Introduction

Please see How to Crack WEP...Reloaded for the most up-to-date WEP cracking how to.

After demonstrating in How To Crack WEP - Part 1 and Part 2 that WEP cracking is easier than you may
have thought, I will now switch gears. In this last part of the WEP Crack How To, I will show you how to take a
common sense approach to protecting your wireless network.

As any security professional knows, there is no such thing as perfect security. A good security plan takes into
account the value of what needs to be protected, the cost of implementing the protection and the nature and
skillset of the potential intruder in order to formulate an effective security plan. In other words, rather than
implementing every defensive measure known to man, a more prudent (and cost-effective) approach may be to
tailor your defense to the threats that you most likely face.

For example, wireless networks located in cities generally face more possible intrusions than those located in
sparsely-populated areas. During the course of a day in a city, dozens, maybe hundreds of people may pass by
your wireless LAN. And a car could also be parked outside your home for hours, without attracting notice. But a
wireless AP located in a home on a ten-acre farm would be unlikely to see any client but its owner's and any
unfamiliar vehicles would be noticed and investigated in short order.

Why Bother?

For some people, setting up a secure wireless network is so daunting, they give up and run it wide open, ie.
unsecured. I also hear people say, "I just surf the web and have nothing valuable on my computer. Why should I
bother with security?" Good question, but here are some equally good answers.

Running your WLAN wide open entails three major risks:

1) Your network resources are exposed to unknown users

Once someone wirelessly connects to your LAN, they have the same access as users directly connected into
your LAN's Ethernet switch. Unless you have taken precautions to limit access to network resources and shares,
intruders can do anything trusted, known users can do.
Files, directories, or entire hard drives can be copied, changed or entirely deleted. Or worse, keystroke loggers,
Trojans, zombie clients or other programs can be installed and left to work for their unknown masters.

2) All of your network traffic can be captured and examined

With the right tools, web pages can be reconstructed in real-time, URLs of websites you are visiting captured,
and most importantly passwords you enter stolen and logged for future mis-use, most notably identify theft.
3) Your Internet connection can be used for illegal, immoral or objectionable activities

If your open WLAN is used to transfer bootleg movies or music, you could possibly be the recipient of a
lawsuit notice from the RIAA. In a more extreme case, if your Internet connection were used to upload child
pornography to an FTP site, or used to host the server itself, you could face more serious trouble. Your Internet
connection could also be used by spammers, DoS extortionists and purveyors of malware, viruses and their like.

It may be a noble sentiment to give free Internet access to anyone within range of your wireless LAN. But
unless you put some serious protection between your "open" LAN and the one you use, you are exposing your
data, and perhaps more, to serious risk.

The approach I'll take in formulating WLAN security recommendations is based on the expected skill level of
potential wireless intruders. I'll then provide recommended security countermeasures for each skill level.

NOTE: I will generally use "AP" (Access Point) throughout this article, but this should be read as meaning
"Access Point or wireless router".

Skill Level 0: Anyone with a wireless computer

It doesn't take special skills to "hack" an unprotected wireless LAN - anyone with a wireless-enabled computer
and the ability to turn it on is a potential intruder. Ease of use is often touted as a selling point of wireless
networking products, but this often is a double-edged sword. In many cases, people innocently turning on their
wireless computers will either automatically connect to your access point or see it in a list of "available" access
points.

The following countermeasures should help in securing your network against casual access, but offer no real
protection against more skilled intruders. These are listed in relative order of importance. But most of them
are so easy to do that I recommend doing them all if your equipment allows.

Countermeasure 1: Change Your Default Settings

At minimum, change the administration password (and username if your equipment allows), and default
SSID on your AP or wireless router. Admin passwords for most consumer wireless gear are widely available.
So if you don't change yours, you could find yourself locked out of being able to control your own WLAN
(until you regain control via a factory reset)!

Changing the default SSID is especially necessary when you are operating in proximity of other APs. If
multiple APs from the same manufacturer are in the area, they will have the same SSID and client PCs will
have a good chance of "accidentally" connecting to APs other than their own. When you change the SSID,
don't use personal information in your SSID! During my Netstumbler sessions, I have seen the following as
SSIDs:

• First and Last names

• Street Addresses with apartment numbers
• Social Security Numbers
• Phone Numbers

Changing the default channel of your AP might help you avoid interference from nearby wireless LANs, but it
has little value as a security precaution since wireless clients generally automatically scan all available channels
for potential connections.

Countermeasure 2: Upgrade Your Firmware, and maybe Hardware

Having the most current firmware installed on your AP can sometimes help improve security. Updated
firmware often includes security bug fixes and sometimes adds new security features. With some newer
consumer APs, a single click will check for and install new firmware. This is in contrast to older APs which
required the user to look up, download and install the latest firmware from a sometimes difficult-to-navigate
support site.

APs that are more than a few years old have often reached their end of support lifecycle, meaning that no new
firmware upgrades will be made available. If you find that your AP's latest firmware doesn't support at least the
improved security of WPA (Wi-Fi Protected Access), and preferably the latest version called WPA2, you
should seriously consider upgrading to new gear. The same goes for your wireless clients!

Virtually all currently-available 802.11g gear supports at least WPA and is technically capable of being
upgraded to WPA2. But manufacturers are not always diligent in their support of older products, so if you want
to be sure that your gear supports WPA2, either check the Wi-Fi Alliance's certification database, or do some
Googling in both the Web and Groups.

Countermeasure 3: Disable SSID broadcast

Most APs allow users to disable SSID broadcasting, which will thwart a Netstumbler scan. This will also stop
Windows XP users using XP's built-in Wireless Zero Configuration utility and other client applications from
initially seeing the wireless network. Figure 1 shows the control labeled "Hide ESSID" that will do the trick on a
ParkerVision access point. ("SSID" and "ESSID" both refer to the same thing.)

Figure 1: Disabling SSID Broadcast on a Parkervision AP

(click image to enlarge)

NOTE: Disabling SSID broadcast will not prevent a potential intruder using Kismet or other wireless
survey tools such as AirMagnet from seeing your wireless network. These tools don't rely on SSID broadcast
for available network detection.

Skill Level 0 Countermeasures - more

Countermeasure 4: Turn it off!

People commonly overlook the simplest way of securing their wireless network - turning off the AP! A simple
lamp timer can be used to turn off your AP during the overnight hours when you're not using it. If you have a
wireless router, this will mean that your Internet connection will also be disabled, which also isn't such a bad
thing.

If you can't or don't want to periodically shut down your Internet connection, you'll have to remember to disable
your wireless router's radio manually - if it has this feature. Figure 2 shows a typical wireless disable control.
This manual method is more prone to error, however, since it's just one more thing to forget. Perhaps at some
point manufacturers will add radio disable to the features that can be scheduled on wireless routers.

Figure 2: Shutting off the radio

Countermeasure 5: MAC Address Filtering

MAC Address filtering is used to control access to your AP by allowing (or denying) access to a list of
wireless client MAC addresses you enter. It will prevent an unskilled intruder from connecting to your WLAN,
but MAC addresses are easily captured by more skilled attackers and wireless adapter MAC addresses easily
changed to match a captured address.

Figure 3: MAC Address filtering on an older USR 8011 AP

(click image to enlarge)

Countermeasure 6: Lower the transmit power

While only a few consumer APs have this feature, lowering your transmit power can help limit intentional and
accidental unauthorized connections. But with the increased sensitivity of wireless cards that even unskilled
users can purchase, it may not be worth the bother - especially if you're trying to prevent unwanted connections
in an apartment building or dorm.

Most skilled attackers typically use high-gain antennas, which allow them to detect very low signal levels and
effectively offset this countermeasure.

