Monday, November 02, 2009

WPA (Wi-Fi Protected Access) Wireless Security for Home Networks


Published: July 28, 2003

Editor's Note: Past articles by members of the online community are archived for your use. The information may become outdated as technology changes. For the most current information, please search the Web site or post a question in the newsgroups.

Barb Bowman

It's no secret that the biggest challenge for home Wi-Fi users is securing their wireless LAN. In fact, home and SOHO wireless networks are rarely secured because the average home user finds it too difficult.

Until recently, Wired Equivalent Privacy (WEP) was the premier 128-bit optional encryption standard used to protect a home wireless network. Although wireless routers, access points, and wireless computer adapters for residential use shipped with WEP capabilities, most manufacturers turned WEP off by default. Many home wireless users never bothered to turn it on, so they had no security and no protection from intruders. And those who sorted through the challenges of configuring WEP on home networks often failed to ever change the WEP key. But now there is good news, especially for Microsoft Windows XP users. Prior weaknesses in wireless security and tricky configuration issues for the home user have been eliminated thanks to a new security specification called Wi-Fi Protected Access (WPA).

WPA and Windows XP Service Pack 1 (including Windows XP Home Edition, Windows XP Professional, Tablet PC Edition, and Media Center Edition) coupled with a downloadable update now provide the home user with easier to configure and stronger security than was previously available. Now you don't need to hire a network consultant or find a friendly neighborhood geek to set up wireless security.

In this column, I'll show you how I configured my home network with a special WPA mode, called WPA-PSK (Pre Shared Key) and I'll explain how WPA-PSK works. I'll share some of the solutions I'm using to include older non-WPA capable 802.11b equipment on a WPA-enabled network. I'll also provide a brief update on the additional security procedures you can use to secure your wireless network.

How Do WPA and WPA-PSK Work?

WPA resolves the problem of WEP's weak headers, the initialization vectors (IVs), and ensures the integrity of messages with a message integrity check (MIC, called Michael), using the Temporal Key Integrity Protocol (TKIP) to strengthen data encryption. WPA-PSK is a special mode of WPA for home users without an enterprise authentication server and provides the same strong encryption protection.

In simple terms, WPA-PSK is extra-strong encryption in which the encryption keys are automatically changed (called rekeying) and re-authenticated between devices after a specified period of time, or after a specified number of packets have been transmitted. This is called the rekey interval. WPA-PSK is far superior to WEP and provides stronger protection for the home/SOHO user for two reasons: the process used to generate the encryption key is very rigorous, and the rekeying (key changing) happens very quickly. This stops even the most determined hacker from gathering enough data to break the encryption.

WEP was confusing to home users because of the various types of keys vendors used (HEX, ASCII, or passphrase) and because home users mix and match equipment from multiple vendors, all using different types of keys. But WPA-PSK employs a consistent, easy to use method to secure your network. This method uses a passphrase (also called a shared secret) that must be entered in both the wireless access point/router and the WPA clients. This shared secret can technically be between 8 and 63 characters and can include special characters and spaces. The WPA preshared key should be a random sequence of either keyboard characters (upper and lowercase letters, numbers, and punctuation) at least 20 characters long or hexadecimal digits (numbers 0-9 and letters A-F) at least 24 hexadecimal digits long. The more random your WPA preshared key, the safer it is to use.

The Temporal Key Integrity Protocol (TKIP) takes over after the initial shared secret is entered in your wireless devices and handles the encryption and automatic rekeying.
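As an added example (not code from the original column), the following script checks a candidate passphrase against the length and randomness guidance given above and shows how the shared secret becomes the 256-bit key that TKIP then works from. The derivation is the one fixed by IEEE 802.11i (PBKDF2 with HMAC-SHA1, 4096 iterations, the SSID as salt); the 20-character and 24-hex-digit thresholds are the column's own recommendations, and the function names and sample values are mine.

```python
import hashlib
import re
import string

# Limits and recommendations stated in the column above.
MIN_LEN, MAX_LEN = 8, 63          # what WPA-PSK accepts
RECOMMENDED_CHARS = 20            # random keyboard characters
RECOMMENDED_HEX = 24              # or hexadecimal digits
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def check_passphrase(passphrase):
    """Return a list of warnings; an empty list means the passphrase
    follows the column's advice (the thresholds are the article's own)."""
    warnings = []
    n = len(passphrase)
    if not MIN_LEN <= n <= MAX_LEN:
        return ["length %d is outside the 8-63 characters WPA-PSK accepts" % n]
    if any(c not in PRINTABLE for c in passphrase):
        warnings.append("contains characters outside printable ASCII; some "
                        "routers and clients will map them differently")
    if re.fullmatch(r"[0-9A-Fa-f]+", passphrase):
        if n < RECOMMENDED_HEX:
            warnings.append("hex-only passphrase shorter than %d digits" % RECOMMENDED_HEX)
    else:
        if n < RECOMMENDED_CHARS:
            warnings.append("shorter than %d characters" % RECOMMENDED_CHARS)
        classes = sum(bool(re.search(p, passphrase))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            warnings.append("mix upper and lower case, digits and punctuation")
    return warnings


def derive_psk(passphrase, ssid):
    """Map the shared secret to the 256-bit PSK that TKIP then works from.
    The mapping is the one fixed by IEEE 802.11i (Annex H): PBKDF2 with
    HMAC-SHA1, 4096 iterations, the SSID as salt, 32 bytes of output.
    Because the SSID is the salt, the resulting key depends on both values,
    which is why the column's advice to change the default SSID and to pick
    a random passphrase go together."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


if __name__ == "__main__":
    # Constructed sample values for demonstration, not real network settings.
    for secret in ("password", "Tq7#pLm2!vXz9@kRw4$nBe"):
        print(secret, check_passphrase(secret) or "OK",
              derive_psk(secret, "buffalog").hex()[:16] + "...")
```

The two PSK values asserted below are the published test vectors from IEEE 802.11i Annex H, so the derivation can be checked against the standard rather than against this script alone.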

WPA is not an official IEEE standard, but is based on and is expected to be compatible with the upcoming 802.11i security standard, sometimes referred to as WPA2. WPA is designed to be a software upgrade. The 802.11i standard will likely require a hardware upgrade. However, wireless vendors and security professionals expect today's WPA and WPA-PSK to be useful for a very long time.

Note: If you own a Smart Display, the current setup program does not run if the WPA update is installed because of a compatibility issue with a tool called wzctool.exe. For more information and workarounds, see Smart Display Setup Is Incompatible with Wi-Fi Protected Access Update. This issue also impacts the setup program for the Microsoft Wireless Broadband Networking software. The workaround is to use a manual setup.

Wireless Zero Configuration Supports WPA

An update for Windows XP Service Pack 1 users provides operating system support for WPA. If you haven't received this update automatically:

1. Open Internet Explorer, and on the Tools menu, click Windows Update.
2. Look for Recommended Update 815485 under Windows XP.

You'll find more information in the Knowledge Base article, Overview of the WPA Wireless Security Update in Windows XP. You'll need to install this update and use wireless adapters and an access point or router that support WPA.

Buffalo Technology provided me with their new 802.11g WPA capable WBR-G54 Wireless Router Base Station and WLI-CB-G54A PC Card. The router supports WPA-PSK as well as the more complex enterprise WPA mode that, like the older WEP standard, requires an authentication server. I've been using this hardware on my home network in WPA-PSK mode and much of this column is based on my experience with this equipment. These Buffalo Technology products use Broadcom's 802.11g chipset. WPA upgrades are being posted by vendors for some Broadcom 802.11g chipset based equipment that did not initially ship with WPA capabilities.

Upgrades for 802.11g products based on Intersil, Atheros, Texas Instruments and other chipsets will hopefully be arriving soon and equipment from these vendors will be WPA interoperable. Vendors are focusing their efforts on newer 802.11g or multi-mode 802.11a/g equipment. Older 802.11b products may or may not be upgradeable, depending on the vendor. If you own 802.11b equipment, check with the vendor to see if upgrades will be offered for your particular product(s).

Configure WPA-PSK for Your Router or Access Point

The first step in constructing an ultra secure home network is to set up your WPA capable router or access point for WPA-PSK. Use a wired connection, if possible, to specify these settings since a wired connection will not be impacted if you make a mistake. Start by accessing the administrative internal Web page of your access point or router.

Note: The WPA configuration interface for WPA-enabled access points or routers may vary. Some may provide total configurability for both enterprise users with WPA configuration screens and menus and home users with WPA-PSK screens and menus. Some equipment targeted specifically at the residential market may provide only WPA-PSK capability and offer fewer configuration options.

The Buffalo Technologies Air Station offers a full implementation of WPA and WPA-PSK for both enterprise and home users. I've configured this router as a "g only" device to maximize performance. (I'll be writing more about 802.11g in a future column.)

Following are the steps I used to configure this equipment for WPA-PSK after accessing the Web administration interface. Note that other vendors' equipment may have a slightly different interface, but the procedures should be very similar.

Figure 1

1. Locate a menu labeled Security or Network Authentication. Choices for WEP, WPA, WPA-PSK, and NONE will be available from this menu. In Figure 1, this is labeled Network Authentication. (Buffalo Technology makes it simple to configure all wireless settings because they all are found on a single administrative page under LAN Setting, Wireless.)
2. Click WPA-PSK.
3. Enter a hard-to-guess passphrase (between 8 and 63 characters) in the WPA Pre Shared Key field. This is also known as a Shared Secret.
4. Enter a Rekey Interval (normally the unit is seconds).
5. Click Apply or Reset, depending on the vendor's implementation.

Configure WPA-PSK on Windows XP

After you've set up your router or access point for WPA-PSK, you'll need to configure the wireless properties on each computer for WPA-PSK as follows:

1. Right-click the wireless connection icon in the notification area, and then click View Available Wireless Networks.
2. Select the WPA-PSK capable network you want to attach to by clicking the SSID (Service Set Identifier). As shown in Figure 2, I am configuring the SSID buffalog.
3. Enter the Shared Secret (passphrase) in the Network Key field and again in the Confirm Network Key field as shown in Figure 2. Although the text refers to a network key, the passphrase can be entered here.
4. Click Connect.

Figure 2

You can also configure WPA-PSK or edit an already configured Shared Secret by clicking the Advanced button shown in Figure 2. The Wireless Network Connection Properties dialog box opens.

If the wireless network is not already configured and does not appear in the lower window, select it in the list of available networks, and then click Configure.

If a Wireless Network is already a Preferred network and appears in the lower window, select it, and then click Properties.

As shown in Figure 3, I am configuring SSID "gee2" which is another WPA-PSK capable wireless network.

Figure 3

The Network name (SSID) of the access point or router you are configuring is displayed, as shown in Figure 4.

1. Select WPA-PSK from the Network Authentication box.
2. Use the default TKIP Data encryption method.
3. Enter the Shared Secret/Passphrase that you entered in the wireless router or access point under Network key.
4. Enter the Shared Secret/Passphrase a second time under Confirm network key, and then click OK.

Figure 4

You should now be able to successfully connect to your extremely secure WPA-PSK-enabled router or access point.

Tips to Strengthen Wireless Security

Are there any risks with WPA-PSK? It should be obvious that the shared secret should be closely guarded. Don't use something that is easily guessed. Use something that hackers employing dictionary attacks won't normally have in their dictionary. (If you've received SPAM that looks like it was addressed to every possible name and name plus numeric on the planet, then you know what a dictionary attack is.) You can use something that only you can remember.

Check your wireless access point or router and see if there is a user configurable Rekey Interval and set it. I've been using 100 (seconds). Note that some residential WPA-PSK only routers or access points may not offer this configurability and use a hard-coded Rekey Interval.

Here is a summary of the additional steps you can take, in addition to using WPA, to secure your wireless home network:

Never use the default SSID provided by the manufacturer. You can optionally turn off the broadcast of the SSID name, but this won't stop determined hackers from finding it.

Set up an access control list by MAC address of all devices you want to associate with the access point or wireless router.

Change the default password provided by the manufacturer on the access point or wireless router.

Place the access point or router in the center of your home and not near a window.

Turn off administrative access over wireless if possible.

Hardware Considerations

Before you can implement WPA on a home network, you'll need to start with a wireless router or access point that supports WPA. Additionally, you'll need wireless client cards that have firmware support and drivers to support this new standard. As of June 2003, most vendors are in the process of bringing new 802.11g wireless routers, access points, and client adapters to market and implementing WPA in newly-released wireless devices. Most will be implementing WPA on the newly-approved 802.11g wireless hardware and then subsequently retrofitting some older 802.11b with firmware and drivers for Windows XP that support WPA.

I've recently learned that some vendors may not be providing updates for wireless devices that use the older Intersil Prism 2.0 version chipsets. This means that some of the first generation 802.11b adapters may not be upgradeable to WPA encryption. The Wi-Fi Alliance will soon be requiring WPA certification as a condition for certifying Wi-Fi compatibility. In most of the cases with older client adapters, there just isn't enough room in the firmware to implement the WPA functionality.

Many first generation 802.11b access points and routers also use the older Prism chipset and a number of these may not be WPA firmware upgradeable. This means that if you want to upgrade to WPA, you'll need to purchase newer hardware. Check with the manufacturer of your 802.11b wireless equipment to determine whether or not a WPA upgrade will be offered for your existing hardware.

Don't throw out your legacy, non-upgradeable access points and routers yet if the answer is no. As you'll see a little later, you may be able to use them in access point mode for non-upgradeable 802.11b clients. As for 802.11a only products, Atheros (the vendor for all first generation 802.11a only hardware) will not be providing upgrades for 802.11a only devices.

Home Networks, WPA-PSK, and Mixed Operating Systems and Devices

It's important to note that Windows XP SP1 with the WPA 815485 update provides the ability to configure either WEP or WPA/WPA-PSK within the operating system using Wireless Zero Configuration. No additional utility or software is needed.

If some computers on your home network are using an operating system other than Windows XP, and if the manufacturer of your wireless card does not provide a utility to configure and provide WPA-PSK support (called a supplicant), you may be able to use third-party software, such as Funk Software's Odyssey Client for Windows.

Note: As of this writing, I've not been able to successfully use the Odyssey client in WPA-PSK mode using a Windows Millennium test laptop, but Funk has been working with me on this issue. This appears to be an issue with the Broadcom base drivers that are used for the Buffalo Technology client card and other Broadcom based cards that I tried.

Funk also is readying a WPA client for Pocket PCs, although it is unknown if this will operate in WPA-PSK mode. Macintosh users will need to wait for the release of Mac OS 10.3 (Panther) for WPA functionality. For gamers using Xbox Live with an 802.11b wireless to Ethernet bridge, it's unknown if WPA updates for these older devices will emerge. The answer to these problems for now is to use a WEP-only network segment in conjunction with WPA-PSK.

Recycle Old Equipment for a WEP-Only Segment

If you find yourself with a wireless access point or router that is not upgradeable to WPA functionality and decide to replace it with new hardware, there are two things you can do with your old hardware.

If you're like most home users, you'll want to upgrade and replace your equipment gradually. If you've purchased a new 802.11g or 802.11a/g router that supports WPA-PSK, you can simply take your old 802.11b access point (or router, if it supports turning off DHCP and NAT and can run in access point mode) and plug it into your new router to handle all of the non-WPA capable connections on your network. Here are the steps and procedures:

1. Set the SSID to something different than what you are using in your new WPA-capable access point or router. Never use the default SSID provided by the manufacturer. You can optionally turn off the broadcast of the SSID name, but this won't stop determined hackers from finding it.
2. Use a channel at least five channels away from the channel you've set on the new access point or router.
3. Set up WEP encryption, the strongest supported by all the non-WPA-capable computers and devices on your home network.
4. Set up an access control list by MAC address of all devices you want to associate with the 802.11b access point.
5. Change the default password provided by the manufacturer on the access point.
6. If required by the device, set a static IP address in the correct range (follow the vendor's directions).
7. Plug the reconfigured device into an existing Ethernet port on your router.
8. Configure each of your non-WPA-capable 802.11b computers and devices to attach to this access point by using the SSID of this device.

Build a Honeypot with Old Equipment

If you've elected to upgrade all of your equipment and do not have devices on your network that do not support WPA functionality, you can set up a honeypot to distract would-be intruders if you are in an environment prone to war drivers or neighborhood snoops. A honeypot is a fake target that deters hackers from locating your real network. Take an old 802.11b access point and:

1. Set the SSID to something different than what you are using in your new WPA capable access point or router.
2. Use a channel at least 5 channels away from the channel you've set on the new access point or router to avoid interference.
3. Place it near an outside window.
4. Plug it in to a power outlet, but don't connect it to your network.
5. Don't point any of your wireless computers or devices at this device.

You've just built a honeypot. This may engage casual (but not determined) snoops and neighbors. If you live in an area that is densely populated, you may need to experiment with channel settings because you could find that there are not enough available channels to implement this.

Looking for More WPA-PSK Help?

Enterprise wireless installations implement WEP security in conjunction with 802.1x authentication and RADIUS servers. If you work for a large company, you'll have dedicated IT personnel who configure and manage every wireless device on the enterprise network. Wi-Fi Protected Access for the enterprise resolves WEP vulnerabilities and serves to additionally fortify security. You can learn about WPA for enterprise wireless installations by visiting the Wi-Fi Alliance WPA site.

If you're looking for help configuring WPA-PSK wireless security for the wireless gear you own or are looking for opinions from other end users on what WPA-PSK-enabled hardware to purchase, Microsoft offers two newsgroups where you can post your questions and get fast online help: Microsoft Windows XP Network and the Web Newsgroup or the Microsoft Windows Wireless Networking Newsgroup. See you there!

Barb Bowman enjoys sharing her own experiences and insights into today's leading edge technologies. She is a product development manager for Comcast High-Speed Internet, but her views here are strictly personal.
