
That's the theory behind WEP, anyway. WEP has been a part of Wi-Fi networks
from the beginning. (The developers of Wi-Fi were initially focused on
the business market, where data security has always been a big priority.) The
name itself reveals the intentions of the system's developers; they wanted to
make wireless networks as secure as wired networks.

In order for WEP to work, you must activate WEP on all the Wi-Fi devices in
your network via the client software or configuration program that came with
the hardware. And every device on your network must use the same WEP key
to gain access to the network. (We talk a bit more about how to turn on WEP
in the “Clamping Down on Your Wireless Home Network's Security” section of
this chapter.)

For the most part, WEP is WEP is WEP. In other words, it doesn't matter
which vendor made your access point or which vendor made your laptop's
PC card network adapter — the implementation of WEP is standardized
across vendors. Keep this one difference in mind, however: WEP key length.
Encryption keys are categorized by the number of bits (1s or 0s) used to
create the key. Most Wi-Fi equipment these days uses 128-bit WEP keys, but
some early gear (like the first generation of the Apple AirPort equipment)
supported only a 64-bit WEP key.

A few access points and network adapters on the market even support longer
keys, such as equipment from D-Link, which can support a 256-bit key. Keep in
mind that the longest standard (and common) key is 128 bits. Most equipment
enables you to decide how long to make your WEP key; you can often choose
between 64 and 128 bits. Generally, for security purposes, you should pick the
longest key available. If, however, you have some older gear that can't support
longer WEP key lengths, you can use a shorter key. If you have one network
adapter that can handle only 64-bit keys but you've got an access point that
can handle 128-bit keys, you need to set up the access point to use the shorter,
64-bit key length.

Chapter 10: Securing Your Wireless Home Network

You can almost always use a shorter-than-maximum key length (like using a
64-bit key in a 128-bit-capable system), but you can't go the other way. So if
you set your access point up to use a 128-bit key, your older 64-bit network
adapter won't be able to connect to it.



What's wrong with WEP?
WEP sounds like a pretty good deal, doesn't it? It keeps your data safe while
it's floating through the ether by encrypting it, and it keeps others off your
access point by not authenticating them. In fact, it's pretty good. Notice that
we didn't say that WEP is great or superb or awesome. Just pretty good.

We're actually being somewhat generous. With the proper tools and enough
network traffic to analyze, a dedicated network cracker can break WEP (or
independently figure out the WEP key by using some mathematical techniques)
in a relatively short time. In the business environment, where a ton of traffic is
traveling over the wireless network and valuable business secrets are part of
this traffic, this is a pretty big deal. The math to break WEP is pretty hard
(you're not going to do it in your head), but plenty of freely available tools
are on the Web that let a computer do it relatively quickly.

We're being generous with WEP because we strongly believe that in the home
environment — particularly in the suburbs and other less-than-densely
populated areas — the chances of you having someone who can pick up your
signals AND be motivated to go through all the trouble of breaking your WEP
code are pretty darn slim. No one's ever tried to do it to us, and we don't
know any folks who have had this happen to them at home. So we don't
sweat it all that much.

But we do think that WEP needs to be improved. We use wireless networks at
work too, and we'd like additional security. The final section of this chapter,
“Looking into the Crystal Ball,” talks about some newer systems that are on
the way which will complement or supplant WEP entirely and offer greater
security.

We're writing Wireless Home Networking For Dummies here, not Secure Office
Wireless Networks For Dummies. More sophisticated security systems are
available now for business networks that can improve upon the security of a
wireless LAN. Many of these systems rely upon using stronger encryption
systems called Virtual Private Networks (VPNs), which encrypt all data
leaving the PC (not just wireless data) with very strong encryption. You might
even have a VPN system on that work laptop that you bring home with you
every night. VPN is great, and as long as your router supports VPN tunneling,
you should be able to connect to the office network from your home LAN
using your VPN client. But VPN technology is not anywhere close to being
cheap, simple, and user-friendly enough to be something that we'd ever
recommend that you install in your house to secure your wireless LAN.

Part III: Installing a Wireless Network




Clamping Down on Your Wireless Home Network's Security
Well, enough of the theory and background. Time to get down to business. In
this section, we discuss some of the key steps that you should take to secure
your wireless network from intruders. None of these steps are difficult, will
drive you crazy, or make your network hard to use. All that's really required
is the motivation to spend a few extra minutes (after you've got everything
up and working) battening down the hatches and getting ready for sea. (Can
you tell that Pat used to be in the Navy?)

The key steps in securing your wireless network, as we see them, are the
following:

1. Change all the default values on your network.
2. Enable WEP.
3. Close your network to outsiders (if your access point supports this).

Hundreds of different access points and network adapters are available on
the market. Each has its own unique configuration software. (At least each
vendor does; and often, different models from the same vendor have different
configuration systems.) You need to RTFM (Read the Fine Manual!). We're
going to give you some generic advice on what to do here, but you really,
really, really need to pick up the manual and read it before you do this to
your network. Every vendor has slightly different terminology and different
ways of doing things. If you mess up, you might temporarily lose wireless
access to your access point. (You should still be able to plug a computer in
with an Ethernet cable to gain access to the configuration system.) You might
even have to reset your access point and start over from scratch. So follow
the vendor's directions (as painful as that may be — there's a reason why
people buy For Dummies books). We tell you the main steps that you need to
take to secure your network; your manual will give you the exact line-by-line
directions on how to implement these steps on your equipment.




WEP key length: Do the math
If you're being picky, you might notice that WEP keys aren't really as long
as their names say that they are. The first 24 bits of the key are actually
something called an initialization vector, and the remaining bits comprise the
key itself. Therefore, 128-bit keys are really only 104 bits long, and 64-bit
keys are really only 40 bits long. So when you enter a 128-bit key (and you do
the math), you'll see that there are only 26 alphanumeric characters (or
digits) for you to enter in the key (4 bits per digit × 26 = 104 bits). This
isn't something that you really need to know because everyone adds the 24
initialization vector bits to the WEP key length number, but just in case you
were curious. . . .
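
The sidebar's arithmetic and the earlier rule that every device must share one key length can both be checked before you touch the access point. The Python below is an added example, not part of the book: it parses a hex key entry and reports which devices a chosen key length would lock out. The function names, device inventory, and sample keys are constructed; accepting ":", "-" and space separators and applying the 24-bit rule to 256-bit gear are assumptions.

```python
import string

IV_BITS = 24  # initialization vector bits included in the advertised length
# Advertised length -> hex digits typed for the secret part: 10, 26, 58.
# Assumption: 256-bit gear follows the sidebar's "minus 24 bits" rule too.
HEX_DIGITS = {n: (n - IV_BITS) // 4 for n in (64, 128, 256)}


def parse_wep_key(text):
    """Return (advertised_bits, secret_bits, key_bytes) for a hex key entry."""
    # Assumption: some setup screens show separators; strip them first.
    digits = "".join(c for c in text if c not in ":- ")
    if not digits or any(c not in string.hexdigits for c in digits):
        raise ValueError("a hex WEP key may contain only 0-9 and A-F")
    for advertised, count in HEX_DIGITS.items():
        if len(digits) == count:
            return advertised, count * 4, bytes.fromhex(digits)
    raise ValueError(f"got {len(digits)} hex digits, expected 10, 26 or 58")


def common_key_length(supported):
    """Longest advertised key length that every device can handle."""
    shared = set.intersection(*(set(v) for v in supported.values()))
    if not shared:
        raise ValueError("no key length is supported by every device")
    return max(shared)


def devices_locked_out(key_text, supported):
    """Devices that cannot use the key as entered (empty list means none)."""
    advertised = parse_wep_key(key_text)[0]
    return sorted(d for d, ok in supported.items() if advertised not in ok)


# Constructed inventory: device names and capabilities are made up.
DEVICES = {
    "access-point": {64, 128},
    "laptop-pc-card": {64, 128},
    "first-gen-adapter": {64},
}
SAMPLE_128 = "0123456789ABCDEF0123456789"  # constructed, never use as a real key
SAMPLE_64 = "01:23:45:67:89"  # constructed

if __name__ == "__main__":
    print(parse_wep_key(SAMPLE_128)[:2])
    print(common_key_length(DEVICES))
    print(devices_locked_out(SAMPLE_128, DEVICES))
    print(devices_locked_out(SAMPLE_64, DEVICES))
```

With this inventory the 26-digit key would strand the 64-bit-only adapter, which is why the whole network has to drop to the 10-digit key.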



Most access points also have some wired connections available — Ethernet
ports that you can use to connect your computer to the access point. You can
almost always use this wired connection to run the access point configuration
software. When you're setting up security, we recommend making a wired
connection and doing all your access point configuration in this manner. That way,
you can avoid accidentally blocking yourself from the access point when your
settings begin to take effect.



Getting rid of the defaults
It's incredibly common to go to a Web site like Netstumbler.com, look at the
results of someone's Wi-Fi reconnoitering trip around their neighborhood, and
see dozens of access points with the same exact Service Set Identifier (SSID,
or network name; see Chapter 2). And it's usually Linksys because Linksys is
the most popular vendor out there. Many folks bring home an access point,
plug it in, turn it on, and then do nothing. They leave everything as it was set
up from the factory. They don't change any of the default settings.

Well, if you want people to be able to find your access point, there's
nothing better (short of a sign on the front door; check out our discussion of
warchalking — the practice of leaving marks on sidewalks to point out open
APs — in Chapter 16) than leaving your default SSID broadcasting out there
for the world to see. In some cities, you could probably drive all the way
across town with a laptop set to Linksys as an SSID and stay connected the
entire time. (We don't mean to just pick on Linksys here. You could probably
do the same thing with an SSID set to default, D-Link's default, or any of the
top vendors' default settings.)

When you begin your security crusade, the first thing that you should do is
to change all the defaults on your access point. At a minimum, you should
change the following:

Your default SSID
Your default administrative password

You want to change this password because if you don't, someone who gains
access to your network can guess at your password and end up changing all
the settings in your access point without you knowing. Heck, if they wanted
to teach you a security lesson — the tough love approach, we guess — they
could even block you out of the network until you reset the access point.
These default passwords are well known and well publicized. Just look on the
Web page of your vendor, and we bet that you'll find a copy of the user's
guide for your access point available for download. Anyone who wants to
know them does know them.

When you change the default SSID on your access point to one of your own
making, you'll also need to change the SSID setting of any computers (or
other devices) that you want to connect to your LAN. To do this, follow the
steps that we discuss in this part's earlier chapters.

This tip really falls under the category of Internet security (rather than airlink
security), but here goes: Make sure that you turn off the Allow/Enable Remote
Management function (it might not be called this exactly but something like
that). This function is designed to allow people to connect to your access point
over the Internet (if they know your IP address) and do any or all of the
configuration stuff from a distant location. If you need this turned on (perhaps you have
a home office, and your IT gal wants to be able to configure your access point
remotely), you'll know it. Otherwise, it's just a security flaw waiting to happen,
particularly if you haven't changed your default password. Luckily, most access
points have this set to Off by default, but take the time to make sure that
yours does.



Enabling WEP
After you eliminate the security threats caused by leaving all the defaults in
place (see the preceding section), it's time to get some encryption going. Get
your WEP on, as the kids say.

We've already warned you once, but we'll do it again, just for kicks: Every
access point has its own system for setting up WEP, and you need to follow
those directions. We can only give generic advice because we have no idea
which access point you're using.

To enable WEP on your wireless network, we suggest that you perform the
following generic steps:

1. Open your access point's configuration screen.
2. Go to the Wireless, Security, or Encryption tab or section.
   We're being purposely vague here; bear with us.
3. Select the radio button or check box labeled Enable WEP or Enable
   Encryption or Configure WEP.
   You should see a menu similar to the one shown in Figure 10-1. (This is
   for a Siemens SpeedStream access point/router.)
4. Use the check box or the pull-down menu to select the appropriate WEP
   key length for your network.
   We recommend 128-bit keys if all the gear on your network can support
   it. (See the earlier section, “How about a bit more about WEP?,” for the
   lowdown on WEP keys.)
5. Create your own key if you prefer (we prefer to let the program create
   one for us):
   a. Type a pass phrase into the Passphrase text box.
   b. Click the Generate Keys button.




Figure 10-1: Setting up WEP on a SpeedStream access point.

   Remember the pass phrase. Write it down somewhere, and put it some
   place where you won't accidentally throw it away or forget where you
   put it. Danny likes to tape his pass phrase note to the box that his Wi-Fi
   gear came in so he'll always be able to track it down.

   Whether you created your own key or let the program do it for you, a
   key should now have magically appeared in the key text box. Note: Some
   systems allow you to set more than one key (usually up to four keys),
   such as the system in Figure 10-1. In this case, use Key 1 and set this as
   your default key by using the pull-down menu.

   Remember this key! Write it down. You'll need it again when you
   configure your computers to connect to this access point.

   Some access points' configuration software won't necessarily show you
   the WEP key that you've generated — just the pass phrase that you've
   used to generate it. You'll need to dig around in the manual and menus
   to find a command to display the WEP key itself. (For example, Apple's
   AirPort software shows just the pass phrase; you need to find the
   Network Equivalent Password in the AirPort Admin Utility to display the
   WEP key — in OS X, this is in the Base Station Menu.)
The built-in wireless LAN client software on Windows XP numbers its
