Chief among these is the ESSID (Extended Service Set ID), or name of the WLAN. By default it’s often “101” but it can be any string of up to 256 characters. Don’t be obvious and pick the house or road name. Instead, think of it as a password and use a long name with both letters and numbers, making it harder to hack. Then configure the AP so that it does not broadcast the ESSID. In this way, only authorised clients can connect to your AP.
MAC address filters
Hackers don’t have to be particularly determined to find out what WLANs are operational in their immediate vicinity and can often determine the ESSID. So there’s a second layer of security you can adopt, the MAC (Media Access Control) address filter. A MAC address is a unique identity burned into every network adapter during manufacture, with no way of changing it. Using this filter, the AP maintains a list of MAC addresses and only permits those on the list to connect. No connection means no access to the rest of the network, such as the data on servers and client PCs. The main drawback to MAC address filtering is the need to discover the MAC address of every client’s adapter and enter it into the AP’s settings fields. As a one-off task, it might take you half an hour from start to finish for say, half a dozen client machines. However, if a PC Card gets lost, you buy new ones, or you add or upgrade an AP, it can make for a lot of extra tedious typing. That said, for a small WLAN where such changes are infrequent, this might be almost all the security you need.
Even if hackers can’t get past your AP, they may still be able to access data that’s traversing your WLAN. The way to protect data in transit is encryption, the WLAN encryption standard being WEP (Wired Equivalence Privacy).
WEP works by encrypting traffic – scrambling it – as it leaves the AP or client PC and decrypting it on arrival. Any encryption method, whether used by the ancient Greeks, the Nazis with their Enigma machine, or today’s WLANs, needs a common key at both ends of the link or the result is gobbledegook. The longer the key, the lower the likelihood of someone breaking it through guesswork or, with the huge computing power available today, by brute force by running through all the possibilities. What this means in practice is that a WEP key must be at least 128 bits long to have a chance of defeating a potential interceptor, with 256 bits being many times more secure.
Just as an example of how adding bits to encryption keys makes a real difference, consider this. Under WEP, all encrypted packets use the first 24 bits for initialisation, the rest for data. This means that 64-bit encryption – actually 40 bits of which are data – provides just over one trillion combinations which, given today’s computing power, would not take too long to crack. However, double the size of the encryption key and the number of combinations jumps exponentially to over 20 million trillion combinations. Double it again to 256 and the number is astronomical – 1.E+69 in scientific notation, a 69-digit number. If you have a spreadsheet handy, enter the number 2^256 – that’s two to the power of 256 – and that’s roughly the number of combinations a hacker would need to check to be sure of breaking the encryption. The chances of anyone doing so are remote since they’d need to capture lots of data over a long period of time. Given WLANs’ relatively short range, they would be highly visible for days if not weeks.
An extremely determined individual might feel it was worth the effort though, at which point, the WLAN’s security is compromised and a change of key is required. This means tediously typing new keys into every client and AP. Far better to ensure things don’t get that far by changing the key frequently, preferably for every packet that’s sent over the WLAN. This is where future standards are headed and is the area we’ll be exploring in the next section.
The next step is to lock down the AP. You’ll notice that you can change the AP’s settings over the WLAN. This is not a good idea. If a hacker gets into your network, they can also access your AP, altering the settings to suit them, not you. If they’re clever, you might not even notice, even though someone else is accessing your connection. If they’re not, your WLAN might even stop working. Either way, make sure you only configure the AP over a wired connection. If you’ve got Ethernet use that or, better still, use the serial port connection if it’s got one. Don’t forget to change the default password where possible.
The final layer of protection is individual authentication. The standard method of WLAN authentication uses the 802.1X protocol. If the protocol is enabled, unauthenticated users cannot get past the AP to access the rest of the network. It’s built into Windows XP already and is embedded in the next-generation WLAN security standard – there’s more on this in the Future Standards section below.
Future security standards
If the security technology we’ve got in WLANs isn’t broken, why fix it? Basically, there are two main problems with the current standard. Firstly, with a powerful enough computer and enough traffic to analyse, a hacker can determine what your WEP key is and break it, rendering your wireless data stream vulnerable. Secondly, while MAC address filtering is not a bad way of rejecting unwanted intruders, it identifies the computer’s WLAN adapter rather than the individual – what happens if someone steals your computer?
So the next generation of security standards, known as the WPA (Wi-Fi Protected Access), improves on what we’ve got now. Unlike today’s static encryption keys, it uses a master password from which the system generates keys that change continuously using a protocol known as TKIP. Keys are never re-used, cutting the risk that a hacker will discover them. WPA also includes 802.1X, discussed earlier, which allows the system to check who’s logging in against a central database of known users.
The good news is that you may be able to upgrade to WPA today, as it’s designed to be a firmware upgrade. Upload the software into all your AP and client WLAN cards, reboot the AP and you’re done!