Lesson 2: Securing Wireless Networks

To combat the obvious security problem associated with allowing unencrypted, unauthenticated communications with the network, the IEEE designed the Wired Equivalent Privacy (WEP) encryption protocol for use in 802.11 networks. This lesson discusses WEP and its appropriate use, and teaches you how to configure it in Windows XP clients.

Windows XP is the first operating system to include support for wireless networks and protocols such as WEP and 802.1x. To use these protocols in earlier operating systems, you must use vendor-supplied drivers.

To complete this lesson, you will need

  • A wireless access point

  • A laptop computer running Windows XP with a wireless network adapter


After this lesson, you will be able to

  • Understand the capabilities and limitations of WEP

  • Configure WEP to prevent illicit attachment to your wireless networks

Estimated lesson time: 20 minutes


Understanding Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) is the original security protocol for 802.11b WLANs. There are two components to WEP:

  • Authentication, which can be Open (all clients accepted) or Shared Key (only clients possessing a valid key can attach to the WLAN).

  • Encryption, which uses RC4 stream encryption to encrypt the data portion of the packets.

Authentication in WEP is simple to configure:

  • If you want to allow any client to attach, select Open authentication.

  • If you want to control which clients can attach, select Shared Key authentication.

    In Shared Key authentication mode, the WAP and the client go through a challenge-response cycle very similar to NTLM authentication, using the WEP encryption key as the shared secret key.

    WEP is simply secret-key-based RC4 stream encryption at the data-link layer using a fixed key length of 40, 128, 154, or 256 bits. (Supported key lengths vary somewhat among manufacturers, but these are the most common.)

To establish WEP, you need to install the same secret key in each WAP throughout your enterprise, either individually or by using some manufacturer-supplied management software, and then install that key in each client. There is no standard mechanism for distributing secret WEP keys to clients or WAPs.

When you configure WEP for shared secret key authentication, WAPs automatically deny access to any client that does not have the correct secret key. This prevents unauthorized users from connecting to the wireless network.
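
A simplified sketch of the Shared Key exchange described above, added here as an example and not taken from the original lesson or from any vendor's firmware: the WAP issues a cleartext challenge, the client returns it RC4-encrypted under a per-frame IV prepended to the shared key, and the WAP accepts only if its own key decrypts it correctly. Function names are hypothetical, the keys are constructed, and the frame is reduced to IV, challenge, and CRC-32 check value (other management-frame fields are omitted).

```python
import os
import secrets
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def parse_wep_key(hex_key: str) -> bytes:
    """Accept 10 hex digits (40-bit) or 26 hex digits (104 bits; 128 with the IV)."""
    key = bytes.fromhex(hex_key)  # raises ValueError on non-hex input
    if len(hex_key) not in (10, 26) or len(key) * 2 != len(hex_key):
        raise ValueError("WEP key must be exactly 10 or 26 hex digits")
    return key

def client_response(key: bytes, challenge: bytes) -> bytes:
    """Client side: encrypt challenge + CRC-32 check value under IV || key."""
    iv = os.urandom(3)  # 24-bit per-frame IV, sent in the clear
    icv = zlib.crc32(challenge).to_bytes(4, "little")
    return iv + rc4(iv + key, challenge + icv)

def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """WAP side: decrypt with its own key, then check CRC-32 and challenge text."""
    iv, body = response[:3], response[3:]
    plain = rc4(iv + key, body)
    text, icv = plain[:-4], plain[-4:]
    return (icv == zlib.crc32(text).to_bytes(4, "little")
            and secrets.compare_digest(text, challenge))

def demo():
    ap_key = parse_wep_key(secrets.token_hex(13))     # constructed 26-digit key
    other_key = parse_wep_key(secrets.token_hex(13))  # client holding a different key
    challenge = os.urandom(128)                       # WAP's cleartext challenge
    return (ap_verify(ap_key, challenge, client_response(ap_key, challenge)),
            ap_verify(ap_key, challenge, client_response(other_key, challenge)))

print(demo())
```

The exchange proves only that the client device holds the key; nothing in it identifies the user.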

Security Problems with WEP

WEP is vulnerable to brute-force attacks at shorter key lengths, and it is also vulnerable to differential cryptanalysis attacks. Differential cryptanalysis is the process of comparing an encrypted text with a known portion of the plaintext and deriving the key by computing the difference between them. This isn't as easy as it sounds, and it requires an attacker to know that an encrypted text matches a specific portion of a plaintext. Because WEP encrypts TCP headers, hackers know what the headers should contain in many cases, and they can attempt to find patterns in a large body of collected WEP communications in order to recover the key. The attack is complex and difficult to automate, so it is unlikely to occur for most networks, especially at key lengths greater than 128 bits.

A new WEP protocol is in development that will support automatic re-keying, which limits the lifetime of a WEP key, thus defeating brute-force attacks.

Nothing about WEP prevents someone from attaching a hidden WAP on the network somewhere and using it to exploit the network. While it's unlikely that an intruder would do this, it's likely that an employee might do it without understanding the security implications. To defeat this attack requires 802.1x, which is discussed in Lesson 3.

There's nothing technically complicated about establishing WEP on small networks. However, you must individually key most WAP devices and clients with WEP keys. Keeping shared secret keys private in a large enterprise requires rigorous IT procedures and can dramatically increase the workload on IT workers. Managing WEP encryption on a device-by-device basis can be daunting.

Wide-scale deployment of WEP encryption can be made simple only by selecting wireless equipment designed for enterprise environments, which includes management utilities to automatically deploy WEP secret keys. These utilities are proprietary and vary widely from one vendor to another.

Managing WEP on the Client

Prior to Windows XP, you configured WEP encryption by modifying the wireless adapter's driver configuration. Windows XP allows these properties to be managed directly by the operating system through the Network Connections control panel.

The device's driver must conform to the operating system's requirements to be properly managed. A number of devices do not conform and can be configured only by setting driver properties directly, or by making the required configuration settings both in the driver configuration and in the Wireless Networks tab of the Network Connections Properties dialog box. If you find you have problems getting WEP encryption working correctly using Windows configuration, and you know you've set the shared key correctly, follow the manufacturer's instructions to configure driver settings directly.

Practice: Establishing WEP Encryption

In this practice, you configure WEP encryption and authentication on the WAP and in a Windows XP client. In this example, a Proxim Harmony 802.11a CardBus adapter is used, but the same procedure should work with any wireless adapter that has passed Windows XP logo requirements.

Exercise 1: Configuring Security on the Wireless Access Point

The first step towards securing wireless access is controlling administrative access to the WAP. This is normally done on a device-by-device basis using a Web-based management console.

Once access to the WAP has been secured, you can enable WEP encryption. In this exercise, you use Shared Key authentication and configure the WAP for 128-bit encryption, the largest size supported by both the card and the WAP in this case.

To change the user name and password

  1. On the wireless client computer, open Internet Explorer and browse to http://192.168.241.254 or the IP address of your WAP. The WAP management page appears.

  2. Expand Access Point and Security.

  3. Click Change Logon Info. The logon prompt appears.

  4. Type Intel as the Name and Password. The Change Login Info page appears, as shown in Figure 10-8.

    Figure 10-8. Changing the default account name and password on the WAP

  5. Type Admin as the User Name, and type the same password in the System Password and Confirm System Password boxes.

  6. Click Apply.

To configure WEP settings

  1. Click WEP Settings 802.11a. The logon prompt appears.

  2. Type Admin and your password, and click OK. The WEP Settings 802.11a page appears, as shown in Figure 10-9.

    Figure 10-9. Configuring Wired Equivalent Privacy in a WAP

  3. For the Authentication Type, select Shared.

  4. Select Enabled in the WEP (Privacy) list box.

  5. In the WEP Key 1 list box, type a random 26-character hexadecimal key (0..9, a..f).

  6. Click Apply.

  7. When the approval message box appears, click OK.

  8. Click Restart AP.

  9. When a Restart Access Point message appears, click OK.

    You will find that you are unable to reload the management page. Why?

  10. Close Internet Explorer.

Exercise 2: Configuring WEP on the Client

A Wireless Network Unavailable balloon should appear in the system tray. This exercise walks you through configuring WEP on the client.

To configure WEP on the client

  1. Right-click My Network Places, and click Properties. The Network Connections window appears, as shown in Figure 10-10.

    Figure 10-10. The Network Connections window in Windows XP

  2. Right-click Wireless Network Connection 3, and click Properties. The Wireless Network Connection 3 Properties dialog box appears.

  3. Click the Wireless Networks tab, as shown in Figure 10-11.

    Figure 10-11. The Windows XP Wireless Network Connection 3 Properties dialog box

  4. Click Configure. The Wireless Network Properties dialog box appears, as shown in Figure 10-12.

    Figure 10-12. Enabling WEP in the Wireless Network Properties dialog box

  5. Select the Data Encryption (WEP Enabled) and Network Authentication (Shared Mode) check boxes.

  6. In both the Network Key box and the Confirm Network Key box, type the same WEP encryption key that you typed into the WAP in step 5 of the previous procedure.

  7. Click OK to close the Wireless Network Properties dialog box.

  8. Click OK to close the Wireless Network Connection 3 Properties dialog box. A balloon appears indicating the TestWLAN network is available and showing the signal strength, as previously shown in Figure 10-7.

  9. If the balloon appears indicating that wireless networks are available, in the Network Connections window, right-click the Wireless Network Connection 3, and click Disabled. After the connection is disabled, right-click it again, and click Enabled. If you do not see a balloon indicating that the network is available, you need to re-type your WEP encryption key and ensure that shared authentication is enabled.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. What does WEP stand for, and why was that name chosen?

  2. What types of authentication are supported?

  3. What encryption algorithm is used to encrypt WEP payloads?

  4. What common key lengths are available for use with WEP?

  5. Is there a standard protocol used to establish WEP secret keys among all WAPs in an enterprise?

Lesson Summary

  • WEP provides security for wireless connections through data payload encryption and optional authentication, using RC4 stream encryption with 40-bit, 128-bit, 154-bit, and 256-bit keys, as well as various less common key lengths.

  • WEP has a number of security vulnerabilities, especially at shorter key lengths where brute-force attacks are useful. WEP validates only the computer, not the user, and has no support for automatic re-keying.

  • In Windows XP, wireless client settings can be managed by Windows rather than requiring the user to directly modify variables in the driver configuration. This allows the operating system to control security for the client.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
EAN: 2147483647
Year: 2003
Pages: 82
