STEP 3: Use WPA If You Can, but Use WEP Rather Than Nothing
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access, and WPA's follow-on, WPA2, each provide a cross-vendor framework for access control and for securing and encrypting data sent between a wireless AP and a wireless client. You should enable WEP or WPA for every wireless AP deployment. When you have a choice between the three technologies, choose WPA2 over WPA over WEP. WEP has serious flaws in its design and implementation, and numerous tools can crack the WEP encryption key and defeat its security.
WEP's replacement, WPA, is based on a subset of the IEEE 802.11i standard, and WPA2 is based on the final IEEE 802.11i standard. WPA offers a number of techniques and options, such as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES), that improve key management and encryption methodologies. Most current wireless APs support WPA, and some older models let you upgrade the firmware to add WPA support, so be sure to check with your vendor. However, keep in mind that you can choose WPA only if both your AP and every client that you want to connect to it support WPA.
WEP and WPA encrypt the data sent between your AP and remote clients. In simple terms, a key (i.e., a string of characters) that's known by both the wireless AP and the client is used to encrypt and decrypt the data sent between the devices. An attacker who gets a hold of this key can decipher data communications between the wireless AP and a client or possibly connect to the wireless AP.
A major shortcoming of WEP is that you must manually enter the actual key used for encryption on both the wireless AP and the client. This is a laborious process and most people enter a key once and never change it. Because of other flaws in WEP, determined attackers can crack this key, then use it to access the wireless AP or decrypt data sent between the wireless AP and legitimate clients. Because the key doesn't change automatically, the attacker could access data for long periods of time until someone manually changes the key.
WPA corrects this deficiency by adding features for key management. Like WEP, a key is used to encrypt the data. However, you enter a key once, and WPA subsequently uses this key to generate the actual key that encrypts the data. And WPA automatically regenerates the key periodically. This means that even if an attacker gets lucky and cracks an encryption key, the key is useful only until the wireless AP and client change the key automatically. By default, the Linksys wireless AP changes the encryption key once an hour.
By default, older versions of the Linksys AP set Wireless Security to Disable. To enable security, click Wireless Security on the Linksys firmware's Wireless tab. In the Security Mode drop-down box, select your desired wireless security configuration. The older versions of the Linksys AP support security modes named WPA Pre-Shared Key, WPA RADIUS, RADIUS, and WEP. In the newest version, WPA Pre-Shared Key and WPA RADIUS are renamed WPA Personal and WPA Enterprise, respectively, and WPA2 has been added. Most other vendors support the same technologies, but they might have slightly different names.
The best setting for small office/home office (SOHO) users is WPA Pre-Shared Key (WPA-PSK), or WPA Personal, because it offers the strong security of WPA and easy configuration. Midsized and large businesses will be better served by Linksys's WPA RADIUS (WPA Enterprise) option, which requires a Remote Authentication Dial-In User Service (RADIUS) server—although these users might want an enterprise-class AP instead of an entry-level model like the one described in this article. For more information about WPA RADIUS, see the "Advanced Authentication" sidebar. Linksys's RADIUS option, like the WEP option, is mostly for legacy deployments, meaning that you should choose it only if you have wireless clients that don't support WPA.
To configure the Linksys for WPA-PSK, select the WPA Pre-Shared Key option, as Figure 2 shows. The Linksys AP supports two WPA algorithms: TKIP and AES. TKIP is a stopgap measure that was designed to solve many of WEP's problems until the next generation of WPA (WPA2) was widely released. Although TKIP uses the same encryption algorithm as WEP, it addresses many of WEP's weaknesses by dynamically changing the key used to encrypt the data, encrypting configuration data that's clear text in WEP, and including a message integrity check. AES is a newer encryption algorithm that's exceptionally strong and supported in the WPA2 802.11i standard implementation but might not yet be supported on all hardware or software. Select AES if you can.
Next, enter a WPA Shared Key. You'll need to enter the same key on any clients you want to connect to the Linksys AP. Choose a long, hard-to-guess key. Linksys supports as many as 63 characters, and I recommend a key at least 20 characters long.
The Group Key Renewal field specifies how often (in seconds) the automatically generated key is changed. As I mentioned, the Linksys AP's default Group Key Renewal value is set to 1 hour, which is sufficient for most SOHO networks.
If your clients don't support WPA, definitely choose to configure WEP over nothing at all. To configure WEP on the Linksys WRT54G, select the Security Mode as WEP and choose a key to use as your default transmit key (i.e., choose a key numbered from 1 through 4) and the WEP encryption type, which is typically 64 bits or 128 bits (the longer the better) and hex or ASCII. In the Key field that corresponds to the default transmit key that you selected, enter the key. (For example, if you chose a 64-bit hex key, you could enter a 10-digit hex key such as af592de129.) Remember that you'll need to match this WEP key configuration on all your clients, so choose something that will work on all your devices.
For details about configuring WEP, see "Configuring Basic 802.11b Security," October 2002, InstantDoc ID 26355. WEP configuration varies across different vendors' products more than WPA configuration does, so you might find it a little more difficult to adapt my WEP instructions to your situation.
Register
What it boils dow to is If someone really wants to get into a wireless network, they will. So, use wires where you can and be very careful where you use eireless.
rustyr30281 December 12, 2005 (Article Rating: