Understanding Security for Wireless Networks

On a conventional wired network, physical security is a given: if someone plugs a computer into your hub, you'll know about it immediately, and you can trace the physical wire back to the intruder's computer. On wireless networks, however, anyone who comes into range of your wireless access point can tap into your network and intercept signals from it. Finding open access points has become something of a sport; participants call it war driving. Although some war drivers seek open access points just for fun, other users who find their way into your network present several risks:

• Theft of service An intruder might be able to access the internet using your connection, which could degrade the quality of your internet service.

• Denial of service An intruder who is unable to connect to your network can still cause some degree of havoc by flooding the network with connection requests. With enough persistence, an attacker could completely deny legitimate users access to the network.

• Privacy violations An intruder with the right tools can monitor all data sent over the network and can therefore see which websites you visit (along with your passwords for those sites), documents you download from a shared network folder, and so on.

• Theft or destruction of data Outsiders who successfully connect to your network can browse shared folders and printers. Depending on the permissions assigned to these resources, they can change, rename, or delete existing files, or add new ones.

• Network takeover An intruder who manages to log on to the network and exploit an unpatched vulnerability can install a Trojan horse program or tamper with permissions, potentially exposing computers on the LAN to attacks from over the internet.

To prevent any of these dire possibilities, you can and should configure the best available security for your access point and all wireless devices on your network. Depending on your hardware, you should have a choice of one or more of the following options:

• Wired Equivalent Privacy (WEP) WEP is a first-generation scheme for protecting authorized users of a wireless network from eavesdroppers by encrypting the data flow between the networked computer and the access point. WEP suffers from some known security flaws that make it extremely easy for an attacker to "crack" the key using off-the-shelf hardware. As a result, WEP is inappropriate for use on any network that contains sensitive data. Most modern Wi-Fi equipment supports WEP for backward compatibility with older hardware, but we strongly advise against using it unless no other options are available. To enter a WEP key, you supply a string of ASCII or hex characters (5 ASCII or 10 hex characters for a 64-bit key; 13 ASCII or 26 hex characters for a 128-bit key). The key you provide when setting up your wireless adapter must match the key on your access point, and all devices on the network must use the same encryption strength—either 64 or 128 bits.

• Wi-Fi Protected Access (WPA) WPA is a newer, stronger encryption scheme that was specifically designed to overcome weaknesses of WEP. On a small network that uses WPA, clients and access points use a shared network password (called a pre-shared key, or PSK) that consists of a 256-bit number or a passphrase that is from 8 to 63 bytes long. (A longer passphrase produces a stronger key.) With a sufficiently strong key based on a truly random sequence, the likelihood of an outside attack is very, very slim. Most network hardware that supports the 802.11g standard also supports WPA. With older hardware, you might be able to add WPA compatibility via a firmware upgrade.
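To make the key formats in the WEP and WPA items above concrete, here is an added example in Python (not code from the original article). It validates WEP key strings against the 5/10/13/26-character rule and derives the 256-bit WPA/WPA2-Personal PSK from a passphrase and SSID the way supplicants and access points do: PBKDF2-HMAC-SHA1 with 4096 iterations, as specified by IEEE 802.11i. The SSID and passphrase values used for the demonstration are constructed; the "password"/"IEEE" pair and its expected key are the test vector published in the 802.11i standard.

```python
import hashlib
import hmac
import re
from typing import Tuple

# WEP key formats from the article: 5 or 13 ASCII characters, or 10 or 26 hex digits.
# The marketing names "64-bit" and "128-bit" count the 24-bit per-packet IV;
# the secret portion the user actually types is only 40 or 104 bits.
_WEP_ASCII_LENGTHS = {5: 64, 13: 128}
_WEP_HEX_LENGTHS = {10: 64, 26: 128}

# Parameters fixed by IEEE 802.11i for deriving the PSK from a passphrase.
WPA_PSK_ITERATIONS = 4096
WPA_PSK_LENGTH = 32  # 256 bits


def wep_key_bytes(key: str) -> Tuple[bytes, int]:
    """Return (raw key bytes, advertised strength in bits) for a WEP key string.
    Raises ValueError if the string is not one of the accepted formats."""
    if len(key) in _WEP_HEX_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", key):
        return bytes.fromhex(key), _WEP_HEX_LENGTHS[len(key)]
    if len(key) in _WEP_ASCII_LENGTHS and key.isascii():
        return key.encode("ascii"), _WEP_ASCII_LENGTHS[len(key)]
    raise ValueError("WEP key must be 5/13 ASCII characters or 10/26 hex digits")


def is_valid_wep_key(key: str) -> bool:
    try:
        wep_key_bytes(key)
        return True
    except ValueError:
        return False


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK used by WPA/WPA2-Personal.

    A 64-hex-digit string is taken as the raw 256-bit key, exactly as the
    article describes. Anything else is treated as a passphrase, which
    802.11i requires to be 8..63 bytes, and is stretched with PBKDF2.
    The SSID is the salt, so the same passphrase on two differently named
    networks yields two different keys."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return bytes.fromhex(passphrase)
    pw = passphrase.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 bytes long")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid.encode("utf-8"),
                               WPA_PSK_ITERATIONS, WPA_PSK_LENGTH)


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    try:
        wpa_psk(passphrase, "any")
        return True
    except ValueError:
        return False


def devices_share_psk(ssid: str, configured_passphrases) -> bool:
    """True if every device's configured passphrase derives the same PSK.
    Models the article's rule that all devices must use the same key;
    a single mistyped passphrase makes that device's 4-way handshake fail."""
    keys = [wpa_psk(p, ssid) for p in configured_passphrases]
    return all(hmac.compare_digest(keys[0], k) for k in keys[1:])


if __name__ == "__main__":
    # Constructed sample network: an access point plus two clients.
    ssid = "HomeOffice"
    print("WEP 64-bit key bytes:", wep_key_bytes("abcde"))
    print("WEP 128-bit key bytes:", wep_key_bytes("00112233445566778899aabbcc"))
    print("PSK for constructed passphrase:", wpa_psk("correct horse battery staple", ssid).hex())
    print("All devices share the PSK:",
          devices_share_psk(ssid, ["correct horse battery staple"] * 3))
    print("One device mistyped:",
          devices_share_psk(ssid, ["correct horse battery staple",
                                   "correct horse battery stapel"]))
```

The derivation is the same one a wireless adapter performs when you type a passphrase into it, which is why the article's two forms of PSK are interchangeable: entering the 64 hex digits directly skips the PBKDF2 step and supplies the result of that computation.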

• Wi-Fi Protected Access 2 (WPA2) Based on the 802.11i standard, WPA2 provides the strongest protection yet for wireless networks. It uses 802.1x-based authentication and Advanced Encryption Standard (AES) encryption; combined, these technologies ensure that only authorized users can access the network, and that any intercepted data cannot be deciphered. WPA2 comes in two flavors: WPA2-Personal and WPA2-Enterprise. WPA2-Personal uses a passphrase to create its encryption keys and is currently the best available security for wireless networks in homes and small offices. WPA2-Enterprise requires a server to verify network users. WPA2 can work with all flavors of Wi-Fi, including 802.11b, 802.11g, and 802.11a. (WPA2 support is also included in all devices that use the 802.11n [draft] standard and is currently scheduled to be part of the final specification.) All wireless products sold since early 2006 must support WPA2 to bear the Wi-Fi CERTIFIED label.

You must use the same encryption option on all wireless devices on your network—access points, routers, network adapters, print servers, cameras, and so on—so choose the best option that is supported by all your devices. If you have an older device that supports only WEP (and it can't be upgraded with a firmware update), consider retiring or replacing that device.

The alternative to these encryption methods is to use no security at all, an option that produces an "open" network. If you own a coffee shop or bookstore and your goal is to provide free internet access for your customers, this option is acceptable as long as you make sure to protect other computers on your network from unauthorized access. (The primary tools for doing so are a firewall, sharing permissions, and folder permissions.) But for most people, the risks of running an open network are unacceptable.
