WPA To Whip Wireless Security into Shape
Yes, the new WPA encryption should plug the biggest holes in today's wireless protocol encryption. But in the meantime, be sure to take best advantage of the security you've got, warns Security Supersite Editor Larry Seltzer.
Wired Equivalent Privacy, better known as WEP, has been one of the security industry's laughingstocks for years. However, a fix is in the works, again. Still, this time, the results look promising. While the WEP encryption standard is installed in zillions of Wi-Fi devices out on the market, it's been common knowledge that cracking keys and breaking WEP encryption is not all that difficult. There's even been a growing trade in tools to help you do this, not that I would approve of such things. What's worse, the problems are at the protocol level, not in the implementations, meaning that WEP has been just plain broken. The good news is that after some fits and starts, the standards and industry people in the Wi-Fi Alliance finally agreed on a solution, and so far nobody's come up with a serious flaw in it.
Wi-Fi Protected Access (WPA) can be implemented on all Wi-Fi devices with just a software upgrade (assuming the device is software-upgradable, as any decent one should be). It uses a far stronger encryption protocol called Temporal Key Integrity Protocol (TKIP), and includes a protocol for changing keys periodically just to make things even harder for attackers. Throw in the Message Integrity Code (MIC or "Michael") and WPA packets also become hard to tamper with in the air.
- If your access point allows you to disable SSID broadcast, disable it. SSID is the name of the wireless LAN that shows up when you browse. You'll have to know the SSID and enter it manually when you connect, but strangers won't know it. Actually I've read that there are tools that can sniff out wireless LANs with unbroadcast SSIDs, but I haven't seen them in action. In any event, not broadcasting SSIDs drastically lowers the profile of your LAN, reducing the probability of an attack.
- Another good idea is to change your WEP password periodically. This is more a roadblock than a real barrier to attackers, but there's no sense in making things easy for them.
- For heaven's sake, change the default administrator password on your access point and refresh it periodically. If someone penetrates your network you don't want them to lock you out of it.
- Place your access point at the physical center of the building. This will maximize the broadcast quality inside, but has the added security benefit of minimizing it outside. Many access points, such as many Linksys products, have the ability for the administrator to lower the broadcast signal in their advanced settings. You can use this feature to tune the signal so that it covers your building and as little else as possible.
- Finally, and most importantly, use MAC address filtering on your network to prevent use by any network adapters other than your own. This, especially in combination with the other measures above, will make it difficult for an outsider to make their way onto your network.
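
As an added example (not from the original article), the five measures above can be checked mechanically against an access point's saved settings. The key=value export format, every key name, the sample values and the 90-day interval are assumptions made for illustration; real access points expose these settings differently.

```python
from datetime import date

# Constructed settings export (key=value). The format and all key names are
# assumptions for this example, not any vendor's real export.
SAMPLE_EXPORT = """\
ssid_broadcast=enabled
encryption=WEP
wep_key_changed=2003-01-15
admin_password_changed=never
tx_power_percent=100
mac_filter=enabled
mac_allowlist=
"""
MAX_AGE_DAYS = 90  # assumed reading of "periodically"; the article gives no interval

def parse_export(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key.strip()] = value.strip()
    return settings

def is_stale(value, today):
    """True if a YYYY-MM-DD date is missing, malformed or older than MAX_AGE_DAYS."""
    try:
        return (today - date.fromisoformat(value)).days > MAX_AGE_DAYS
    except (TypeError, ValueError):
        return True

def audit(settings, today):
    """Return one finding for each of the article's measures that is not in place."""
    findings = []
    if settings.get("ssid_broadcast") != "disabled":
        findings.append("SSID broadcast is not disabled")
    if settings.get("encryption") == "WEP" and is_stale(settings.get("wep_key_changed"), today):
        findings.append("WEP key is overdue for a change")
    if is_stale(settings.get("admin_password_changed"), today):
        findings.append("admin password is default or overdue for a change")
    if settings.get("tx_power_percent", "100") == "100":
        findings.append("transmit power has not been lowered")
    allowlist = [m for m in settings.get("mac_allowlist", "").split(",") if m.strip()]
    if settings.get("mac_filter") != "enabled" or not allowlist:
        findings.append("MAC filtering is off or its allowlist is empty")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT), date(2003, 6, 1)):
        print("FAIL:", finding)
```

The sample deliberately includes a filter that is switched on with an empty allowlist, which the audit reports separately from the other gaps because the setting alone restricts nothing.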