Securing Wi-Fi Networks Doesn’t Have To Be Painful
March 8, 2008 – 4:10 PM
Years ago, in a strip drawn by the great cartoonist Walt Kelly, the characters were following a set of mysterious footprints through the swamp in which they lived. Finally, one of the characters, Pogo, a little opossum, realized that the footprints were their own. That’s when he made his much-quoted statement: “We have met the enemy,” he declared, “and he is us.” To a great extent, it’s the same scenario with wireless security today. The problem isn’t exactly the technology; the problem is us. We want to be conveniently safe.
Finding the middle ground between security and convenience can be tricky. You can design a wireless network to be quite secure, but doing so can make it hard to use. On the other hand, you can design it so that it’s really easy to use, but then it’s not completely safe. This conundrum has been acknowledged by the industry, of course, and that’s why wireless security issues are big topics with vendors at recent trade shows including Interop and RSA.
Fortunately, though, you don’t have to pick ease of use over security, or vice versa. The right balance depends on what you’re trying to accomplish. I was reminded of this recently when visiting two people. One, my daughter, is a teacher who (like teachers everywhere) does a lot of her work at home. She has to protect the information about her students from prying eyes. The other is a friend who runs a small business from her home. She has a server that holds client information, business records and accounting information. This information needs to be protected carefully.
The thing is, both want to use wireless networks. When they asked me about protecting things, I led them through some steps that I’ll share with you. These steps will be a little less convenient than just using plain ol’ naked wireless. But they won’t be all that bad.
Secure the assets
The first thing you should remember about the current state of wireless security is that despite what the vendors would have you believe, there are holes. Maybe not big holes, but holes nonetheless. WEP encryption, you probably know, has been compromised. VPN passwords may be transmitted in the clear. While there have been no reports of the stronger WPA encryption being compromised, not everyone can use it.
So the first step is to attach important network assets, such as your server, to the hard-wired Ethernet ports on the back of your wireless router. And if you’re doing something really important on your laptop, you might want to think about attaching that with a cable instead of using wireless. While you’re at it, make sure that anything you have connected to the network is running a personal firewall, such as the one Microsoft includes with Windows XP. Or use something better such as ZoneAlarm from Zone Labs.
The second thing to keep in mind is that if you can see your neighbors, they can see you. So before you start using wireless, it pays to use the search feature that comes with most wireless products. It might be called “Site Survey” or “Search for Wireless Networks” on your computer. Click on that, and see what networks are out there. If you see quite a few, you should be paying close attention to making sure you use a secure connection on your wireless network.
Get WPA or WEP at least
Once you’ve done all of that, you need to make sure that the computers on your wireless network will understand WPA encryption. Not all will. Users with technology older than 802.11b may not be able to use WPA, and may not be able to update their products sufficiently, so they may need to replace them if they have to use WPA. If there are only a few PCs/laptops to deal with, consider upgrading. While your business activities might not be confidential, you likely have customer records (at least) that must be kept private. If you just can’t accomplish WPA encryption, then until you upgrade, WEP is better than nothing, as it does provide some encryption protection.
When you set up your wireless network, make sure you use non-obvious keys to enable it. If you enter the key directly, a string of zeros followed by a one isn’t going to do. If you enter a passphrase, your company name probably isn’t the best choice.
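A small checker for the key choices described above, added here as an illustration (it is not from the original article). The thresholds and the sample company name are assumptions of this example; the accepted formats are the standard ones: 10 or 26 hex digits for WEP, and an 8 to 63 character passphrase or 64 hex digits for WPA.

```python
import re
import secrets

WEP_HEX_LENGTHS = {10, 26}   # 40-bit and 104-bit WEP keys written as hex digits
MIN_DISTINCT = 5             # assumed threshold for this example

def _norm(text):
    """Lower-case and drop punctuation/spaces so 'Acme Widgets' matches 'acmewidgets'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def longest_pattern_run(s):
    """Length of the longest stretch of repeated or consecutive characters."""
    best = run = 1
    step = None
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (-1, 0, 1) and d == step:
            run += 1
        elif d in (-1, 0, 1):
            step, run = d, 2
        else:
            step, run = None, 1
        best = max(best, run)
    return best

def audit_key(key, guessable_words=()):
    """Return a list of problems with a WEP hex key or WPA passphrase (empty = none found)."""
    # 64 hex digits is the raw form of a WPA pre-shared key.
    is_hex_key = bool(re.fullmatch(r"[0-9A-Fa-f]+", key)) and len(key) in WEP_HEX_LENGTHS | {64}
    is_passphrase = 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)
    if not (is_hex_key or is_passphrase):
        return ["not a 10/26-digit WEP hex key or an 8-63 character WPA passphrase"]
    problems = []
    low = key.lower()
    if len(set(low)) < MIN_DISTINCT:
        problems.append("too few distinct characters")
    if longest_pattern_run(low) * 2 >= len(low):
        problems.append("mostly a repeated or sequential run")
    for word in guessable_words:          # e.g. company name, network name
        if _norm(word) and _norm(word) in _norm(key):
            problems.append("contains guessable word: " + word)
    return problems

def generate_wep_key(bits=104):
    """Random hex key from the OS random source: 26 digits for 104-bit, 10 for 40-bit."""
    return secrets.token_hex(bits // 8)
```

Calling `audit_key("0000000001")` reports both the low character variety and the run of zeros, while a key from `generate_wep_key()` passes.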
Once you decide where you want your wireless router or your wireless access point (the main office room, the living room), you need to pick a good location to ensure a good strong signal. This is important not only because people are annoyed by unreliable connections, but also because a computer connected to a weak connection can find itself associated with (that’s wireless talk for “connected to”) a stronger signal, frequently with little warning. That stronger signal could be from someone who wants to gather information about you or your company.
If you find a few weak spots, the best solution is probably to use a Wi-Fi repeater. Some access points can perform this function, or you can buy a device specifically designed for that purpose (D-Link calls them “Range Extenders”). You should use a repeater that’s from the same manufacturer as your wireless router. While they all should work with each other’s products, the fact is that they frequently don’t.
Ensuring the perimeter is secure
Once you’re satisfied that you’ve taken care of everything inside, take your wireless laptop outside and walk around to make sure you’re not sending signals too far from your building or home office. You don’t want bad guys parked on the street sniffing your signals and trying to break in. If you do find strong signals outside and away from areas that you control, consider relocating the wireless routers. They should be away from exterior windows, for example. You might need to check for weak spots and outside coverage several times before you get it right.
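The walk-around described above, together with the earlier site survey and weak-spot checks, can be recorded and reviewed as data. This is an added example, not part of the original article; the network names, the readings and the -70 dBm "usable signal" threshold are all constructed assumptions.

```python
OWN_SSID = "HomeOffice"   # hypothetical name of your own network
USABLE_DBM = -70          # assumed: at or above this a client can hold a connection

# Constructed survey notes: (spot, area_you_control, network_name, signal_dbm)
SURVEY = [
    ("office desk",  True,  "HomeOffice",  -48),
    ("office desk",  True,  "NeighborNet", -82),
    ("back bedroom", True,  "HomeOffice",  -79),
    ("back bedroom", True,  "linksys",     -66),
    ("driveway",     True,  "HomeOffice",  -71),
    ("street curb",  False, "HomeOffice",  -63),
    ("street curb",  False, "NeighborNet", -60),
]

def visible_neighbors(survey, own_ssid=OWN_SSID):
    """Networks other than your own that showed up anywhere in the survey."""
    return sorted({ssid for _, _, ssid, _ in survey if ssid != own_ssid})

def analyse(survey, own_ssid=OWN_SSID, usable=USABLE_DBM):
    """Return (spot, finding, detail) tuples for the problems the article describes."""
    by_spot = {}
    for spot, controlled, ssid, dbm in survey:
        entry = by_spot.setdefault(spot, {"controlled": controlled, "nets": {}})
        entry["nets"][ssid] = dbm
    findings = []
    for spot, info in by_spot.items():
        own = info["nets"].get(own_ssid)
        if not info["controlled"]:
            # Outside your property: a usable signal here reaches people you don't know.
            if own is not None and own >= usable:
                findings.append((spot, "signal-leaks-outside", own))
            continue
        # Inside: a weak spot invites clients to associate with something stronger.
        if own is None or own < usable:
            findings.append((spot, "weak-spot", own))
        stronger = sorted(s for s, dbm in info["nets"].items()
                          if s != own_ssid and (own is None or dbm > own))
        if stronger:
            findings.append((spot, "stronger-foreign-network", stronger))
    return findings

if __name__ == "__main__":
    print("Neighbors seen:", visible_neighbors(SURVEY))
    for finding in analyse(SURVEY):
        print(finding)
```

Rerun the analysis after each router move or repeater addition until the weak-spot and outside-leak findings are gone.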
Once you’ve done all that, it’s time to add users to your wireless network. Just have them discover your network, tell their computers to connect, and give them the encryption key. Once you have everyone connected, you’ll find that their computers will always connect first to your wireless device because it’s secure and they have the key.
At first look, these various steps may seem like a lot of trouble, but in reality, each of these tasks is fairly simple. What’s good is that you and every user will have a better wireless experience with fewer security worries. What’s more important is that once you’ve set up the network so it’s secure, it adds no inconvenience. Users will connect just as they always did. And you’ll be able to avoid being your own worst enemy.