8.4. Wireless Setup & Security [src] |
||||||||||||||||||
One issue with both home and corporate wireless networks is the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals leak outside of buildings and across property lines makes physical security largely irrelevant to Piggybackers – people that make unauthorized use of a WLAN. |
||||||||||||||||||
ConcernsAnyone within the geographical network range of an open, unencrypted wireless network can capture or record the traffic (called sniffing), gain unauthorized access to internal network resources as well as to the Internet, and then possibly send spam or do other illegal actions using the wireless network's IP address. All of these are significant concerns for any office network. For home networks the biggest problems are the potential loss of personal privacy and unauthorized use of your network and ISP to gain Internet access – thus reducing your available bandwidth. How big the problem is for home or office depends largely on who lives nearby and how likely "war driving" (searching for open WLANs) is in your area. |
Wi-Fi leakage By Paul Mullins: constructed |
|||||||||||||||||
If router security is not activated or if the owner deactivates it for convenience, it creates a free hotspot. Most current laptop PCs have wireless networking built in and it may be enabled by default. Depending on settings, the laptop may automatically connect to open wireless networks (as well as broadcast the laptop's accessibility to any computer nearby) without the owner's knowledge, i.e., they may not even know they are using your network. Modern operating systems such as Mac OS, or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC – your PC acts as a gateway/router. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby may also use the connection. Such "piggybacking" is usually achieved without the wireless network operators knowledge; again, it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point. |
A related problem is that hackers not only use free, open WiFi hotspots to harvest your private data... they create them for you to use. Hackers can easily setup a free WiFi hotspot and be pretty certain that people will start to use it — just by giving it a place-appropriate name. (Previous information on hotspots.)
|
|||||||||||||||||
Security optionsAccess Control at the Access Point levelHome users, businesses and organizations typically use access control at the access point level. The intention is to provide a "closed network". The most common method is to configure various access restrictions in all of the access points. Most of these are quite simple to accomplish and all can be used in combination. The simplest option is to disable ESSID broadcasting — that's the "name" of the network. This will prevent automatic connection by unaware users and make the access point difficult for casual outsiders to detect. However, anyone with the proper tools – we're thinking of hackers here – will be able to detect the network anyway. And, your friends will be able to "add" then network when you tell them the SSID. Another fairly simple technique is to enable wireless encryption. Client devices have to authenticate (logon) and the encryption prevents spying. Once a client device is setup and given the pass phrase, it usually remembers it and reconnects automatically as needed. Wi-Fi Protected Access (WPA2) is quite secure when a reasonable pass phrase is chosen — use at least 14 randomly selected characters, or a lengthy phrase (up to 64 characters). The primary differences between a pass phrase and a password is that passwords have to be remembered and typed in often. Example: (don't use it) Alice's Right Foot! Esq@Hearthrug, Near the fender - good book Note that although this is based on a quote from Alice in Wonderland – mangle your own quote – the capitalization is different, with punctuation added, and it ends with a short phrase not in the book. At 62 characters, it is long. But, you usually only have to type in the password once for each device — and, for home use, you can post the pass phrase on the fridge (or if you're more security-minded, leave it in a desk drawer). A final note on encryption: Wired Equivalent Privacy (WEP) should not be used. The U.S. FBI has demonstrated the ability to break WEP protection in only three minutes using tools available to the general public (see aircrack). The least simple, but most restrictive, technique is to only allow access from known, approved MAC addresses – recall that each wireless NIC has a "unique" MAC address – making this equivalent to specifying the devices that are allowed access your network. By itself, however, this approach gives no security against sniffing (spying), and client devices can easily spoof a MAC address, so this should be used in combination with the measures described above. For businesses, Wireless Intrusion Prevention Systems can be used to provide additional wireless LAN security. Commercial hotspots, such as coffee shops, want to broadcast the ESSID and can't readily manage MAC address restrictions, so they tend to be either completely open, or use encryption alone. With any encryption scheme, all clients in the network know the pass phrase and can read all the traffic. This makes a "secure" hotspot open to spying by anyone else that is using the hotspot. You should never use a hotspot for secure communication, like banking or, for that matter, Facebook, Twitter or email. Commercial Providers and large organizationsFor these larger organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN. (At SRU, you need to authenticate or login to use wireless.) For complete securityWireless networks are inherently less secure than wired ones because of the lack of physical security (leakage). However, in many offices, intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network; and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution (for wired & wireless) may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public. The solution may be encryption and authorization in the application layer, using technologies like HTTPS (using TLS/SSL), PGP and similar techniques, as discussed earlier. As a user, you can restrict your own use of a hotspot to applications that allow you to use secure HTTP (https) for all transactions. Note that these can be used in addition to the WLAN security measures discussed above. (If you use HTTPS in an wireless hotspot, others can only spy on IP addresses – that is, they know where you are connecting to, but not the content of the messages.) The