Final Wi-Fi Security Tips

Setting Up Security: General Steps

Here are the steps you should first study to understand the general techniques for setting up security:

  1. Make sure your wireless network works without encryption first!

    Wi-Fi gear arrives on your doorstep with WEP disabled by default. You should install a new Wi-Fi network fully, and test it thoroughly, before you attempt to enable WEP.

  2. Change the Service Set Identifier (SSID) value to something other than the factory default.

    What you change this identifier to matters less than simply changing it from the defaults. Hackers will sometimes target a wireless access point that bears a default SSID because they assume that whoever left the default SSID in place will also be careless or simply clueless about passwords and other security measures. It's also wise to use a word or phrase that doesn't carry much information about you or your business. Some hacker may for reasons unclear want to break into a real estate office's network. Therefore, don't use an SSID like 'Uberhaus Realty.' At the other end of that scale, I've spoken with one security consultant who advises against using random character sequences like 'i190shl6k2u.' Why? That's what consultants always recommend to large corporate clients. A totally random SSID, in his opinion, screams out 'Big Organization With Something To Hide.'

    My advice? Use the name of a plant. Coriander. Hollyhock. Jacaranda. Sunflower. Plants are boring. In my later example I'll use 'Nutmeg.'

  3. Turn off all machines containing client adapters before you begin.

    This may be an unnecessary step, but I've heard that some access points get confused if clients are attempting to associate with them while you're setting up WEP. After WEP is enabled at the access point, you'll power the other machines up one at a time and configure WEP on their Wi-Fi client adapters to match the WEP keys you entered at the access point.

  4. Bring up the access point or residential gateway's configuration screen.

    Virtually all access points and gateways use a Web-based configuration system. In other words, you must run a Web browser on the machine connected via Ethernet CAT5 cable to the access point or gateway. Typically (and you'll have to check your vendor documentation here), you type in a nonroutable IP address in its 'raw' form, something like this:

    http://192.168.1.1

    (Your vendor documentation will give you the precise IP address to use.) This should bring up the configuration screen password dialog. Enter your user name and password to log in. (You didn't leave those on the defaults, did you? If so, change them now!)

    Some access points have a second method to access the configuration system: through a serial port on the back of the access point case. The older Cisco Aironet 340 line has this option, which can be useful if you forget your password, as the serial-port link is not password protected. Instead of a Web browser, you need to bring up a serial port window connected to the serial port into which the access point is plugged.

  5. Decide what size key you wish to use.

    Most Wi-Fi products will offer you the choice of two or sometimes three key lengths: 64, 128, or (very recently) 256 bits. Theoretically, the more key length bits, the more secure your Wi-Fi network will be against outside hackers. However, there is one really big gotcha:

    Only the 64-bit key length is fully defined in the Wi-Fi standard. This is a nasty problem that little has been written about. Because encryption using the longer key lengths is not part of the Wi-Fi standard, different manufacturers have used the longer keys in different ways, ways that sometimes make it impossible for Wi-Fi gear from different manufacturers to communicate when using 128 or 256 bit keys. If your access point/gateway and all your client adapters are from the same vendor, you can feel safe in using the largest key length that the vendor offers. If not, you'll have to experiment. First test your network using 64-bit keys all the way around. Once it looks like everything works, set up your access point/gateway with 128-bit keys, and then set your client adapters to 128 bits and see what happens. If the client adapters can't communicate at the higher key length, you may have to fall back to 64 bits. If there's any doubt in your mind about the compatibility of your Wi-Fi gear, set everything up at 64 bits first!

    If your network can only operate using 64-bit keys, don't despair. 64-bit WEP is better protection than most writers have indicated, and with all the completely unprotected networks out there, it's much more likely that a hacker will move on to a nearby unprotected network than attempt to crack yours. This problem will gradually vanish as new security improvements to Wi-Fi like Wi-Fi Protected Access (WPA) are rolled out by Wi-Fi manufacturers.

  6. Determine how to generate the WEP keys you'll need to enter.

    Here we run into an important difference in the way all the various manufacturers implement WEP. The Wi-Fi standard specifies that you need four different keys for WEP. These keys are 10-digit hexadecimal numbers. Hexadecimal (base 16) numbers use the digits from 0 to 9, and for the values 'after' 9 up to 15, the letters A through F. You don't need to know anything more about hexadecimal numbers to turn WEP on. A typical WEP key would thus look something like this: 670DF5BA16.

    You need four of these. You can make them up 'from whole cloth' by jotting down four strings of ten symbols (0 to 9 and A to F), or if your access point has a 'key generator' you can type in a more memorable 'pass phrase' and the key generator will generate a group of four keys from that pass phrase.

    Thankfully, most of the newer Wi-Fi access points have built-in key generators. Some of the older ones do not.

    To tell what system your access point has, go to the WEP screen or tab and see if there is an entry field marked 'password' or 'pass phrase.' If there is, you don't have to manually generate keys. If all you see are entry fields for four keys, get out your pencil and paper and start jotting down four sequences of ten random digits.

  7. Enter the pass phrase or hexadecimal key values.

    Once you find the WEP screen or tab, this will be easy. (I'll show you the screen for the Linksys BEFW11S4 wireless residential gateway in the next section, when we go through it with screen shots.) The main thing to do is be absolutely sure that the pass phrase you enter is the same one you decided to use. In other words, don't misspell your pass phrase when typing it in! Most access points do not force you to type a pass phrase in a second time for verification, even though that would be a good idea. If you type in 'lollapaloosa' instead of 'lollapalooza' the access point will take you at your word. If you later type 'lollapalooza' into the key generators on your client adapters, nothing will work. In encryption keys, a bit is as good as a mile, to murder the old chestnut.

    This goes double (or quadruple, actually!) if you must enter the four hexadecimal key values manually. Write your keys down clearly, then type them in character by character and check each one twice. All four keys in your client adapters must match all four keys in the access point. Get even one digit wrong and things won't work.

    Once everything has been entered, check it character-by-character one last time. Then click either the OK or Apply button (or whatever it is on your particular access point) to store the key values.

  8. Power up your first client computer and enter the keys or pass phrase.

    At this point, your access point is ready to go. Now you need to get everybody else set up with their WEP keys. Power up your first client computer, wait for it to boot, and then bring up its Wi-Fi configuration utility. This utility was installed when you installed the Wi-Fi client adapter. (I'll show you some real screens in the next section.)

    Find the WEP configuration screen or tab, and enter the pass phrase or keys precisely as you entered them into the access point. The one possible snag here is one that I faced long ago: My old Linksys WAP11 access point had a key generator, and the Orinoco Gold PCMCIA card in my laptop did not. So although I easily generated the four keys on the access point by entering a pass phrase, I had to enter the four keys manually into the Orinoco Gold's configuration screen. Again, be careful when typing and check what you type twice.

    Theoretically, when you get them all entered and click the OK or Apply button, your client computer should be in (encrypted) communication with your access point.

  9. Test the connection and repeat for any other clients.

    See if your connection still works. If there are shared drives or printers, copy or print a file. See if you can access the Internet through the wireless link. If you can, go to the next client computer and repeat the process until everybody has the keys and WEP is functioning for all the clients.
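
An added example, not from the book: a Python helper for steps 6 through 8 that generates four random keys instead of hand-picked digits, checks a typed key for length and stray characters (such as the letter O in place of zero), and reports the key slot and digit position where a client's keys differ from the access point's. The 26- and 58-digit lengths for 128- and 256-bit WEP are the common vendor convention and an assumption here; all function names are illustrative.

```python
import secrets
import string

# Hex digits typed per key for each advertised WEP size (assumed vendor convention).
HEX_DIGITS = {64: 10, 128: 26, 256: 58}


def generate_keys(bits=64, count=4):
    """Return `count` random WEP keys as uppercase hex strings."""
    nbytes = HEX_DIGITS[bits] // 2
    return [secrets.token_hex(nbytes).upper() for _ in range(count)]


def normalize(key):
    """Strip separators people add when writing keys down, and uppercase."""
    return "".join(ch for ch in key if ch not in " -:").upper()


def check_key(key, bits=64):
    """Return a list of problems with one typed key (empty list = well formed)."""
    key = normalize(key)
    problems = []
    if len(key) != HEX_DIGITS[bits]:
        problems.append(f"expected {HEX_DIGITS[bits]} hex digits, got {len(key)}")
    bad = sorted({ch for ch in key if ch not in string.hexdigits})
    if bad:
        problems.append("non-hex characters: " + "".join(bad))
    return problems


def compare_key_sets(ap_keys, client_keys):
    """Return 1-based (slot, position) pairs where the client differs from the AP."""
    diffs = []
    for slot, (a, c) in enumerate(zip(ap_keys, client_keys), start=1):
        a, c = normalize(a), normalize(c)
        if len(a) != len(c):
            diffs.append((slot, None))  # length mismatch: retype the whole key
            continue
        diffs += [(slot, i) for i, (x, y) in enumerate(zip(a, c), start=1) if x != y]
    return diffs


if __name__ == "__main__":
    ap = generate_keys(64)
    client = list(ap)
    # Constructed typo: change the last digit of key 3 on the client side.
    client[2] = client[2][:-1] + ("0" if client[2][-1] != "0" else "1")
    print("AP keys:", ap)
    print("Mismatches (slot, position):", compare_key_sets(ap, client))
```

Run it on the wired machine you use to configure the access point, and keep the printed keys off any shared or networked storage.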



Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
EAN: 2147483647
Year: 2005
Pages: 181
