Use Win2K Routing and Remote Access and PPTP or IPSec to tighten security
Wireless networking has quickly become the most exciting networking technology of this decade. No longer limited to propeller heads and weekend data warriors, wireless networks have hit the mainstream. Anyone who's explored wireless security features, though, knows how little security such networks inherently provide. Frequent warnings and white papers demonstrate the security weaknesses in the Wired Equivalent Privacy (WEP) standard, which is a part of the 802.11b and 802.1x wireless LAN (WLAN) protocols. Yet many administrators assume that their wireless network signal is too remote or too contained (e.g., within a building) to be open to attack. However, resources such as NetStumbler.com (http://www.netstumbler.com) and Peter Shipley's "Open WLANS" presentation (http://www.dis.org/filez/openlans.pdf) give accounts of accessing thousands of wireless Access Points (APs) while war driving (i.e., automatically scanning for wireless networks while driving through an area).
The 802.11b wireless standard (the most popular and most widely available standard) has two general configuration settings that don't provide the protection some administrators think they do. First, systems administrators sometimes have the mistaken impression that Service Set Identifiers (SSIDs) are a security feature. They aren't, although you can use them to administratively segregate wireless users into smaller, more logical networks. SSIDs aren't meant to be kept secret or private, so relying on them won't contribute to the security of your wireless network. To facilitate connections by users, OSs such as Windows XP report all the SSIDs they find. Second, many administrators use WEP keys to configure rudimentary wireless encryption. These keys come in two sizes: 40-bit and 128-bit. (For information about WEP encryption, read Eric Janszen's article "Understanding Basic WLAN Security Issues" at http://www.80211planet.com/columns/article/0,,1781_937241,00.html.) Obviously, the 128-bit key is the stronger choice, but WEP has substantial weaknesses, so I suggest that you instead rely on a VPN tunnel to provide all the encryption you need. This solution works well in a Windows 2000 network.
Three Models of Connectivity
You have three models that build on each other to provide wireless network connectivity in a Win2K network. First, you can use the Internet Connection Sharing (ICS) service and create a DHCP scope on a Win2K server to set up a basic wireless gateway. To secure wireless traffic and provide minimal encryption protection, the second model adds Win2K's Routing and Remote Access service and PPTP to the first model. To take advantage of the strongest security commercially available today, the third model replaces PPTP with IP Security (IPSec) as an encryption option.
In the first and simplest model, you connect your AP to a Win2K computer running the ICS service. (For more information about ICS, see "Related Articles in Previous Issues" at http://www.winnetmag.com, InstantDoc ID 24873.) You install the DHCP service and create a DHCP scope for your wireless clients, then run the ICS Wizard on the Internet-facing computer. The result is a wireless Internet gateway for your users (and anyone else within a short distance of your AP).
However, this model provides no security to your wired network or wireless clients. To secure your new wireless connection, you need to make a few changes to your environment, such as installing a VPN server and adding encryption. You want to make sure that any data transmitted across your wireless networks remains confidential and that would-be intruders can't arbitrarily connect to your network or observe the data you're passing.
The second model uses PPTP to encrypt your wireless data. Using the 128-bit Microsoft Point-to-Point Encryption (MPPE) that comes with Win2K's Routing and Remote Access implementation might be ample protection for your network. Encrypting data with 128-bit MPPE inside a Generic Routing Encapsulation (GRE) tunnel provides enough protection to stop the casual or unskilled war driver. However, MPPE doesn't provide mutual authentication of client and server or the strong 168-bit Triple DES (3DES) encryption that you get through Microsoft's implementation of IPSec over Layer Two Tunneling Protocol (L2TP).
The majority of security researchers agree that IPSec currently offers the best protection for wireless encryption. Therefore, the third (and most secure) model uses IPSec rather than PPTP.
To set up a wireless network that uses IPSec, you first need to plan a stub network (i.e., a child network that uses a subset of the parent network's IP addresses but is segregated from the parent network by a router or gateway device) and set up DHCP and Routing and Remote Access. You need the stub network to give clients a means to connect to your wireless network. The wireless clients can use a statically assigned IP address to attach to one of your wireless network's APs; to assign addresses dynamically, you can offer a DHCP service in the stub network. The only resource available to clients on the wireless network is a Routing and Remote Access server. Any wireless clients that want access to your internal network must first connect, encrypt, and authenticate, similar to any Routing and Remote Access client that connects from across the Internet.
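A planning check for the stub-network step above, added here as an example (it is not code from the article, from Windows 2000, or from the Routing and Remote Access service): it takes a proposed scope, lease pool and gateway address and reports the addressing mistakes a practitioner would want caught before any wireless client attaches. The StubPlan fields, the check names and the sample plans are assumptions constructed for illustration; the only external fact is that 169.254.0.0/16 is the automatic (APIPA) range a Windows client falls back to when no DHCP server answers.

```python
"""Added example (not from the article): sanity-check a wireless stub-network
addressing plan before creating the DHCP scope for the wireless clients.

Assumptions: a plan is described by the StubPlan fields below; the address
values at the bottom are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# 169.254.0.0/16 is the automatic (APIPA) range a Windows client falls back to
# when no DHCP server answers; a plan should never rely on it.
APIPA = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class StubPlan:
    network: str     # subnet and mask the scope hands out, e.g. "192.168.0.0/24"
    pool_first: str  # first address in the DHCP lease pool
    pool_last: str   # last address in the DHCP lease pool
    gateway: str     # Routing and Remote Access server's wireless-side address


def smallest_subnet_for_pool(first, last):
    """Smallest CIDR block whose usable host range contains first..last.

    Network and broadcast addresses are excluded, so a pool of .33-.46 maps to
    a /28 starting at .32 (the .47 broadcast is what makes .46 the last host)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(30, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net and lo != net.network_address and hi != net.broadcast_address:
            return net
    raise ValueError("no subnet contains the pool")


def check_plan(plan):
    """Return a list of (severity, message) findings for the plan."""
    findings = []
    net = ipaddress.ip_network(plan.network, strict=False)
    lo = ipaddress.ip_address(plan.pool_first)
    hi = ipaddress.ip_address(plan.pool_last)
    gw = ipaddress.ip_address(plan.gateway)

    # Clients only land in 169.254/16 when DHCP fails: no gateway, mask or DNS.
    if net.overlaps(APIPA) or lo in APIPA or hi in APIPA:
        findings.append(("error", "plan uses the 169.254.0.0/16 APIPA fallback "
                         "range; clients get no gateway, mask, WINS or DNS there"))
    if lo > hi:
        findings.append(("error", "pool first address is after pool last"))
    if lo not in net or hi not in net:
        findings.append(("error", f"lease pool {lo}-{hi} is not inside {net}"))
    # The only resource on the stub network is the RRAS server: it must be
    # on-link, and DHCP must not be able to lease its address to a client.
    if gw not in net:
        findings.append(("error", f"gateway {gw} is not on {net}; wireless "
                         "clients could not reach the Routing and Remote Access server"))
    elif lo <= gw <= hi:
        findings.append(("error", f"gateway {gw} lies inside the lease pool; "
                         "exclude it from the scope or DHCP may hand it out"))
    # Does the mask actually partition the pool, or merely suballocate
    # addresses inside a larger on-link subnet?
    if lo <= hi and lo in net and hi in net:
        fit = smallest_subnet_for_pool(str(lo), str(hi))
        if fit.prefixlen > net.prefixlen:
            findings.append(("note", f"pool spans only {fit} "
                             f"({fit.num_addresses - 2} hosts) but the mask is "
                             f"/{net.prefixlen}; the rest of {net} stays on-link"))
    return findings


if __name__ == "__main__":
    # Constructed sample plans, not taken from any real deployment.
    samples = {
        "private /24 scope": StubPlan("10.1.1.0/24", "10.1.1.10", "10.1.1.100", "10.1.1.1"),
        "APIPA fallback": StubPlan("169.254.0.0/16", "169.254.0.1",
                                   "169.254.255.254", "169.254.0.1"),
        ".33-.46 on a /24": StubPlan("192.168.0.0/24", "192.168.0.33",
                                     "192.168.0.46", "192.168.0.1"),
    }
    for name, plan in samples.items():
        print(f"== {name}")
        for severity, message in check_plan(plan) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

The smallest-subnet computation is the useful part: it shows whether a mask really isolates the lease pool as its own subnet (a .33-.46 pool fits exactly in a /28 whose broadcast is .47) or whether the pool is just a slice of a larger subnet that remains reachable on-link. Run it against the plan before the scope goes live, and treat any "error" finding as a reason not to create the scope yet.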
First, he states that he assigned the 10.1.1.x subnet.
Then, he states you can let them automatically assign to 169.254.x.x, which actually is the failover addressing if no DHCP server is found; allowing that faulty assignment means there'd be no gateway, subnet mask, WINS/DNS Servers, or any other value DHCP can give.
Then, he states he used 192.168.0.x, but it's wasteful to use the entire subnet... so he partitioned out .33 to .46 (why not .47, unless that is the RRAS box's IP), but left the subnet mask at 24-bit. So, he suballocated addresses, but didn't partition out any subnets...
Why this confusion with addressing?
(and I'm only on Page 2...)
Thom Price June 19, 2002