Security Short: Wireless ENCRYPTION…..ENCRYPTION!
Admin Note: This post is in response to a recent posting I made regarding Google’s wireless collection activities. This “Security Short” provides some brief information on improving the security of PRIVATE wireless systems and is not intended to be used where public access is allowed (i.e. coffee shops, libraries, etc.) unless of course you want to cause havoc for your users and your helpdesk. Consult your operator’s manual for particulars on how to implement these tips, as there are hundreds of manufacturers of wireless equipment. These security tips will not stop a determined attacker. They are meant only to reduce your risk, not eliminate it. A truly secure network is a network powered off. You assume any risk by following the information contained here. Your Mileage May Vary (YMMV), Void Where Prohibited.
One of the things that was mentioned in the Google Wi-Fi incident was the fact that emails and passwords were inadvertently captured. This has me a bit concerned and upset, not at Google, but at the folks who manufacture these wireless access points. I do not want to throw the manufacturers under the bus entirely, though; the end consumer shares the blame too.
Folks, you need to read the manual, and you need to want to secure your data. If you do not want to secure your data and do not take the appropriate measures to do so, you have no right to complain. YOU are the one broadcasting your data to the world, and YOU are the one responsible for your actions, although many will claim they are not; that is a discussion for another day.
Many manufacturers have made it rather simple to deploy encryption on a wireless network, from hand-holding in the instructions to a "press this button" on the router that enables security. I am not quite sure what more they can do, short of sending a tech to your house to configure these things when you buy them.
This incident would not have even made it to page 6 of your favorite newspaper had everyone encrypted their wireless networks. Ok, enough of my soapbox speech. Let me chat a bit about wireless encryption.
Typically, wireless access points support several encryption modes: WEP, WPA and WPA2. If you would like to read about the technical differences between them, Wikipedia has fairly good coverage of each: WEP and WPA / WPA2
- WEP (Wired Equivalent Privacy): Old and broken. Do not use it unless you really need to, and only if you take additional precautions to protect sensitive information. Some wireless equipment will only support WEP. WEP encryption has been cracked for years now and is obsolete given today's equipment. For the tech-savvy folks out there, if you need to use WEP, place your WEP-encrypted devices in their own VLAN and limit the traffic going to or from them using a firewall. Additionally, WEP client machines should then use a VPN to encrypt and tunnel their traffic back into the network. For the home user, though, use another form of encryption and insist on nothing less than WPA2. Unfortunately, you may find devices in your home that do not support WPA or WPA2. Be aware that data on these types of network connections could be intercepted and the encryption cracked. Decide if you accept this risk BEFORE using this encryption method.
- WPA (Wi-Fi Protected Access): This is more commonly found in wireless devices sold today. It provides an additional layer of security by changing the encryption keys every so often, thereby making it a bit more difficult to crack. However, it too is broken. If you are tech-savvy and need to use WPA due to legacy equipment and/or cost constraints in upgrading, see my pointers above for mitigating the risk. Everyone else, use WPA2 with AES. Unfortunately, you may find devices in your home that do not support WPA or WPA2. Be aware that data on these types of network connections could be intercepted and the encryption cracked. Decide if you accept this risk BEFORE using this encryption method.
- WPA2 (Wi-Fi Protected Access Version 2): WPA2 with AES encryption is the way to go. Please note the AES part. You can configure wireless devices to use WPA2 with TKIP, but you would still be vulnerable to attack. Without getting technical (consult the Wikipedia WPA link above for good information on the weaknesses of TKIP), you need to use WPA2 with AES. AES is the Advanced Encryption Standard, which has been accepted by the U.S. Government for encrypting sensitive information.
When you are purchasing any wireless equipment, check that it supports WPA2 with AES. Since this is the newer standard, most new hardware should support it, but your mileage may vary.
Corporations may have a difficult time upgrading due to budgets, the cost of replacing hardware, and the need to keep using legacy equipment. Use your risk management process (you do have one, right?) and decide what you need to do. High-risk systems and data should be protected first. Just remember that the weakest link in your security chain could bring your company to its knees. If your legacy systems are not further protected and encrypted through other means, then they are your weak spot. Having WEP and WPA2 w/AES in a mixed environment will do nothing for your security posture if all an intruder has to do is crack your WEP keys.
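To put the WEP / WPA / WPA2-with-TKIP / WPA2-with-AES ranking above and the "weakest link" point into a check you can actually run, here is a small audit script. It is an added example, not from this post or any vendor's software; it assumes the text layout that `iw dev wlan0 scan` prints on Linux (RSN and WPA elements listing their ciphers, and a Privacy capability bit with no such element meaning WEP), and the scan dump below is constructed for illustration.

```python
import re
# Constructed sample laid out like `iw dev wlan0 scan` output (format assumed, not from the post).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: legacy-printer
    capability: ESS Privacy (0x0011)
BSS 00:11:22:33:44:03(on wlan0)
    SSID: mixed-mode
    capability: ESS Privacy (0x0011)
    RSN:     * Version: 1
         * Pairwise ciphers: TKIP CCMP
BSS 00:11:22:33:44:04(on wlan0)
    SSID: home-secure
    capability: ESS Privacy (0x0011)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
"""
# Rank 0 is weakest; only rank 4 (WPA2 with AES/CCMP everywhere) is acceptable.
LABELS = ["OPEN: no encryption", "WEP: broken, isolate or replace", "WPA: broken, upgrade",
          "WPA2 with TKIP: still vulnerable, set AES only", "WPA2-AES: acceptable"]

def parse_scan(text):
    # One record per BSS: SSID, the Privacy capability bit, ciphers per RSN/WPA element.
    nets, cur, ie = [], None, None
    for line in text.splitlines():
        if line.startswith("BSS "):
            cur, ie = {"ssid": "", "privacy": False, "ciphers": {}}, None
            nets.append(cur)
        elif "SSID:" in line:
            cur["ssid"] = line.split("SSID:", 1)[1].strip()
        elif "capability:" in line:
            cur["privacy"] = "Privacy" in line  # Privacy set with no RSN/WPA element = WEP
        elif m := re.match(r"\s*(RSN|WPA):", line):
            ie, cur["ciphers"][m.group(1)] = m.group(1), set()
        elif ie and "cipher" in line:  # "Group cipher:" and "Pairwise ciphers:" lines
            cur["ciphers"][ie].update(line.split(":", 1)[1].split())
    return nets

def rank(net):
    rsn, wpa = net["ciphers"].get("RSN"), net["ciphers"].get("WPA")
    if not net["privacy"]:
        return 0
    if rsn is None:
        return 1 if wpa is None else 2
    return 3 if "TKIP" in rsn or wpa is not None else 4  # a WPA element means TKIP is still offered

def audit(text):
    # Verdict per SSID, plus the weakest link: what a mixed environment is really judged by.
    nets = parse_scan(text)
    return {n["ssid"]: LABELS[rank(n)] for n in nets}, min(nets, key=rank)["ssid"]
```

Feed it a real scan with `audit(open("scan.txt").read())` and the second value names the network an intruder would go after first.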
For you home users out there, detailed instructions on securing your wireless router, by make and model, can be found at this awesome site: http://portforward.com. Click the OTHER GUIDES tab at the top, then scroll down and find the link on the right labeled "Wireless Network Security Guides", or click here:
http://portforward.com/english/routers/wireless/routerindex.htm