Having a wireless network in your enterprise is a lot like putting the best locks on your front door but leaving the basement window to the back of your home open. You are inviting trouble, even though you think no one will notice the way into your home. Wireless networks have inherent design flaws that make them wide open for attack and compromise. Making them secure for your organization will take some effort.
All wireless networks include some kind of encryption to keep unauthorized users out of your network and authorized ones in. The trouble is, most people don't make use of these encryption tools -- nearly half of the networks surveyed by the ExtremeTech.com analysts driving around major U.S. cities were found to have no encryption whatsoever. This doesn't bode well for security, especially when you consider that a DHCP server has many access points built in. Anyone driving by your office building -- or even parked in your parking lot -- can easily grab an IP address from your DHCP server and gain access to your network without anything more than a standard laptop and a wireless network adapter. They don't need any special software, they don't need any special skills, and your firewalls and all of your enterprise security probably won't even detect that they are inside your network. The practice is called war driving, by the way, and it has become a popular sport in many cities to see how many unprotected networks can be found.
So, how do you protect
First, you need to connect to your access point via a wired connection and set up its security features. And do it today, before you forget. Each access point has a different way of doing this: Some make use of built-in Web browsers (like the 2Wire and Farallon products), while others come with a Windows or Mac-based installation program that will set this up for you. You will need to set up the following three pieces of information: the SSID, the wireless encryption protocol (WEP) key and the key length.
For purposes of demonstration only (this isn't a recommendation as there are dozens of products out there -- for a complete list, go to http://www.practicallynetworked.com/pg/wireless_guide_index.asp
), I will use the Farallon Wireless Broadband Gateway box as my example. This box has a simple Web interface and is easy to illustrate what you have to do to configure its security properly. On the Farallon box, you need to connect via a Web browser using a default IP address of 192.168.0.1. Go to Configure | Wireless and you'll see an entry for the SSID, the choice of 128-bit WEP key and Shared Key items (meaning that everyone is going to use the same key) and a bunch of numbers for the key itself. You'll need to remember this bunch of numbers and copy these down. Don't pick a key based on your telephone number, street address, or any other identifying characteristic, and while you are at it, don't use these values for the SSID either.
One other matter: You should disable the DHCP server on the access point (if it comes with one), and set up your own series of private IP addresses, using something other than the default address range that came with the access point. This is an extra security measure and some trouble, but worthwhile if you want to protect your network.
You'll also notice that there is one other selection at the bottom of this screen, and that is an additional security feature. You can restrict only certain users with this access point, or you can allow anyone to connect, provided they know the shared key. That is your choice. Obviously, the more you restrict things, the more secure your network will be, but also the more difficult it will be to set up for legit users.
Once you have set up your access point, you'll need to finish up the configuration. Which operating systems you are running will depend on what you do. If you are running Windows XP, it will automatically tell you the access points that you can connect to and their SSIDs. That is a handy feature, but it can be too handy if in the wrong hands, which is why you need to turn on that encryption key.
Go to your Wireless Network configuration screen on the computer with the wireless adapter running XP. You need to highlight the access point name, click Configure, and you'll see two check boxes: WEP enabled and shared mode. You should check both of these. Next, you need to enter the shared key you typed in earlier when you were setting up the access point. Note that sometimes the choices here don't necessarily match. On my Farallon access point, I had choices of key lengths of none, 64 bit or 128 bit keys. XP offers selections of either 40 bits or 104 bits. These are actually the same, just expressed differently. You'll notice that the number of digits typed into the key field on the Farallon correspond to the number of digits shown by XP in parenthesis here (five or 13 characters).
One final thing: Click on OK, and go to the Authentication tab on the Wireless Properties screen, and make sure that the box is checked next to "enable network access control using IEEE 802.11x." If all goes well, you should be able to connect to the access point and wirelessly roam about your enterprise. XP will notify you on the taskbar when it connects to a wireless access point.
If you are running earlier versions of Windows, you will need to know the SSID of your access point to connect to it properly and also the encryption key itself to enter in the appropriate screen. You'll also need the right driver for your wireless network adapter: One of the nice things about XP is that it can operate with many adapters without having to find that driver disc. Make sure that you enable the same key length in your computers as you used in your access point, and hopefully you can make use of the stronger and longer key lengths for improved security.
But you aren't completely done. You should do one more thing, and that is to put on your "hacker" hat and make sure that your network is properly protected. Maybe one of your colleagues has brought in their own access point when you weren't looking. Or maybe you didn't really turn on encryption when you thought you did. You should periodically scan your network interior with a product like NetStumbler.com and make sure that no one can gain access. This piece of software is freely available from their Web site and simple to use. If you come into range of a wireless access point, NetStumbler will pick it up and let you know several things: whether the access point has encryption turned on or not, what its Media Access Control address is, the name of the network or vendor, signal strength and other parameters. What it won't tell you is the packet stream coming from that access point -- but that is easily enough accomplished with other "sniffing" tools that you can load on your laptop such as Ethereal.com and various commercial packet capture products (which can be found here: http://www.packet-level.com/products.htm
Going wireless is a great way to roam about your enterprise. But make sure you protect your network properly, and keep the war drivers out.
About the author
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995, he has written a weekly series of essays on Web technologies and marketing called Web Informant. His second book, entitled "Home Networking Survival Guide," is available through TechTarget's Digital Guru bookstore
. You can send him e-mail at firstname.lastname@example.org.
This was first published in November 2001