Updated: March 15, 2013

Guide to Wireless Security Basics

Security in Wireless Home Entertainment Systems


Security in wireless networking is becoming more critical as the use of wireless technology is increasing in popularity. This security issue applies irrespective of whether it is a laptop connecting to a wireless network, or setting up a wireless digital media player as part of a home entertainment solution.

In this article, we look at the basics of wireless security, WEP, WPA, and WPA2 encryption protocols. We also explain what WPS is all about and list a few simple steps you can take to help secure your wireless networking.


 

Roku 3 1080p Streaming Player

Roku 3 Wireless Streaming Player
(available from amazon)

Definitely the best wireless streaming player presently available on the market...

It serves more than 750 channels; that's more content than anyone else. Performance is super-fast, and there is also a superb user interface. Other features include dual-band Wi-Fi operation, and an innovative remote control that includes a headphone jack for private listening!

There often comes a time when you will want to set up a wireless media player or put in place a wireless internet-enabled entertainment system because of the various advantageous associated with wireless connectivity.

In particular, there is the added convenience and flexibility of doing away with long interconnecting cables. At the same time, you do not want hackers from tapping into your home network to steal personal information or damage your system.

Unfortunately, the level of security associated with wireless networks is inherently less than that of wired systems. Wired-LANs are somewhat protected by the natural access constraint of their structure - in particular if all parts of a wired network resides inside a building protected from unauthorized access. Wireless LANs, being over radio, do not have the same physical access constraints. This renders wireless LANs more vulnerable to tampering than wired networks.

For this purpose, a number of security protocols were devised to provide an acceptable level of wireless security when transmitting data over radio, by encrypting the data contents over the wireless link. All wireless network gear, irrespective of whether that being a home router, a wireless media player, etc., supports various wireless security protocols intended to make it more difficult for network hackers to tap into your home network. We are saying 'difficult' rather than 'impossible' simply because for the experienced hacker, tapping into someone else network is not impossible; it is true that it can be time-consuming but...

Article continues after this advertisement.



Wireless Security Basics: WEP and WPA/WPA2 Encryptions

WEP

Virtually, all wireless equipment supports a wireless security feature referred to as WEP bit encryption. WEP - short for 'Wired Equivalent Privacy', is a data encryption technique for wireless local area networks (WLAN), defined in the 802.11 standard.

WEP is the original standard for wireless security. It was designed to supposedly provide the 'same' level of security as that of wired local area networks (LANs) by scrambling the information passed between wireless devices. A hacker attempting to tap into your WEP-enabled wireless network would find only meaningless bits. However, the wireless access point and the client device would share an encryption key that is used to scramble and descramble the encrypted information.

There are various levels of WEP encryption - depending on the number of bits within the encryption key; the latter can be 64-bit, 128-bit or even 256-bit. The higher the number of bits, the more difficult it will be to decipher, but actual data throughput will suffer as there is more payload for the same amount of data.

One should be aware that although WEP do provide a significant level of wireless security - especially at 128-bit and 256-bit encryption, nevertheless it is not 100% secure. There are a number of open source utilities that hackers can use to break a WEP encrypted network in minutes. In other words, if a hacker can receive packets on a WEP protected network, it is only a matter of time till the WEP encryption is cracked.

At the same time, it is a fact that while WEP is not perfect, yet with so many unprotected networks, simply having it enabled is often enough to send a hacker away to search for an easier target.

WPA, RSN, and WPA2

Wi-Fi Protected Access - or WPA, is an enhanced encryption technique created by the Wi-Fi Alliance to provide improved wireless security over WEP. It is an early version of the 802.11i standard rectified by the IEEE in June 2004; the latter defines the security mechanism for wireless networks after it was shown that WEP has severe wireless security weaknesses. WPA was mainly designed as an intermediate attempt to provide improvement to WEP by implementing in-the-field firmware upgrades to existing 802.11 gear.

WPA covers a subset of the defined security mechanism in the final 802.11i standard. WPA was followed by a full implementation of the IEEE 802.11i with the introduction of the WPA2; this is based on the concept of a Robust Security Network or RSN.

In RSN based systems, wireless devices need to support additional security capabilities. A fully compliant RSN network is incompatible with existing WEP equipment, though in the transitional period, WEP equipment will still be supported.

WPA

WPA employs authentication via user ID and password and uses more sophisticated techniques to protect data passing over a wireless link. It distributes different keys to each user; however, it can also be used in a less secure 'pre-shared key' (PSK) mode, where every user is given the same pass-phrase.

The PSK can be anything using an 8 to 63 character passphrase. It may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken fairly easy by experienced hackers using easily available programs. It is therefore essential to select a 'good' difficult-to-break passphrase, or preferably enter a full 64-character hexadecimal key for improved wireless security.

WPA makes use of a Temporal Key Integrity Protocol or TKIP, to constantly change the encryption key. This dynamically changing of keys makes the WPA/TKIP solution more difficult for a hacker to break the key.


The 802.11i standard allows for various network implementations and while it can use TKIP as a wireless security protocol, yet by default, RSN based systems use the Advanced Encryption Standard (AES); this is the preferred algorithm in 802.11i and in WPA2.


WPA2

WPA2 is the Wi-Fi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES block cipher and the  Counter-Mode/CBC MAC Protocol (or CCMP encryption protocol) as mandatory. It is this that provides for a stronger, scalable wireless security solution. Instead, WEP and WPA use the RC4 stream cipher, and while WPA can be implemented through a firmware upgrade to a WEP device, WPA2 would require a hardware upgrade as well.

RC4 stream cipher makes use of a 128-bit key and a 48-bit initialization vector (IV). However, one major improvement in WPA over WEP is in the handling of the encryption key. Whereas WEP uses the same key, WPA makes use of a temporary key - thanks to the use of TKIP, thus making it more difficult for a hacker to break the system.

AES-CCMP introduces a higher level of security than RC4-based systems by providing protection for the MAC protocol data unit (MPDU) and parts of the 802.11 MAC headers. This protects even more of the data packet from eavesdropping and tampering.

The CCMP encryption protocol used in AES is equivalent to TKIP in WPA. RSN based solutions - like WPA2, defines a hierarchy of limited life keys, similar to TKIP. And like TKIP, master keys are not used directly in CCMP, but are instead used to derive other keys.

The end result: WPA2 encryption is much harder to break than WPA even though the latter already provides significant wireless security improvements over WEP-based devices.

WPS: Wireless Security Configuration Made Simple!

Many home users who know little of wireless security often feel intimidated at the thought of configuring security on their home network and associated connected wireless devices. This is due to the different security options often supported by Wi-Fi certified gear.

For this purpose, in January 2007, the Wi-Fi Alliance officially launched the Wi-Fi Protected Setup, or WPS protocol, to provide a standard that simplifies the establishment of a secure wireless home network. It is also for this reason that the WPS protocol was originally referred to as 'Wi-Fi Simple Configuration'.

WPS emphasis is placed on a user-friendly setup while ensuring security. In order to achieve its objective, the WPS protocol defines three types of devices in the network:

Registrar: A device with the authority to issue and revoke credentials to a network. In a typical home application, this is often integrated into the Wireless Access Point or AP, and takes the form of a wireless router with integrated AP and Ethernet switch.

Enrollee: The device that is seeking to join the wireless network.

Authenticator: This is the AP functioning as a proxy between a Registrar and an Enrollee.

It is not the scope of this article to explain how these devices inter-operate in a WPS scenario. However knowing of their existence will help you better understand how WPS manages to achieve its goal of user usability while ensuring network security.

