Securing Wireless Networks
Wireless technology is very popular; however, there is common concern over how secure it really is. It is true there are imperfections in some features of wireless technology, but it is also true that you can set up a wireless network that is adequately secure—especially for a library.
There are many different features to look at involving wireless technology. Understanding these features and other common security practices will provide you with enough knowledge to determine the best configuration for your network. When reading this section, it is important to keep in mind that wireless security approaches are implemented on different layers. While each layer may only allow you to choose one approach, a wireless security configuration may utilize various features throughout multiple layers.
Wireless Network Architecture
An access point is the same as a 10/100 BaseT hub except that it connects using an antenna instead of wires. Wireless network cards are installed on workstations to connect to the access points. An access point almost always has at least one 10/100 BaseT port so that it can be connected to a wired network if needed. Access points can also be used to route or bridge to other access points, which allows wireless networks to extend their range.
An ad hoc network is one that doesn't use access points. It is more commonly used for smaller workgroup configurations. A small office with five computers may utilize an ad hoc configuration. In such a configuration, all workstations communicate with each other through their wireless network cards.
Security Features Out-of-the-Box
Most access points these days have a number of security features available, but by default, they are almost always turned off. This is one of the main reasons wireless networks can be so insecure. More often than not, they are configured with default out-of-the-box settings, which mean there is no security at all. Each feature has a weakness, but by using a combination of some or all of the features, you can make a wireless network very secure—secure enough for almost any library environment. The type of wireless security features implemented can widely vary depending on the size and needs of a library. Many of the out-of-box solutions in this section are optimal for smaller libraries with limited IT staff. Please see the section on "Public Wireless Access for Enterprise Solutions" for larger scale solutions.
After connecting to an access point for the first time, the first security consideration should be renaming the default password. Without other security features enabled, anyone could guess the default out-of-box IP address assigned to an access point and then have full administrative access to it. Not changing the default password on an access point is equivalent to leaving your front door open.
The SSID is a 7-digit alphanumeric identifier that is set on the access point. When a client connects to an access point, it transmits a SSID to associate itself with that network. There are two modes, closed and open. In open mode, any client can connect to the access point regardless of what SSID it has. In closed mode, a client must have the correct SSID to connect. There is also a common setting that determines whether or not an access point is to advertise its SSID. By default, most access points use their company name as the SSID (i.e. "linksys" or "3COM"), are in open mode and will advertise their SSID. Therefore, to optimize maximum security using the SSID feature, you should:
- Change the default SSID
- Set the SSID mode to closed
- Set the access to not broadcast/advertise its SSID
Complying with all the above steps is not a foolproof security solution. The SSID is transmitted in clear text unless encryption is enabled (see section on encryption). It is unlikely but possible for someone with the correct knowledge and tools to reveal an SSID.
WEP (Wired Equivalency Protocol) Encryption
WEP is a protocol that encrypts data sent back and forth between the access point and a client. WEP can be enabled at two different levels: 40-bit and 128-bit. Encryption keys (passwords of a sort) can be defined on the access point. One or more keys entered on the client must match those configured on the access point in order to connect. Once connected, the data is then encrypted. This prevents someone from using a packet sniffer program to retrieve data and review its contents.
WEP has security flaws. Articles have been published outlining its weaknesses. Additionally, there are readily available tools that can crack encryption keys. Therefore, using 128-bit encryption compared to 40-bit is not necessarily important. Despite its weaknesses, WEP offers yet another line of defense from attackers breaking in to a network. Because there are so many wireless networks out there with even less security, the average hacker will more likely move on to one of those rather than spend time infiltrating one with WEP.
WPA & WPA2 (Wi-Fi Protected Access) Encryption
WPA (and its more hack-proof successor WPA2) encryption was developed in response to serious weaknesses researchers had found in WEP enryption. WPA2-PSK (Preshared Key) is the strongest and most practical form of WPA because it uses the much stronger AES (Advanced Encryption Standard) protocol for encrypting packets. The encryption key may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits. This means that, unlike WEP encryption, WPA2 offers 256-bit encryption.. To protect against current brute force attacks, a truly random passphrase of at least 20 characters should be used, and 33 characters or more is recommended.
