Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


November 29, 2005

Easy 802.11g Security

Take 15 minutes to lock down your wireless Access Points
A Web Exclusive from Windows IT Pro
Jeff Fellinge
Solutions +
InstantDoc #48168
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    Advanced Authentication

STEP 3: Use WPA If You Can, but Use WEP Rather Than Nothing
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access, and WPA's follow-on, WPA2, each provide a cross-vendor framework for access control and for securing and encrypting data sent between a wireless AP and a wireless client. You should enable WEP or WPA for every wireless AP deployment. When you have a choice between the three technologies, choose WPA2 over WPA over WEP. WEP has serious flaws in its design and implementation, and numerous tools can crack the WEP encryption key and defeat its security.

WEP's replacement, WPA, is based on a subset of the IEEE 802.11i standard, and WPA2 is based on the final IEEE 802.11i standard. WPA offers a number of techniques and options, such as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES), that improve key management and encryption methodologies. Most current wireless APs support WPA, and some older models let you upgrade the firmware to add WPA support, so be sure to check with your vendor. However, keep in mind that you can choose WPA only if both your AP and every client that you want to connect to it support WPA.

WEP and WPA encrypt the data sent between your AP and remote clients. In simple terms, a key (i.e., a string of characters) that's known by both the wireless AP and the client is used to encrypt and decrypt the data sent between the devices. An attacker who gets a hold of this key can decipher data communications between the wireless AP and a client or possibly connect to the wireless AP.

A major shortcoming of WEP is that you must manually enter the actual key used for encryption on both the wireless AP and the client. This is a laborious process and most people enter a key once and never change it. Because of other flaws in WEP, determined attackers can crack this key, then use it to access the wireless AP or decrypt data sent between the wireless AP and legitimate clients. Because the key doesn't change automatically, the attacker could access data for long periods of time until someone manually changes the key.

WPA corrects this deficiency by adding features for key management. Like WEP, a key is used to encrypt the data. However, you enter a key once, and WPA subsequently uses this key to generate the actual key that encrypts the data. And WPA automatically regenerates the key periodically. This means that even if an attacker gets lucky and cracks an encryption key, the key is useful only until the wireless AP and client change the key automatically. By default, the Linksys wireless AP changes the encryption key once an hour.

By default, older versions of the Linksys AP set Wireless Security to Disable. To enable security, click Wireless Security on the Linksys firmware's Wireless tab. In the Security Mode drop-down box, select your desired wireless security configuration. The older versions of the Linksys AP support security modes named WPA Pre-Shared Key, WPA RADIUS, RADIUS, and WEP. In the newest version, WPA Pre-Shared Key and WPA RADIUS are renamed WPA Personal and WPA Enterprise, respectively, and WPA2 has been added. Most other vendors support the same technologies, but they might have slightly different names.

The best setting for small office/home office (SOHO) users is WPA Pre-Shared Key (WPA-PSK), or WPA Personal, because it offers the strong security of WPA and easy configuration. Midsized and large businesses will be better served by Linksys's WPA RADIUS (WPA Enterprise) option, which requires a Remote Authentication Dial-In User Service (RADIUS) server—although these users might want an enterprise-class AP instead of an entry-level model like the one described in this article. For more information about WPA RADIUS, see the "Advanced Authentication" sidebar. Linksys's RADIUS option, like the WEP option, is mostly for legacy deployments, meaning that you should choose it only if you have wireless clients that don't support WPA.

To configure the Linksys for WPA-PSK, select the WPA Pre-Shared Key option, as Figure 2 shows. The Linksys AP supports two WPA algorithms: TKIP and AES. TKIP is a stopgap measure that was designed to solve many of WEP's problems until the next generation of WPA (WPA2) was widely released. Although TKIP uses the same encryption algorithm as WEP, it addresses many of WEP's weaknesses by dynamically changing the key used to encrypt the data, encrypting configuration data that's clear text in WEP, and including a message integrity check. AES is a newer encryption algorithm that's exceptionally strong and supported in the WPA2 802.11i standard implementation but might not yet be supported on all hardware or software. Select AES if you can.

Next, enter a WPA Shared Key. You'll need to enter the same key on any clients you want to connect to the Linksys AP. Choose a long, hard-to-guess key. Linksys supports as many as 63 characters, and I recommend a key at least 20 characters long.

The Group Key Renewal field specifies how often (in seconds) the automatically generated key is changed. As I mentioned, the Linksys AP's default Group Key Renewal value is set to 1 hour, which is sufficient for most SOHO networks.

If your clients don't support WPA, definitely choose to configure WEP over nothing at all. To configure WEP on the Linksys WRT54G, select the Security Mode as WEP and choose a key to use as your default transmit key (i.e., choose a key numbered from 1 through 4) and the WEP encryption type, which is typically 64 bits or 128 bits (the longer the better) and hex or ASCII. In the Key field that corresponds to the default transmit key that you selected, enter the key. (For example, if you chose a 64-bit hex key, you could enter a 10-digit hex key such as af592de129.) Remember that you'll need to match this WEP key configuration on all your clients, so choose something that will work on all your devices.

For details about configuring WEP, see "Configuring Basic 802.11b Security," October 2002, InstantDoc ID 26355. WEP configuration varies across different vendors' products more than WPA configuration does, so you might find it a little more difficult to adapt my WEP instructions to your situation.

   Previous  1  [2]  3  Next 


Learning Path For details about configuring WEP:
"Configuring Basic 802.11b Security, October 2002."


To learn more about 802.1x and configuring a RADIUS server:
"A Secure Wireless Network Is Possible, May 2004"

"Security Administrator, Using Certificates to Secure Your WLAN, August 2004"
Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events Managing IT Across Multiple Locations

Best Practice Tips for Managing and Supporting User-Owned Smartphones

Introduction to Identity Lifecycle Manager "2"

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement