Wi-Fi wireless network security (802.11 or WiFi)

October 2016

Adapted infrastructure

The first thing to do when a wireless network is installed is to place the access points in reasonable locations depending on the desired area of coverage. However, it is not uncommon to find that the covered area ends up being larger than desired, in which case it is possible to reduce the access terminal's strength so that its broadcast range matches the coverage area

Avoid using default values

When an access point is first installed, it is configured to certain default values, including the administrator's password. Many novice administrators think that once the network is operational, there is no point in changing the access point's configuration. However, the default settings offer only a minimal level of security. For this reason, it is vital to log in to the administration interface (generally via a web interface or by using a particular port on the access terminal), especially to set an administrative password.

What's more, in order to connect to an access point, it is necessary to know the network identifier (SSID). This is why it is strongly recommended to change the default name of the network and to deactivate broadcasting the name on the network. Changing the default network identifier is all the more important because it can, if left unaltered, give hackers information on the brand or model of the access point being used.

Filtering MAC addresses

Every network adapter (the generic term for a network card) has its own physical address (called a MAC address). This address is represented by 12 digits in hexadecimal format, split up into two-digit groups separated by dashes.

The configuration interfaces of access points generally allow them to keep a list of access permissions (called the ACL, for Access Control List) based on the MAC addresses of the devices authorized to connect to the wireless network.

This somewhat restrictive precaution allows the network to limit access to a certain number of machines. However, this does not solve the problem of securing data transfers.

WEP - Wired Equivalent Privacy

To solve transfer security issues on wireless networks, the 802.11 standard includes a simple data encryption mechanism called WEP (Wired equivalent privacy).

WEP is an 802.11 data frame encryption protocol that uses the symmetrical algorithm RC4 with 64-bit or 128-bit keys. The concept of WEP involves setting a secret 40-bit or 128-bit key ahead of time. This secret key must be declared on both the access point and the client machines. The key is used to create a pseudo-random number of the same length as the data frame. Each data transmission is encrypted this way, by using the pseudo-random number as a "mask"; an "Exclusive OR" operation is used to combine the frame and the pseudo-random number into an enciphered datastream.

The session key shared by all stations is static, which means that to deploy a large number of WiFi stations, they must be configured using the same session key. Therefore, knowing the key is all that is needed to decrypt the signals.

Furthermore, 24 bits of the key are used only for initialization, which means that only 40 bits of a 64-bit key, or 104 bits of a 128-bit key, are actually used for encryption.

For a 40-bit key, a brute force attack (which tries all possible keys) might not stop a hacker from quickly finding the session key. Also, a flaw detected by Fluhrer, Mantin and Shamir in the generation of the pseudo-random stream makes it possible for the session key to be discovered by storing and analysing 100 MB to 1 GB of traffic.

Therefore, WEP is insufficient for actually ensuring data privacy. Nevertheless, it is strongly recommended to use at least a 128-bit WEP key to ensure a minimum level of privacy. This can reduce the risk of intrusion by 90%.

Improve authentication

In order to more effectively manage authentication, authorization, and accounting(AAA for short), a RADIUS server (Remote Authentication Dial-In User Service) may be used. The RADIUS protocol (defined by RFCs 2865 and 2866) is a client/server system which lets user accounts and related access permissions be centrally managed.

Setting up a VPN

For all communications which require a high level of security, it is better to use strong encryption of data by installing a virtual private network (VPN).

Related :

Seguridad de red inalámbrica Wi-Fi (802.11o WiFi)
Seguridad de red inalámbrica Wi-Fi (802.11o WiFi)
Die Sicherheit der drahtlosen Wifi-Netzwerke (802.11 oder Wifi)
Die Sicherheit der drahtlosen Wifi-Netzwerke (802.11 oder Wifi)
Sécuriser un réseau WiFi
Sécuriser un réseau WiFi
La sicurezza delle reti senza fili WiFi (802.11 o WiFi)
La sicurezza delle reti senza fili WiFi (802.11 o WiFi)
A segurança das redes sem fios Wi-Fi (802.11 ou WiFi)
A segurança das redes sem fios Wi-Fi (802.11 ou WiFi)
This document entitled « Wi-Fi wireless network security (802.11 or WiFi) » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.