Wireless is great because it gives you mobility – you can get your work done just about anywhere these days (which is both a good and a bad thing)! But there is an inherent drawback to mobility as wireless traffic is unbounded. It flows in all directions and eavesdropping on private conversations is both easy and undetectable. If you don’t have encryption on your wireless network in place and you have expectations of privacy, well… that’s about the equivalent of shouting intimately personal details in a crowded restaurant and getting upset when people hear you and take notes.
There are many different ways to encrypt your wireless network, but some methods are better than others, and of course they are all obfuscated by IT’s love of acronyms. In this blogpost, I’ll try to outline all the common wireless security options and help you select an encryption method that will secure your network without adding an undue amount of complication.
Wired Equivalent Privacy (WEP):
WEP was the first wireless encryption method, defined in the original IEEE 802.11 standard in 1997. This encryption standard requires the use of matching transmission keys on both the client and the access point. It’s important to note that the standard WEP implementation does not create dynamic encryption keys for each security association, and that WEP can easily be cracked. WEP has two primary weaknesses – a portion of the seeding material used for encryption is sent in cleartext and can be intercepted, and WEP packets can be tampered with due to the weak data integrity check implemented.
To be blunt, don’t use WEP if you can help it. Beyond the obvious security issues, networks that use WEP can’t transmit above 54Mbps – so not only are your communications insecure, they’ll be slow too! If you are forced to use WEP because you have legacy clients require it, you should add additional security through MAC filtering, SSID cloaking, and heavily restricted internal network access.
Wi-Fi Protected Access (WPA):
After WEP was found to have significant security flaws, there was a scramble to shore up the security gap. TKIP encryption was introduced as a result and it was rolled up into the WPA security standard. TKIP addresses many of the issues that WEP had – dynamic encryption keys are generated and significant changes were made to reduce the possibility of tampering. HOWEVER, WPA still uses the weaker ARC4 algorithm that WEP implemented.
As a result, WPA does offer increased security over WEP, but it is still not considered a robust security option. And much like WEP, WPA networks are stuck at 802.11g data rates.
Wi-Fi Protected Access 2 (WPA2) Personal:
WPA2 was introduced in the 802.11i security amendment in 2004. WPA2 uses Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol (CCMP) as the security protocol, and it provides encryption that is considerably stronger than WEP or WPA. We highly recommend that enterprises use either WPA2 Personal or WPA2 Enterprise security for wireless networks.
WPA2 Personal uses a shared passphrase that can range from 8 to 63 characters as the authentication method. If a user knows the passphrase, they will be able to join the WPA2 Personal network. This passphrase is then seeded with the SSID and hashed into a full 256-bit encryption key that serves as a master key for encryption.
WPA2 Personal is very easy to implement and it is widely supported. WPA2 Enterprise (which will be discussed next) offers a stronger level of security than WPA2 Personal… but WPA2 Enterprise requires additional infrastructure and configuration to work effectively, so WPA2 Personal is still commonly used by smaller businesses. Because WPA2 Personal uses a common seeding element (the passphrase) for the dynamic encryption sessions from AP to AP, it is susceptible to a dictionary attack and conversations can be decrypted if the passphrase is compromised and a client’s four-way handshake captured with a packet sniffer.
To shore up defenses against a dictionary attack, it’s important to choose a strong passphrase. The longer and more varied the passphrase chosen, the greater the inherent entropy, and the more difficult it is to crack through brute force. When using WPA2 Personal, be sure to set passphrases of at least 20 characters with upper case, lower case, numbers and symbols included. Try to avoid using common phrases or sequences and refresh these passphrases regularly. Most important of all, educate your users about the danger of social engineering attacks.
Wi-Fi Protected Access 2 (WPA2) Enterprise:
WPA2 Enterprise uses the same strong level of encryption that WPA2 Personal uses, but it does not use a passphrase for authentication. Rather, WPA2 Enterprise utilizes an EAP exchange via the 802.1X framework. There are many flavors of EAP available (and this is something that I’ll get into in a future blogpost) and all kinds of fun things you can do with RADIUS, but the key takeaway is this… on a WPA2 Enterprise network, each client connecting will have their own unique credential. This can take many forms – it can be a token, a username / password combination, or even a client certificate.
Because each authentication uses unique seeding material, the encryption used in WPA2 Enterprise is much more resilient against attacks than WPA2 Personal. WPA2 Enterprise does require some extra legwork to get up and going, but it is the best security method currently available and we highly recommend it for any large corporation.
Other Methods – SSID Cloaking, MAC filters, and VPNs.
There are other less “official” methods of securing your WLAN as well – I’ll review them briefly here.
SSID cloaking is the act of “hiding” the name of your network from users. Essentially, the SSID name is stripped out of the beacon and probe response frames. This can stop regular users from trying to connect, but this is not a strong security method… because the beacon frames are still broadcasting merrily along (just with null information in the SSID field), and anyone with a protocol analyzer will be able to find the name of the network by eavesdropping on someone else’s conversations, as the SSID is transmitted in cleartext. This adds another layer of security, but it is a very thin layer and it can cause erratic client behavior in rare situations.
MAC Filtering is the act of restricting clients by their MAC address. This can help shore up security on a network where the clients don’t support newer security measures – for example, you can have a network dedicated for warehouse scanners that uses WEP security combined with MAC Filtering. While this is an annoying roadblock for malicious hackers, this still isn’t a strong security mechanism. L2 information is sent out in cleartext on a wireless network and someone with a little know-how can spoof a MAC address that is on the whitelist. You should add this to your bag of tricks if you have to use WEP.
VPNs offer another layer of encryption to network traffic. When the weaknesses of WEP were first discovered, VPNs were commonly used as a stopgap to provide data encryption over a wireless network. Today VPNs are primarily used to protect wireless traffic that flows across an unencrypted guest network. If the wireless network doesn’t require a passphrase or credentials, your traffic is flowing in cleartext by default and it can be easily intercepted and rebuilt by a malicious eavesdropper. It’s a good corporate policy to require remote workers to use a VPN whenever they are connected to an open network, like at a coffee shop or in a hotel.