If you are installing a wireless network, you need to
configure wireless security and networking options after installing
your network adapters.
Note: This section tells how to set up a wireless network in a home or small office. On a corporate wireless network, your network administrator will most likely be the one to configure the wireless adapter and security settings.
You really do have to worry about wireless
network security. In my home, I can pick up signals from four separate
wireless networks: mine, the house next door’s, and two others (I can’t
tell whose
they are). It’s not uncommon to find that you can receive signals from
several neighbors. And people do actually drive around with laptops in
their car, looking for free Internet access. To protect against both
freeloaders and hackers, one or two protection techniques are used: encryption, which scrambles data, and authentication,
which certifies that a given computer should be allowed to connect to
the network. You can use either encryption alone, or both encryption and
authentication.
Caution: If you want to use file and printer sharing on your wireless network, you must make the network secure by assigning a cryptographic “key” to the network. Otherwise, random people will be able to get at your computer. If you want to set up an “open” wireless hotspot to share your Internet connection with friends, neighbors, or the world, that’s great, but you must not use file and printer sharing on the same network.
1. Wireless Network Setup Choices
To be able to distinguish your network’s signal
from others and to secure your network, you must make the following
choices when you set up a wireless network:
An SSID (Service Set Identifier)— A short name that you give your network, up to 32 characters in length. This could be your last name, your company name, your pet’s name, or whatever makes sense to you.
A security type— The authentication method that your network uses to determine whether or not a given computer should be allowed to connect. For Windows 7, the choices are as follows, in order of increasing security:
  No Authentication (open)— No authentication is performed; any computer can connect to the network. Networks that use WEP encryption should use this option.
  Shared— All devices on the network are configured with a common passphrase (which is a fancy name for a password). Any device that knows the passphrase is allowed to connect to the network. Due to bugs in the technology, this option actually creates additional security risks and should not be used unless you have to use the WEP encryption option discussed shortly.
  802.1X— An older authentication method that uses a network server, software certificate, or smart card to authenticate computers. This method is used on some corporate networks.
  WPA-Personal— An improved authentication method that uses a passphrase to validate each computer’s membership in the network. The passphrase also serves as an encryption key. The WPA encryption scheme has been broken, however, and it’s been superseded by WPA2.
  WPA2-Personal— An improved version of WPA-Personal.
  WPA-Enterprise— A version of WPA that uses a network server, smart card, or software certificate to validate network membership, used on corporate networks.
  WPA2-Enterprise— An improved version of WPA-Enterprise.
An encryption type— The encryption method used to secure network data against eavesdropping. The options that are available depend on the security (authentication) type that was selected. The choices, in increasing order of security, are:
  None— No data encryption is performed. This option is available only when the security type is set to No Authentication.
  WEP— Data is encrypted using the WEP protocol, using a 40-, 128-, or 256-bit key. WEP is available only when the Security Type is set to No Authentication, Shared Authentication, or 802.1X. WEP encryption can be broken by a determined hacker.
  TKIP— An encryption method that can be used with any of the WPA security types.
  AES— An improved encryption method that can be used with any of the WPA security types.
An encryption key— The key used to encrypt and decrypt data sent over the network. The different encryption methods use keys of different lengths:
  For WEP encryption, you must enter a key as a string of 26 hexadecimal digits—that is, the numerals 0 through 9 and the letters A through F. (Windows 7 supports 40- and 128-bit WEP encryption, but 40-bit encryption is not recommended. You can join a 40-bit WEP network but not create a new one.) Some earlier versions of Windows let you enter a WEP key as a text phrase, but the text method was not standardized, and was pretty much guaranteed not to work across brands of wireless routers and access points, so it’s been abandoned.
  For WPA or WPA2 encryption, enter a passphrase, a word, or phrase using any letters or characters, of 8 or more letters—the more the better, up to 63. The passphrase is case sensitive and can contain spaces, but must not begin or end with a space.
  The encryption key should be kept secret because, with it, someone can connect to your network, and from there get to your data and your shared files.
A channel number—
The channel number selects the frequency used to transmit your
network’s data. In the United States, this is a number between 1 and 11;
the numbers might be different in other countries. The most common
channels used are 1, 6, and 11. Some wireless routers select a channel
automatically, but if you have to choose one, start with channel 6, and
change it if other networks interfere with yours.
Why so many different security methods? Because
thieves, like rust, never sleep, and it seems that as soon as a new,
safer method is standardized, someone figures out a way to break it. WEP
stands for Wired-Equivalent Privacy but it turned out to be an overly
optimistic name. It was found shortly after its release that a
determined interloper can break WEP security in as little as a few
hours. WPA (which stands for Wi-Fi Protected Access) has an improved
encrypting scheme and is strong enough to prevent most attacks. WPA2 is a
further improvement upon that, and it’s the best option we have at
present. It should deter even the most determined hacker (but I wouldn’t
want to bet that it would keep the National Security Agency scratching
its collective head for too long, if you know what I mean).
Which
method should you use? On a corporate network, your network manager
will configure your network or will give you setup instructions. On a
home or small office network, you’re limited by the least-capable of the
devices on your network—your weakest link. So, select the best security
method that is supported by all of your network gear, including any access points or routers.
Note: Windows 7, Vista, and XP with Service Pack 3 all have built-in support for WPA2. If your router doesn’t support WPA2 or WPA, you might be able to install updated firmware to get it. If you have computers running Windows XP SP2, you can update them to support WPA2 by downloading and installing SP 3, or a hotfix available at support.microsoft.com/kb/893357.
Here are the options you should consider, in decreasing order of security; use the first one that your equipment supports:
  If all of your equipment supports WPA2, use WPA2-Personal security with AES encryption.
  If all of your equipment supports WPA, use WPA-Personal with AES encryption.
  If the best method that is supported by all of your equipment is WEP, use No Authentication (open) security with WEP encryption. Use the 128-bit WEP option; Windows 7 doesn’t let you create a 40-bit WEP network.
  If you want to run an open network that anyone can use without any security at all, use No Authentication and no encryption. This is definitely not a good idea if you also have computers that use file or printer sharing on the same network.
Finally, one more bit of nomenclature: If you have a router or access point, you are setting up what is called an infrastructure network. Windows 7 has a wizard to help you choose the correct settings. We’ll go through this in the next section.
Note: Despite its irritating length, if you use WEP security, it’s better to use the hexadecimal format. The reason is that the hexadecimal format specifies the actual key, whereas a passphrase must be converted by some software scheme into a hexadecimal key, and for WEP, not every wireless device and OS uses the same scheme. For example, the passphrase abnormalities might turn into one key on a Linksys router and a different key on Windows 7. Thus, you could type the same passphrase into your router and into Windows, and the network would not work. To be safe, use a hexadecimal key. For WPA security, the passphrase-mangling scheme is part of the standard, so it’s fine to use a passphrase; every device will derive the same key from it.
2. Longer Is Better
The strength of any encryption scheme is
measured by the amount of effort, time, and resources an attacker needs
to break or decipher the encrypted data. The strength of wireless
encryption depends on both the encryption method used (WPA2, WPA, or
WEP), and also on the length of the private key that you select when you
set up the network. Due to the mathematical techniques used, WPA2 is
stronger than WPA, and WPA is much, much stronger than WEP. And for any
of these encryption methods, the more binary bits in the key, and the
more random that they are, the longer it takes a hacker to guess or
determine your key. The bottom line is, you should use the strongest
encryption method that is supported by all your wireless equipment, and
you should use a long, randomly selected key. Long, random keys can be
difficult to type and impossible to remember, but think of it this way:
If you were trying to guess someone’s cat’s name, which would you
stumble across first: Fluffy, or ZGwPEr23?
Note: Instead of making up a key or passphrase, an even better idea is to let the Windows Wireless Networking setup wizard make up a random key for you, or find a website that can generate random passwords for you. For example, the tool at www.yellowpipe.com/yis/tools/WEP_key/generator.php generates random WEP keys, and there is a link on that page to a corresponding random WPA key generator.
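A random key can also be produced locally with the operating system's cryptographic random number generator, so that it never passes through a third-party site. The following is an added example, not part of the original text; the function names are made up for illustration, and the lengths follow this section (10 or 26 hexadecimal digits for WEP, 8 to 63 characters for WPA/WPA2).

```python
import math
import secrets
import string

HEX = "0123456789ABCDEF"
# Printable ASCII without the space, so a generated passphrase can never
# begin or end with a space (the rule stated in this section).
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_wep_key(hex_digits=26):
    """Random WEP key: 26 hex digits = 104-bit key, 10 = 40-bit key."""
    if hex_digits not in (10, 26):
        raise ValueError("WEP keys are 10 or 26 hexadecimal digits")
    return "".join(secrets.choice(HEX) for _ in range(hex_digits))


def random_wpa_passphrase(length=63):
    """Random WPA/WPA2 passphrase of 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def search_space_bits(length, alphabet_size, key_bits):
    """Bits an attacker must search for a uniformly random secret,
    capped at the size of the key the cipher actually uses."""
    return min(length * math.log2(alphabet_size), key_bits)


if __name__ == "__main__":
    print("WEP key       :", random_wep_key())
    print("WPA passphrase:", random_wpa_passphrase())
    # 8 random lowercase letters vs. 20 and 63 random printable characters,
    # each measured against the 256-bit WPA/WPA2 key.
    for n, k in ((8, 26), (20, 94), (63, 94)):
        bits = search_space_bits(n, k, 256)
        print(f"{n:2d} chars from {k:2d} symbols: {bits:6.1f} bits")
```

The estimate applies only to secrets chosen uniformly at random; a dictionary word such as a pet's name has far fewer effective bits than its length suggests.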
An encryption key is specified as a hexadecimal
number (a number composed of the digits 0 through 9 plus the letters A
through F) or as a passphrase, which is
a word or phrase using any letters or symbols. If you use the
passphrase method, Windows mangles the passphrase characters to
construct a somewhat longer hexadecimal key. Table 1
lists the key lengths that can be selected in Windows 7, along with the
lengths of the corresponding hexadecimal number or passphrase.
Table 1. WEP/WPA Key Formats

| Encryption Strength | Passphrase/Key Format |
|---|---|
| 256-bit WPA or WPA2 | 8–63 text characters (the more the better!) or 64 hexadecimal digits |
| 104-bit (also called 128-bit) WEP | 13 ASCII characters or 26 hexadecimal digits |
| 40-bit (also called 64-bit) WEP | 5 ASCII characters (any character) or 10 hexadecimal digits (0–9, A–F) |

To enter a WPA2 or WPA key, type in a word,
phrase, or random string of characters 8 to 63 characters in length
(including spaces), or exactly 64 hexadecimal digits. Most people use
the passphrase option. For best security, use a long phrase, use mixed upper- and lowercase, and add numeric digits and punctuation to the mix.
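The passphrase-to-key conversion for WPA and WPA2-Personal, shown as an added example that is not part of the original text: the standard derivation is PBKDF2-HMAC-SHA1 with the SSID as salt, 4,096 iterations and a 256-bit output, which is why every device arrives at the same 64-hex-digit key. The function name `wpa_psk` and the SSID `HomeNet` are made up for illustration; the input checks follow the format rules given in this section.

```python
import hashlib
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def wpa_psk(key, ssid):
    """Return the 256-bit WPA/WPA2-Personal key as 64 hex digits.

    key  -- an 8-63 character passphrase, or 64 hex digits (used as-is)
    ssid -- network name, 1-32 bytes; it is the salt for the derivation
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if len(key) == 64:
        # Exactly 64 characters means a raw key, not a passphrase.
        if not all(c in string.hexdigits for c in key):
            raise ValueError("a 64-character key must be hexadecimal")
        return key.lower()
    if not 8 <= len(key) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(key) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")
    if key != key.strip(" "):
        raise ValueError("passphrase must not begin or end with a space")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    psk = hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid_bytes, 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    # Constructed sample values: a router and a laptop given the same
    # passphrase and SSID compute the same key independently.
    router = wpa_psk("correct horse battery staple", "HomeNet")
    laptop = wpa_psk("correct horse battery staple", "HomeNet")
    print("router:", router)
    print("laptop:", laptop, "(match)" if router == laptop else "(MISMATCH)")
    # The SSID is part of the derivation: same passphrase, different key.
    print("other :", wpa_psk("correct horse battery staple", "HomeNet2"))
```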
Note: Windows 7 and Vista have built-in support for WPA2. If you want to use WPA2 on computers running Windows XP, either install Service Pack 3 or download a hotfix from the Microsoft Support Site at http://support.microsoft.com.
To specify a 104-bit WEP key, you could enter 13
ASCII (text) characters, such as the word abnormalities, or a 26-digit
hexadecimal number, such as 3F985B1C89E00CDE1234434ED4. You must use the same key on all your computers and on your wireless router or access point, if you have one.
Note: Windows 7 will let you connect to an existing wireless network that uses 40-bit WEP security, but the wireless network setup wizard will not let you create a new network with 40-bit WEP security.
If you are joining an existing wireless network,
you have to use the network key that was set by whoever set up that
network. If you are creating a new network, use the strongest encryption
method and the longest key that is supported by all
of the devices and computers on your network. This means that if you
have even one computer that doesn’t support WPA, you need to use WEP,
and if you have even one computer that doesn’t support 256-bit keys, you
have to use a 128-bit key. If you have a router, access point, or
network adapter that doesn’t support WPA, it’s worth checking to see if
you can update its internal software (firmware) or drivers to support
this stronger encryption method.