Wireless connectivity has become an essential business
tool. We expect to be able to connect wirelessly wherever we go and,
increasingly, our expectations are met. But providing wireless access
inside your SBS network is a bit different. You still generally need
to do it, but you need to take serious precautions to ensure that you
don’t compromise security.
We’ve heard arguments on all sides of the wireless security
question, from those who appear to think that simply hiding your
wireless network is all that’s required, to those who claim there is
no such thing as a secure wireless network and we shouldn’t ever use
or allow it. Well, as with most such arguments, the answer is
somewhere in the middle.
Exactly where in the middle is really about your own comfort
level and perception of risk. It is possible to implement full two-factor
authentication (TFA) for wireless connectivity, and it can be done even on
a small network if you want, and need, to spend the resources to do it.
Wireless security has come a long way from the early days of
wireless networking. Initially there was Wired Equivalent Privacy
(WEP), which came in two levels, 64-bit and 128-bit.
Unfortunately, the WEP algorithm was seriously flawed, and by 2001 there were widely
available cracking programs that let virtually anyone who wanted to
compromise WEP do so. We now believe that WEP is actually worse
than no security at all: it is so easy to compromise that it should be
considered no security, yet it gives users a false sense of
security.
WEP was replaced with Wi-Fi Protected Access (WPA), and finally by WPA2. WPA2, the Wi-Fi Alliance certification for the Institute of Electrical and
Electronics Engineers (IEEE) 802.11i standard, has two levels of security: WPA2-Enterprise and WPA2-Personal.
WPA2-Enterprise authenticates each user with IEEE 802.1X against a RADIUS server, and a
different encryption key is derived for every client session rather than one key shared by everyone. The
authentication method the 802.1X server uses can include two-factor
authentication to further increase security.
WPA2-Personal uses a Pre-Shared Key (PSK) of 8 to 63 characters in length (or a raw key of 64 hexadecimal digits), and it can use
either Advanced Encryption Standard (AES) or Temporal Key Integrity
Protocol (TKIP) encryption. TKIP provides backward compatibility with
devices designed for the original WPA standard, but it has been
compromised and we don’t recommend it. When WPA2-Personal is used with
AES and a PSK of at least 16 characters, it provides acceptable
security for most small businesses and can be easily implemented.
Another important requirement is to choose a wireless network name
(SSID) that is not the default on your wireless access point
(WAP).
The basic requirements for secure wireless access to your SBS network are
Use one or more wireless access points (not routers).
Use a static IP address (or a DHCP reservation) for the WAP.
Disable the DHCP server on the WAP.
Change the SSID of the WAP to one that is appropriate for the
network but is neither the default nor something that too clearly
identifies your company.
Change the administrative password of the WAP to a password of at least 12
characters.
Enable AES as the only encryption method.
Choose a PSK of at least 16 characters. Longer is better.
Alternately, use a USB key and Windows Connect Now (WCN) if your WAP supports it. WCN will generate a
random 64-character key.
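As an added example (not code from the original page) covering the WPA2-Personal discussion and the requirements above: the following Python derives the key that WPA2-Personal actually uses from the passphrase and SSID, accepts the 64-hexadecimal-digit raw key form that WCN produces, checks a passphrase and SSID against the PSK-length and non-default-SSID requirements, and shows the offline dictionary attack that a single captured handshake makes possible. The default-SSID list, the "SBS-Office" SSID and the wordlist are constructed for illustration; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib
import re
from typing import Iterable, List, Optional

# Constructed list of factory-default SSIDs for illustration; attackers precompute
# PMK tables for names like these, which is why the requirements say to change it.
COMMON_DEFAULT_SSIDS = {"linksys", "NETGEAR", "default", "dlink", "belkin54g"}
PASSPHRASE_RE = r"[\x20-\x7e]{8,63}"   # 8 to 63 printable ASCII characters


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key the way WPA/WPA2-Personal does:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations.
    Because the SSID is the salt, a default SSID lets attackers reuse tables."""
    if not re.fullmatch(PASSPHRASE_RE, passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def pmk_from_raw_key(hex_key: str) -> bytes:
    """A 64-hex-digit key (the form WCN writes to a USB key) is the PMK itself,
    so there is no passphrase to guess and no PBKDF2 step to attack."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", hex_key):
        raise ValueError("raw key must be exactly 64 hexadecimal digits")
    return bytes.fromhex(hex_key)


def check_psk_policy(passphrase: str, ssid: str, min_len: int = 16) -> List[str]:
    """Return the policy failures for a passphrase/SSID pair: non-default SSID
    and a PSK of at least 16 characters, as the requirements above demand."""
    problems = []
    if ssid in COMMON_DEFAULT_SSIDS:
        problems.append("SSID is a factory default; precomputed PMK tables exist for it")
    if not re.fullmatch(PASSPHRASE_RE, passphrase):
        problems.append("PSK must be 8 to 63 printable ASCII characters")
    elif len(passphrase) < min_len:
        problems.append(f"PSK is shorter than {min_len} characters")
    return problems


def offline_dictionary_attack(target_pmk: bytes, ssid: str,
                              wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does after sniffing one WPA2-Personal 4-way handshake:
    every guess is checked offline at the cost of one PBKDF2 run. A real tool
    verifies each guess against the handshake MIC; comparing against the PMK
    directly has the same cost per guess and keeps this example self-contained."""
    for word in wordlist:
        if re.fullmatch(PASSPHRASE_RE, word) and pmk_from_passphrase(word, ssid) == target_pmk:
            return word
    return None


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(pmk_from_passphrase("password", "IEEE").hex())
    # Constructed wordlist: the 8-character passphrase falls, the 28-character one does not
    words = ["letmein1", "password", "12345678"]
    weak = pmk_from_passphrase("password", "linksys")
    strong = pmk_from_passphrase("correct horse battery staple", "SBS-Office")
    print(offline_dictionary_attack(weak, "linksys", words))
    print(offline_dictionary_attack(strong, "SBS-Office", words))
    print(check_psk_policy("password", "linksys"))
```

The 4096-round PBKDF2 is the only thing standing between a sniffed handshake and the key, and it is the same cost for the attacker as for the client, so passphrase length (not the encryption cipher) is what determines how long a WPA2-Personal network survives an offline attack.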
A variety of security strategies for wireless networking have been suggested and used
over the years—some useful and some not. The following list details
our evaluation of several of these strategies:
MAC Address
Filtering This strategy allows only a statically managed
list of MAC addresses to access the wireless network. It’s a
nice idea, but it is easy to defeat: a sniffer shows the MAC addresses
of clients that are already allowed, and any wireless adapter can be
set to use one of them, because MAC addresses are trivially spoofed. Plus, a static list
of “allowed” MAC addresses is a hopeless mess to maintain
manually. All in all, it’s a complete waste of time.
SSID Hiding This strategy requires that the client know the
name of the wireless network to be able to connect to it. And
even if the network is known and configured into the Windows
client, that client must continually probe to make sure that the
network is present. This requirement causes all sorts of
problems and limits the ability of Microsoft Windows to manage
connections. The strategy is totally useless because hiding the SSID
only removes it from the access point’s beacon frames: it is still sent
in the clear in the probe requests, probe responses, and association
requests that every connecting client exchanges with the access point,
so anyone with access to the packets in the air can read it in a matter
of seconds. Broadcasting the SSID, when combined with
appropriate security, makes the network easier to manage and
easier for users as well. Hiding the SSID is another complete
waste of time.
WEP Encryption The original encryption standard for wireless, this standard uses either a 40-bit
or 104-bit key combined with a 24-bit initialization
vector that is sent in the clear. It is easily hacked by anyone with bad intentions and
will keep only the most casually curious out of your network.
WEP keys are static and must be manually
maintained: every time a user who has wireless access leaves the
organization, the WEP keys need to be changed. A network
protected with WEP alone should be considered completely
unsecured.
WPA The original WPA encryption standard is based on RC4, which can
be compromised. However, because it changes keys with sufficient
frequency and derives the new keys in an improved way as
compared to WEP, it was a significant improvement over WEP, and
it could generally be implemented without buying new hardware.
With 802.1X authentication and the appropriate
authentication method, the initial encryption keys are
automatically generated.
WPA2 The WPA2 encryption is based on AES (in CCMP mode) and is much more
secure than RC4, while the WPA2 standard incorporates additional
security measures beyond just encryption. Both Pre-Shared Key
(WPA2-Personal) and RADIUS/802.1X authentication (WPA2-Enterprise)
scenarios are supported. This is the minimum wireless security standard you should allow on
your SBS network.
IEEE 802.11i This is the underlying standard for WPA2, which
is described in the preceding bullet point.
VPNs One solution to
setting up secure wireless networks is to place the wireless network
outside your main network and use a VPN connection to the main network. This approach
has the advantage of getting around the insecurities of older
equipment, but it has inherent problems. If the external access
point is open and unsecured, it leaves the client exposed to any
other computer in range. It also imposes a performance hit and
requires a VPN connection for every client. Machine group
policies are not applied, and the overall reliability of the
connection and the administrative overhead are significant
issues as well.
IEEE 802.1X Using 802.1X as the authentication mechanism for
WPA2 encryption is an excellent solution, but
implementing it on most SBS networks isn’t realistic.
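As an added example (not code from the original page) illustrating the SSID Hiding entry above: a small Python parser for 802.11 management frames that pulls the SSID element out of beacons, probe requests, probe responses and association requests. The frames are constructed inline by a helper in the block (the BSSID and the SSID "SBS-Office" are made up), not captured from a real network. A hidden access point's beacon carries an empty or null-filled SSID element, but the first probe or association from a client reveals the name.

```python
import struct
from typing import Iterable, Optional, Set

# Management-frame subtypes (frame type 0) that carry an SSID element
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
# Bytes of fixed fields between the MAC header and the first information element:
# beacon/probe response: timestamp(8)+interval(2)+capability(2);
# association request: capability(2)+listen interval(2); probe request: none
FIXED_BODY_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}
MAC_HDR_LEN = 24           # frame control, duration, three addresses, sequence control
SSID_ELEMENT_ID = 0


def build_mgmt_frame(subtype: int, ssid: Optional[bytes],
                     bssid: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed-frame helper for the example (not a capture): MAC header, the
    subtype's fixed fields, an SSID element and a Supported Rates element.
    ssid=None emits the zero-length SSID element a 'hidden' AP puts in beacons."""
    frame_control = struct.pack("<H", subtype << 4)   # protocol version 0, type 0 (management)
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b"\x00" * FIXED_BODY_LEN[subtype]
    ssid_bytes = b"" if ssid is None else ssid
    body += bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([1, 1, 0x82])                        # Supported Rates: 1 Mb/s (basic)
    return header + body


def ssid_from_frame(frame: bytes) -> Optional[str]:
    """Return the SSID carried by a management frame, or None when the frame is
    not one of the subtypes that carry it, or the element is empty/null-filled."""
    if len(frame) < MAC_HDR_LEN:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_BODY_LEN:
        return None
    pos = MAC_HDR_LEN + FIXED_BODY_LEN[subtype]
    while pos + 2 <= len(frame):                       # walk the (id, length, data) elements
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if eid == SSID_ELEMENT_ID:
            if elen == 0 or data == b"\x00" * elen:
                return None                            # "hidden": beacon carries no usable name
            return data.decode("utf-8", errors="replace")
        pos += 2 + elen
    return None


def ssids_seen(frames: Iterable[bytes]) -> Set[str]:
    """Sweep a capture: the hidden name appears as soon as any client probes or joins."""
    return {name for name in map(ssid_from_frame, frames) if name is not None}


# Constructed "capture": a hidden AP's beacons plus one client probing and associating
HIDDEN_BEACON = build_mgmt_frame(BEACON, None)
NULL_BEACON = build_mgmt_frame(BEACON, b"\x00" * 10)   # some APs pad instead of emptying
CLIENT_PROBE = build_mgmt_frame(PROBE_REQ, b"SBS-Office")
AP_PROBE_RESP = build_mgmt_frame(PROBE_RESP, b"SBS-Office")
CLIENT_ASSOC = build_mgmt_frame(ASSOC_REQ, b"SBS-Office")
CAPTURE = [HIDDEN_BEACON, NULL_BEACON, CLIENT_PROBE, AP_PROBE_RESP, CLIENT_ASSOC]

if __name__ == "__main__":
    print("beacon SSID:", ssid_from_frame(HIDDEN_BEACON))   # None: hidden
    print("names seen in capture:", ssids_seen(CAPTURE))    # {'SBS-Office'}
```

Point the same element walk at frames from a monitor-mode capture and the hidden name turns up in the first probe request a configured Windows client sends, which is exactly the continual probing the text describes.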
We know some of these points are a bit controversial, but we
also think that it’s possible to allow wireless clients on your
internal SBS network. But only if you set realistic minimum
standards and don’t use ineffective “security” measures that provide
a false sense of security while actually doing little, if anything,
to protect you from an attack.