Securing Wireless Network Traffic (Part 4)

Introduction

In my previous article, I discussed the importance of a wireless access point’s SSID and I also talked about MAC address filtering. In this article, I want to continue the discussion by showing you some more security features that are commonly built into wireless access points. As I do, keep in mind that not every access point offers every feature that I will be talking about.

Encryption

When it comes to securing wireless networks, the one security feature that seems to attract the most attention is encryption. That being the case, I wanted to start out by providing you with some basic information on some of the more common encryption options. As I do, keep in mind that right now I am only discussing the encryption mechanisms that are built into the wireless hardware. I will be talking about operating system level encryption features later on in this series.

No Encryption

At the beginning of this series, I posed the question of what would happen if a wireless network were not encrypted at all. That’s because the default behavior for most access points is to leave all connections unencrypted.

If you are going to be using an operating system level encryption feature such as IPSec or if you are going to be using the access point as a public Wi-Fi hot spot then leaving encryption disabled may be an option. Otherwise, I would recommend using one of the encryption options that I will be discussing in a moment.

WEP

Wired Equivalent Privacy (WEP) was a first generation encryption algorithm for wireless networks. Today, most wireless access points still offer WEP encryption, but only for backward compatibility purposes. WEP encryption was broken many years ago, and today it is considered to be insecure.

WPA-PSK [TKIP]

Wi-Fi Protected Access (WPA) was designed as a mechanism for overcoming the shortcomings of WEP encryption. There are several different flavors of WPA, but the most common is probably WPA-PSK. WPA-PSK simply means that encryption is based on the use of a pre-shared key.

Some WPA implementations make use of a protocol called TKIP, which stands for Temporal Key Integrity Protocol. TKIP generates a 128-bit key for each packet.

WPA2-PSK

WPA2-PSK is a next generation version of WPA. Although WPA2 still uses pre-shared keys, it does away with TKIP in favor of the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP was optionally available in some WPA implementations, but is mandatory for use in WPA2. CCMP is based on the Advanced Encryption Standard (AES) algorithm which uses ten rounds of encoding to produce a 128-bit key. Presently, WPA2 is the preferred wireless encryption mechanism.

One More Thing to Consider

Although encryption is the primary security mechanism on any wireless access point, it is important to remember that encryption alone does not guarantee the security of your wireless network. Comprehensive security can only be achieved by practicing defense in depth, which means that you must take advantage of other security mechanisms that may be available to you. I will spend the remainder of this article discussing a few additional security mechanisms which are found on some wireless access points.

Logs

Although it isn’t usually a feature that you can configure, many wireless access points have rather rich logging capabilities. For example, the access point that I use has a built-in logging mechanism that creates a log entry every time that a connection is attempted. More importantly though, the access point tells you where the connection originated from (wired network, wireless network, or Internet), the IP address of the device attempting the connection, and the port number through which the connection was attempted.

The logs on my access point also keep track of any attempted logins to the access point’s administrative console. This feature makes it easy to spot any unauthorized access attempts.

Blacklists

Some access points include various types of blacklists. For example, many wireless access points offer a blacklist that you can use to block access to certain Web sites. Although this feature was probably designed as a way of blocking access to inappropriate content, you can use such a blacklist as a way of preventing accidental access to Web sites that are known to be malicious. In fact, there are several Web sites that provide downloadable lists of malicious Web sites, and you could use such a list in conjunction with an access point’s blacklist feature as a way of decreasing the chances that a user will visit such a site.

Of course, not all blacklists deal with URLs. Some wireless access points also give you the ability to blacklist ports and services. For example, if your corporate security policy restricted the use of instant messaging software, then you might use an access point’s blacklist to block instant messaging traffic. That way, even if a user were somehow able to install an instant messaging client onto their workstation, the client would be ineffective.

If you do decide to use blacklists to prevent certain types of traffic from traversing your network, then it is a good idea to take advantage of both port lists and service lists if they are available.

Alerts

Some of the higher end wireless access points contain various alerting mechanisms. When properly used, such mechanisms can be a tremendous asset to your wireless network’s overall security.

The basic idea behind alerting is that as an administrator you can define certain conditions that you want to know about. These conditions could be anything. For example, you might want to know when a user attempts to visit a restricted Web site, or you might want to know any time someone attempts to log into the administrative console. Some wireless access points can even be configured to alert an administrator if a user attempts to connect to an access point outside of normal business hours.

Once you have defined the conditions for which an alert will be generated, you must configure the alert itself. The alerting options vary from one wireless access point to another, but generally you can configure the access point to send you an E-mail message or an SMS text message whenever designated events occur.
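To show how the logging, blacklist and alerting features described above fit together, here is an added example (not code from the article or from any access point vendor) that runs the three alert conditions mentioned in this section over a few constructed log lines. The log format, the field names and the 08:00 to 18:00 business-hours window are all assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines in an assumed access-point log format
# (not any real vendor's format): timestamp, event type, key=value fields.
SAMPLE_LOG = """\
2024-05-01 09:12:03 CONNECT origin=wireless ip=192.168.1.57 port=443
2024-05-01 12:40:19 ADMIN_LOGIN origin=wired ip=192.168.1.10 result=success
2024-05-01 12:41:02 ADMIN_LOGIN origin=internet ip=203.0.113.9 result=failed
2024-05-01 14:05:44 WEB_BLOCK origin=wireless ip=192.168.1.57 host=blocked.example
2024-05-01 23:17:30 CONNECT origin=wireless ip=192.168.1.88 port=22
2024-05-02 03:02:11 CONNECT origin=internet ip=198.51.100.4 port=80
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+)(.*)$")
BUSINESS_HOURS = (8, 18)  # assumed window: 08:00 inclusive to 18:00 exclusive


def parse_line(line):
    """Turn one log line into a dict holding 'time', 'event' and the key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    fields["event"] = event
    return fields


def evaluate_alerts(log_text, business_hours=BUSINESS_HOURS):
    """Apply the three alert conditions from the article: any administrative
    console login attempt, any blocked (restricted) Web site visit, and any
    wireless connection outside business hours. Returns (rule, ip, line) tuples."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        ev, hour = rec["event"], rec["time"].hour
        if ev == "ADMIN_LOGIN":  # successful or failed, both are worth knowing about
            alerts.append(("admin-console-login", rec["ip"], line))
        elif ev == "WEB_BLOCK":
            alerts.append(("restricted-site", rec["ip"], line))
        elif ev == "CONNECT" and rec.get("origin") == "wireless" \
                and not (business_hours[0] <= hour < business_hours[1]):
            alerts.append(("off-hours-wireless", rec["ip"], line))
    return alerts


if __name__ == "__main__":
    for rule, ip, raw in evaluate_alerts(SAMPLE_LOG):
        print(f"[{rule}] {ip}: {raw}")
```

In practice the print loop is where you would hand the alert to the access point's E-mail or SMS mechanism, or to a central log collector.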

Wireless Signal

One last aspect of wireless security that I want to mention involves the signal produced by the wireless access point. Some access points will allow you to adjust the signal strength. If your access points offer such a feature then it is a good idea to decrease the signal strength so that the signal only travels as far as you need it to. Think about it for a moment. Do your employees really have a legitimate business need to log on to your wireless network from three blocks away? Of course not.

While there are certainly business situations that require high powered wireless networks, you should try to take steps to prevent your wireless signal from traveling beyond your organization’s physical boundaries. Doing so makes it more difficult for someone out on the street to sniff your wireless network.

Conclusion

So far in this series, I have limited my discussion solely to talking about security features that are built into the wireless hardware. However, you may be surprised to learn that the Windows operating system also contains a number of built-in wireless security features. I will begin discussing those features in Part 5.