You have little choice but to lock down these ubiquitous devices
Once a novelty of tech-savvy users, 802.11b wireless devices have taken the residential scene by storm and have even found their way into many organizations—despite negative publicity about inherent security vulnerabilities. These devices have charmed users, who simply plug them in, dismissing—or not understanding—the concept of intrusion. The devices are cheap, offer decent performance, and are easy to set up. However, 802.11b devices can leave your network open to attack.
I don't recommend deploying bare-bones 802.11b devices directly into networks that contain sensitive data and demand tightly controlled access. However, given the popularity of these devices, every IT administrator needs to know the basic security principles behind every 802.11b device. You're probably also ready for a primer that shows you how to use Windows XP's Wireless Zero Configuration service—or third-party drivers, if necessary—to configure your wireless client.
Ease of Use
The 802.11b protocol, which uses the 2.4GHz frequency, provides service as fast as 11Mbps and offers rudimentary authentication and encryption mechanisms. (The 802.11a and 802.11g protocols provide service as fast as 54Mbps.) Unfortunately, out of the box, these devices are typically configured without built-in security mechanisms enabled. And with an Access Point (AP) and NIC price of less than $200 combined, the devices are painless for non-IT departments to purchase and plug into the corporate LAN. This plug-and-play approach is the reason for much of 802.11b's popularity. Many vendors offer the ability to simply plug in the AP, plug in the wireless NIC (USB or PC Card), insert the driver CD-ROM when prompted, and presto—you have an AP-based wireless network. In this article, I focus primarily on the prolific sub-$200 equipment that you'll probably find popping up in your network. (Many more robust—and expensive—solutions offer advanced security and management features that are better suited for an enterprise deployment.)
The 802.11b devices work in two modes: ad hoc and infrastructure. Ad hoc mode is a peer-to-peer mode in which computers with 802.11b wireless NICs can talk directly to one another. (Access is generally restricted to computers configured in ad hoc mode.) Infrastructure mode requires an AP, a network device that acts as a bridge between your wired LAN and your wireless users. In infrastructure mode, many users can use one AP. Also, with some models, you can overlap the coverage areas of multiple APs to create a mesh across your campus that users can roam. (Roaming across subnets is a tricky endeavor that less expensive devices don't generally support.)
Active Breach and Passive Listening
To understand 802.11b's weaknesses, think of your wireless network as a typical wired LAN. Imagine a potential intruder accessing your wireless network by simply plugging his or her computer into your Ethernet switch. This scenario is close to what you're permitting if you leave the basic security features of 802.11b disabled. An intruder's access to your network could be twofold: First, the intruder could access any system available to your wireless users on your LAN; second, the intruder could use your IP network to access the Internet.
An intruder doesn't need to physically breach your network to cause damage. He or she can passively listen to your wireless traffic and sniff corporate secrets (e.g., passwords). If you occupy a building with other tenants, those tenants could feasibly identify your network and set up a device to silently log all wireless traffic for later analysis. Such passive reconnaissance is impossible to detect electronically.
Authentication and Encryption
The 802.11b protocol provides basic authentication and encryption mechanisms, with which you can protect your wireless network against external threats. Authentication validates you as a legitimate wireless client before the AP permits access to the network. Encryption protects the data stream between the wireless adapter and the AP, preventing casual eavesdroppers from poaching your traffic. Both of these processes use a key or secret that the wireless user and the AP share. This shared secret can validate the user and encrypt the data. Widely available hacker programs can decipher these keys, so you need to rotate your keys regularly and frequently. Rotating keys involves changing the Wired Equivalent Privacy (WEP) key on every wireless client and each AP. Unfortunately, most 802.11b products (particularly the less expensive solutions) don't offer effective key management, and key rotation can be cumbersome. (For more secure alternatives to 802.11b's built-in security, see "Related Articles in Previous Issues.") The emerging 802.1x standard provides stronger port authentication through dynamic and session-based keys. For more information about 802.1x authentication, see the sidebar "A Glimpse at 802.1x Authentication."