problem with encryption on the router level (IPsec) or VPN is that a switch encrypts all traffic as it leaves the LAN. Others on the LAN can still see the traffic. The disadvantage with the end to end method is, it may fail to cover all traffic. End-to-end encryption requires each service/device to have its encryption "turned on". (If it is difficult, it may not be used.) For sending emails, every recipient must support the encryption method. For Web browsing, not all web sites offer HTTPS, and even if they do, the browser sends out IP addresses in clear text. What should you do?Home WLANsYou should be using WPA2 encryption with a good pass phrase. Other will be able to "see" the network, but not able to connect without cracking it. That is, only a successful cracker will be able to spy on your activities, access your Internet connection, or gain access to your computer or other network resources. (Obviously this excludes anyone you have given the pass phrase to.) You will have prevented casual and accidental access, as well as most nosey neighbors. Your traffic on the Internet is not protected, though you can use HTTPS for browsing and PGP for email. (Or, an anonymizing service.) Small OfficeIn addition to the home security methods,
OthersLarger organizations and those with more strict security needs, like health care providers, should consult an IT security professional. |
||||||||||||||||||
The Argument for Open Access PointsToday, there is almost full wireless network coverage in many urban areas — the infrastructure for the wireless community network, which some consider to be the future of the Internet, is already in place. One could roam around and always be connected to the Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted. Many people consider it proper etiquette to leave access points open to the public, allowing free access to Internet, although some users don't know how to disable encryption. Others think encryption provides substantial protection, at small inconvenience, against dangers of open access that they fear may be substantial, even on a home router. The density of access points can even be a problem — there are a limited number of radio channels available, and they partly overlap. Each channel can handle multiple networks, but in places with many private wireless networks (for example, an apartment complex), the limited number of Wi-Fi radio channels might cause slowness and other problems. According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:
In some countries including Germany, persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point. Also, many contracts with ISPs specify that the connection may not be shared with other persons. |
||||||||||||||||||
Net neutralityThe argument for net neutrality is that once a contract with an ISP that specifies (up to) 8 Mbps is signed, the home user should be able to use that bandwidth for whatever they want, including using services that compete with the ISP. For example, watching Netflix movies online and Skype for phone calls rather than the cable provider's video on demand or VoIP phone service. One current non-neutral scheme is for an ISP to make a deal with a service provider, like a particular search engine, to make traffic to and from that site faster than any other search provider — essentially creating a fast lane that you can only get into if you use the service that is paying your ISP for the privilege. For the past several years net neutrality (in the US) has been in the news a lot, with the FCC attempting to control what actions an ISP is allowed to take in terms of blocking services or throttling customer bandwidth and informing customers of billing structures. They did this by categorizing ISPs as "common carriers", and (like telephones and other utilities) subjected them to basic rules. The FCC imposed different rules for home or stationary ISPs (DSL and cable) and cellular or mobile ISPs. The Republicans in Congress have pledged to reverse those rules through legislation. The counter argument is essentially that there have yet to be any major abuses and that an open, free market will prevent abuse. (Of course, this argument assumes that the consumer has multiple choices for Internet service.) The rest of the argument is big business vs. government regulation. Opponents characterize rules that all traffic be treated equally as government intervention and "controlling the Internet". This is a good area for you to watch or even become involved in — it's happening now. One thing to watch is the services provided by smartphone carriers; almost all have gone to "tiered" data plans that charge different amounts based on the amount of data you use per month. (Inherent in the open WLAN argument above that extra traffic will not impact the network owner's bill, is that most ISPs currently limit bandwidth, but not total data usage.) |
||||||||||||||||||
net neutrality in the US | news "net neutrality" | net neutrality | ||||||||||||||||
Setting up a wireless home networkMost new wireless routers come with wi-fi protected setup that makes setting up a protected (encrypted) network easy, although you still have to take additional steps to fully secure the network. Almost all routers come with simple set up instructions, but in the past they often defaulted to open, unsecured access. Here are some steps that may help you in setting up a wireless network once you have secured access through an ISP. If you have a setup guide, follow the instructions there. Preliminary StepsIf you are using DSL, you will need your account ID and password. Contact your service provider. Occasionally, you will also need other information such as the IP address of your primary gateway and DNS servers. These are also given to you by your ISP, but are usually automatically detected. If you are using an old router, you may have to reset the modem to factory settings and/or determine the IP address the router uses. Instructions for doing this should be in the documentation or you can search for your modem online (perhaps using your smartphone). Generic Instructions |
||||||||||||||||||
|
Wireless Networking has been a hot topic for the Lab Rats#70 Home Network Security 101 #65 Home Network Basics #6 Home network primer #7 Setup a Wireless Home Network #1 Wireless router security #167 WPA2 revisited - setting up wireless security on your router #185 Router Maintenance 101 #14 MAC Address Filtering |
|||||||||||||||||
#9 Network File Sharing | #177 Network Attached Storage Demystified | #172 Printing to the network | ||||||||||||||||