Windows 7 : Creating a Windows Network - Installing a Wireless Network (part 1) - Wireless Network Setup Choices

You really do have to worry about wireless network security. In my home, I can pick up signals from four separate wireless networks: mine, the house next door’s, and two others (I can’t tell whose they are). It’s not uncommon to find that you can receive signals from several neighbors. And people do actually drive around with laptops in their car, looking for free Internet access. To protect against both freeloaders and hackers, one or two protection techniques are used: encryption, which scrambles data, and authentication, which certifies that a given computer should be allowed to connect to the network. You can use either encryption alone, or both encryption and authentication.

1. Wireless Network Setup Choices

To be able to distinguish your network’s signal from others and to secure your network, you must make the following choices when you set up a wireless network:

• An SSID (Service Set Identifier)— A short name that you give your network, up to 32 characters in length. This could be your last name, your company name, your pet’s name, or whatever makes sense to you.

• A security type— The authentication method that your network uses to determine whether or not a given computer should be allowed to connect. For Windows 7, the choices are as follows, in order of increasing security:

  • No Authentication (open)— No authentication is performed; any computer can connect to the network. Networks that use WEP encryption should use this option.

  • Shared— All devices on the network are configured with a common passphrase (which is a fancy name for a password). Any device that knows the passphrase is allowed to connect to the network. Due to bugs in the technology, this option actually creates additional security risks and should not be used unless you have to use the WEP encryption option discussed shortly.

  • 802.1X— An older authentication method that uses a network server, software certificate, or smart card to authenticate computers. This method is used on some corporate networks.

  • WPA-Personal— An improved authentication method that uses a passphrase to validate each computer’s membership in the network. The passphrase also serves as an encryption key. The WPA encryption scheme has been broken, however, and it’s been superceded by WPA2.

  • WPA2-Personal— An improved version of WPA-Personal.

  • WPA-Enterprise— A version of WPA that uses a network server, smart card, or software certificate to validate network membership, used on corporate networks.

  • WPA2-Enterprise— An improved version of WPA-Enterprise.

• An encryption type— The encryption method used to secure network data against eavesdropping. The options that are available depend on the security (authentication) type that was selected. The choices, in increasing order of security, are:

  • None— No data encryption is performed. This option is available only when the security type is set to No Authentication.

  • WEP— Data is encrypted using the WEP protocol, using a 40-, 128-, or 256-bit key. WEP is available only when the Security Type is set to No Authentication, Shared Authentication, or 802.1X. WEP encryption can be broken by a determined hacker.

  • TKIP— An encryption method that can be used with any of the WPA security types.

  • AES— An improved encryption method that can be used with any of the WPA security types.

• An encryption key— The key used to encrypt and decrypt data sent over the network. The different encryption methods use keys of different lengths:

  • For WEP encryption, you must enter a key as a string of 26 hexadecimal digits—that is, the numerals 0 through 9 and the letters A through F. (Windows 7 supports 40- and 128-bit WEP encryption, but 40-bit encryption is not recommended. You can join a 40-bit WEP network but not create a new one.)

    Some earlier versions of Windows let you enter a WEP key as a text phrase, but the text method was not standardized, and was pretty much guaranteed not to work across brands of wireless routers and access points, so it’s been abandoned.

  • For WPA or WPA encryption, enter a passphrase, a word, or phrase using any letters or characters, of 8 or more letters—the more the better, up to 63. The passphrase is case sensitive and can contain spaces, but must not begin or end with a space.

  • The encryption key should be kept secret because, with it, someone can connect to your network, and from there get to your data and your shared files.

• A channel number— The channel number selects the frequency used to transmit your network’s data. In the United States, this is a number between 1 and 11; the numbers might be different in other countries. The most common channels used are 1, 6, and 11. Some wireless routers select a channel automatically, but if you have to choose one, start with channel 6, and change it if other networks interfere with yours.