Skill Level 1: Anyone with commonly available wardriving tools

Now let's move up a notch on skill level to that of your common "wardriver", who actively cruises around
looking for wireless LANs. Some people wardrive for kicks to see how many wireless networks they can detect
and never attempt to use the vulnerable networks they find. But others are not so benign in their intent and do
connect, use and sometimes abuse unsuspecting wireless LAN owners.

At Skill Level 1, I'll assume that all the countermeasures suggested for Skill Level 0 do not work and the
potential intruder can see your wireless network. The only effective countermeasures at this point involve
encryption and authentication. I'll save authentication for later and focus on encryption.

NOTE: While forcing all wireless traffic to use a VPN (Virtual Private Network) is one solution, VPN's are
notoriously difficult to set up and beyond the scope of this article.

Countermeasure 7: Encryption

Wireless LAN owners should run the strongest type of encryption available to them. Your choices will be
dictated by the capabilities of your WLAN hardware and your options are WEP, WPA and WPA2.

WEP (Wireless Equivalent Privacy) is the weakest wireless security technology, but currently the most widely
deployed due to its availability on virtually all 802.11 wireless products. You may have to use it because many
consumer wireless product manufacturers have opted to not provide upgrades from WEP to WPA for 802.11b
products. And others are still creating new products such as some VoIP wireless phones that support only WEP,
forcing some WLAN owners to downgrade their security to accomodate the lowest common level of security.

Either WPA (Wi-Fi Protected Access) or WPA2 provide adequate wireless security, due to their stronger
encryption technology and improved key management. The main difference between the two is that WPA2
supports stronger AES (Advanced Encryption Standard) encryption. But to further confuse users, there are
some WPA-labeled products that allow the selection of AES vs. the WPA-standard TKIP encryption.

Most 802.11g products support WPA (but there are exceptions), but upgrades to WPA2 for older products are
still in the process of being rolled out - even though the 802.11i standard that WPA2 is based on was ratified in
June 2004.

I recommend that you use WPA as a minimum. It is as effective as WPA2 and, at least as I write this, more
widely supported. Implementing this recommendation, however, may require purchasing new equipment,
especially if you currently are using 802.11b in your WLAN. But standard 11g gear is relatively inexpensive
and could be the best security investment you make.

Most consumer APs support only the "Personal" version of WPA or WPA2, which is also referred to as WPA-
PSK (Pre-Shared Key) (see Figure 4). WPA2 or WPA "Enterprise" (also known as WPA "RADIUS") is also
supported by some consumer wireless gear, but is of little use without the additional RADIUS server required to
implement it.
 Figure 4: Encrypting traffic on a Netgear AP

For most personal WLANs, using WPA-PSK will provide adequate protection, but it is essential to use a key
that is sufficiently long and random. Do not use a number, or a word from the dictionary, since programs
such as cowpatty are already available to perform dictionary-based attacks against WPA-PSK.

Robert Moskowitz, Senior Technical Director ICSA Labs, recommended in this article using an 128 bit PSK.
Fortunately, all WPA implementations accept alphanumeric PSKs, which would require only 16 characters to
implement Mr. Moskowitz' recommendation.

There are many password generators available on the Internet that can be found by a quick search. This one
has lots of bells and whistles and even provides an estimation of how long it would take to crack the password
it generates.

As a final note, some manufacturers have started selling APs and wireless cards that promise "one touch" easy
setup of secured wireless connections. Buffalo Technology had the first products based on their AOSS
(AirStation One-Touch Secure Station) technology. Linksys has recently starting selling products based on
similar technology from Broadcom dubbed SecureEasySetup. You can read a comparative review of these two
technolgies here.

Skill Level 2: Anyone with WEP / WPA-PSK Cracking Skills

While WPA and WPA2 eliminate many of the problems associated with WEP, they are still vulnerable to attack,
particularly in their PSK form. Many people have already cracked WEP and Parts 1 and 2 of this series
provided a step-by-step procedure.

Breaking the pre-shared key of WPA and WPA2 "Personal" is much harder and time consuming - especially if
you are using AES encryption - but it is possible.