Define Your SSID
To begin configuring basic 802.11b security, you first need to define your wireless network's service set identifier (SSID). The SSID, which is set on every wireless client and AP, defines the logical network for the group of wireless network devices that share that particular SSID. Be careful: Some vendors market the SSID as a type of security. A NETGEAR FAQ, for example, states that "the SSID is a common password unique to each wireless network," which might literally be true but not in the traditional sense of a password. NETGEAR's device broadcasts this SSID, which XP picks up as an available network, as Figure 1, page 70, shows. Obtaining the SSID is the first step toward gaining access to (or hacking into) a wireless network.
Many vendors use a default SSID for their devices, and I recommend that you set your SSID to a name that uniquely describes the deployment. (However, use discretion: Using the name Finance WLAN for a wireless LAN—WLAN—that serves the accounting department might draw unwanted attention.) If possible, disable your AP's broadcasting of your SSID. Check your AP's documentation to determine whether your AP will let you disable SSID broadcasting. Eavesdroppers will then have a tougher time finding your network.
The WEP Key
The WEP static network key is similar to IP Security's (IPSec's) preshared key—it's a shared secret between two wireless devices that want to communicate with each other (e.g., wireless client to AP). WEP uses a network key, 40 or 104 bits in length, for authentication and data encryption. Confusing matters, vendors might specify a 40-bit key as 64 bits in length or a 104-bit key as 128 bits. In each set, the systems are the same; the actual key lengths are 40 bits and 104 bits, respectively. The remaining 24 bits are for an initialization parameter that isn't user configurable.
Most systems support a hexadecimal network key, but some support an ASCII key—important to remember if you're mixing vendor products. You can store four keys in an 802.11b wireless device and set the key index to specify the active key. The key index also varies according to vendor: Some vendors prefer to number the key index 03, whereas others use 14.
The 802.11b standard specifies that the network key be installed on each network device independent of the wireless medium. Most vendors require the user to install the keys manually (or store them on the wireless device). Therefore, most users must type a key into their AP and type the same key into their wireless client. An example of a 128-bit WEP hex key is AB 02 1F 1A 93 2C DF FF 71 AB 29 F5 D9. (Encryption and decryption use the same key.) Inexpensive 802.11b systems don't offer a slick means of managing these keys. Imagine running around to your wireless users and typing in this key—and imagine changing it frequently! (Remember that regular and frequent key rotation is important to maintaining security in your basic 802.11b WLAN.)
I recommend using 128-bit encryption. If both your AP and wireless adapter support ASCII keys, consider them an alternative to the more difficult-to-remember hex keys. Also, consider devices that support automatic key management, although such devices are typically more expensive and often proprietary in nature.
Open System or Shared Key
Authentication is the process of validating a user or system before communication can occur; 802.11b connections support Open System and Shared Key authentication. Open System authentication, as its name implies, permits any wireless device to communicate with another wireless device.
Shared Key authentication uses the WEP network key to authenticate the client. The process is simple: The AP sends the wireless client a clear-text challenge; the client uses the network key to encrypt the challenge, then sends it back to the AP. If the client uses the wrong key, or no key, the AP denies access to the user. Although Shared Key authentication keeps unauthorized devices from associating with your AP, both the encrypted and unencrypted challenges are vulnerable to eavesdropping, which makes deciphering the WEP key easier. However, Shared Key authentication prevents random unauthorized users from connecting to your AP. So unless your AP supports a stronger (probably proprietary) authentication mechanism, and until we're all using 802.1x (or its future superior), I recommend that you use 802.11b's Shared Key authentication. However, you need to understand this weakness and remember to rotate your WEP keys frequently.
Set Up a Secure AP
Inexpensive APs that strictly adhere to the 802.11b feature set might offer 64-bit or 128-bit WEP and Shared Key or Open System authentication. (Some vendors might extend security features—for example, by limiting the media access control—MAC—address of specific authorized wireless NICs.)
AP configuration varies according to vendor, but you can count on following these basic steps:
- Physically connect the AP to the LAN, and—if the AP supports direct cable management—connect the USB or serial cable to the management computer. Otherwise, you might use HTTP/HTTPS, Telnet, SNMP, or a vendor-specific network client to manage your AP. For maximum security, consider using a direct connection or a secure protocol (e.g., HTTPS, if your AP supports it) for managing your AP.
- Load the AP management software onto the management computer. Run your management software and scan for the AP. If you have other APs on the network from the same vendor, you might also see them. (These APs are often denoted by their configured name, SSID, or MAC address.) Some vendors configure the AP's IP address to a default static address (e.g., 192.168.1.1), whereas others default to DHCP. So, to connect to it, you might need to change your management computer's IP address so that it's on the same subnet (e.g., 192.168.1.2) or be sure it can communicate with a DHCP server. After you successfully connect to the AP, follow the AP management software's documentation to change the AP's IP address to be on your LAN.
- Because the AP is likely set with a common set of users and passwords, you need to change the default Administrator password and review any other default users who can manage the AP. (For example, some APs allow guest access for remote management.)
- Select a descriptive word for your wireless network and set your SSID (or Extended SSID—ESSID—depending on the model of your AP) to this word. Every wireless client that wants to be a part of this logical network must use the same SSID. Figure 2 shows an AP setup screen in which the ESSID is set to Blackstatic.
- Enable Shared Key authentication. Figure 3 shows the setup of an AP with Shared Key authentication enabled.
- Enable WEP. Specify the hex network key. (Some AP models support ASCII keys in addition to hex keys.) Write down the network key; for static basic WEP implementations, you'll need to enter this key manually on every machine. The 802.11b standard supports four network keys, which are indexed. Some devices require you to enter the three other network keys (thereby defining all four). To specify the default (active) key, refer to your AP management software documentation for instructions about how to set the index to that key.
You've now completed basic security configuration for an 802.11b AP. Remember that some proprietary solutions add extra security features beyond the basic 802.11b specification, so be sure to check your vendor's documentation. Now, it's time to use Wireless Zero Configuration services or third-party drivers to configure the client. The steps to do so are similar. For the Wireless Zero Configuration example, I used an Intel 2011 wireless NIC. For the third-party driver example, I used an SMC SMC2632W wireless NIC. Both communicate with NET-GEAR's ME102 AP. These products are popular, inexpensive 802.11b solutions that you might see in home or workgroup implementations.
Wireless Zero Configuration Steps
Wireless Zero Configuration, which promises to centralize and sanitize wireless configuration in XP, is a service that's installed and started by default on all XP machines. When you install a wireless card that supports Wireless Zero Configuration, you don't need to install any third-party drivers. You need only to install the supported card (PC Card or USB) onto your computer, and Windows automatically installs the drivers and attempts to connect to an available AP. To use Wireless Zero Configuration to get up and running, follow these steps:
- Insert the card into the computer. XP might prompt you to install drivers, although the Intel 2011 card didn't prompt me. In fact, after I plugged in this card, XP silently installed the necessary drivers. I viewed progress in XP pop-up balloons. The first balloon notified me that the new hardware was ready to use. The second balloon notified me that a new wireless network was available.
- Connect to the network. Next to the system tray, you should see a balloon stating that a new wireless network is available. Click the balloon to access the Wireless Networks dialog box. In this dialog box, you can enter your network key, connect to your network, and perform advanced configuration. Because you've locked down the AP, you need to manually configure the client. To do so, in the Wireless Network dialog box, click Advanced, which takes you to the Wireless Network Connection Properties dialog box's Wireless Networks tab.
- Configure your network connection and configure 802.11b security. Under Preferred networks, select your network's SSID and click Properties. If you don't see any networks listed, click Add to access the Wireless Network Properties dialog box, which Figure 5 shows. Because basic 802.11b devices don't support automatic key management, you need to clear the The key is provided for me automatically check box. You can now configure the WEP network-key settings. Select both the Data encryption (WEP enabled) and Network Authentication (Shared mode) check boxes. (Shared mode is synonymous with Shared Key authentication.) Enter your WEP network key and specify its format, length, and index. The key index tells the system which of the four keys it should use. Click OK.