Why so many different security methods? Because thieves, like rust, never sleep, and it seems that as soon as a new, safer method is standardized, someone figures out a way to break it. WEP stands for Wired-Equivalent Privacy but it turned out to be an overly optimistic name. It was found shortly after its release that a determined interloper can break WEP security in as little as a few hours. WPA (which stands for Wi-Fi Protected Access) has an improved encrypting scheme and is strong enough to prevent most attacks. WPA2 is a further improvement upon that, and it’s the best option we have at present. It should deter even the most determined hacker (but I wouldn’t want to bet that it would keep the National Security Agency scratching its collective head for too long, if you know what I mean).

Which method should you use? On a corporate network, your network manager will configure your network or will give you setup instructions. On a home or small office network, you’re limited by the least-capable of the devices on your network—your weakest link. So, select the best security method that is supported by all of your network gear, including any access points or routers.

Here are the options you should consider, in decreasing order of security; use the first one that your equipment supports:

• If all of your equipment supports WPA2, use WPA2-Personal security with AES encryption.

• If all of your equipment supports WPA, use WPA-Personal with AES encryption.

• If the best method that is supported by all of your equipment is WEP, use No Authentication (open) security with WEP encryption. Use the 128-bit WEP option; Windows 7 doesn’t let you create a 40-bit WEP network.

• If you want to run an open network that anyone can use without any security at all, use No Authentication and no encryption. This is definitely not a good idea if you also have computers that use file or printer sharing on the same network. 

Finally, one more bit of nomenclature: If you have a router or access point, you are setting up what is called an infrastructure network. Windows 7 has a wizard to help you choose the correct settings. We’ll go through this in the next section.

2. Longer Is Better

The strength of any encryption scheme is measured by the amount of effort, time, and resources an attacker needs to break or decipher the encrypted data. The strength of wireless encryption depends on both the encryption method used (WPA2, WPA, or WEP), and also on the length of the private key that you select when you set up the network. Due to the mathematical techniques used, WPA2 is stronger than WPA, and WPA is much, much stronger than WEP. And for any of these encryption methods, the more binary bits in the key, and the more random that they are, the longer it takes a hacker to guess or determine your key. The bottom line is, you should use the strongest encryption method that is supported by all your wireless equipment, and you should use a long, randomly selected key. Long, random keys can be difficult to type and impossible to remember, but think of it this way: If you were trying to guess someone’s cat’s name, which would you stumble across first: Fluffy, or ZGwPEr23?

An encryption key is specified as a hexadecimal number (a number composed of the digits 0 through 9 plus the letters A through F) or as a passphrase, which is a word or phrase using any letters or symbols. If you use the passphrase method, Windows mangles the passphrase characters to construct a somewhat longer hexadecimal key. Table 1 lists the key lengths that can be selected in Windows 7, along with the lengths of the corresponding hexadecimal number or passphrase.

To enter a WPA2 or WPA key, type in a word, phrase, or random string of characters 8 to 63 characters in length (including spaces), or exactly 64 hexadecimal digits. Most people use the passphrase option. For best security, use a long phrase, use mixed upper- and lowercase, and add numeric digits and punctuation to the mix.

To specify a 104-bit WEP key, you could enter 13 ASCII (text) characters, such as the word abnormalities, or a 26-digit hexadecimal number, such as 3F985B1C89E00CDE1234434ED4. You must use the same key on all your computers and on your wireless router or access point, if you have one.

If you are joining an existing wireless network, you have to use the network key that was set by whomever set up that network. If you are creating a new network, use the strongest encryption method and the longest key that is supported by all of the devices and computers on your network. This means that if you have even one computer that doesn’t support WPA, you need to use WEP, and if you have even one computer that doesn’t support 256-bit keys, you have to use a 128-bit key. If you have a router, access point, or network adapter that doesn’t support WPA, it’s worth checking to see if you can update its internal software (firmware) or drivers to support this stronger encryption method.