Sunday, March 6, 2011

Why Should I Secure My Wireless Network Using Encryption?

All computer security measures slow down, rather than stop, would be hackers. If a network takes longer to crack, the hope is that the hackers will give up and go elsewhere. Wireless networks without encryption make eavesdropping a cinch.

What Can Be Done to Secure a Wireless Network?

The two primary areas of concern are eavesdropping and unauthorized access. Encryption algorithms such as WEP and WPA protect against eavesdropping by scrambling data sent over the wireless connection so that only network hosts that have the network shared key or certificates can decrypt the information. WEP and WPA also support authentication in that hosts attempting to connect to the wireless network are denied access unless they can provide the network pre-shared key or authorized certificate.

WEP (Wireless Equivalent Privacy) is the oldest of the wireless encryption standards. WEP depends upon a relatively weak security algorithm using RC4 encryption and shared security keys that are trivial to break. Free applications are available for download on the Internet that can crack WEP encryption in minutes (with no advanced computer skills required). WEP should be considered a last resort for wireless security. If your wireless network only supports WEP encryption, upgrade the wireless hardware and software to equipment that supports the stronger encryption algorithms below.

WPA-PSK (WiFi Protected Access with Pre-Shared Key) provides slightly better security than WEP. WPA-PSK also employs a pre-shared key similar to WEP and still uses the RC4 algorithm for encryption. However WPA improves upon WEP through the use of the TKIP algorithm that generates new keys periodically and also detects tampering when packets have been altered. The theory behind WPA security is that if keys used to secure the network are changed often enough, then by the time the key is cracked, the key has already been replaced by a new key, invalidating the cracked key. So is WPA secure? Not really, as I will explain in a moment.

WPA2-PSK improves upon WPA-PSK by employing the AES encryption algorithm rather than relying upon RC4. AES (Advanced Encryption System) uses the Rijndael encryption algorithm that yet to be cracked outside a lab in real-world networks. WPA2-PSK is highly recommended over the aforementioned algorithms simply because it uses AES.

So what’s the catch? A combination of basic Linux skills and 802.11 wireless network protocol knowledge is all that a hacker needs to access to your wireless network without cracking an encryption algorithms. They can overwhelm the wireless AP/router with a flood of packets so that wireless network hosts lose connection to the AP. When the hosts attempt to associate with the AP again, they capture the four packets sent during host authentication and then use downloaded password cracking software to reveal the passphrase.

Countermeasures

First, always use a complex pass phrase. Include upper case and lower case letters, numbers and special characters in the pass phrase.

Next, the pass phrase should be as long as possible. Using the full 63 character space for WPA is best however if you must keep it simple, make sure it is at least 12 or more characters.

The pass phrase should not employ easy to remember mnemonics such as placing the same numbers before and after a word as there are password crackers designed to break such pass phrases.

Enable MAC address filtering and statically assign IP addresses to MAC addresses if your network (like most) uses DHCP to dynamically assign IP addresses. In addition, configure the DHCP scope to include only IP addresses statically assigned to a network host.

Employ IEEE 802.1x and/or directory server authentication in addition to a wireless encryption protocol. Wireless network clients would be required to associate with a wireless AP and then authenticate with the directory servers before access is granted.

Remember that each security measure takes time for would be hackers to crack. If it takes too long, they will move on to the next target.



No comments: