Common concerns about wireless LAN security

Common concerns about wireless LAN security

Summary: I received a letter from one of my readers named Peter. Peter asks some good questions about wireless LAN security and wonders if I can answer some of his questions.

SHARE:
TOPICS: Networking
11

I received a letter from one of my readers named Peter. Peter asks some good questions about wireless LAN security and wonders if I can answer some of his questions. Since these were all common questions that I hear all the time, I thought I would share with you my responses.

Peter:
If you are a home user in a residential rather than a apartment or college complex do you believe you can get away with any form of WEP considering the short range of the actual network. Or to put it another way; Its one thing for somebody in an apt building to crack all the WEP keys around them without moving from the spot, its quite another for somebody wandering in a neighborhood with equipment looking for a network to crack. The least of nosey neighbors will spot such a person pretty quick. Or am I just doing wishful thinking?

Answer:
It's wishful thinking. You usually can't spot a Wi-Fi hacker since wireless hacking can usually be done passively. Sometimes the hacking is done actively but it takes vigilance, software, and location tracking capability to be able to track an active attack. A hacker can passively spend 20 minutes collecting all WEP traffic from nearby neighborhoods from a single laptop. After that, he can crack all of the busy networks. Then the hacker can crack the non-busy networks by targeted active attacks using packet injection techniques. Remember, hackers love a challenge especially if they can pull it off in less than 10 minutes which all WEP networks will succumb to.


Peter:
It is my personal opinion that any code made can eventually be cracked if somebody puts their mind to it. Would you say that even the current advanced systems that you now recommend would have to be swapped out or upgraded every few year to assure their security?

Answer:
Wrong, there is no known entity that can crack 3DES or AES encryption. Check my blog out about cryptography. Good encryption and authentication algorithms are usually good for decades. Just look at DES and SSL for example. If you implement the best practice recommendations on using WPA-PSK with TKIP encryption for the home, and a minimum of PEAP authentication with WPA TKIP encryption for businesses, you will probably be good for at least a year or more. Once you swap TKIP encryption out with AES encryption, it will last many times longer. You will note that AES has a superb pedigree while TKIP is considered a temporary Band-Aid. It's true that there will be some maintenance on any computer system you implement and wireless LANs are no different. It's not only wrong to categorize all wireless LANs as breakable, but it's dangerous because it tends to lead people to just throw up their hands and say "why bother with it" and stick with their old broken schemes. There is a massive difference between being secure and doing a little maintenance once every few years to being wide open by default when using WEP or any of these myths on wireless LAN security.


Peter:
Is it possible to purchase a device designed with a very limited range on purpose (say 10 yards) so that a person in a residential home could basically operate without fear of anybody not directly outside the door?

Answer:
See my myths on wireless LAN security under "antenna placement" and power reduction. A good rule of thumb is that if you can see it from 10 feet away using your off-the-shelf omni directional antenna, the hacker can see it from 1000 feet using his high-powered directional antenna. Any kind of signal suppression technique hurts you a lot more than the hacker so don't even try it.


Peter:
Is it fair to say that the professional hacker is like the professional car thief, if he wants into your wireless system he is going to get in so the best you can do is to put up some security (even WEP) to keep out the casual lazy browser.

Answer:
Read this blog on simple recommendations for the home. If you follow the advice, a determined hacker cannot break in wirelessly. It would be infinitely easier for them to physically break in to your home and plug in to your network. In this case, wireless security is better than wired security which makes fear of a wireless hacker moot. Securing your car is very expensive and ineffective, securing your wireless LAN is simple and cheap.


Peter:
Say I have a 4 port linksys wireless router. If I configure it for only 4 IPs say 100-105 (with 100 being the router itself) when I have only 4 machines will that cancel out the issue since the person grabbing the code will not have the free IP to connect or is there software that will mask that too.

Answer:
See my myths on wireless LAN security again under the DHCP section. It takes less than a minute to figure out your IP scheme and then manually assign a static IP. It doesn't matter what your DHCP scope is. The subnet supports 250 plus hosts. Even if you used a micro-subnet like 192.168.1.0 to 192.168.1.7 using a special subnet mask of 255.255.255.248 which only allows you to use host IPs 2 through 6, and you had 5 active machines on your network using all 5 IP addresses, I can easily use an existing IP address even if it conflicts with an existing IP. At the very least, I can passively listen in on all of your unencrypted traffic if I don't steal one of your IP addresses.


Peter:
What is the hacker profile? To what degree should the regular non business Joe be afraid that he will be the target, or is that unlikely unless he lives next to a college where this stuff is done and the best software for it available?

Answer:
Wireless hacking is done for the same reasons other hacking is done. Some of the examples are, spam platform, hacking platform to attack other networks, information theft, bandwidth theft, and even just plain fun. Some of these can even bring you a visit from the FBI with accompanying handcuffs. I hope you have a good alibi when the Feds come cracking down on you for cyber terrorism.


Peter:
If systems using wireless are not using file sharing between system would the breaking in of the network just be a question of stealing an Internet connection?

Answer:
See answer #6 for other examples. Additionally, just because you're not running file shares doesn't mean I can't attack you once I break in to your wireless LAN. In fact, the vast majority of internal networks are open season for hackers. It's like the soft underbelly of the beast and is ripe for the picking regardless of the presence of file shares.

Peter, many people who have implemented my recommendations are really happy they did it and they realized that a secure wireless LAN for the home was relatively simple after they downloaded some software and firmware updates. It's a little harder for the enterprise because of the additional PEAP (EAP-TLS or EAP-TTLS are good alternatives) requirements which require a RADIUS server and some level of PKI deployment. However, even the challenges for the Enterprise can be conquered with the right knowledge.

Topic: Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • Consumer-grade Wireless

    I'm finding a lot of the manufacturers of consumer-grade wireless products just don't care about providing decent security to SOHO users. A lot of prodcts out there are only capable of WEP (64-bit or 128-bit) and even then there are hints that there will be performance issues if you dare to use WEP.

    Granted, there are products that claim to use WPA, but a number of them are just updated versions of the older products - making purchasing such a device without actually touching it first a game of Russian Roulette. I'm not interested in such games nor am I interested in being satisfied with the manufacturer's idea of a secure network. (Which in the grand scheme of things, is really secure at all.)

    So what am I left with? Business-grade products that cost considerably more or wait until the consumer-grade stuff is up at a level that is really should be. (Ideally, I'd like to see the firmware in my current gear upgraded to the point where is supports WPA, but I think I'll see pigs fly first.)
    Chad Strunk
    • Not that bad

      Almost all new SOHO gear being sold today has WPA-PSK support.

      For example, this D-Link Router/AP has WPA-PSK TKIP support and costs as little as $48.
      http://www.nextag.com/serv/main/buyer/productm.jsp?product=62100609&pdir=0&page=1&node=&category=&lgsearch=DI-524&lgnode=&units=1&shipping=Ground&sort=subtotal,#abc
      george_ou
      • Better Vendor?

        Okay...that's certainly better than what I was looking at. (I currently have Netgear.) My wife won't hang me if I spend that much. ;-)

        So, in your professional opinion, is one vendor better than others when adhering to standards and providing consumers with an acceptable level of security?
        Chad Strunk
        • Both vendors are about even

          Both D-Link and Netgear mainly use Atheros as their chipset provider. Atheros is very good at providing modern security in their chipset reference designs. Unfortunately, it's not always implemented by the manufacturers.

          You should check with Netgear or Deja news groups if they provide a WPA update for your existing device.
          george_ou
          • Wireless Bridge

            Unfortunately, my problem is with my Wireless bridge. Rather than run a CAT5 cable from my entertainment center to the office, I installed a wireless bridge. (Netgear WGE101, to be exact.) Silly me, I assumed that a 802.11g device would also have WPA and Netgear has specifically stated that they would not implement WPA in the WGE101.

            If it weren't for the bridge, I could implement WPA in a heartbeat.

            So, my available solution is to use an access point in bridge mode BUT the Netgear WG602 only supports bridging and WPA in version 2. Online vendors can't (won't) tell you which version you're buying and Brick-and-Mortar stores can't beat the prices of online vendors. I think I'll be looking at D-Link APs since it looks like they're not pulling these version games.

            So to summarize, my gripes with wireless manufacturers and vendors are 1. they don't put WPA on all of their wireless products (even those currently being sold) 2. they create multiple versions of of the same products, but don't have the same featureset on all versions and 3. vendors are blissfully ignorant about the multiple versions.
            Chad Strunk
          • Vendors are slow

            It is frustrating that so many vendors are still selling some non-WPA devices. They should all be on WPA2 by now and they're still on WEP for some devices.

            By the way, bridges are horribly slow. Stick to the CAT5 cable if you can.
            george_ou
      • My D-Link Network Dies in WPA Mode

        i have the di-624 router in an all d-link network. the moment i turn on wpa the network dies. wep, it works fine. while i'd turn on wpa and use it if it would just work (now **there's** concept!), i'm not going to lose sleep because someone sees a hacker behind every desk targeting every network.

        mark d.
        markdoiron
        • How do you know it's the router/AP?

          Have you tried getting WPA to work on any other client? How do you know it's not the client that doesn't support WPA mode? You have to have updated drivers and you have to have updated software such as Windows XP SP2 or SP1+WPA patch at the minimum. Also, have you tried to get a newer firmware for that unit?
          george_ou
  • OH NO! I

    Its attack of super hackers! I beeter have lead plate put in my wall, someone might steal my stolen MP3's!!!!
    allforcarrie
    • No PII?

      So you're saying that you'd be perfectly comfortable with a complete stranger using your Internet connection and you have absolutely no personally identifiable information on your computer? No Quicken (or Money)? What if one of the local bored teenagers decided to use YOUR Internet connection to release the not-so-skillfully-modified WORM using your computer as the first victim?

      The point of all of this is you need to take responsibility for your network.
      Chad Strunk
    • Brother, if you have that

      attitude about security, you can rest assured that your SSID and GPS coordinates are already on a wardriving site somewhere. You've likely been hacked (or at least hijacked).

      If you live in my area, I'd gladly clean up the mess left on your system. I bill out at $115/hour.
      Real World