For information on how to generate random hard-to-hack passwords, see this site.
MAC Address Filtering
Most access points offer a feature that defines which clients may connect determined by their MAC address. A MAC address (media access layer) is a hard-coded identifying address on a network interface card that is different from an IP address. A MAC address is usually static and never changes—even when the card is removed from the computer. With MAC address filtering turned on, a workstation will not be able to connect unless its MAC address has been defined on the access point. This security feature is useful in smaller networks, although keeping a list of updated MAC addresses for a large network can be too difficult to manage.
Although the list of accepted MAC addresses is difficult, if not impossible, to extract from most access points, it is possible but unlikely for someone with the right tools and knowledge to discover one of the MAC addresses already in use on a network. An attacker could then configure a workstation to masquerade as a legitimate workstation with the "stolen" MAC address.
Public Wireless Access for Enterprise Solutions
When wireless access is to be provided to the public on a large scale, the out-of-box security solutions described above become impractical. Encryption passwords can't be provided to the public because anyone can share them, and VPN technology can be a technical nightmare for user account administration and technical assistance for setup. Instead, large scale public access solutions commonly use a form of MAC address registration. These solutions are usually programmed by IT Engineers or third party vendors; however, there are some newer products that offer programmable out-of-box solutions.
Because these implementations are usually customized, it is hard to pinpoint an exact architecture; however, there are certain features that these solutions share in common:
When a new wireless public access user connects, the system needs to determine if the user's MAC address is registered or not. If it is not registered, the system has to have some way to deny access to the user until s/he registers. This can be done in various ways. One is to give a DNS server setting through DHCP that only resolves addresses to a registration page. This way, a user who is not yet registered is automatically forwarded to a registration page.
Registration can be done various ways as well. It is basically a process of associating a MAC address with a user account, library card number, or some other kind of user identification. Once the user has registered, the library then has a record of whom the MAC address belongs to and can trace any malicious activity detected on the network through that MAC address.
Now, with a registered MAC address, the system can let the user fully access the wireless system. This is done by removing the restriction that was created when the MAC address wasn't registered. In the example above, a "real" DNS server would be assigned through DHCP.
Most people agree that the best method of securing your wireless network is by using a combination of the suggestions above. However, the most effective strategy would be to use VPN technology. If a library has data sensitive enough to necessitate higher security than what is provided out-of-box, then VPN technology is probably the answer. To set up such a solution, access points need to be placed in the DMZ (open to the Internet) which are then connected to a VPN server. A wireless workstation connects to the VPN server using the access point and then "tunnels" into the network. The VPN client takes care of the password and data transmission encryption. For more information on VPN technology, see Virtual Private Networking: An Overview.
Other Encryption/Authentication Options
Another method to protect highly sensitive data is by using a RADIUS server to handle authentication and encryption. In this method, authorization software is loaded onto the wireless client. Upon initial communication with an access point, the client software will prompt the user to enter their network credentials, such as a login/password. This information is then forwarded to a RADIUS server via the access point. The RADIUS server processes the authentication request and either allows or denies the workstation from connecting. Under RADIUS, various authentication methods can be used, such as PAP/CHAP and non-reusable One Time Passwords. Upon successful authentication, a set of encryption keys is negotiated between the access point and the client for the duration of the session. This way, the keys are always changing. In the event that a particular session key is compromised, only data captured during that session is vulnerable.
Some access points come with a built-in RADIUS server.
Physical Placement Considerations
As you do your site survey for access point deployment, think about locating the access points toward the center of the building rather than near the windows. Plan your coverage to radiate out to the windows but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside your building, making it easier for people to find you.
Next: Remote Access Security