Secure That Wireless Network

Michael Rhodes, Director of Technology
High Meadows School
Roswell, Georgia

At the November 2005 GaETC Conference I attended three different presentations, all by Brent Williams, regarding wireless networks. Brent took us through the need for wireless networks, the future of wireless networks, and the ease with which they can be cracked. Schools are going wireless, and if you are a network administrator, or just plan to set up a wireless network in your home, there are a few things you should know. Wireless networking appears to be easy, and truth be told, it is - maybe too easy. With Windows XP SP2’s sophisticated wireless client software, you can purchase a SOHO (Small Office/Home Office) AP (Access Point) and a wireless card or USB device, plug them in, and they will probably work right out of the box. Problem is, some of those default settings you just accepted can make your systems and your data very vulnerable.

Wireless traffic is flying through the air and can be easily received and read by anyone interested. All it takes is for someone with a wireless card that has a promiscuous mode driver (i.e. the driver looks for all traffic, not just traffic directed at it – and there are many of these), running programs like Netstumbler and Ethereal, to be in range of your AP, and they can detect, grab, and read everything being passed between your workstations and your AP. Data such as student IDs, passwords, credit card numbers, grades, and teacher emails can be easily read. And with a unidirectional gain antenna this can be done from half a mile away.

Maybe you’re thinking, “Sounds like CIA, Secret Service, Mission Impossible kind of stuff, who would care to do that to my school or home?” The most common crackers are teenage boys trying out programs they downloaded off the internet. The computer and the wireless card are things their parents (or the school) bought them for learning. The software is free. Even that long range antenna can be purchased for about $40 (or home built with a Pringles can and less than $10 worth of stuff from Radio Shack).

Does this mean wireless networks cannot be secured, and therefore, should not be used? Not at all, but you need to take certain steps to secure your wireless network.

  • Turn off broadcasting of the SSID. This will keep someone (including you) from just coming in range (remember the antenna I mentioned) and “seeing” your AP. Instead they will first have to configure their wireless client with the “secret” SSID so it can look for it. This will help a great deal in a home network. However, in a school setting, you are probably going to give your SSID to your users (i.e. students) who often turn out to be your biggest cracking threat.
  • Turn on encryption, but don’t bother using WEP. WEP is broken: anyone who has the knowledge to run the above programs will also download readily available free programs like Aircrack that crack WEP. Also, WEP does not use per-session keys, so once someone cracks or knows the WEP key, ALL data can be read by them. Instead use WPA or, even better, WPA2. WPA2 just came out in late 2004 and is not as widely available as WPA. If your AP does not support either, try getting a firmware update from the manufacturer’s website. If that does not work, obtain a new AP that supports WPA2. When you turn on WPA or WPA2 you assign a passcode to the AP and give it to the clients you want to connect to your network. When the client connects with the accepted passcode, the AP and client agree on an encryption key good just for that session, so even if someone does crack or know the passcode they cannot read other users’ data. Note: WPA has been cracked; WPA2 as of Oct. 2005 has not been cracked. But don’t worry if all you have is WPA. The only way to crack it is a brute force dictionary crack. So if you make your passcode long (at least 16 characters) and have it contain upper case, lower case, and symbols, you should not have anything to worry about.
  • Another method, which is extremely secure but not usually practical in a home network environment, is setting up 802.1x EAP. In this case the AP looks to a backend server for user authentication; if the client is not authenticated, the AP refuses to “talk” to the client. This uses the same encryption as WPA, so easy passwords could still be cracked. Using 802.1x EAP requires a RADIUS server (the backend authenticating server), which MS Server 2000/2003 has built in (called IAS – you have to turn the service on and set it up), but MS XP Pro does not.
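
The passcode rule from the WPA bullet above (at least 16 characters with upper case, lower case, and symbols) written as a check, together with the standard key derivation that WPA and WPA2 personal mode run on the passcode; this is an added example, not part of the original article. The function names, sample passcodes, SSID, and site words are constructed for illustration.

```python
import hashlib
import math
import string

def derive_psk(passcode: str, ssid: str) -> str:
    """Hex of the 256-bit key WPA/WPA2 personal mode derives from the passcode."""
    if not 8 <= len(passcode) <= 63:
        raise ValueError("WPA passcodes are 8 to 63 characters long")
    # PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passcode.encode(), ssid.encode(), 4096, 32).hex()

def check_passcode(passcode: str, site_words=()) -> list:
    """Problems measured against the article's rule; an empty list passes."""
    problems = []
    if len(passcode) < 16:
        problems.append("shorter than 16 characters")
    if not any(c.isupper() for c in passcode):
        problems.append("no upper case letter")
    if not any(c.islower() for c in passcode):
        problems.append("no lower case letter")
    if not any(c in string.punctuation for c in passcode):
        problems.append("no symbol")
    # Words tied to the site (SSID, school name) are early guesses in a dictionary run.
    for word in site_words:
        if word and word.lower() in passcode.lower():
            problems.append("contains site word: " + word)
    return problems

def search_space_bits(passcode: str) -> float:
    """Upper bound on guessing work, valid only if characters were picked at random."""
    pool = 0
    pool += 26 if any(c.islower() for c in passcode) else 0
    pool += 26 if any(c.isupper() for c in passcode) else 0
    pool += 10 if any(c.isdigit() for c in passcode) else 0
    pool += len(string.punctuation) if any(c in string.punctuation for c in passcode) else 0
    return round(len(passcode) * math.log2(pool), 1) if pool else 0.0

if __name__ == "__main__":
    # Constructed sample passcodes and site words, not taken from any real network.
    for candidate in ("Hilltop2005", "Gr8!Owl-Tr1es-2-Read#"):
        print(candidate, check_passcode(candidate, ("hilltop",)),
              search_space_bits(candidate), "bits")
    print(derive_psk("Gr8!Owl-Tr1es-2-Read#", "ExampleSchoolAP"))
```

Because the SSID is the salt, the same passcode produces a different key on a differently named network, so a factory-default SSID gives up that benefit.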

Do not use MAC address lists, which can be set up on almost any AP. MAC address lists are broken just like WEP. When a legitimate workstation (i.e. one whose “unique” MAC address is registered in the AP) connects to an AP, the MAC address is visible to anyone running a “sniffer” program. With the right client software (which is free), they can make their wireless card appear to have that MAC address so they can connect to your AP.

In short, if you are going to have wireless networking, be sure to enable WPA (with a long passcode) or WPA2.

