In the dark ages of wireless (about a year and a half ago) there was about an 80% chance that any given wireless network was completely unsecured. Now I would gauge it at around 70% of wireless networks having inadequate security and 40% remain completely unsecured. Yes, I pulled those numbers out of my proverbial ass; but if I count the number of wireless networks that I come into contact with daily (that are outside of my control), those numbers are just about dead on.
While 40% down from 80% shows that there has been a drastic improvement in wireless security awareness over the past couple years, it is still enough to keep a person up at night. As with all things security related, I blame a lack of knowledge and lack of caring as the reasons those numbers are not down to under 10%. So let's start with the reasons for not only securing your wireless network, but ensuring it is secured properly.
1) Illegal Activities - In today's world where everything can be tracked and traced in some manner or another, it just makes sense to not use your own Internet connection if you are going to perform some sort of illegal activity. Hackers know this. Pedophiles know this. My former IT Director who tried to bring down the company network after he was fired knew this. Instead of using their own Internet connections to perform these illegal activities, they connect to one of the many unsecured wireless networks and let their activities get traced back to some unsuspecting dupe (that would be you). Of course they would have to be smart enough to change their computer name and MAC address to not get caught, but that is another story.
2) All Your Base Are - Continuing the thoughts from reason #1 above into why adequate security is necessary; if someone is going to attempt to break into a network illegally using the Internet and they are smart enough to use someone else's Internet connection to do so, I am willing to bet the farm that they are smart enough to hack a WEP secured wireless network. Although saying "WEP" and "secured" really is an oxymoron.
3) Easy Network Access - The easiest method to gain unauthorized access to a company network is through social engineering. The second easiest method, and easiest method for a home network, is through unsecured wireless. Why not just start asking people driving past if they would like to come inside and use your computer?
4) Internet Bandwidth - The speed at which you access the Internet is not unlimited, despite how much faster your cable modem is versus your previous AOL dialup. The more traffic running across that connection, the slower your web surfing is going to be. There are also plenty of Internet service providers who are looking at changing their billing model to include over-bandwidth pricing; meaning if you use more than what they consider your fair share of the Internet, you pay more. Now why would I want to jack up my Internet bill downloading all those adult movies when I can just attach to your wireless and make you pay the bill?
The list goes on, but these are some of the bigger reasons for properly securing your wireless network. The really nice thing is that securing a wireless network is about the easiest thing you can do. The bad thing is all the oddball circumstances that crop up in the course of normal business that have kept many companies from securing their wireless access. Being a heck of a nice guy I will cover both sides: the straightforward secured wireless network and securing a wireless network under oddball requirements. But first up, let's take a look at the various methods available to secure a wireless network.
Wireless security is constantly changing and improving, as well as having previous methods become weakened or obsolete. A few years ago you would probably have been told an eight (8) character password was sufficient to protect against a brute force attack, two years ago it would have been 13 characters, now I personally recommend 16 character complex passphrases (thanks in part to GPU offloading). There are also newer features put forward by the Wi-Fi Alliance that will automatically configure wireless security between devices using various methods. All that being said, let's actually cover the concrete security methods that should be put in place.
Turn Wireless Off - I would like to say I am surprised at the number of people and companies who have a wireless network and do not even know it. Rogue Wireless Networks. I am not really surprised because I know the sheer number of devices that arrive from the manufacturer with wireless turned on. Purchase a new router for your home network? Probably has wireless built in and turned on. Have a DSL Internet connection? The new DSL modems have built in firewalls, switches AND wireless; and wireless is turned on by default. Basically, turn off wireless on each device you have if it is not needed. If you are not positive beyond any reasonable doubt that it is needed, turn it off. Something will either stop working or someone will complain if it really was needed.
Segment Wireless Networks - Hopefully you have read my previous entry entitled Computer Security 101 - Part 4 - LAN. If you haven't, go read it now. Very few businesses use wireless networks for daily operations. Very few homes do for that matter. Wireless is either accidentally left on or is put into place to meet some need or another. Usually that need is Internet access for someone with a laptop who has enough pull to make your life miserable. The beauty here is that they do not need access to your entire network, just a small section of it. Through network segmentation (you did read the article I just listed, right?) you can limit the access that particular wireless network has to your overall network and effectively mitigate many security threats in doing so.
Disable SSID Broadcast - According to some silly 802.11 standard or another, wireless devices send out a broadcast beacon. Part of this broadcast beacon is the SSID (also the channel number, but if you see the broadcast you already know the channel number because, well, you see the broadcast. See how silly 802.11 standards can be?). In order to connect to that wireless device, you need to know the SSID. If you turn off the broadcasting of that SSID you require anyone who wants to connect to your wireless network to already know the SSID. Ingenious, right? Of course you also need to set the SSID to something not easily guessed, but we'll get to that in a minute.
MAC Address Filtering - A MAC (Media Access Control) address is a hardcoded 12 character hexadecimal code set into all Ethernet devices by the manufacturer that is required to be unique for each device (another one of those IEEE standards). Most wireless devices have the ability to limit which MAC addresses are allowed to talk to them. If a device connects with a MAC address not on the list, the wireless device ignores it. Pretty simple. Except MAC addresses are easy to spoof (pretend to be). MAC Address Filtering is a pain to set up because it needs to be maintained and is lacking on its own. In combination with other methods of wireless security it will help to protect your network, but it is still an administrative nightmare to maintain for a business and rarely worth the extra protection provided.
WEP Security - Wired Equivalent Privacy. Useless security option. Really. Most of the new DSL modems I have seen recently have WEP turned on by default (along with wireless) so the company can pretend to have cared about your network security and not get sued. Of course any computer security person would shred that argument in court, so they are depending on people's ignorance to save them from a lawsuit when someone hacks the wireless network they left on by default. WEP is useless.
WPA and WPA2 - Wi-Fi Protected Access. Another set of those 802.11 standards. WPA is the old standard that made use of TKIP (Temporal Key Integrity Protocol) and was designed to replace WEP without much fuss. Unfortunately, people were able to crack the WPA-TKIP standard in 2008. Luckily, the Wi-Fi Alliance people adopted a new 802.11 standard in 2006 that became known as WPA2-AES (Advanced Encryption Standard). The difference between the two standards really is in the encryption algorithms used. Basically, use WPA2.
Pre-Shared Key (PSK) or Personal Mode - Pre-Shared Keys were introduced with WEP and carried forward into WPA and WPA2. It is a passphrase set on any wireless access point that is used to partially encrypt the data sent wirelessly. I say partially, because the encryption actually changes once the connection is established. You can read up on the entire 802.11 IEEE standards if you really care about useless information, or just want to hit that home run during your next technical interview. Anyway, all wireless devices are supposed to support PSK and it is more than adequate for personal home networks (hence the Personal Mode pseudonym) and even most businesses; assuming the passphrase is sufficiently complex (getting to that in just another moment).
RADIUS Server or Enterprise Mode - Sometimes mistakenly called EAP or Extensible Authentication Protocol (PSK above is a flavor of EAP, hence the mistakenly part). Enterprise mode uses a RADIUS server like Microsoft IAS or Cisco ACS to provide the authentication methods for wireless connections. A pre-shared key still exists between the RADIUS server and the wireless device, but it expires after a preset period of time and is changed out automatically. This is the mode to use for any business with a RADIUS server.
Strong Passphrases - Every wireless device has at least three passphrases that can be set. The first is the one used to access the wireless device in order to make configuration changes. The second is the SSID. The third is the Pre-Shared Key (may not be used though). Treat each of these as a secure passphrase. Each of these passphrases should be unique from one another. Each of these passphrases should be exactly that, a passphrase instead of a password. Each of these passphrases should be complex in nature, meaning include at least one upper case letter, one lower case letter and one number or symbol. Each of these passphrases should be at least 16 characters long. Do not use your name or your company's name for any of these passphrases. Read my entry entitled Computer Security 101 - Part 2 - Passwords if you have not done so already.
First things first. Shut down all wireless access points and routers that are absolutely not needed. Move onto the next step if you are doing all this for your home or a small office (two paragraphs down); otherwise grab yourself a laptop with a wireless card and start walking your perimeter. You will want a wireless card that supports at least 802.11 b and 802.11 g network standards; 802.11 n is currently an added bonus, but is increasingly becoming a requirement. As you walk around refresh the available wireless network screen and see what you see. Write down each and every wireless network you find and the locations you find it in. Write down the SSID if it is available. Write down the security level (WPA2-AES, WPA-TKIP, etc) that each wireless network lists as being used. Connect to unsecured wireless networks and see if each one is part of your network or perhaps something from the Starbucks next door. There are free tools available on the Internet to help in all this (mostly for Linux, but still plenty for Windows), just don't spend any money.
Now that you have identified all the Rogue airwaves (not necessarily Rogue Networks) in your company space, see what you can identify. Use a little common sense in this practice. If a wireless network is strongest in the eastern region of your building, talk to the departments in that area. If there are other companies in the eastern region, see if they are running wireless. Pretty simple stuff. Once you identify all that you can identify, the rest is considered a Rogue Network and needs to be found. Again, there are freely available software applications and instructions elsewhere on the Internet (like making a focused antenna with a Pringles can). Find these Rogue Networks (assuming they are actually on your company's network) and eliminate them.
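The walk-around notes described above can be sorted into a work list. This is an added example, not part of the original post: the CSV layout, locations, addresses and the inventory of known access points are all constructed, and the security labels are the ones the article uses.

```python
import csv
import io
from collections import defaultdict

# Constructed survey log (not real data): one row per sighting during the walk.
SURVEY_CSV = """location,ssid,bssid,signal_dbm,security
lobby,CorpNet,02:00:00:00:00:01,-48,WPA2-AES
lobby,,02:00:00:00:00:09,-70,WPA2-AES
east-wing,linksys,02:00:00:00:aa:01,-41,OPEN
lobby,linksys,02:00:00:00:aa:01,-79,OPEN
east-wing,CoffeeShop,02:00:00:00:bb:02,-83,WEP
third-floor,Guest,02:00:00:00:00:05,-55,WPA-TKIP
"""

# Hypothetical inventory of access points IT already knows about.
KNOWN_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:05", "02:00:00:00:00:09"}

# Tiers follow the article: open is unsecured, WEP and WPA-TKIP are inadequate.
TIER = {"OPEN": "unsecured", "WEP": "inadequate",
        "WPA-TKIP": "inadequate", "WPA2-AES": "ok"}
ORDER = {"unsecured": 0, "inadequate": 1, "ok": 2}


def triage(survey_text, known):
    """Merge sightings per access point and rank what to chase first."""
    sightings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(survey_text)):
        sightings[row["bssid"].lower()].append(row)
    report = []
    for bssid, rows in sightings.items():
        # The strongest reading is where the search for the device should start.
        strongest = max(rows, key=lambda r: int(r["signal_dbm"]))
        report.append({
            "bssid": bssid,
            "ssid": strongest["ssid"] or "<hidden>",
            # Labels not in the table are treated as inadequate so they get reviewed.
            "tier": TIER.get(strongest["security"].upper(), "inadequate"),
            "known": bssid in known,
            "start_search_at": strongest["location"],
        })
    # Unidentified devices first, then weakest security first.
    report.sort(key=lambda r: (r["known"], ORDER[r["tier"]]))
    return report


if __name__ == "__main__":
    for r in triage(SURVEY_CSV, KNOWN_BSSIDS):
        status = "known" if r["known"] else "UNIDENTIFIED"
        print(f'{status:13}{r["tier"]:11}{r["ssid"]:11}{r["start_search_at"]}')
```

An unidentified entry is only a candidate: it still has to be checked against the neighbours before it counts as a Rogue Network on the company's own network.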
Assuming you need a wireless network that cannot be shut off, the next thing to do is set up an actual secured wireless network. The best possible combination of security layers available is to segment the wireless network (at work, probably not home), use WPA2-AES protocols, disable SSID broadcast, and use strong passphrases (complex and 16 characters or longer). A company that has a RADIUS server should make use of Enterprise mode WPA2. Discuss with whoever handles your RADIUS server as to which EAP types are available. Everyone else has to use EAP-PSK, or Personal mode; again with a strong passphrase. MAC Address filtering provides very little added benefit at this point, so ignore it. It would be like putting an umbrella over a submarine to protect against the rain.
There. Done. That is currently the best configuration available for an active wireless network setup. The problem is each device (laptop, PDA, tablet, etc) that is going to connect to the wireless network must be set up now. This is generally not a big deal as it requires each device to only be set up once (set-and-forget). The real problem comes from C-level executives who believe they are tech-savvy and, worse still, salespeople (regardless of their tech level).
Both of these groups of people generally have no idea why they need an IT department to begin with. All those damn geeks do is make things more complicated than they need to be. They do not want to call IT when their 4-year-old is using mommy's laptop in the office and needs wireless access, or when a salesperson has a client in who needs to check their email. This is where wireless becomes unsecure once again. Ideally there is a strong CIO (CSO would be even better) who will insist that policy is policy and the wireless has to remain secure. Even without that CIO you still have a few things you can do to keep your network secure.
The first thing to do in the above scenario is to pick a good location for the "open" wireless. Conference rooms near the center of a building between floors two and five are excellent choices (the first floor gets the most non-work traffic; too high up in a building and, because of signal bounce, you can become a radio station broadcasting to the world). Picking locations like this for open wireless access points will reduce the likelihood of outside persons gaining access to your wireless network. Some wireless routers and access points offer further assistance here by allowing the signal broadcast strength to be reduced, thus decreasing the distance available to connect to the wireless network. Almost every salesperson or C-level exec will be satisfied with someone telling them "There is wireless available in the third floor conference room," as opposed to not at all.
The next step is to segment the open wireless network from the rest of the network, as much as is possible that is. A little guided research is required to discover what the use of the wireless network will be. Leading questions are great here such as, "I can set up the third floor conference room for wireless Internet access. Will that work for your sales team?" The answer will be "yes" and you can segment that wireless network from everything but Internet access.
The last step is to turn off the wireless. A good majority of commercially available wireless routers have some sort of scheduling built-in. This can range from allowing wireless access during certain times on certain days, to perhaps blocking certain Internet protocols (block any any) during certain times of the day. These functions can be used to restrict the wireless access to business hours only, which increases the wireless security level slightly (only the truly bold are going to connect illegally to a wireless network when the IT staff is there and alert).
Under normal circumstances the obvious choice is to put into place the most secure wireless settings possible. Failing that, virtually every business scenario for not having restricted wireless access can be mitigated by combining the various methods of securing a wireless network listed above. A little thought process combined with a few leading questions and you can once again sleep soundly at night.
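The checklist above, together with the passphrase rules from the Strong Passphrases section, can be run against an access point's settings. This is an added example, not part of the original post: the settings dictionary, its field names, the sample values and the company name "Acme" are all hypothetical and do not match any vendor's format.

```python
import re


def passphrase_problems(label, value, banned_words):
    """Apply the article's passphrase rules to one value."""
    problems = []
    if len(value) < 16:
        problems.append(f"{label}: shorter than 16 characters")
    if not re.search(r"[A-Z]", value):
        problems.append(f"{label}: no upper case letter")
    if not re.search(r"[a-z]", value):
        problems.append(f"{label}: no lower case letter")
    if not re.search(r"[^A-Za-z\s]", value):
        problems.append(f"{label}: no number or symbol")
    for word in banned_words:
        if word.lower() in value.lower():
            problems.append(f"{label}: contains '{word}'")
    return problems


def audit_ap(cfg, banned_words):
    """Return findings for one access point; an empty list meets the baseline."""
    findings = []
    if cfg["security"] != "WPA2-AES":
        findings.append(f"security: {cfg['security']} in use, expected WPA2-AES")
    if cfg["ssid_broadcast"]:
        findings.append("ssid_broadcast: still enabled")
    if not cfg["segmented"]:
        findings.append("segmented: wireless shares the main network")
    if cfg["radius_available"] and cfg["mode"] != "enterprise":
        findings.append("mode: RADIUS server exists, use Enterprise mode")
    # The PSK may not be used (Enterprise mode), so only check values that are set.
    secrets = {k: cfg[k] for k in ("admin_passphrase", "ssid", "psk") if cfg.get(k)}
    for label, value in secrets.items():
        findings += passphrase_problems(label, value, banned_words)
    if len(set(secrets.values())) < len(secrets):
        findings.append("passphrases: not unique from one another")
    return findings


# Constructed sample settings (hypothetical field names and values).
DEFAULT_AP = {"security": "WEP", "ssid_broadcast": True, "segmented": False,
              "radius_available": False, "mode": "personal",
              "admin_passphrase": "admin", "ssid": "AcmeCorp", "psk": "admin"}
HARDENED_AP = {"security": "WPA2-AES", "ssid_broadcast": False, "segmented": True,
               "radius_available": False, "mode": "personal",
               "admin_passphrase": "Rusty-Kettle-Sings-47",
               "ssid": "blue_Heron_at_dusk_9", "psk": "Seven.Quiet.Lanterns.Drift"}
BANNED = ["Acme"]  # hypothetical company name

if __name__ == "__main__":
    for finding in audit_ap(DEFAULT_AP, BANNED):
        print(finding)
    print(audit_ap(HARDENED_AP, BANNED) or "hardened settings: no findings")
```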