC from the pull down menu 4. The parameter called Adapter Address will have a 12 digit hexadecimal number. This is the MAC address of the Wireless NIC. Higher levels of security As previously mentioned, there are methods of further securing the wireless network against hacking although these security features are normally only found in higher end wireless devices, such as the 3Com Access Point 6000 and the 3Com Access Point 8000. Dynamic Security Link increases security by using a 128-bit encryption key that is automatically changed for each networking session. This increases security as the key is no longer static (as in WEP) and therefore is harder for a hacker to break. The new keys are negotiated between the wireless client and Access Point so there is no need for a manual key
  4. 4. to be entered by the user. User Authentication can also be used for an even higher level of security by requiring users to enter a username and password for each session. Another way to increase security is by using central authentication to validate the log-in details of any user trying to use the wireless network. The most popular way of doing this is by using a central RADIUS server to validate the user details. All user details are stored on the central RADIUS server and the Access Point will authenticate users using the RADIUS server. Each of these features makes the security of the wireless network more secure. Details of both the 3Com Access Point 6000 and 8000 can be found on Virtual Private Networking Another way of further securing the wireless network is by using Virtual Private Networking (VPN) to encrypt data transmission to the private network. In this case, the wireless access point is positioned outside a gateway or router that has the ability to terminate VPNs, so once the connection to the wireless network is made (with or without WEP enabled) then the user will connect to a VPN server to access the private local network using PC based VPN client software. Wireless Network Private Network VPN Terminator/ Firewall Internet RADIUS Wireless Server Access Point (optional) Switch VPN Tunnel By using this scenario the local network is seperated by from the wireless network but is still easily accessed by authorised users. This offers a very high level of security for the local network whilst still protecting unauthorised access to the Internet connection using WEP encryption if enabled. Note: The OfficeConnect Wireless Cable/DSL Gateway cannot be used in this scenario although the 3Com Access Point family can.
  5. 5. For more information about VPN technology, refer to the VPN white paper found on
  6. 6. How to configure security on the OfficeConnect Wireless Cable/DSL Gateway Security Step 1: Ensure you change your SSID from "101" (3Com OfficeConnect Wireless Cable/DSL Gateway default value) to another set of characters. Currently your product is set up with a default, we strongly recommend that you define a unique name for your wireless network, it is worth considering using an abstract name that does not relate to you or your business, in the same way you might consider any password. You have up to 32 characters that can be used to define the SSID. You will also need to change this in all of your clients. For the time being make a note of your new SSID here. SSID: Security Step 2: Which version of WEP? Currently your system does not have WEP enabled at all, your gateway can support two versions of WEP, the first is referred to as 40 or 64 bit WEP, the second is referred to as 128 bit WEP. The choice of what level of WEP to choose is down to the level of WEP offered by all of your clients. Check your clients to see what they support, some products offer only 40/64 bit WEP, others offer both 40/64 and 128bit WEP. 128bit WEP offers better security than 40/64, but may have an impact on your overall system performance depending on the elements in your system. If you are not sure which key size is best, and your clients can support both, we recommend trying the 128bit key size first and then monitor the network performance. Security Step 3: Enable encryption by selecting either 40/64 bit or 128bit encryption from the pull-down menu. Next select which method of key generation will be used. This selection should be based on the generation methods supported by the wireless clients – the same method should be used on the Gateway and the clients. The Gateway offers a number of methods for converting plain text into hex keys. The text is much easier to remember than hex keys but it relies on your wireless adapters also supporting this feature. Different manufacturers have developed different ways of converting plain text and so interoperability is not guaranteed. If you are experiencing difficulty, the Manual Hex Key method is supported by most vendors. The Gateway supports 4 methods to specify the WEP Keys : a) Manual Hex Key This method allows you to manually enter hex keys. Virtually all manufacturers support this scheme. b) 3Com Encryption String This method is only supported by 3Com Wireless products. The string can contain any alpha numeric characters and must be between 6 and 30 characters long. A single string will automatically generate 4 unique keys for 40/64 or 128 bit WEP. c) ASCII This method is supported by some adapter cards running under Windows XP. The string must be exactly 5 characters for 40/64 bit WEP or 13 characters for 128 bit WEP. You must enter a separate string for each of the 4 Keys. You can leave a string blank so long as this Key is not selected as the Active Transmit Key. d) Passphrase This is another common method and similar to the 3Com Encryption string. In 40/64 bit WEP, the Passphrase will generate 4 different keys. However, in 128 bit WEP, this method only generates 1 key which is replicated for all 4 keys.
  7. 7. Select the "Active Transmit Key". This selects which of the 4 Keys the Gateway uses when it transmits. You can change the selected key every now and then to increase the security of your network. Make a note of your keys in the table(s) below Hexadecimal characters Key # Active 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Transmit Key? 1 y/n 2 y/n 3 y/n 4 y/n Hexadecimal characters Key # Active 17 18 19 20 21 22 23 24 25 26 Transmit Key? 1 y/n 2 y/n 3 y/n 4 y/n Security Step 4: The next step is to switch on WEP on all of your clients. Using the information you have collected you will now need to consult the documentation for your client wireless NICs and set up the corresponding information: SSID or Service Area Name, 40/64bit WEP or 128 bit WEP. Remember you have to choose one or the other for your whole network. Finally enter all of the keys you generated on the Gateway in the correct order on each client. If you have a wireless client that only supports one key, ensure you enter the active transmit key as defined in the gateway. While you are making the changes to your clients it would be a good idea to note the MAC addresses for each NIC card you are using. The MAC address is recorded as a sequence of twelve hexadecimal characters. This will be useful if you wish to make further enhancements to the security of your network. Make a note of your Wireless NIC MAC (Media Access Controller) addresses below: Client # Media Access Controller Address PC Name or Owner You may now test the network with encryption enabled. If you encounter any problems go to the trouble shooting section at the end. If you are happy that the encryption settings are working then you can optionally move to the next section for to further enhance security. Security Step 5: The Gateway provides a list of connected PC's, confirm that the PC's on your network that are powered up with a live wireless card can be seen in the list of clients. Verify that all of your clients can still connect to the Gateway. You will need to remember that if MAC address filtering has been enabled, any new device added to the network, or any changes to the existing configuration will need to be recorded in the gateway MAC address table. We also recommend ensuring that you keep the table up to date, accurately reflecting the active devices in your network. Finally, it is also useful to consider that any system using WEP is not unbreakable, therefore regularly changing the keys between the devices is a further precaution you could take.
  8. 8. 3Com Corporation, Corporate Headquarters, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145 To learn more about 3Com solutions, visit 3Com Corporation is publicly traded on Nasdaq under the symbol COMS. The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document. Copyright © 2001 3Com Corporation. All rights reserved. 3Com is a registered trademark and the 3Com logo is a trademark of 3Com Corporation. Windows NT is a trademark of Microsoft. UNIX is a trademark of UNIX Laboratories. Other company and product names may be trademarks of their respective companies. DMA5119-6CAA01 05/02