Thursday, July 22, 2010

The Best Security for Wireless Networks

Securing a wireless network isn’t a hard task. The cheat sheet is relatively small. However, the technical press continues to be flooded with articles and blogs containing technical mistakes.
Take, for example, everyone’s trusted information source, Consumer Reports Magazine. I’m a big fan of the magazine, having subscribed to the hard copy edition for years. But they seem out of their league, when it comes to computers.
On August 6, 2009 a blog posting at the magazine’s website suggested using WEP security for wireless networks. This is very poor advice. A week after the posting, an editor corrected it, to say they recommend WPA security. This too, is not the best option. Even after being shamed into a correction, they still got it wrong. So, let me try to offer up just what most people (and Consumer Reports) need to know about securing a wireless network.
Starting at the Beginning
To begin with, there are four types of Wi-Fi networks (A, B, G and N). But the security is not tied to any one type. If you can connect to a wireless network without entering a password, then there is no security. In this context, the term “security” refers to encrypting data as it travels over the air.
The idea being to prevent a bad guy from capturing all the information coming into and out of a victims’ computer and, in effect, looking over their shoulder despite being a few hundred feet away. Wi-Fi networks offer three security options: WEP, WPA and WPA2. As a simplistic introduction, think of WEP as bad, WPA as just fine and WPA2 as great.
WEP is the oldest security option and it has been shown to be very weak. It may be better than no security at all, but not by much. Don’t use it. Other than Consumer Reports magazine, the last recommendation to use WEP was issued in 2005.
WPA is technically a certification, not a security standard, but since it includes only one security protocol, TKIP, they are often confused. When people refer to WPA security, they are really referring to the TKIP protocol.
The combination of WPA and TKIP is not the best, but it’s reasonably good. If you have a choice, you should opt for the best security (next topic), but if you don’t have a choice (more later) TKIP is reasonably strong.
WPA2 is also, technically, a certification rather than a security standard. WPA2 includes two security standards: TKIP and CCMP. If you are using TKIP, it doesn’t matter whether the router is WPA or WPA2. TKIP is TKIP either way.
The best security option is CCMP and it’s only available in WPA2, so, here again, the security protocol is often confused with the certification. When people refer to WPA2 security, they are really referring to CCMP.
But no one refers to CCMP (don’t ask what it stands for). For whatever reason, the CCMP security protocol is referred to, incorrectly, as AES. So, when you are configuring a router, you need to first select WPA2, then you need to select AES (rather than TKIP) to get the best possible security and encryption.
The TKIP security protocol (often referred to as WPA) is flawed. The first flaw came to light in November 2008, the second one just last month. But neither flaw is serious.
The first flaw can be defended against simply by disabling Quality of Service (QOS) in your router. Very few people make use of QOS.
The second flaw was described by security expert Steve Gibson as mostly theoretical. For example, it requires that the victim’s computer be out of radio reception range from the router. The bad guy has to connect to the router on one side and the victim on the other side. The bad guy has to be logically and physically positioned between the victim and the router.
Neither flaw lets the bad guy recover the password and they only support decrypting very small data packets. None of these small packets will contain any of your data.