Countermeasure 8: Add Authentication

To address this emerging threat, users should implement authentication. Authentication adds another layer of
security by requiring a client computer to "sign-in" to the network. Traditionally this has been done with a mix
of certificates, tokens, or hand-typed passwords (also called Pre-Shared-Keys) that are negotiated with an
authentication server.
802.1X provides the access control framework used by WEP, WPA and WPA2 and supports several EAP
(Extensible Authentication Protocol) types that do the actual authentication. George Ou's excellent article on
Authentication Protocols contains probably more than you'd ever want to know about EAP, WPA and WPA2!

Configuring authentication can be a daunting and expensive task for networking professionals, let alone home
networkers. At this year's RSA conference in San Francisco, for example, many attendees didn't bother to set up
their wireless connection because of the full page of instructions they had to follow to do it!

Thankfully, things are getting better, and you don't need to buy a full-blown RADIUS server, as there are a
number of easier-to-implement alternatives. McAfee's Wireless Security Suite is a subscription-based product
starting at $4.95 per user per month with discounts for volume purchases. A free 30 day trial download is
available here.

Another free option worth investigating for more experienced networkers is TinyPEAP, which adds a small
RADIUS server supporting PEAP-based authentication into Linksys WRT54G and GS wireless routers. Note
that since this firmware isn't officially supported by Linksys, you're on your own if you mess up your router
while installing TinyPEAP.

Skill Level 3: Expert Cracker

Up until this point, we have blocked an intruder from wirelessly doing the equivalent of plugging their laptop
into an Ethernet port on your LAN. But despite your best efforts, someone with expert cracking skills may
penetrate all of your wireless defenses. What do you do now?

There are wired and wireless LAN intrusion detection and prevention product available, but they are targeted at
enterprise applications and come priced accordingly. There are also open source solutions that are unfortunately
not user-friendly for networking novices. The most widely-used of these is Snort, which I hope to explore in a
future article.

But general network security practices have long dealt with traditional wired LAN intrusions, and can be used
to combat an expert wireless intruder.

Countermeasure 9: Implement general LAN security

Implement the following countermeasures to improve general LAN security:

1) Require authentication to access any network resource

Any server, network share, router, etc. should preferably require user-level authentication for access. Although
you won't be able to implement real user-level authentication without some sort of authentication server, you can
at least password-protect all shared folders and disable Guest logins if you're running Windows XP. And never
share the contents of entire hard drives!

2) Segment your network

In the extreme case, a computer not attached to a network is safe from network-based intrusion. But there are
other ways to keep network users away from where they shouldn't be. A few properly-connected Inexpensive
NAT-based routers can be used to establish firewalled LAN segments while still allowing Internet access. See
this How To for the details.

Switches or routers with VLAN capabilities can also be used to separate LAN users. VLAN features can be
found on most any "smart" or managed switch, but are harder to come by in consumer-priced routers and
unmanaged switches.

3) Bulk up your software-based protection

At minimum, you need to run current versions of good anti-virus applications that automatically update their
virus definition files. Personal firewalls such as ZoneAlarm, BlackICE, etc. can alert you to suspicious use of
your network. And, unfortunately, the latest generaton of malware and spyware threats make adding an anti-
spyware application also necessary. Webroot Software's Spy Sweeper seems to be getting good marks lately,
along with Sunbelt Software's CounterSpy.
Note that you must install protection on every machine on your LAN in order to have effective protection!

4) Encrypt your files

Encrypting your files with strong encryption should provide effective protection in the event unauthorized users
do gain access to them. Windows XP users can use Windows Encrypted File System (EFS). Mac OS X Tiger
users can use FileVault. The downside to encryption is that it takes time and computing power to encrypt and
de-crypt files, which could slow things down more than you'd like.

Conclusion

Wireless networking provides us with convenience, but we must take a common sense approach in securing it.
There is no single thing that will shield you from attack and complete protection is very difficult to achieve
against a determined intruder.

But if you take the time to understand the possible risks your wireless LAN is likely to encouter, you can
implement effective protection.