Usability is ensured thanks to four simple setup modes - or possible setup choices as defined by WPS - that provide the user with a simple way of adding a new device to a secure home network. These setup options are:

PIN Method:
A PIN (Personal Identification Number) has to be read from either a sticker on the new wireless client device (the Enrollee), or a display if there is one, and entered at the Registrar of the network, which in the case of a typical wireless home network, is the wireless access point. Every Wi-Fi Protected Setup certified product must support this setup mode.

PBC (Push Button Connection) Method:
In this case, all that the user has to do is to push a button (physical or virtual) on both the AP or the Network Registrar, and the new wireless client device (Enrollee).

NFC (Near Field Communication) Method:
Here, the user has to bring the new wireless device close to the Access Point or Network Registrar to allow for what is referred to as Near Field Communication between the devices. Near field communication relies on the use of very short range (typical 4 inches), high frequency transmission, to enable a secure mode of exchange of data between wireless devices during the setup process.

USB Method:
In this case, the user uses a USB stick to transfer data between the Network Registrar or AP, and the new wireless device; this method is not covered by the WPS certification, and like the NFC method, is optional.


Wireless Security is preserved as in each of these four possible setup modes, the WPS protocol requires that exchange of security information between the wireless device seeking to join the network and the network registrar or AP, is triggered only by a specific user action. In other words, once device identification takes place at both ends of the wireless link, exchange of security information between the two requires a human trigger to initiate the actual setup session.


Basic Steps in Securing a Wireless Network

What follows are just a few simple basic steps in wireless security - listed in order of importance - you can take to help enhance the security of your wireless networking activity.

Blue bullet

By default, encryption is switched off. Turn it ON. Use WPA2 whenever possible; alternatively opt for WPA as the next best wireless security encryption. WEP is better than nothing.

Blue bullet

Change default passwords required to access wireless devices. Default passwords represent an easy crack for hackers.

Default passwords are set by product manufactures to enable you to access the system on first log-on, but these should be changed once you set up your system to prevent hackers from accessing your network. By simply changing these passwords, you will be doing a lot towards enhancing your wireless security

Blue bullet

 

Change the default SSID (Service Set Identification), or network name used to identify your network.

Hackers know the default names of the different brands of equipment; furthermore, default SSIDs - like default passwords - may serve as an indication for hackers that a network is easy to tap in.

Change default SSID to something that would make it easy for the respective users to find the correct network, BUT that at the same time, would still be difficult for a hacker to guess. In other words, do not use a name that is easily associated with you!

Blue bullet

 

Disable file and print sharing - if not needed.

Disabling the print/file sharing feature can limit a hacker's ability to steal data from your computer in the event s/he manages to get past the encryption.

Blue bullet

 

Limit radio coverage of your Access Points to the desired area only whenever possible.

Any wireless signal spilling outside your desired coverage area represents an opportunity for hackers to get access to your network without entering your home!

Use directional antennas at the perimeter of the covered area to direct your broadcast inward, and do not use more radio power than necessary to avoid signal leakage outside the required access zone.

Blue bullet

 

Use a firewall especially between wired and wireless segments of the network to prevent anyone breaking your wireless network from hacking your wired network.

The following wireless security measures - while ineffective against determined experienced hackers - may still serve a useful purpose against the majority of inexperienced opportunistic users. Furthermore, these may also force experienced hacker to move elsewhere and find an easier target! 

Disable the SSID broadcast:
Hiding the SSID may help prevent unauthorized access from the casual opportunistic user since a user need to know the SSID to connect to a network.

Enabling MAC address filtering:
MAC address filtering will prevent the casual users from connecting to your network by maintaining a list of allowed MAC addresses that can access your network.

At the same time, it is important to keep in mind that hiding the SSID, or enabling MAC filtering alone does not provide sufficient wireless security in that it will not prevent anyone from reading the data transmitted over your wireless network, only encryption will do that.



people like Practical-Home-Theater-Guide.com



Visit Practical Home Theater Guide at Google Plus Visit us at Google Plus


Recommended Guides to Wireless Home Networking

Suggested reference books for your home networking