If you didn't configure your wireless AP for Shared Key authentication and WEP, XP automatically connects to your network. Remember that anyone else can just as easily attach to your network!
You can check the Microsoft Hardware Compatibility List (HCL) to ensure that your wireless device supports Wireless Zero Configuration—not all of them do. Devices that have proprietary features will likely require specific drivers. Another way to check for Wireless Zero Configuration support is to go ahead and install the card—if XP prompts you to install drivers, your card might not support Wireless Zero Configuration. After you install the card, open Network Connections and look for a Wireless Network Connection icon next to your adapter. Right-click the icon (or the icon of the NIC that you know is wireless), and click Properties. If your network connection adapter's Properties dialog box contains a new Wireless Networks tab, as Figure 4 shows, your card supports Wireless Zero Configuration. If it doesn't, you'll need to use the card's third-party drivers to manage it.
If you don't see the balloon next to the system tray, you can access the advanced-configuration options manually. Open Network Connections, right-click the wireless adapter, and click Properties. On the Wireless Networks tab, you'll see fields for your Available networks and Preferred networks. A preferred network is a wireless network that you can configure to automatically connect to in the future. If you've already configured your AP, you might see the SSID name under Available networks. (Many APs broadcast the SSID name, and Microsoft's Wireless Zero Configuration service uses it to help with configuration. These are two reasons you shouldn't rely on your SSID as a part of your security.)
XP will now automatically find and connect to your wireless AP. Repeat this process for each of your wireless clients. (The 802.1x protocol will centralize and streamline much of this process, providing a higher level of authentication security and requiring less management.)
Third-Party Driver Steps
The steps for configuring a third-party driver are similar to those that comprise the Wireless Zero Configuration setup.
- Insert the card into the computer and install its latest drivers. Some wire-less adapters install proprietary client-configuration software. Look in your system tray or Start menu for any adapter-specific utilities. You might also be able to access some of the configuration settings through the adapter's Properties sheet. In XP and Windows 2000, open Network Connections, right-click the wireless NIC's icon, and select Properties. Click Configure to configure the wireless adapter.
- Maneuver to the dialog box that includes a tab on which you can enter the SSID. (The field might also be called ESSID or Network Name.) Enter the name with which you configured the AP. Figure 6 shows an example of an SMC card configured to connect to the Blackstatic SSID network.
- Navigate to the tab on which you configure WEP settings. Enable WEP and specify the key length and the WEP key. Figure 7 shows the SMC's Encryption tab: Click OK and exit the dialog box.
The 802.11b protocol provides built-in security mechanisms that organizations typically—and unfortunately—deploy in a disabled state. Particularly guilty are non-IT or nontechnical departments. You need to seek out any rogue 802.11b deployments and lasso them into alignment with your entire WLAN infrastructure. Even if you have a basic deployment, you must review the security requirements of your WLAN attached network, remembering that unauthorized access to the WLAN will likely permit trespass to the network to which it's connected. Most large organizations will want to add security measures to the basic 802.11b built-in security features, which alone are simply weak and subject to compromise. However, these fast, cheap devices are popular and will continue to sprout up everywhere. You need to understand how to properly configure your wireless devices for basic security—particularly in environments in which isolated networks or dedicated firewalls are impossible.
|Related Articles in Previous Issues|
| You can obtain the following articles from Windows & .NET |
Magazine's Web site at http://www.winnetmag.com/magazine.
"802.11 Security Shortcomings," December 2001,
InstantDoc ID 22934
"Is 802.1x the Answer?" December 2001, InstantDoc
"Windows XP Goes Wireless," January 2002, InstantDoc ID 23294
"802.11 Wireless Devices," July 2001, InstantDoc ID 21146
"Securing 802.11 Wireless Networks," June 2002,
InstantDoc ID 24873