The Proper Way To Go Wireless
1 April, 2002
by Johnmichael Patrick Monty Monteith
There are times when tech publications steer the industry wrong. It is not that they mean to foul up truly basic computer concepts; it is just that they do not know any better. Lately those mistakes have been about wireless networking. Bless their hearts; they are gravely concerned about the state of wireless networking. If you read these publications you have no doubt read numerous stories about how every wireless network in the world will be compromised. They are right to be concerned, although they exaggerate the problem considerably. However, their solutions to the problem are downright wrong. If you are an I.T. Manager considering setting up a wireless network, read this piece closely, and you will know the correct way to secure your bandwidth for airwave use. More importantly, you will know what not to do.
We need to start with some ground rules. I am not even going to address home wireless use because it is a pointless discussion. If you are at home, security is not necessarily a big deal, unless it is for a connection to work (you should be using a secure VPN anyway). Home security is a non-issue because home users do not have to be concerned about connectivity with hundreds (thousands) of different computers, and countless types of devices. If what you buy does not connect with your WAP / card, you take it back to the shop and buy another. Unless you have servers running in your basement, setting up a wireless network is no more complicated than plugging the devices in.
For business use, a wireless network is a dilemma. The goal of having a network instantly available to everyone who visits, and the goal of keeping the enemies from causing damage, are at odds.
So, why would we run a wireless network?
1. We need a network where anyone with a computer can turn on their systems and immediately start working no matter their wireless hardware.
2. Our network should give guests instant access to the Internet, but not to our secure network.
3. Employees of our company should be able to turn on their computer, and no matter their hardware, have instant access to the network.
4. Wireless should free the guests and employees from wires (duh) and from any network hassles. No matter where they are, simply turning on the computer should give them instant access to what they need.
5. All of this should happen without a single call to the I.T. Department.
Before I explain the correct way to set up a wireless network in a business, let me start by showing why the major publications have the wrong solutions:
Mistake #1: Use WEP
Major periodicals will test a Linksys card with WEP against a Linksys WAP (Wireless Access Point), or a 3com card against a 3com WAP, or an Apple AirPort card against an Apple AirPort WAP. They do not use a two-year-old WAP with a brand new wireless PCMCIA card of a different brand. This is called 'real world' computing, and publications have no idea what that is about. Try using a Linksys wireless PCMCIA card with WEP on a 3com wireless hub, and it will not work. The wireless world, despite its claims of a supposed Wi-Fi standard, is not standardized in any way, shape or form. Do not believe the boxes, advertisements, or magazines. We know from experience that these devices do not work well with each other unless you turn off all built-in security. Even Windows XP with built-in wireless support uses a different security methodology. (102bit security? What are they smoking in Redmond?)
The other reason not to use WEP is that it gives a false sense of security. It is the equivalent of using a ten-year-old radar detector: by making yourself feel secure with a device that offers virtually no security, you are likely to get burnt. The standard song and dance here is that WEP is enough to keep a casual hacker out, even though a serious threat would break the encryption in seconds. Well, a casual hacker is not what you are worried about. Someone casually sitting in your car park stealing bandwidth or probing your network is something we would prefer not to happen, but it is unlikely to be a major threat to the security measures you already have on your servers. (You are smart enough to use some form of security on your servers, right?) After all, if this person is not smart enough to beat WEP (which can be defeated with a simple program downloaded from the Internet), then how the hell are they going to destroy your network?
It is the person who will break WEP in seconds that you need to worry about. The fact that you run WEP means you have something to hide, and it is likely to make their quest to destroy your network even more enjoyable.
The only people who will be stopped by WEP are the people that you want to use your wireless network. Remember, our baseline for wanting to go wireless was to allow guests and employees, no matter their hardware and without a call to the tech department, easy access to the Internet. WEP will stop the people you want to use your network, and hold up a sign to hackers reading "I dare you to break us." There are better security methods, and we will get to them shortly.
Mistake #2: Change The SSID
This is the most ludicrous thing being published. Wireless devices use an ASCII character identifier called an SSID. The thought is that by changing the default SSID from the manufacturer's name to some really long, hard-to-remember string, a hacker will somehow be stopped from accessing your network. This is particularly amusing since modern wireless cards can pull all available SSIDs out of the air. Do these publications actually believe hackers will not be able to read your SSIDs? Almost all wireless cards do this automatically, without any additional software.
Changing the SSID will not stop any hacker with an IQ above four.
Mistake #3: Turn Off DHCP
Fabulous. I had an extra FTE sitting around waiting to do nothing but set up static IP addresses for staff, and to be on the phone constantly explaining how to switch back to DHCP when traveling or going home. Gee, this won't frustrate our staff. And I really want to program some web-based database for tracking used and unused IP addresses for guests. This is a brilliant idea, if you are using a crack pipe on your lunch breaks.
A serious hacker will not be deterred by the lack of DHCP addressing. There are freely available programs that will detect an open IP address on the network in less than a minute. The only thing you are doing by disabling DHCP is wasting an FTE from your department.
Mistake #4: Create WAP Password
The brilliant idea here is that by placing a password on the WAP, your network will be secure. However, in the real world most wireless cards do not recognize different password standards. Use a password on an Apple AirPort and suddenly Linksys users are left out in the cold.
Will it keep your network secure? Absolutely not. A hacker can sniff the password being sent by an authorized user and will immediately have access to your network. Once again, the only people you will be stopping are those that you want to have access.
Mistake #5: Limit Connections
Many WAPs will accept connections from approved NICs only, keeping non-approved users off the network. This means hand-programming every WAP on your network, and reprogramming for every change and every guest. Someone coming into your company to give a seminar and needing Internet access will have to wait fifteen minutes or more while you pull out the person's NIC to find the number and then reprogram the WAP so they have access. If one of your staff uses a different laptop, swaps out their wireless card or brings in a home laptop, nothing will work until the I.T. Department programs their equipment. This solution defeats the purpose of having a wireless network, of course.
Mistake #6: Placing WAPs On Your Secure Network
All of these publications assume the only way to set up a WAP is by placing them on your secure network. You know, the one where you do not want hackers roaming. This is the biggest mistake you can make. Never, ever, ever, ever place a WAP on a network where someone could cause you harm. You may be asking, "If I don't place it on my network, how will I use it?" We will get to that.
So now that I have thoroughly given a middle finger salute to nearly every wireless security article that has ever been written, I better have an excellent solution that truly addresses these issues. It just so happens, there are four things you need to do to secure your wireless network. These solutions will not only make your wireless network truly secure, they will also leave it open to guests and your staff for easy access and easy swapping of wireless hardware. Best of all, the solutions are simple common sense.
What To Do #1: Place WAPs On DMZ Or Optional Network
DMZ is your "demilitarized zone". This is a network outside of your corporate network, on the unprotected side of your firewall. Often this is where companies will place web servers and other devices (a bad idea, but we will save the proper configuration for these devices for another article). An optional network is a sub-network that is separated from your trusted network (where you do not want hackers) by a router / firewall system.
Wireless Access Points should never be placed on your trusted network, unless you want hackers to have access. Even 128-bit WEP will not protect a network that has its WAPs on the trusted segment. Instead, place these devices on your DMZ or optional network, where you can use DHCP to hand out addresses, allow them port 80 (web traffic) to the Internet, and permit absolutely no connection to your trusted network. This gives your guests instant access to the web when they visit to do a seminar, and stops a nasty little hacker from being able to connect to anything of value. In fact, a hacker might spend hours thinking they are on a trusted network only to discover that they have been given nothing but a connection to the Internet. You have ruined their week and can laugh in their general direction.
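What that placement looks like as firewall policy, as an added example that is not part of the original article: a Linux iptables rule set for a firewall whose third interface carries the access points on an optional network. The interface name, the subnets, the firewall-hosted DHCP/DNS service, the VPN concentrator address and the VPN ports (IPsec IKE, NAT-T and ESP) are all assumptions for the sake of the example. The script prints the rules by default so they can be reviewed before being applied with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original article: iptables policy for a firewall
# whose interface $WLAN_IF faces the wireless access points on an optional
# network. Interface, subnets, VPN gateway and VPN ports are assumptions.
WLAN_IF="${WLAN_IF:-eth2}"                 # interface facing the WAP segment
TRUST_NET="${TRUST_NET:-10.0.0.0/8}"       # trusted corporate network
WLAN_NET="${WLAN_NET:-192.168.50.0/24}"    # addresses handed out on the WAP segment
VPN_GW="${VPN_GW:-203.0.113.10}"           # VPN concentrator (documentation address)

# Print the rules instead of applying them unless DRY_RUN=0, so the policy
# can be reviewed before it touches a live firewall.
ipt() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

wap_dmz_rules() {
  # Guests get addresses from the DHCP server running on the firewall and may
  # use its resolver; nothing else from the WAP segment reaches the firewall.
  ipt -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
  ipt -A INPUT -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
  ipt -A INPUT -i "$WLAN_IF" -j DROP

  # Absolutely no path from the WAP segment into the trusted network. Log the
  # attempts first: a client that keeps probing the trusted range is worth a look.
  ipt -A FORWARD -i "$WLAN_IF" -d "$TRUST_NET" -j LOG --log-prefix "WLAN->TRUST:"
  ipt -A FORWARD -i "$WLAN_IF" -d "$TRUST_NET" -j DROP

  # Web traffic out to the Internet, and only web traffic.
  ipt -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT

  # Employees reach the servers through the VPN concentrator (assumed IPsec:
  # IKE on UDP 500, NAT-T on UDP 4500, and ESP).
  ipt -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -d "$VPN_GW" -p udp -m multiport --dports 500,4500 -j ACCEPT
  ipt -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -d "$VPN_GW" -p esp -j ACCEPT

  # Replies for the connections allowed above, then drop everything else.
  ipt -A FORWARD -o "$WLAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$WLAN_IF" -j DROP
}

wap_dmz_rules
```

The order matters: the deny toward the trusted network sits above the web allow, so a wireless client that happens to aim port 80 at an internal server is still dropped, and the INPUT chain only admits the two services the guests genuinely need from the firewall itself.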
What To Do #2: Use VPN To Access Network
Placing your Wireless Access Points on an optional or DMZ network is the ideal solution for stopping hackers and giving instant access to guests, but it is worthless for your employees with wireless cards trying to access your servers. Simple solution: have their laptops automatically connect by VPN. Unlike WEP, almost all Virtual Private Network solutions are truly secure and cannot have their encryption algorithms unraveled in seconds. Windows 2000 / XP will automatically connect by VPN, and your employees will never know that they were not directly connecting to the network. This solution is so wonderful that when your staff take their laptop home and plug it into their cable modem or DSL connection, the VPN will connect the exact same way, and their work connection is 'always there' no matter where they are. The promise of wireless delivered, and without the need for hand-holding by your I.T. Department.
What To Do #3: Use Timers To Shut Off WAPs
Most businesses have a set schedule of hours when they are open or closed. Buy simple timers and put them on all of your WAPs to turn the devices off during non-working hours. While you were smart enough not to place your WAPs on your trusted network, you still do not want everyone using your bandwidth for easy Internet connections. If the devices automatically turn off during non-working hours, the only time 'guests' can use your bandwidth is when you want them to.
What To Do #4: Monitor Traffic On WAP Network
There are dozens of programs that can monitor the traffic on your DMZ or optional network. Install one or more of them to make certain that the traffic on that network looks good. It is not something you need to watch daily; it is merely something to take a peek at on a weekly basis. This will help identify someone who drives into the car park in the morning and surfs for porn all day long on your bandwidth. While this person will not hurt your network, and is probably low priority compared to the other I.T. issues you deal with, you might at least learn some exciting new web sites to visit during your free time. Er... I mean, you will know to block that NIC from having access to your network.
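One concrete version of that weekly peek, as an added example that is not part of the original article: a short shell script that reads the firewall's log lines for the wireless segment and lists the clients that repeatedly tried to reach the trusted network, which is the behaviour the DMZ placement is there to stop and the first thing worth looking for. It assumes the firewall logs every denied wireless-to-trusted packet with the prefix "WLAN->TRUST:" in Linux iptables LOG format; the prefix, the addresses and the log lines are constructed samples, and the threshold of five packets is an assumed rule of thumb.

```shell
#!/bin/sh
# Added example, not from the original article: weekly review of firewall log
# lines for the WAP segment. Assumes denied wireless-to-trusted packets are
# logged with the prefix "WLAN->TRUST:". All lines below are constructed samples.
SAMPLE_LOG='Apr  1 09:12:01 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.23 DST=10.1.2.5 PROTO=TCP SPT=41000 DPT=445
Apr  1 09:12:02 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.23 DST=10.1.2.6 PROTO=TCP SPT=41001 DPT=445
Apr  1 09:12:03 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.23 DST=10.1.2.7 PROTO=TCP SPT=41002 DPT=445
Apr  1 09:12:04 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.23 DST=10.1.2.8 PROTO=TCP SPT=41003 DPT=139
Apr  1 09:12:05 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.23 DST=10.1.2.9 PROTO=TCP SPT=41004 DPT=139
Apr  1 09:12:06 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.23 DST=10.1.2.10 PROTO=TCP SPT=41005 DPT=22
Apr  1 10:30:11 fw kernel: WLAN->TRUST: IN=eth2 OUT=eth0 SRC=192.168.50.40 DST=10.1.2.5 PROTO=UDP SPT=5353 DPT=5353
Apr  1 10:41:57 fw dhcpd: DHCPACK on 192.168.50.40 to 00:11:22:33:44:55 via eth2'

# One line per wireless client, busiest first: how many denied packets toward
# the trusted network it sent. Reads log text on stdin; ignores other lines.
blocked_per_client() {
  awk '/WLAN->TRUST:/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
       }
       END { for (s in hits) print hits[s], s }' | sort -rn
}

# Clients at or above the threshold (default 5, an assumed rule of thumb) are
# the ones to chase: a stray packet or two is normal, a sweep across several
# trusted hosts and ports is not. Reads log text on stdin.
flag_clients() {
  threshold="${1:-5}"
  blocked_per_client | awk -v t="$threshold" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_clients
```

Run against a real log with something like `grep 'WLAN->TRUST:' /var/log/kern.log | flag_clients 5`; the one client in the sample that walked six trusted hosts on file-sharing and SSH ports is the one reported, while the single stray multicast packet from the other client is not.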
Note that there are companies that incorporate VPN and WAP into the same device, having realized that this is the proper way to implement a wireless network.
That is it. Follow these guidelines and you will achieve the ideal wireless network. Now, some people who visit your office may notice how easy it is to get access to the Internet and immediately assume you are an unprotected network. Often publications will drive around a metro area with a Wireless Pringles Can Antenna searching for wireless networks without WEP and with DHCP running. These otherwise smart individuals assume that if they can instantly get access to an Internet connection on a wireless network, the network is insecure.
You now know that this assumption is as ludicrous as their security solutions. All they have done is discover an I.T. Department that is using wireless the way it was meant to be used: simple, easy, and open to employees and guests. Whether their network is insecure depends on whether those devices are on the trusted network, or properly sitting on the outside of the firewall. My guess is that there are a lot of very intelligent CIOs out there who have properly placed their Wireless Access Points on an optional network or DMZ to protect their servers while still being kind to guests. In which case, these CIOs have not only outsmarted the hackers, they have also spoofed all of the major technology publications as well.