Since WiFi offers the benefits of easy setup without wires and cables, it has proved to be very popular among net savvy users. The increase in the number of available access points is a testament to WiFi’s new found popularity. Easy connectivity, however, comes at a price - wireless networks have poor security compared to their wired counterparts. When you network two computers using a wireless connection, the data is sent via radio waves on a certain channel. Thus anyone with a receiver (a wireless card will do) can analyze the data being sent. This is called sniffing.
If you are running an open network, a cracker with a laptop can listen in and analyze everything that you are doing online - the websites you visit, the emails you send, even the user name and passwords you exchange with servers. After connecting to your network, he may be able to scan and connect to other machines as well. Sharing your WiFi by keeping your access point open is regarded as nice, but there are instances where you want to secure your data. Here’s how to protect your WiFi network:
SSID Cloaking
Wireless networks identify themselves by a SSID, which can be something like ‘mywireless’. Computers with a wireless card whose SSID is set to 'mywireless’ can connect to each other. Access points send out periodic beacons which are meant to indicate their presence. These beacons also usually broadcast the respective SSID. Thus, anyone with a sniffer can find out that there is a network with a SSID and connect to that.
A basic form of security is to disable the broadcast of SSID. When this is done, the access point doesn’t identify itself when sending out its beacon packets. An intruder who doesn’t know the SSID won’t be able to connect to the network. The weaknesses of this method is that the network’s SSID is sent via other data packets as well. If you listen long enough to the communications between two networks, the SSID can be easily found, making connecting as easy as before.
MAC Address Filtering
A MAC address is the hardware address of the wireless card. The network uses this to identify where to send data packets. If you have a wireless network with a router and two wireless cards connected to it, you will see two machines connected with two unique MAC addresses. Here is an example of a MAC address, 00:0F:3D:EA:AB:F5. Since a MAC address is unique for each network card, another method of security is to ask the wireless router to accept connections only from certain MAC addresses. Using this method, you could ask the router to only connect machines known to you.
The weakness in this method is that you can set the hardware MAC address of a wireless card to whatever you wish. If an attacker listens to a wireless network for long enough, he can get a list of connected computers along with their MAC addresses. Then all he has to do is to wait till one of the computers disconnect from the wireless access point. If he sets his own wireless card’s MAC address to that number, then he is on the network. As far as the access point is concerned, the new connection will be from a known client. This technique is called MAC address spoofing.
Wired Equivalent Privacy (WEP)
This a security method where the computers in a wireless network use a pre-shared security key to encrypt data. Since the data is encrypted before transmission you cannot decrypt WEP enabled network traffic if you don’t have access to the key. The problem with WEP is a design limitation, it is inherently insecure at high volumes of traffic. If you have enough data that is transmitted in a WEP encrypted network you can subject the data obtained to a statistical analysis and guess the security key with near one hundred percent accuracy. Once you have obtained the key, the network is completely decrypted and is like an open access point. Because of these problems, security experts no longer recommend the use of WEP for securing a network.
Wireless Protected Access (WPA)
Due to the weaknesses of the WEP system, a stronger security model was needed. The WPA encryption method is much stronger than WEP and is more resistant to attempts at guessing the security key. However, one weakness in WPA is weak passwords (‘blue’, for example). An attacker can guess the security key by subjecting captured WPA authentication packets to a dictionary attack. However, WPA is a secure method far superior to WEP if you use a proper password with alternating letters and numbers and no dictionary words.
IP Security (IPSec)
This is the strongest security method available. IpSec is initiated by the computers connected to the network themselves, independent of the medium of transmission (wires or wireless). This method can be used to establish a secure encrypted channel of communication between two computers. The data is authenticated as well, meaning that no outsider is able to insert data packets or generate false packets.The disadvantage of IpSec is that it is difficult to setup without trained, professional help.
Although wireless network security has always been problematic, viable solutions are slowly emerging. Although IpSec is by far the most secure encryption method to use on a network, we also recommend WPA for combining both security and ease of setup.
[tags]SSID Cloaking, WPA, WEP, IPSec, Wireless Security[/tags]