How secure should your wireless network be?

Wireless network security is something often overlooked. Networking is already complicated enough, so most people simply skip the complicated setup and go along with unprotected network access for years. But even if you go through the trouble, there are a ton of ways to secure your router, some better than others, and choosing the correct solution is not always easy. This is why I decided to write this short guide, in which I'll explain the available security solutions, what's good about them, and what's bad.

Unsecured Access

Although maybe not the best idea, unsecured access guarantees compatibility, speed and ease of use. There is no complicated key to enter, and your network is always available no matter what. This is of course the worst solution security-wise, but something to consider if you live in a remote farm area.

SSID (Service Set Identifier) Broadcast Hiding

Your SSID is your network name. Through your router's setup, you can choose anything you like. This makes it easy to recognize which network is yours when you have to choose between multiple networks. It's also how Windows or other OSes remember your network settings and automatically connect you. Your SSID is normally broadcast over the air so that devices scanning for your network can find it. One easy technique often suggested to augment network security is to stop broadcasting your SSID. It hides your router from scans, so that only people who know your SSID can connect to your network.

SSID hiding is however flawed. Each time a device connects to your network, be it you turning on your laptop or a gaming console, your SSID is transferred in the clear, even on an encrypted connection. Widely available software can sniff wireless traffic and easily retrieve the SSID. Additionally, most of the time your network isn't even hidden: it simply shows up as a blank wireless entry which still requires an SSID to connect, and a cracker can trick your device into reconnecting, at which point it broadcasts your SSID in the clear.

In my opinion, SSID hiding is more of a bother than a useful thing. I never hide my SSID; it would just make my already long connection setup longer, for no real security benefit.

MAC Address Filtering

Every network device in the world has a unique identifier called a MAC address, something like this: 00-0A-5E-54-59-BF. The theory is that if every adapter has a unique ID, it should be possible to allow only the desired network devices onto your network. Fortunately it is: every single router has that feature, or at least it should. Unfortunately, it's no means of real protection and, again, more of a bother than a useful thing. The problem is that MAC addresses can be easily spoofed, even more easily than SSID hiding can be bypassed, and finding out which MAC addresses are allowed on a given network is also a piece of cake for anyone the least bit resourceful, since they are transferred in the clear (without encryption).

WEP (Wired Equivalent Privacy)

This deprecated protection scheme (yup, deprecated) is a very flawed but highly compatible security solution for wireless networks. WEP uses the stream cipher RC4, which is unfortunately an old and completely insecure encryption algorithm, so much so that WEP has been declared deprecated since 2004. In fact, with software mentioned on Wikipedia, I can crack any WEP connection in under a minute. There are even step-by-step articles, not shady and very easy to find, on how to operate the tool that performs Klein's attack on WEP-secured networks. Why isn't this being pulled off the web? Simply because WEP is deprecated. Such tools are widely available as a proof of concept of why you should not use WEP protection.

WPA (WiFi Protected Access)

WPA is sort of a half solution. It still uses the RC4 cipher, but unlike its cousin WEP, it implements a different security protocol called TKIP, which includes a countermeasure mechanism that makes it impossible to recover your network key. However, in 2008 a TKIP vulnerability was discovered, but it only allows an attacker to play with packets on your network (the units in which data is sent and received). This makes it possible for the attacker to perform ARP spoofing on your network and incidentally sniff data over the air, compromising that data's security and privacy, as well as to mount a DoS (denial of service) attack, blocking all network traffic and essentially bringing down a server. While a DoS attack may not be of concern for a home network (who would want to DoS attack you, seriously), it certainly is a potential threat for a business.

In other words, WPA remains a perfectly fine solution for home networks and its use of the RC4 cipher makes it compatible with legacy WEP hardware.

WPA2

However similar the names may be, WPA2 is anything but similar to WPA. Version 2 is the correctly implemented 802.11i standard. Yes, WPA was made in a hurry, before the standard was even finalized, so that router makers could address the issues with WEP. This is why WPA support is sketchy, and some routers may offer variants of WPA that are not compatible with other devices. Conversely, WPA2-compliant routers all use the exact same standard, but you need recent hardware/firmware for that. Getting WPA2 protection on a computer or router is as simple as having updated firmware, but even recent gaming devices like the PSP 3000 often do not support it, especially due to WPA2's increased overhead (the Nintendo DSi does support it).

Unlike WPA, WPA2 uses a completely different protocol and cipher, respectively CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code) and AES (Advanced Encryption Standard, the Rijndael cipher that won the AES selection process). Unlike RC4, AES is an extremely sophisticated encryption algorithm used today to encrypt everything from US government secret information to the TLS (SSL) secure connections you use when you shop online.

AES is uncrackable. No one has ever found a way to crack this encryption scheme, with the exception of brute-forcing. Brute-forcing a connection involves trying every possible password until you gain access to the network. In practice, brute-forcing usually means dictionary attacks, where common words are tried against the network's authentication to find the password. This can be easily avoided with a full 63-character ASCII key, which you can generate here: https://www.grc.com/passwords.htm

A brute-force attack on such a key is estimated to take a trillion years, and counter-brute-force mechanisms slow that down several times over. In other words, WPA2 is uncrackable if you use a good key.
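To make the key-strength argument concrete, here is an added example (my own illustration, not code from the original post or from GRC) that generates a 63-character printable-ASCII passphrase with the operating system's CSPRNG, measures its entropy against a short weak password, checks it against a constructed toy word list standing in for a dictionary attack, and derives the actual WPA2-PSK pairwise master key the way 802.11i specifies: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output. Those 4096 iterations are the "counter-brute-force mechanism" the text refers to, since every guess an attacker tests must pay for them. The guess rate of one billion per second is an assumed figure for illustration only; the `("password", "IEEE")` pair is the published 802.11i test vector, so you can confirm the derivation against it.

```python
"""Added example: WPA2-PSK passphrase strength and the 802.11i PSK derivation."""
import hashlib
import math
import secrets
import string

# 94 printable ASCII symbols, no whitespace. WPA2-PSK allows 8 to 63 ASCII characters.
ALPHABET = "".join(c for c in string.printable if c not in string.whitespace)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed toy word list; a real dictionary attack list has millions of entries.
TOY_DICTIONARY = {"password", "letmein", "linksys", "dlink", "internet", "qwerty123"}


def generate_passphrase(length: int = 63) -> str:
    """Return a uniformly random passphrase over ALPHABET, drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).

    The 4096 rounds are deliberate: they make each guess in a brute-force or
    dictionary attack cost thousands of hash operations instead of one.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def in_dictionary(passphrase: str, wordlist=TOY_DICTIONARY) -> bool:
    """True if the passphrase is a word a dictionary attack would try first."""
    return passphrase.lower() in wordlist


def brute_force_years(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected years to search half the keyspace at an assumed guess rate."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    weak = "password"                      # 8 lowercase letters, in every word list
    strong = generate_passphrase()         # 63 random printable ASCII characters
    print("weak   :", weak,
          "| in dictionary:", in_dictionary(weak),
          "| years to brute force: %.2e" % brute_force_years(entropy_bits(len(weak), 26)))
    print("strong :", strong,
          "| in dictionary:", in_dictionary(strong),
          "| years to brute force: %.2e" % brute_force_years(entropy_bits(len(strong))))
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
```

Run it as a script to see the two passphrases side by side; the weak one falls to the toy dictionary immediately, while the 63-character key carries roughly 413 bits of entropy, which is why the "trillion years" estimate in the text is, if anything, conservative. The PMK line should print `f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e`, matching the 802.11i test vector and what tools such as wpa_passphrase produce for the same inputs.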

The Perfect Solution

Unfortunately, WPA2 is not supported on all hardware, and using a combined WPA/WPA2 mode for increased compatibility breaks your perfect, uncrackable, unsniffable protection. Fortunately for home users, routers such as the D-Link DIR-655 can run two networks at the same time. Yup, you can set up a main network in WPA2 and a separate guest network with any protection scheme you like for incompatible devices. You can even prevent routing between the two networks, so that your secure WPA2 network remains completely isolated from the less secure one.

I use this technique at home to stay compatible with my PSP, which only supports WPA. My main network is WPA2-only, and my guest network is isolated (not routable) with a WPA-only scheme. This keeps my main network, used for credit card transactions over the Internet for example, completely secure, while still leaving gaming access for older machines. Since WPA can only be sniffed, it also makes it impossible for anyone unauthorized to use my bandwidth, which could happen if the guest connection were left open or on WEP security.
