Author: George Ou
Revision 2.0 – Jan 3, 2005
Introduction
One of the most common questions that people ask me about Wireless LANs is “are Wireless LANs really safe?” immediately followed up by “what kind of security do I need for my Wireless LAN?” The answer to the first question is “yes, if you implement good security measures” but the second question forces me to resort to the old “it depends”. It depends on what level of risk is acceptable to your home or organization. It depends on what level of management and cost you are willing to bear. To simplify this extremely complex topic, I’ve come up with four arbitrary levels of WLAN (Wireless LAN) security as a general guideline that is designed to suit everyone’s needs from the home to the military.
* Level 1: Home and SOHO WLAN security
* Level 2: Small Business WLAN security
* Level 3: Medium to large Enterprise WLAN security
* Level 4: Military grade maximum level WLAN security
Level 1: Home and SOHO WLAN security
Unfortunately, many home users are still running old equipment, old drivers, or older operating systems that don’t natively support WPA, so they are still using WEP if they use anything at all. WEP encryption was once thought to be good for a week on most light-traffic home wireless networks, because the older WEP cracking tools needed 5 to 10 million packets to recover a WEP key, but the newest WEP cracking techniques can break WEP in minutes. Even if there isn’t that much traffic, an attacker now has ways to artificially generate traffic and accelerate WEP cracking. Because of this, consumers should avoid any product that doesn’t support WPA TKIP mode at a minimum, and should prefer WPA AES capable or WPA2 certified devices. If you have WEP-only devices, check with the vendor to see whether any firmware and/or driver updates will upgrade the device to WPA mode. If not, anyone who cares about privacy should throw those devices out. As harsh as that may sound, it is comforting to know that newer Access Points and Client Adapters that do support WPA can be purchased for as little as $30. Client-side Wireless LAN software (officially known as Supplicants) also needs to be updated to support WPA or WPA2. Windows XP SP1 with the WPA patch can suffice, but Windows XP SP2 is highly recommended.
The home or SOHO (Small Office Home Office) environment is very unlikely to have any kind of Authentication and PKI in place. This may change when TinyPEAP gets launched, but that is currently in BETA phase and is not ready for prime time yet. TinyPEAP puts a PEAP authentication server and PKI Certificate Authority in your home’s Wi-Fi enabled Linksys Router which was once the exclusive domain of large organizations with dedicated authentication servers. For the time being, the only viable option for this environment is WPA PSK (Wi-Fi Protected Access Pre-Shared Key) mode. WPA mode mandates TKIP at a minimum but also has an optional AES encryption mode. AES mode is highly recommended because it has a rock solid pedigree in cryptanalytic resistance whereas TKIP may be under attack in the near future. Note that AES in WPA2 (fully ratified version of 802.11i) is no longer optional and is mandated today. Since most home users would be lucky if all of their equipment and software was TKIP capable, most homes will have to be content with TKIP mode for now.
WPA PSK mode can be an effective security mechanism but leaves a lot to be desired in terms of usability. This is because WPA PSK can be cracked with offline dictionary attacks, so it relies on a strong random passphrase to be effective. Unfortunately, humans are very bad at memorizing long random strings of characters and will almost always use easy-to-remember words and phrases, or some slight variation of them. This lends itself to dictionary attacks, where a hacker will try every variation of every combination of words in the dictionary. To make this very difficult to crack, use a 10-character string of random characters drawn from a-z, A-Z and 0-9, or use a very long word phrase of 20 or more characters. Unfortunately, this will force many users to write down their passphrases, which in itself may lead to passphrase theft. WPA PSK is not a good long-term security solution and leaves Level 1 security with much to be desired, but it can be safe when used correctly.
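The reason a weak WPA PSK passphrase is exposed to offline guessing is that the 256-bit Pre-Shared Key is a deterministic function of the passphrase and the SSID: PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt, as defined in IEEE 802.11i (this is what the `wpa_passphrase` utility computes). The following Python is an added example, not code from the article; it derives the PSK, generates a passphrase the way the text recommends (random a-z, A-Z, 0-9), estimates the guessing work a passphrase imposes in bits, and applies the article's rule of thumb as a policy check. The entropy estimator, the 50-bit threshold used for the short-random path and the small word list are my own assumptions, constructed for illustration only.

```python
import hashlib
import math
import secrets
import string

# Character set the article recommends for a short random passphrase: a-z, A-Z, 0-9.
ALNUM = string.ascii_letters + string.digits

# Constructed toy word list standing in for the dictionaries offline guessing draws on.
TOY_DICTIONARY = {"password", "linksys", "wireless", "letmein", "homenetwork"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK from a passphrase and SSID.

    This is the PBKDF2-HMAC-SHA1 mapping defined by IEEE 802.11i: 4096
    iterations, the SSID as salt, 32 bytes of output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def entropy_bits(passphrase: str) -> float:
    """Estimate (assumption: per-character uniform choice) the guessing work in bits.

    The pool is the union of the character classes the passphrase actually uses.
    A passphrase built from dictionary words has far less real entropy than this.
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def generate_passphrase(length: int = 10) -> str:
    """Produce a passphrase as the article recommends: random a-z, A-Z, 0-9 characters."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def meets_guidance(passphrase: str) -> bool:
    """Apply the article's rule of thumb (assumed thresholds): never a bare dictionary
    word, and either a 20+ character phrase or a 10+ character random string."""
    if passphrase.lower() in TOY_DICTIONARY:
        return False
    if len(passphrase) >= 20:
        return True
    # 50 bits is an assumed floor; 10 mixed-case alphanumerics give about 59.5 bits.
    return len(passphrase) >= 10 and entropy_bits(passphrase) >= 50.0


if __name__ == "__main__":
    candidate = generate_passphrase()
    print("generated passphrase:", candidate, "estimated bits:", round(entropy_bits(candidate), 1))
    print("PSK for SSID 'HomeNet':", derive_psk(candidate, "HomeNet").hex())
    print("'password' meets guidance:", meets_guidance("password"))
```

Because the derivation is fixed and public, anyone holding a captured handshake can recompute PSKs for candidate passphrases offline; the only lever a home user controls is the entropy of the passphrase itself, which is why the check above rejects short or dictionary passphrases rather than relying on the SSID salt. The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") can be used to confirm that `derive_psk` matches the standard.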