Securing Wireless Network Traffic with Encryption


Although you can use a variety of different methods to improve the overall security of a wireless network, you cannot truly consider a wireless network secure until you implement encryption settings. In the wireless world, two primary methods are used to encrypt network communications:

  • Wired Equivalent Privacy (WEP)

  • Wi-Fi Protected Access (WPA)

Both of these wireless encryption techniques are explored in more detail in the following sections.

Wired Equivalent Privacy

As part of developing the original 802.11b wireless networking standard, the need for a way to protect and secure wireless networks was already well understood. The solution developed to address the problem is called Wired Equivalent Privacy (WEP). As its name suggests, the idea behind this security scheme is to implement protective measures that would make a wireless network just as secure as the wired alternatives.

WEP functions by individually encrypting each and every packet sent between devices across a wireless network. It does this using a 64- or 128-bit encryption key stored on all WEP-enabled wireless devices. In some cases, the access point generates the key value, but you can also configure it manually. Ultimately, each device on the WEP-enabled wireless network must have the same encryption key value configured to securely encrypt and decrypt packets sent and received.

Unfortunately, the technique used to secure WEP encryption keys has proven to be flawed. With the right tools (and enough time), hackers can use a number of popular utilities to capture wireless traffic protected by WEP, crack its encryption key (the same key is used to encrypt all traffic), and ultimately gain access to these secured wireless networks.

Note 

If you're interested in learning more about the vulnerabilities associated with WEP, an excellent analysis is available online at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.

Assuming that WEP is the only encryption option for your wireless devices, use the steps outlined in the following section to configure it on your access point and Windows Vista system.

Implementing WEP Security

To implement WEP on your wireless network, start by configuring the required settings on your wireless access point, as outlined in the following steps:

  1. Select Start > Internet Explorer, or open your preferred web browser.

  2. In the Address box, type 192.168.1.1, or the correct address for your access point make and model. Press Enter.

  3. On the logon screen, type your administrative access password. Click the Login button.

  4. In the administrative interface, look for a section marked Wireless, Wireless Security, WPA, or similar. On the SMC access point used in this example, the WEP encryption settings are configured by selecting Wireless > WEP, as shown in Figure 17-11.

    Figure 17-11: Configure WEP security settings on an access point

  5. In the WEP Mode section, select 128-bit.

  6. In the Key 1 section, type a 26-character key value, using hexadecimal digits only. Valid hexadecimal characters include letters A through F and the numbers 0 to 9. Write this number down for reference purposes, because you'll need it to configure WEP settings on Windows Vista.

  7. Click Save Settings.

  8. As you configure WEP settings, look for a setting in the administrative interface that enables you to specify which types of wireless clients should be allowed to connect to the access point. On the SMC access point used in this example, wireless client types are specified from Wireless Security, as shown in Figure 17-12.

    Figure 17-12: Configuring allowed client types on an access point

  9. In the Allowed Client type list, select WEP Only, or WEP/WPA.

  10. Click Save Settings. If you're using a wireless connection to configure your access point, you will probably lose wireless connectivity until you configure the necessary WEP settings on your Windows Vista system.

Follow these steps to configure Windows Vista to connect to a network that uses WEP encryption:

  1. Select Start > Control Panel > Network Center.

  2. Click Connect To.

  3. On the Connect To A Network window, select the name of your wireless network. A network protected by WEP is listed as a security-enabled network, as shown in Figure 17-13. Click Connect.

    Figure 17-13: Connecting to a wireless network that uses WEP security

  4. On the Type The Network Security Key Or Passphrase screen, enter the WEP key that you configured on your access point and click Connect.

  5. When the Successfully connected window appears, click Close.

Wi-Fi Protected Access

Based on WEP's shortcomings, the Wi-Fi Alliance (the wireless manufacturers' industry group) developed an alternative solution to secure wireless network traffic known as Wi-Fi Protected Access (WPA). Designed as an interim solution while the IEEE's 802.11 working group developed a new wireless security standard, WPA became the de facto standard for securely encrypting traffic on wireless networks.

One of the main benefits of WPA is that it was designed with existing wireless users in mind. Manufacturers of wireless networking equipment could add WPA support to existing devices by supplying new driver files for wireless network cards, and firmware upgrades for access points. As such, you can update almost any wireless device that lacks WPA support to include it, without the need for users to purchase new hardware. For details on upgrading wireless devices to include WPA support, see the sidebar later in this chapter.

Ultimately, the new protocols and security enhancements implemented by WPA make it the best option for securely encrypting traffic sent over a wireless network. For more details on the exact processes that WPA uses to perform its encryption process, see http://www.microsoft.com/technet/community/columns/cableguy/cg1104.mspx.

Note 

In cases where wireless networking devices support both encryption methods, always use WPA or WPA2 as the secure alternative. You can upgrade most WEP-only devices to support WPA. However, in cases where WEP is your only encryption option, you should still use it - the protection that WEP offers is still better than using no encryption at all.

Use the steps outlined in the following section to configure WPA security on your access point and Windows Vista system.

Gearing Up for WPA

Implementing WPA encryption on a wireless network isn't terribly difficult, but you must meet a few prerequisites to take advantage of the security it provides:

  • The wireless access point must include WPA support.

  • The wireless network cards in your Windows Vista systems must use drivers that include WPA support.

To check whether your wireless access point includes WPA support, log on to its administrative interface and review the settings in its wireless security configuration area. If WPA is listed, support is built-in. If WEP is the only wireless security option displayed, you need to download and install a firmware update for your access point, as outlined in the next sidebar.

Although most wireless network card manufacturers now ship their products with driver installation packages that already include WPA support, you often need to update existing drivers. If you find that WPA configuration options do not appear on your Windows Vista system, then you almost certainly need to update the drivers for your wireless network card.

Begin by determining the exact make and model of your wireless network card. You can find this information in Device Manager, accessible from the Computer Management MMC. To open Computer Management, click Start, right-click Computer, and then select Manage. Expand Device Manager > Network adapters, and then right-click your wireless network card and select Properties. If you click the Driver tab, the make and model of your wireless network card is listed, along with its current driver version as shown in the following figure.

With the necessary information in hand, visit the manufacturer's web site and search for an updated driver for your model that includes WPA support. Download the file, and then follow the instructions for installing it as outlined by the manufacturer.

Implementing WPA Security

To implement WPA on your wireless network, start by configuring the required settings on your wireless access point, as outlined in the steps below:

  1. Select Start > Internet Explorer, or open your preferred web browser.

  2. In the Address box, type 192.168.1.1, or the correct address for your access point make and model. Press Enter.

  3. On the logon screen, type your administrative access password and click the Login button.

  4. In the administrative interface, look for a section marked Wireless, Wireless Security, WPA, or similar. On the SMC access point used in this example, the WPA encryption settings are configured from Wireless > WPA, as shown in Figure 17-14.

    Figure 17-14: Configuring WPA security settings on an access point

  5. In the Cipher suite or protocol drop-down menu, select TKIP.

  6. In the Authentication section, select Pre-shared Key.

  7. In the Pre-shared Key Type section, select Passphrase.

  8. In the Pre-shared Key text box, type your passphrase. Follow the same best practices as you would when configuring any strong password. You can find out more about what constitutes a strong password in Chapter 3.

  9. Click Save Settings.

  10. As you configure the WPA settings, look for a setting in the administrative interface that allows you to specify which types of wireless clients should be allowed to connect to the access point. On the SMC access point used in this example, wireless client types are specified from Wireless Security.

  11. In the Allowed client types list, select WPA Only.

  12. Click Save Settings. If you're using a wireless connection to configure your access point, you will probably lose wireless connectivity until you configure the necessary WPA settings on your Windows Vista system.
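
The key material that the WEP and WPA access point steps ask you to type can be generated and checked before you enter it. The following Python sketch is an added example, not from the book: it produces a random hexadecimal key of the length the WEP Key 1 box expects, checks a WPA passphrase, and shows how a passphrase and network name become the 256-bit pre-shared key. The function names, the sample SSIDs and passphrases, and the 20-character recommended minimum are assumptions made for illustration; the PBKDF2 mapping comes from the IEEE 802.11i standard rather than from this page.

```python
import hashlib
import secrets
import string

# Hex digits typed per WEP mode: 10 for 64-bit, 26 for 128-bit (as in step 6 of
# the WEP procedure). The remaining 24 bits of each mode are the per-packet IV.
WEP_HEX_DIGITS = {64: 10, 128: 26}
RECOMMENDED_MIN = 20  # assumed policy threshold for this example, not a WPA rule


def new_wep_key(mode_bits=128):
    """Return a random hex key instead of a hand-picked, guessable pattern."""
    return secrets.token_hex(WEP_HEX_DIGITS[mode_bits] // 2).upper()


def is_valid_wep_key(key, mode_bits=128):
    """True if the key has the right length and only the characters 0-9, A-F."""
    return (len(key) == WEP_HEX_DIGITS[mode_bits]
            and all(c in string.hexdigits for c in key))


def check_passphrase(passphrase):
    """Return a list of problems with a WPA passphrase; empty means acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must contain printable ASCII characters only")
    if len(passphrase) < RECOMMENDED_MIN:
        problems.append("shorter than the recommended minimum for this example")
    return problems


def derive_psk(passphrase, ssid):
    """Passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    print("WEP 128-bit key:", new_wep_key(128))
    sample = "correct horse battery staple 42"   # constructed sample passphrase
    print("Passphrase problems:", check_passphrase(sample) or "none")
    # The same passphrase yields a different key on each network name.
    for ssid in ("HomeNet", "HomeNet-5G"):        # constructed sample SSIDs
        print(ssid, derive_psk(sample, ssid).hex())
```

Because the pre-shared key depends only on the passphrase and the network name, the passphrase is the only secret protecting the network, which is why step 8 asks for one chosen like any strong password.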

Tip 

If you make a mistake when configuring WPA settings and find yourself locked out of your access point, consult the manual supplied with the device. Most access points include a reset button that you can press to restore the device to its original factory settings.

Upgrading Router Firmware

If your wireless access point doesn't currently include WPA support, chances are that you can add it at no cost via a firmware upgrade. Firmware is the code (similar to an operating system) stored on a router that determines its features and capabilities. Manufacturers regularly post updated firmware files on their web sites for their various access point models.

In some cases, you must download a dedicated utility to perform the upgrade. However, many access points include a built-in tool for updating to the latest firmware version. For example, the SMC access point used in this chapter includes such a tool under Tools > Firmware Upgrade, as shown in the following figure.

In this case, you would download the latest firmware version from the manufacturer's web site, and then use this tool to upload it to your access point.

Prior to upgrading your access point's firmware, it's important to ensure that you have its correct make and model number handy, as well as details about its current firmware version. You can usually find this information in the access point's administrative interface in a section named System.

Beyond adding new features, firmware updates are also released for the purpose of addressing known security issues. As a general rule, you should check for firmware updates to your wireless access point at least once every 2–3 months.

Follow these steps to configure Windows Vista to connect to your WPA-protected wireless network:

  1. Select Start > Control Panel > Network Center.

  2. Click Connect To.

  3. On the Connect To A Network window, select the name of your wireless network. A network protected by WPA is listed as a Security-enabled Network. Click Connect.

  4. On the Type The Network Security Key Or Passphrase screen, enter the WPA passphrase that you configured on your access point as shown in Figure 17-15 and click Connect.

    Figure 17-15: Connecting to a wireless network using WPA security

  5. When the Successfully Connected window appears, click Close.

Note 

The next generation of WPA, known as WPA2 or 802.11i, has recently been standardized and is already being implemented in newer wireless networking devices. WPA2 uses the Advanced Encryption Standard (AES) for data encryption, and the necessary support for this new version is built into Windows Vista. Where many older wireless access points could be upgraded to support WPA via nothing more than a simple firmware update, the same is not necessarily true for WPA2. You may be able to add WPA2 support to newer access points by installing new firmware, but many older devices do not have the necessary hardware capabilities to handle AES encryption and you will need to replace them. If you're in the market for a new wireless access point, consider a model that includes WPA2 support, or one that you can update to include it. As the new wireless encryption standard, WPA2 represents an excellent long-term investment in the continued security of your wireless network.




PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
