Wireless Security

Introduction

By the end of this chapter, the reader will be able to correctly and securely configure several different types of access points. The access points chosen are industry-leading brands and the most popular devices on the market today. The reader will also have a clear understanding of how to connect a wireless-capable workstation to any encrypted wireless network.

Enabling Security Features on a Linksys WRT54G 802.11g Access Point

The most popular and best-selling 802.11g device on the market today is the Linksys WRT54G 802.11b/g access point/router. The WRT54G gained popularity in 2003 as 802.11g devices became more common and affordable. The 802.11g devices operate on the 2.4GHz band, like 802.11b, but offer speeds up to 54 megabits per second (Mbps). Additionally, 802.11g devices are compatible with 802.11b cards. Because this is such a popular product for Linksys, the company has released a Compact Version (WRT54GC) and a version with speed-boosting features (WRT54GS).

Linksys has since released version 5 of its WRT54G device, with the current firmware version being 1.00.9. Still popular among Linksys devices for its ability to be reflashed with a small Linux distribution is version 4 of the WRT54G device. This section focuses on a WRT54G version 4 device, with firmware version 4.30.5.

This section details the minimum steps you should take to securely configure the WRT54G. All the steps outlined in this section should be done from a computer that is connected to your wired network. Configuration of the device from a wirelessly connected workstation should be disabled. If by chance your wireless network becomes compromised, you will want to limit the intruder’s ability to administer the device.

Setting a Unique SSID

The first security measure you should enable on the Linksys WRT54G is setting a unique SSID. When you log in to the WRT54G, by default the username is admin and the password is admin. Logging in brings up the initial setup screen (see Figure 2.1).

Figure 2.1 The Linksys WRT54G Initial Setup Screen

Click the Wireless tab. In the SSID text box, enter a unique SSID, as shown in Figure 2.2.

Figure 2.2 Setting a Unique SSID on the WRT54G

Disabling SSID Broadcast

After you have set a unique SSID, disable the SSID broadcast. From the Wireless setup screen, select the Disable radio button from the SSID Broadcast option, as shown in Figure 2.3.

Figure 2.3 Disable SSID Broadcast

Then click the Save Settings button to save your settings and disable SSID broadcast.

Enabling Wired Equivalent Privacy

Once you have set a unique SSID and have disabled SSID broadcast, you need to require the use of 128-bit Wired Equivalent Privacy (WEP) encryption. From the Wireless setup screen, choose the Wireless Security tab. From the drop-down list, choose the WEP option to enable and configure WEP encryption, as shown in Figure 2.4.

Next select 128 bits 26 hex digits from the WEP Encryption drop-down box, to require 128-bit WEP. Type a strong passphrase in the Passphrase text box. This is the passphrase that will be used as the basis for generating WEP keys. Click the Generate button to generate four WEP keys, as shown in Figure 2.5.

Figure 2.4 Enable WEP on the WRT54G

Figure 2.5 The WEP Keys Window

Next, select the key (1–4) that you will initially use by choosing the appropriate radio button next to Default Transmit Key. Finally, click Save Settings in the Wireless Security tab to save your settings.

Some Independent Advice

Some people will argue that WEP is a “broken” standard and should not be used. Yes, WEP is an easy protocol to hack and allows intruders to gain the encryption key to your wireless network using tools included in the Aircrack suite. However, due to wireless connections by other devices (game consoles, PDAs, and the like), you may be forced to use WEP instead of the more secure WPA.

Remember that no security is bad security, and that something is always better than nothing. Enabling WEP encryption on your network may be the difference between your network or your unencrypted neighbor’s being hacked.

Enabling Wi-Fi Protected Access

An alternative and more secure approach to wireless security on an access point is to use Wi-Fi Protected Access, or WPA. WPA uses an improved encryption process based on the Temporal Key Integrity Protocol (TKIP). TKIP jumbles the keys and incorporates an integrity-checking feature to ensure that the keys have not been tampered with.

WPA also includes client authentication via the Extensible Authentication Protocol (EAP). EAP uses a public key encryption mechanism to ensure that only authorized systems have access to the access point.

In late 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified the 802.11i specification, more commonly referred to as WPA2. WPA2 uses AES as the encryption standard, whereas WPA uses the TKIP standard. This is not to say that WPA is not secure but to acknowledge that wireless security is ever changing. WPA2 also supports a personal authentication implementation (PSK) and an enterprise authentication implementation (RADIUS). This chapter focuses on the WPA standard.

Log in to the WRT54G and click the Wireless tab. Click the Wireless security subtab to enable WPA. From the drop-down list, choose WPA-Personal, as shown in Figure 2.6.

Figure 2.6 The WRT54G WPA Setup Screen

Leave the WPA algorithm as TKIP. Enter a shared key of between 21 and 63 characters in the WPA Shared Key: text box. Leave the Group Key Renewal at its default of 3600 seconds (see Figure 2.7).

Figure 2.7 WPA Shared Key

Click Save Settings to save the WPA settings on the WRT54G. It is still a good idea to follow the previous security steps to enable wireless MAC filters and disable the SSID broadcast. Be careful not to set the SSID to anything personal to you, such as your phone number, home address, or name.
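The shared key and the SSID set in the steps above both feed the WPA-Personal key derivation. The following added example (not from the book or from Linksys) applies the standard IEEE 802.11i passphrase-to-key mapping, PBKDF2-HMAC-SHA1 with the SSID as salt, and checks a passphrase against both the 8 to 63 character limit and the 21-character minimum used in this section; the function names and sample values are illustrative assumptions.

```python
import hashlib
import string

# Printable ASCII (space through tilde) is what a WPA passphrase may contain.
_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")

STANDARD_MIN = 8   # shortest passphrase WPA-Personal accepts
CHAPTER_MIN = 21   # minimum this section uses for the WRT54G shared key
MAX_LEN = 63


def check_passphrase(passphrase, minimum=CHAPTER_MIN):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not (minimum <= len(passphrase) <= MAX_LEN):
        problems.append(f"length {len(passphrase)} is outside {minimum}-{MAX_LEN}")
    if any(ch not in _ALLOWED for ch in passphrase):
        problems.append("contains characters outside printable ASCII")
    return problems


def derive_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key as WPA-Personal does:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output."""
    if check_passphrase(passphrase, minimum=STANDARD_MIN):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode()
    if not (1 <= len(salt) <= 32):
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               salt, 4096, 32).hex()


if __name__ == "__main__":
    # Constructed sample values, not taken from the chapter.
    phrase = "correct horse battery staple 42"
    for ssid in ("default-ssid", "attic-ap-7f3c"):
        print(ssid, derive_psk(phrase, ssid))
    print(check_passphrase("short"))
```

Because the SSID is the salt, the same passphrase produces a different key on every uniquely named network, which is one more reason to change the SSID from its default.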

Filtering by Media Access Control (MAC) Address

After you have set a unique SSID, disabled SSID broadcast, and enabled WEP encryption, you need to filter access to the WRT54G by MAC address. Filtering access to the access point allows only the MAC addresses specified in the list to access the wireless network.

First, from the main Wireless tab, click the Wireless MAC Filter tab to display the option to enable or disable Wireless MAC filtering (see Figure 2.8).

Figure 2.8 The Wireless MAC Filter Screen

Next select Enable from the Wireless MAC Filter radio buttons. This will reveal the MAC filter options, as shown in Figure 2.9.

Choose the Permit Only PCs listed to access the wireless network radio button, and click the Edit MAC Filter List button to display the MAC Address Filter List window (see Figure 2.10).

Figure 2.10 The MAC Address Filter List Window

In the provided text boxes, enter the MAC addresses of wireless clients that are allowed to access your wireless network, and then click Apply, as shown in Figure 2.11.

Finally, click Save Settings in the Advanced Wireless window to save your settings and enable filtering by MAC address. Keep in mind that this should not be the only security measure implemented. Using various tools in Windows and/or Linux, it is easy for an attacker to spoof his or her local MAC address to gain access to your wireless network.

Some Independent Advice

Finding your MAC address is a simple process with any operating system. Using Windows XP, from a command line, you can type:

ipconfig /all

to show the MAC address of the installed network devices. Linux makes the process just as simple. From a terminal window, type:

ifconfig -a

and find the HWaddr for the requested network interface. This is the MAC address.
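When several clients have to be entered into a MAC filter list, the addresses can be pulled from saved output of the two commands above. The following added example (not from the book) extracts them from the Physical Address lines of ipconfig /all and the HWaddr lines of ifconfig -a and normalizes them to 12 hex characters; the function names and both sample outputs are constructed for illustration.

```python
import re

# A MAC is exactly six hex pairs joined by ':' or '-'. The lookarounds reject
# longer runs, such as the 8-byte addresses Windows lists for tunnel adapters.
_MAC = re.compile(
    r"(?<![0-9A-Fa-f:-])([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?![:-]?[0-9A-Fa-f])"
)
_LABELS = ("Physical Address", "HWaddr")
_IGNORED = ("000000000000", "FFFFFFFFFFFF")  # placeholder and broadcast values


def macs_from_output(text):
    """Return unique MACs from 'Physical Address' (ipconfig /all) or 'HWaddr'
    (ifconfig -a) lines as 12 uppercase hex characters, in order seen."""
    found = []
    for line in text.splitlines():
        if not any(label in line for label in _LABELS):
            continue
        for match in _MAC.findall(line):
            mac = re.sub(r"[:-]", "", match).upper()
            if mac not in found and mac not in _IGNORED:
                found.append(mac)
    return found


def with_colons(mac12):
    """Format a 12-character MAC as colon-separated pairs."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


# Constructed sample output; the addresses are made up for this example.
IPCONFIG_SAMPLE = """\
Ethernet adapter Wireless Network Connection:
        Physical Address. . . . . . . . . : 00-0C-29-3E-5A-01
        IP Address. . . . . . . . . . . . : 192.168.1.100
Tunnel adapter Teredo Tunneling Pseudo-Interface:
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
"""
IFCONFIG_SAMPLE = """\
eth1      Link encap:Ethernet  HWaddr 00:0c:29:3e:5a:02
          inet6 addr: fe80::20c:29ff:fe3e:5a02/64 Scope:Link
wlan0     Link encap:Ethernet  HWaddr 00:0c:29:3e:5a:01
"""

if __name__ == "__main__":
    for mac in macs_from_output(IPCONFIG_SAMPLE + IFCONFIG_SAMPLE):
        print(mac, with_colons(mac))
```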

Enabling Security Features on a D-Link DI-624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch

Although Linksys has a sizable share of the home access point market, D-Link also has a large market share. D-Link products are sold at most big computer and electronics stores such as Best Buy and CompUSA. This section details the steps you need to take to enable the security features on the D-Link 624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch. The DI-624 is an 802.11g access point with a built-in router and switch, similar in function to the Linksys WRT54G.

Setting a Unique SSID

The first security measure to enable on the D-Link DI-624 is setting a unique SSID. First you need to log into the access point. Configure your local workstation with a static IP in the 192.168.0.0/24 subnet and point your browser to 192.168.0.1. Use the username admin with a blank password to access the initial setup screen (see Figure 2.12).

Figure 2.12 The D-Link DI-624 Initial Setup Screen

Next click the Wireless button on the left side of the screen to bring up the Wireless Settings screen, as shown in Figure 2.13.

Figure 2.13 The Wireless Settings Screen

In the SSID text box, enter a unique SSID, as shown in Figure 2.14, and click

Figure 2.14 Set a Unique SSID

Disabling SSID Broadcast

After you have set a unique SSID, enabled 128-bit WEP, and filtered access by MAC address, you need to disable SSID broadcast.

From the Advanced Features screen, click the Performance button, as shown in Figure 2.15.

Select the Disabled radio button next to SSID Broadcast, and click Apply to save your settings, as shown in Figure 2.16.

Figure 2.16 Disabling SSID Broadcast

Enabling Wired Equivalent Privacy

After you have set a unique SSID, you will need to enable 128-bit WEP encryption. First, choose the Enabled radio button next to WEP, as shown in Figure 2.17.

Figure 2.17 Enable WEP

Next choose 128Bit from the WEP Encryption drop-down box, as shown in Figure 2.18.

Figure 2.18 Require 128-Bit WEP Encryption

Then you need to assign a 26-character hexadecimal number to at least Key1 (see Figure 2.19). A 26-digit hexadecimal number can contain the letters A–F and the numbers 0–9.

Finally, after you have assigned your WEP keys, click Apply to save your settings. Any wireless clients that connect to the DI-624 must be configured to use this WEP key.

Enable Wi-Fi Protected Access

To enable WPA on the access point, on the left side of the screen click the Wireless button. To enable WPA, click the radio button labeled WPA-PSK next to the Authentication option (see Figure 2.20).

Figure 2.20 Enabling WPA

Enter a passphrase into the Passphrase text box, and retype the passphrase in the Confirmed Passphrase text box to verify it, as shown in Figure 2.21.

Click Apply to confirm the settings and enjoy added wireless security protection!

Figure 2.21 WPA Passphrase

Filtering by Media Access Control Address

After you have set a unique SSID and enabled 128-bit WEP encryption, you should filter access to the wireless network by Media Access Control (MAC) address.

First click the Advanced tab, as shown in Figure 2.22.

Figure 2.22 The Advanced Options Screen

Next click the Filters button on the left side of the screen, as shown in Figure 2.23.

Figure 2.23 The Advanced Filters Options

Then choose the MAC Filters radio button. This makes the MAC filtering options visible, as shown in Figure 2.24.

Finally, select the Only allow computers with MAC address listed below to access the network radio button and enter the MAC address of each client card that is allowed to access the network. You must also enter a descriptive name of your choice for each client in the Name text box (see Figure 2.25). Note that you must click Apply after each MAC address entered.

Figure 2.25 Filter by MAC Address

Enabling Security Features on Apple’s Airport Extreme 802.11g Access Point

In early 2003, Apple released the Airport Extreme base station to the masses, supporting the 802.11b and 802.11g protocols. Even though this access point was released as an Apple product, it fully supports Apple, Windows, and Linux clients running WEP or WPA encryption.

Configuring the Airport Extreme is usually done from an Apple, whether a Powerbook, iBook, or MacBook. Apple provided applications for configuring the Airport for Windows-based operating systems, but it is a much easier process from an Apple workstation. This section focuses on configuring the Airport Extreme from an Apple Powerbook G4.

Connecting to the AirPort Extreme and Setting a Unique SSID

The easiest way to connect to the Airport is via the wireless connection. Ensure that your wireless card is enabled by clicking the wireless symbol at the top right of the screen and clicking Turn AirPort On, as shown in Figure 2.26.

Figure 2.26 Enabling the AirPort Card on the Apple PowerBook

Once you enable the Airport card, you can reclick the wireless symbol and see any access points broadcasting in your area. We want to click the Apple Network ###### listing to connect to our AirPort (see Figure 2.27).

Note

To ensure that you are connecting to the correct access point, verify that the network number listed in the drop-down list matches the last six characters of your Airport ID, located on the access point itself.

Once you have connected to the Airport, you will use the AirPort Admin Utility in Mac OS X to configure the Airport. Launch the AirPort Admin Utility by clicking the Finder, then Applications | Utilities | AirPort Admin Utility (see Figure 2.28). This series of clicks will open the AirPort Admin Utility. Click Rescan to locate the Airport if it does not automatically populate the window after a few seconds.

Figure 2.28 Launching the Admin Utility and Finding the Airport Base Station

Click the appropriate base station, and click Configure to enter the base station properties (see Figure 2.29).

Setting a Unique SSID

At the main properties screen, we will set the SSID by changing the Name text box, under the AirPort Network heading. Type in the SSID, remembering not to include any personal information such as address as part of the SSID. At this point, it would also be a good idea to change the Name of the Airport under the Base Station heading, to obfuscate the fact that this is an Apple Airport product (see Figure 2.30). Click Update to save the SSID.

Figure 2.29 Airport Default Properties

Figure 2.30 Setting the SSID

Disabling SSID Broadcast

To disable the broadcast of the Airport’s SSID, click the Create a closed network check box. This will not allow the SSID to be broadcast to clients. You will be prompted on whether or not to disable the broadcast. Click OK. However, any client authorized to connect to the Airport must know the SSID beforehand to make the connection (see Figure 2.31).

Figure 2.31 Disabling the SSID Broadcast

Setting a Password on the Airport

Because the Airport is in a default configuration, it is wise to set a password on the Airport to prevent anyone from making unauthorized changes. From the main base station properties window, click the Change Password… button and enter and confirm a password for the Airport. Click OK to set the password. Click Update to save the changes to the Airport (see Figure 2.32).

Figure 2.32 Setting a Password on the Airport

Enabling Wired Equivalent Privacy

To enable WEP on the Airport, click the Change Wireless Security… button to open the Properties dialog box (see Figure 2.33).

Figure 2.33 WEP Default Setting

Click WEP from the drop-down menu. You will be presented with the options to add your encryption key. Type in an encryption key that is not easily guessable, and retype the key to confirm. Ensure that the Encryption Type: is set to 128 bit WEP, and click OK to enable WEP encryption (see Figure 2.34).

Figure 2.34 Configuring a WEP Encryption Key

Anyone who attempts to connect to this access point will now be required to enter the encryption key to make the connection.

Enabling Wi-Fi Protected Access

Enabling WPA on the Airport is just as simple as enabling WEP encryption. From the main setup screen, click the Change Wireless Security… button to open the Wireless Security dialog box. Change the Wireless Security: drop-down list to

Figure 2.35 WPA Settings

Ensure that the Password option is set, and enter a password or passphrase of between 8 and 63 ASCII characters. The Encryption Type: may be left at the default WPA and WPA2 option to allow both WPA and WPA2 connections. If only WPA clients or only WPA2 clients will be connecting, you may change this option to reflect that fact. Leave the Group Key Timeout: at its default of 60 minutes. Click OK to save the settings and enable WPA (see Figure 2.36).

Figure 2.36 Entering the WPA Password

Filtering by Media Access Control Address

To prevent connections to the Airport by workstations not authorized to do so, enable filtering by the MAC address. The MAC address of the connecting wireless network card will need to be entered manually. From the main options screen, click Access Control to view the settings (see Figure 2.37).

Figure 2.37 The Access Control Options

Click the + (plus) sign next to the main dialog box to enter the MAC address of the client. A dialog box will open, requesting the Airport ID (MAC address) and the Description (see Figure 2.38).

Figure 2.38 Default MAC Address Filter Window

Enter the 12-character MAC address and provide a description if needed. Click

Figure 2.39 Entering the MAC Address

Figure 2.40 Confirming the List

Click Update to save the settings to the Airport.

Enabling Security Features on a Cisco 1100 Series Access Point

The Cisco Aironet series of access points are used largely by businesses and local hotspots that need the robustness of a Cisco product and the ease of use of a small office/home office (SOHO) product. The Cisco 1100 Series Access Point provides 802.11b/g services, operating on the 2.4GHz band. Unlike most SOHO router/AP products, the Cisco 1100 does not include a built-in switch and can only be used as a standalone wireless access point.

The easiest way to configure the Cisco 1100 is to connect via the Web interface. You will need to assign your local host a static IP between 10.0.0.2 and 10.0.0.10, with a subnet mask of 255.255.255.0 and a default gateway of 10.0.0.1. You may use
