Protect Your Network

Even the smallest of businesses often see the value in wireless networks and remote access. But securing these technologies can appear difficult; how can any small business expect to enjoy the benefits while avoiding attacks? A few basic precautions are really all that are important.

We've already discussed firewalls. To simplify any remote access deployments, use a product that's not only a good firewall but also includes VPN functionality. Conveniently, ISA Server in SBS Premium Edition helps you configure Windows Routing and Remote Access Services (RRAS) for most popular client-to-server VPN scenarios. PPTP is more than adequate; it's easier to maintain than L2TP+IPsec since you don't need a certificate authority and it works over pretty much all network address translation devices without any configuration, which some of your employees probably have at home. So long as you use good passwords, PPTP as configured by the wizards (MS CHAPv2 authentication, 128-bit RC4 encryption) is safe from cryptographic attacks.

Securing Your Wireless LAN

When we first started writing this book, we knew that in this chapter we'd stake the controversial position that plain old 128-bit WEP was good enough. After all, using the tools available at the time (early 2004), an attacker needed to collect a few gigabytes of data from the air before WEP cracking tools could do their thing. Just changing your key once a month (say, on the first Monday of each month, as an easy-to-establish habit you can put in your calendar) was enough to foil an attacker. To brute force the key, an attacker needed far more data than what a small network usually generated in that time, meaning that an attacker was unable to get enough data to brute force the key before your key-change interval approached. All you needed was a good strong random key created by a key generator. [13]

[13] http://www.warewolflabs.com/portfolio/programming/wlanskg/wlanskg.html has one.

Wow, how things change. The cracking tools have gotten so good [14] that now an attacker needs only about 500,000 frames, which is about 715 megabytes, easily generated in a matter of minutes if you're transferring large amounts of data over your wireless network. Therefore, we urge you to move beyond WEP as soon as you can. Take our advice in the previous paragraph to make your existing WEP better, but plan to move to WPA quickly.

[14] "WEP dead again, part 1" by Michael Ossmann (http://securityfocus.com/infocus/1814). Part 2 wasn't published as of this writing.

Best for small businesses is WPA-PSK (preshared key). Regular WPA requires a RADIUS server, something generally beyond the needs of small businesses; WPA-PSK gives you all the benefits of WPA and allows you to get completely out of the key-management business without needing RADIUS. WPA uses a key-management mechanism called TKIP (Temporal Key Integrity Protocol). You program a preshared authentication key into each access point and client; WPA generates new encryption keys for every frame (packet) of data that passes between clients and access points. That's a lot of encryption, so it's better to use the AES encryption algorithm rather than WEP's RC-4 because AES is so much faster. Change your authentication key every six months. Note also that you need capable hardware. Devices manufactured after August 2003 are required to support WPA and WPA-PSK to receive the Wi-Fi Alliance logo. Older hardware might have firmware updates available; check the manufacturer's Web site.

Oh, and please change the default SSID name in your access point. We see far too many wireless networks called "default" and "linksys." This is nearly the equivalent of hanging out a sign that says "Hack me."
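How the WPA-PSK preshared key is derived, as an added example that is not from the book: IEEE 802.11i computes the 256-bit key from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations), using the SSID as the salt, so a given passphrase produces the same key on every network that shares an SSID such as "linksys". The `audit_wlan` helper and the SSID `Contoso-Office-7` are constructed for illustration.

```python
import hashlib

# SSIDs the chapter calls out as left at factory settings.
DEFAULT_SSIDS = ("default", "linksys")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_wlan(ssid: str, passphrase: str) -> list:
    """Hypothetical helper: list the problems with an access point's settings."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default; the derived key is not unique to this network")
    try:
        wpa_psk(passphrase, ssid)
    except ValueError as err:
        findings.append(str(err))
    return findings


if __name__ == "__main__":
    phrase = "My dog and I went out."  # the chapter's sample pass phrase
    for name in ("linksys", "Contoso-Office-7"):  # second SSID is constructed
        print(f"{name:18} {wpa_psk(phrase, name).hex()}")
        print(f"{'':18} findings: {audit_wlan(name, phrase)}")
```
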

Choosing Good Passwords

Because of the intense debate swirling around passwords, we devoted an entire chapter to the topic earlier in the book. For small businesses, we have two easy recommendations: pass phrases or joined words. A pass phrase would be something like this:

My dog and I went out.

Pass phrases are easy to remember, simple to type quickly, and are complex: the example here has mixed case and a symbol. You can even vary the phrase so that you have a collection of easy-to-remember phrases that are unique for different locations you visit:

My dog and I went to the auction. (auction site)

My dog and I bought some books. (bookstore)

My dog and I got the mail. (Web mail)

My dog and I went gambling. (online casino)

My dog and I admired some art. (porn site)

Joined words also work very well as passwords, for example:

stuck + suppose [15]

[15] This is the very first CompuServe password one of us had, back in 1987. Ah, CompuServe: whatever happened to the good old days, eh?

Like pass phrases, joined words are easy to remember and simple to type. They also have a good amount of complexity because of the symbol.

No matter what you choose, the point is to select something that's both strong and easy to type and remember. Passwords such as dT54*x;j7\]2 are absolutely terrible: they have no associations with their uses, they take forever to type, and they are impossible to remember. Phrases and joined words satisfy all the requirements.
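A generator for joined-word passwords in the style of the example above, with an estimate of their guessing resistance. This is an added example, not from the book; it assumes the words are picked at random from a word list, and the 16-word sample list, the symbol set, and the 7,776-word list size used in the demo are constructed for illustration.

```python
import math
import secrets

# Constructed sample list for the demo; a real list would hold thousands of words.
SAMPLE_WORDS = [
    "stuck", "suppose", "garden", "ladder", "copper", "window", "planet", "button",
    "silver", "market", "bridge", "candle", "forest", "pocket", "rocket", "violin",
]
SYMBOLS = "+-=*&%#@!?"


def joined_words(words=SAMPLE_WORDS, count=2, symbols=SYMBOLS) -> str:
    """Join `count` randomly chosen words with one randomly chosen symbol."""
    if count < 2:
        raise ValueError("need at least two words to join")
    if len(set(words)) < 2 or not symbols:
        raise ValueError("word list and symbol set must not be trivial")
    # secrets draws from the OS CSPRNG; random.choice is not suitable for passwords.
    picks = [secrets.choice(words) for _ in range(count)]
    return secrets.choice(symbols).join(picks)


def entropy_bits(list_size: int, count: int, n_symbols: int) -> float:
    """Bits of entropy when every word and the joining symbol are chosen uniformly."""
    return count * math.log2(list_size) + math.log2(n_symbols)


if __name__ == "__main__":
    print("sample password:", joined_words())
    for size in (len(SAMPLE_WORDS), 7776):
        for count in (2, 3, 4):
            bits = entropy_bits(size, count, len(SYMBOLS))
            print(f"{size:5} words in list, {count} joined: {bits:5.1f} bits")
```
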



Protect Your Windows Network: From Perimeter to Data
ISBN: 0321336437
EAN: 2147483647
Year: 2006
Pages: 219
