WIRELESS SECURITY ISSUES


WIRELESS SECURITY LIMITATIONS

The Annoyance:

I'm a total security freak. In fact, I approach paranoia when I configure security for my computers and network. For my wireless network...

The Fix:

STOP RIGHT THERE! If you're that serious about security, you don't want wireless technology on your network. A wireless network has an "intrusion possibility" factor that's much higher than any wired network (Ethernet, phoneline, or powerline). To get into a wired network, an intruder needs to come into your house and connect to the wired network. You'd probably notice that. Getting into a wireless network is much easier because it can be accomplished without anyone noticing. The security features available for wireless networks don't overcome that security gap. Keep your network hardwired or you'll probably have a nervous breakdown!

WIRELESS TRANSMISSION ENCRYPTION SCHEMES

Encryption is an essential tool for wireless communications because without it, any intruder can intercept and read your transmissions. For wireless home networks, two encryption schemes are available: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA).

All wireless network equipment manufacturers offer WEP. To use WEP, you enter a key of 10 or 26 characters into all the devices involved in the wireless network (each computer, access point, and wireless router), following the instructions from the manufacturer. The devices use the WEP key to identify each other (it's essentially a password). They also use the key to encrypt and decrypt the data they send and receive. The key isn't "friendly," which means it's not words or plain characters. It's a complicated series of hex characters, which means you have to enter text such as 64B7XACAC9104B0X98841R9545 on every device without any typos (if one character is wrong or missing, the key doesn't match the other devices).

A newer encryption system called WPA is more secure and easier to use. The key you enter can be regular text. In addition, the key you enter is only the starting point of encryption and password protection. The devices use that key to create a series of extremely complex keys. All the wireless devices generate new keys periodically, secretly exchanging the information among themselves automatically.
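The two key formats described above, as an added Python example (not from the book): it checks that a WEP key is 10 or 26 hex digits and reports any mistyped characters, then derives the 256-bit WPA pre-shared key from a text passphrase, which WPA-Personal defines as PBKDF2-HMAC-SHA1 salted with the network name (SSID). The function names and the sample keys, passphrase and SSID are constructed for illustration.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)  # 0-9, a-f, A-F


def check_wep_key(key):
    """Return (key_bits, bad) for a WEP key typed as hex.

    key_bits is 40 for 10 hex digits, 104 for 26, None for any other length.
    bad lists (position, character) for every character that is not hex,
    counting positions from 1 as a person reading the key would.
    """
    bad = [(i, c) for i, c in enumerate(key, start=1) if c not in HEX_DIGITS]
    key_bits = {10: 40, 26: 104}.get(len(key))
    return key_bits, bad


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA pre-shared key from a text passphrase.

    This is only the starting key; the per-session keys that the devices
    rotate are negotiated from it and are not modelled here.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    # SSID is the salt; 4096 iterations; 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Constructed 10-digit key: valid, 40-bit.
    print(check_wep_key("A1B2C3D4E5"))
    # The 26-character sample string printed in the text: right length,
    # but X and R are not hex digits, so a hex-only entry field rejects it.
    print(check_wep_key("64B7XACAC9104B0X98841R9545"))
    # Constructed passphrase and SSID.
    print(wpa_psk("correct horse battery", "HomeNet-5F2A").hex())
```

Because the SSID is the salt, the same passphrase produces a different key on a network with a different name.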


WEP DISABLED BY DEFAULT

The Annoyance:

I want to set up my WEP key, but I can't figure out where or how to perform this chore. Why is it so hard to find?

The Fix:

By default, wireless device manufacturers disable (hide) WEP. To turn it on, you need to read the instructions that came with the device. Isn't this annoying? I asked representatives of two manufacturers about this decision and received similar answers from both of them: "Configuring WEP is complicated and prone to errors, so we decided to disable it as the default mode." Right, I see, so it's better to let your customers send data that can be intercepted by anyone in the vicinity who has a wireless adapter.


Warning: Most manufacturers with devices that support WPA encryption hide it (just like they hide the WEP feature). Currently, only Linksys (not Belkin, D-Link, or Netgear) lets you enable WPA during the setup wizard. Hopefully, the others will change their approach soon.

WPA SUPPORT IN WINDOWS XP

The Annoyance:

I want to use wireless technology for my Windows XP laptop. I'm interested in using WPA encryption, but Windows XP doesn't appear to support it. I'm really annoyed because I was told that Windows XP provided the best support for wireless security.

The Fix:

You haven't been keeping up with Windows updates. WEP support was introduced in Service Pack 1. Service Pack 2 is now available, which incorporates all the enhancements in SP1, and adds even more robust support for wireless communications and wireless security.

WIRELESS DEVICES DON'T SUPPORT WPA

The Annoyance:

I installed a wireless network about six months ago, but the adapters and router don't support WPA. It's really annoying to have to replace practically brand-new equipment just to have better security.

The Fix:

You don't have to replace the equipment because most (probably all) manufacturers provide free hardware upgrades. A hardware upgrade is called a firmware upgrade, and the file is downloaded to the device. Go to the support section of the manufacturer's web site and look for a link to "downloads." You'll be asked for your model number and operating system. The downloaded file is compressed (it's usually a zip file). If the file package doesn't include installation instructions, look on the web site.


Warning: Manufacturers offer firmware downloads to enhance many hardware features in most versions of Windows. For firmware that includes WPA support, you'll probably find that only Windows XP is supported.

Tip: The Wi-Fi Alliance web site (www.wi-fi.org) has a list of the equipment certified for WPA support.

AD HOC MODE VERSUS INFRASTRUCTURE MODE

Wireless networks can operate in either ad hoc mode (computer-to-computer) or infrastructure mode (all wireless devices connect to an access point).

In ad hoc mode, computers communicate directly with each other. The only configuration (and security) option you have is to select a communications channel.

In infrastructure mode, all the computers must be configured to connect to the access point. Wireless routers offer a built-in access point, but you can also buy standalone access points. (An access point can help strengthen the speed and distance of the wireless signal.) The access point is configured for a Service Set Identifier (SSID), which is a name you provide. All the computers that connect to the access point must use the same SSID. This is very much like naming your workgroup: all the computers must have the same workgroup name to participate in the network.


USING DEFAULT SETTINGS IS A BAD IDEA

The Annoyance:

I added a wireless computer and an access point to my wired home network. I set up the computer for infrastructure mode. When I booted my computer, Windows XP announced it had found the wireless network, which is really nifty (and now I know why people say Windows XP has great built-in support for wireless networks). Unfortunately, the computers on the network aren't in my house. I finally found out I was accessing my neighbor's wireless network. How is this possible?

The Fix:

Scary, huh? Have you thought about the fact that your neighbor can get to your network, too? You and your neighbor are using the default network settings and Windows XP found your neighbor's signal first. Are your computer and access point near a window that faces your neighbor's window?

Your workgroup is probably still named MSHOME, your SSID is the default identification string, and you're using the default wireless channel for the signal. Each part of that statement represents a mistake you made. Reconfigure your network immediately! Give every network and security setting a unique value.


Warning: Wireless hackers go down streets and through buildings (apartment houses and business structures) with their wireless computers configured for default settings. That configuration gets them into more than half of the existing wireless networks. Change the default settings, people!

Tip: Access points and routers require passwords to enter the setup feature to change the settings. Don't forget to change the default password.

WIRELESS SECURITY SETUP ISN'T SECURE

The Annoyance:

To establish the connection between a wireless adapter and the access point for the first time, it's necessary to enable broadcasting of the access point's SSID, which is usually not broadcast for security purposes. In other words, to enable security, you first need to make the connection insecure. That makes no sense.

The Fix:

I agree, and I wish I had an easy workaround for this problem. All I can say is "work fast." Or, bring all the computers and access points (including the wireless router) into a room that has lead walls, and then set up your security.

SECURITY FOR LAPTOP COMPUTERS

The Annoyance:

I read an article about someone who lost his laptop at a convention. The computer was filled with secret information about his company's plans and financial situation. I take my laptop to client offices, meetings, airports, and so on. I have a lot of sensitive, private information in the documents, which I need to conduct business. Do I have to chain the laptop to my neck to make it secure?

The Fix:

Laptop security is an enormous problem because the risk of loss or theft is very high. In addition to sensitive documents, many laptops have cookies to web sites where you store credit card numbers and passwords. The trick is to make sure the information on the laptop can't be read by anyone except you. Here are some guidelines:

  • Don't save passwords on web sites.

  • Use a complicated logon name and a more complicated password to log on to the computer. The logon name and password should contain both numbers and letters.

  • If you have to step away from the computer, even for a couple of seconds, log off.

  • Laptops should be running Windows 2000 or Windows XP with the NTFS filesystem, so you can take advantage of the Windows Encrypted File System (EFS) feature.

  • Use EFS to encrypt all the documents in all the folders that hold documents.

  • Never take your laptop on the road until you've backed up the encrypted files and encryption key.

EFS encrypts files using a complicated, hard-to-break encryption algorithm. When a file is encrypted, all reads and writes to the file are decrypted and encrypted transparently to the user who encrypted the file (the logged-on user). If another user logs on to the computer and tries to open an encrypted file, an Access Denied error appears because the user does not possess a key to decrypt the file.

You can copy your EFS key to a floppy disk and keep it in your office or at home. If your laptop goes missing, you can use the key to work on the backup files you made before you took the laptop out. You can learn more about EFS on Microsoft's web sites.



    Home Networking Annoyances: How to Fix the Most Annoying Things about Your Home Network
    ISBN: 0596008082
    EAN: 2147483647
    Year: 2006
    Pages: 90
    Authors: Kathy Ivens