One issue with wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to wardrivers.

Concerns

Anyone within the geographical range of an open, unencrypted wireless network can sniff all the traffic and gain unauthorized access to internal network resources as well as to the Internet, possibly sending spam or carrying out other illegal actions using the owner's IP address.

The lack of default security in wireless connections is quickly becoming an issue, especially in the UK, US and other places where many broadband (ADSL) connections are offered together with a wireless basestation/ADSL modem/firewall router access point. If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Further, many laptop PCs now have wireless networking built in (cf. Intel 'Centrino' technology), thus eliminating the need for an additional plug-in (PCMCIA) card. These features might be enabled by default, without the owner ever realising it, thus broadcasting the laptop's accessibility to any computer nearby.

Modern operating systems such as Linux, Mac OS, or Microsoft Windows XP as the 'standard' in home PCs make it very easy to set up a PC as a wireless LAN 'basestation' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby, such as a next-door neighbor, may also use the Internet connection. This is typically done without the wireless network owner's knowledge; it may even be without the knowledge of the intruding user, if his computer automatically selects a nearby unauthorized wireless network to use as an access point.

Security options

There are three quite different ways to secure a wireless network.

* For closed networks (like home users and organizations) the by far most common way is to configure access restrictions in the access points. Those restrictions may include checks on MAC address and encryption.
* For commercial providers, hotspots and large organizations, the preferred solution is often to have an open, unencrypted but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal with solutions for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
* Wireless networks are not so different from wired networks; in many office situations intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it is also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be to use end-to-end encryption, and have independent authentication on all resources that shouldn't be available to the public.

Access Control at the Access Point level

One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures.

Another very simple technique is to have a secret ESSID (the id/name of the wireless network), though anyone who studies the method will be able to sniff the ESSID.

Today all (or almost all) access points incorporate Wired Equivalent Privacy (WEP) encryption, but security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only 3 minutes using tools available to the general public (see aircrack).

The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address these problems. If a weak password, such as a dictionary word or a short character string, is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.

Restricted access networks

Solutions include a newer system for authentication, IEEE 802.1x, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

End-to-End encryption

One can argue that neither encryption at the router level nor VPN is good enough for protecting valuable data like passwords and personal emails; those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have somehow gained access to the wired network. The solution may be to do the encryption and authorization in the software layer using technologies like SSL, SSH, GnuPG, PGP and similar.

The disadvantage of this approach is that it can be difficult to cover all the traffic. With encryption at the router level, or VPN, it is just one switch to get all traffic encrypted (even UDP and DNS lookups), while with end-to-end encryption one has to "turn on encryption" for each and every service one wants to use, and quite often also for each and every connection. For sending emails, all the recipients must support the encryption and keys have to be exchanged. For the web, not all web sites offer https, and even when using end-to-end encryption on everything, the IP addresses you communicate with will go in clear text. Say, if you frequent Playboy Magazine, your mother-in-law may find it out, even if you use https.

Also, the most prized resource is often access to the Internet; it is not trivial to force each user to authenticate himself to the router.

Open Access Points

Today, there is almost full wireless network coverage in many urban areas. The infrastructure for the wireless community network (which some people consider to be the future of the Internet) is already in place, and one could roam around and always be connected to the Internet if all the nodes were open to the public, but due to security concerns most of the nodes are encrypted. Many people consider it to be proper etiquette to leave access points open to the public, allowing free access to the Internet.

The density of access points can even be a problem: there are a limited number of channels available, and they partly overlap. In situations where there are a lot of private wireless networks near each other (for example, an apartment complex), the limited number of channels in the Wi-Fi range might cause overlapping problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks to the public:

* The wireless network is after all confined to a small geographical area. When a machine connected to the Internet has security problems, anyone from anywhere in the world can exploit them, while only clients within a small geographical range can exploit an open wireless access point. Thus the exposure is quite low with an open wireless access point, and the risks of having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
* The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an Internet bank, one would almost always use strong encryption from the web browser all the way to the bank, so it shouldn't be risky to do banking over an unencrypted wireless network. The argument that anyone can sniff the traffic applies to wired networks too: there are lots of system administrators and possible crackers who have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
* If there are services like file shares, access to printers etc. on the local net, it is advisable to have authentication (i.e. by password) for accessing them (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to give outsiders access to the local network.
* With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
* It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic, so extra traffic will not hurt.
* Internet connections are plentiful and cheap today. One will almost never risk getting the garden full of freeloaders when setting up an open Access Point.
* The risk of somebody doing illegal stuff over your Internet connection is very small, and even if it should happen, according to most laws the owner of the Access Point will not be held liable.
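The "Access Control at the Access Point level" section states that MAC address filtering and a secret ESSID give no protection against sniffing. The following is an added example, my own code and not part of the article, that builds a constructed 802.11 beacon and probe response and parses the management-frame header and SSID element exactly as they appear on the air: the station addresses and the network name are in the unencrypted part of every frame, which is why an allow-list of MAC addresses cannot stay secret and a "hidden" network name only disappears from the beacon. The BSSID 02:00:00:aa:bb:cc, the client address 02:00:00:11:22:33 and the frame contents are constructed for the illustration.

```python
import struct

BROADCAST = b"\xff" * 6
# IEEE 802.11 management frame subtypes used in this example
SUBTYPES = {8: "beacon", 5: "probe-response"}
IE_SSID = 0  # information element tag for the SSID


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, bssid: bytes, ssid: bytes, dest: bytes = BROADCAST) -> bytes:
    """Constructed sample frame (not a capture): a beacon (subtype 8) or probe response (5).
    Layout: frame control (2), duration (2), addr1=DA (6), addr2=SA (6), addr3=BSSID (6),
    sequence control (2), then the fixed fields and tagged information elements."""
    frame_control = bytes([subtype << 4, 0])  # protocol version 0, type 0 = management
    header = frame_control + b"\x00\x00" + dest + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, beacon interval, capabilities
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid  # zero-length SSID = "hidden" network
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11 Mbit/s
    return header + fixed + ssid_ie + rates_ie


def parse_mgmt_frame(frame: bytes) -> dict:
    """Everything returned here is read from cleartext bytes; WEP/WPA never covers
    the MAC header or management frames."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = SUBTYPES.get(fc0 >> 4, "other")
    info = {
        "subtype": subtype,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "ssid": None,
    }
    if subtype in ("beacon", "probe-response"):
        body = frame[24 + 12:]  # skip the 24-byte MAC header and 12 bytes of fixed fields
        pos = 0
        while pos + 2 <= len(body):
            tag, length = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + length]
            if tag == IE_SSID:
                info["ssid"] = value.decode("utf-8", "replace")
            pos += 2 + length
    return info


def hidden_ssid_demo(ssid: bytes, bssid: bytes, client: bytes) -> dict:
    """What a passive listener sees from a network with a 'hidden' ESSID: the beacon
    carries an empty SSID element, but the probe response the AP sends to a joining
    client carries the real name, and the client's MAC address is in the frame header."""
    beacon = parse_mgmt_frame(build_mgmt_frame(8, bssid, b""))
    probe_resp = parse_mgmt_frame(build_mgmt_frame(5, bssid, ssid, dest=client))
    return {
        "beacon_ssid": beacon["ssid"],
        "probe_response_ssid": probe_resp["ssid"],
        "approved_client_mac": probe_resp["da"],
    }


if __name__ == "__main__":
    bssid = bytes.fromhex("020000aabbcc")  # constructed, locally administered address
    print(parse_mgmt_frame(build_mgmt_frame(8, bssid, b"corp-wifi")))
    print(hidden_ssid_demo(b"corp-wifi", bssid, bytes.fromhex("020000112233")))
```

The parser only handles the two management subtypes the point needs; a monitoring tool would also track association requests, which carry the SSID as well. The practical conclusion is the one the article draws: treat MAC filtering and a hidden ESSID as housekeeping, not as access control, and rely on WPA2 with a strong pre-shared key or 802.1x for the actual protection.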
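The WPA/WPA2 passage contrasts a dictionary word, which can be cracked, with 14 random letters or 5 random words, which the article calls virtually uncrackable. This added example, my own code and not from the article, derives a WPA-PSK pairwise master key the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output) and estimates the average time for an exhaustive offline search of each passphrase style. The 100,000-word dictionary, the 7,776-word list and the guess rate of one million derivations per second are assumptions chosen for the illustration, not figures from the article; the "password"/"IEEE" pair is the published 802.11i Annex H test vector.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32-byte output).
    The SSID salt means a precomputed table only helps against one network name."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent uniform choices."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Average work to recover a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


# The three passphrase styles the text compares. Sizes are assumptions for the
# illustration: a 100,000-word dictionary and a 7,776-word (diceware-sized) list.
POLICIES = {
    "single dictionary word": keyspace_bits(100_000, 1),
    "14 random letters": keyspace_bits(26, 14),
    "5 random words": keyspace_bits(7_776, 5),
}


def compare_policies(guesses_per_second: float) -> dict:
    """Expected years to exhaust half of each policy's keyspace at the given rate."""
    return {
        name: expected_years_to_guess(bits, guesses_per_second)
        for name, bits in POLICIES.items()
    }


if __name__ == "__main__":
    # 802.11i Annex H test vector, useful to confirm the derivation is right
    print(derive_pmk("password", "IEEE").hex())
    # Assumed rate of one million PBKDF2 evaluations per second (hardware dependent)
    for name, years in compare_policies(1_000_000).items():
        print(f"{name:24s} {POLICIES[name]:5.1f} bits  ~{years:.3g} years")
```

The 4096 PBKDF2 iterations make each guess about four thousand times more expensive than a single hash, which is what turns the 16-bit dictionary keyspace into seconds rather than milliseconds; the 65-bit keyspace of 14 random letters is what turns it into millions of years. Run the script with whatever guess rate matches your threat model; the policy comparison, not the absolute number, is the point.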
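The "End-to-End encryption" section notes that even with https the IP addresses you communicate with are sent in clear text, which is the trade-off against VPN or router-level encryption that covers everything. This added example, my own code and not the article's, constructs an IPv4/TCP packet carrying either a plaintext HTTP request or an opaque TLS record and reports what a passive observer on the wireless or wired path can read from the headers in each case. The addresses 192.0.2.10 and 198.51.100.7 (documentation ranges) and both payloads are constructed samples.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over 16-bit words; a valid header sums to zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed packet (not a capture): minimal IPv4 and TCP headers around a payload."""
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def classify_payload(payload: bytes) -> str:
    """Identify the application layer from its first bytes, as an observer would."""
    if payload[:4] in (b"GET ", b"POST", b"HTTP"):
        return "plaintext-http"
    # TLS record header: content type 0x16 (handshake) or 0x17 (application data), version 3.x
    if len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03:
        return "tls-record"
    return "unknown"


def observer_view(packet: bytes) -> dict:
    """Fields an on-path observer reads without any key: addresses, ports, and
    whether the application data above them is readable or opaque."""
    ihl = (packet[0] & 0x0F) * 4
    view = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "protocol": packet[9],
    }
    if packet[9] == 6:  # TCP
        tcp = packet[ihl:]
        view["sport"], view["dport"] = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        payload = tcp[data_offset:]
        view["payload_kind"] = classify_payload(payload)
        view["payload_readable"] = view["payload_kind"] == "plaintext-http"
        view["payload_bytes"] = len(payload)
    return view


if __name__ == "__main__":
    http = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 50000, 80,
                          b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n\r\n")
    # Constructed fragment that begins like a TLS handshake record; the rest is opaque
    tls = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 50001, 443,
                         bytes.fromhex("160301002a0100002603036f"))
    print(observer_view(http))
    print(observer_view(tls))
```

In both outputs the observer learns who is talking to whom and on which port; only the payload changes from readable to opaque. That is the metadata leak the section describes, and the reason the article treats VPN or router-level encryption and end-to-end encryption as complementary rather than interchangeable.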