WPA To Whip Wireless Security into Shape

Yes, the new WPA encryption should plug the biggest holes in today's wireless protocol encryption. But in the meantime, be sure to take best advantage of the security you've got, warns Security Supersite Editor Larry Seltzer.

Wired Equivalent Privacy, better known as WEP, has been one of the security industrys laughingstocks for years. However, a fix is in the works—again. Still, this time, the results look promising. While the WEP encryption standard is installed in zillions of Wi-Fi devices out on the market, its been common knowledge that cracking keys and breaking WEP encryption is not all that difficult. Theres even been a growing trade in tools to help you do this, not that I would approve of such things. Whats worse, the problems are at the protocol level, not in the implementations, meaning that WEP has been just plain broken

The good news is that after some fits and starts, the standards and industry people in the Wi-Fi Alliance finally agreed on a solution, and so far nobodys come up with a serious flaw in it. Wi-Fi Protected Access (WPA) can be implemented on all Wi-Fi devices with just a software upgrade (assuming the device is software-upgradable, as any decent should be). It uses a far stronger encryption protocol called Temporal Key Integrity Protocol (TKIP), and includes a protocol for changing keys periodically just to make things even harder for attackers. Throw in the Message Integrity Code (MIC or "Michael") and WPA packets also become hard to tamper with in the air.

WPA is a subset 802.11i, a more ambitious standard that has been in the works for a while and given the new marketing moniker WPA2. 802.11i, or WPA2, will add support for a far stronger encryption method called Advanced Encryption Standard (AES), which has been adopted as an official government standard by the Department of Commerce and National Institute of Standards and Technology. Since AES may require hardware assistance, WPA2 may not run on all current hardware. But it will simultaneously support the current WPA subset, and will ease the migration to WPA2. This plan stands in contrast to the initial WPA standard which does not guarantee WEP support, at least not for simultaneous usage, although some vendors will support both encryption standards through proprietary means.

On the enterprise side WPA also adds authentication support through RADIUS servers and Extensible Authentication Protocol (EAP). Doubtless administrators will be thankful for a standard capability to interoperate with their existing infrastructure. Smaller networks without RADIUS servers can manually share an ASCII "Pre-Shared Key" (PSK) instead of the infuriating hex nonsense that WEP users have grown used to.

At the same time, its important to note that many, if not all, older products have other security-related features and that there are precautions users can implement now to mitigate the problems in WEP. Sadly, many users never implement all the security available in their devices. If you have a wireless network and you care, look into these:

• If your access point allows you to disable SSID broadcast, disable it. SSID is the name of the wireless LAN that shows up when you browse. Youll have to know the SSID and enter it manually when you connect, but strangers wont know it. Actually Ive read that there are tools that can sniff out wireless LANs with unbroadcast SSIDs, but I havent seen them in action. In any event, not broadcasting SSIDs drastically lowers the profile of your LAN, reducing the probability of an attack.
• Another good idea is to change your WEP password periodically. This is more a roadblock than a real barrier to attackers, but theres no sense in making things easy for them.
• For heavens sake, change the default administrator password on your access point and refresh it periodically. If someone penetrates your network you dont want them to lock you out of it.
• Place your access point at the physical center of the building. This will maximize the broadcast quality inside, but has the added security benefit of minimizing it outside. Many access points, such as many Linksys products, have the ability for the administrator to lower the broadcast signal in their advanced settings. You can use this feature to tune the signal so that it covers your building and as little else as possible.
• Finally, and most importantly, use MAC address filtering on your network to prevent use by any network adapters other than your own. This, especially in combination with the other measures above, will make it difficult for an outsider to make their way onto your network.

Of course, even the most elegant network encryption system has a proven weakness: its users. Unless you want to get into 007 stuff like biometrics, in order for your network to be completely secure, you have to trust your users not to betray their own secrets. Sadly, theres little that the Wi-Fi Alliance can do about that.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983. He is co-author of Linksys Networks: The Official Guide from Osborne.