How should I secure my wireless network?

Published Apr 25, 2013 by

If you have a wireless network, you may have asked yourself, “Is a wireless network secure enough for data-sensitive work, like banking?”  This is an excellent question to ask, and the answer is a conditional “yes, if you’ve adequately secured your connection.”  What, then, is adequately secured?

Unsecured Connections

Without enabling any of the security features on your wireless access point, any traffic between your devices and the network is sent without modification.  Anyone within range of your wireless network can listen to, or “sniff”, the signal that you’re using and record the data.  Everything that you transmit is out in the open, and while some institutions such as banks protect the information you send, it is still undesirable to have this information accessible to anyone within receiving range.   Additionally, there is nothing stopping an outsider from connecting to your network and having access to your connected technology resources such as printers and network file shares.  Given the right set of tools and time, anything you transfer could be available to those with malicious intent.  As a business, it may not only be your information that is vulnerable.  Customer payment methods, contact information, and proprietary company data are just a few of the pieces of information that you want protected.

What is encryption?

Encryption is the process of taking some type of information, such as text or computer data, and converting it into a different, unreadable form.  Before conversion the data is known as “plaintext”; after conversion it is known as “ciphertext.”  This ciphertext is not readable on its own, but must be converted back to its original form.  The conversion is done with a “key”, which is a special piece of data that specifies how the information is to be transformed.  As long as this key is known only to the people you want to have access to the information, the information can be considered secure.  Encrypting information makes it unreadable in transit, and helps ensure that only the intended recipient has access to it.

What are my wireless encryption options?

One of the early methods of encryption for wireless networks was known as Wired Equivalent Privacy, or WEP.  The problem with WEP was that it didn’t live up to its name.  There was a weakness in the way the encryption was implemented, and it wasn’t long before anyone with Google and a little techie know-how could connect to your network.  Initially the process could take a long time, but certain techniques have since reduced it to minutes, making WEP ineffective at protecting wireless transmissions for the last decade.

Due to the weakness inherent in WEP, the trade association responsible for certifying WiFi products came up with a new standard known as Wireless Protected Access, or WPA.  WPA was intended as an intermediate measure to secure wireless networks until the more secure WPA2 was finalized in 2004.  While much more secure than WEP, WPA and WPA2 are still vulnerable to “brute-force” attacks on the password, which rely on repeatedly guessing different passwords until a match is found.  WPA/WPA2 do not have the weakness that existed with WEP, and as of today are still considered secure as long as certain best practices are followed when implementing networks to mitigate the vulnerability to brute-force attacks.

With WPA/WPA2, there are two options for implementation.  The first is known as “personal” mode, where all devices on the network share the exact same key.  This would be like having a regular door lock to your office, with a single key and lots of copies for all your employees.  The problem here is that if one key is stolen, you have to re-key the lock and give out new keys.  This is okay as long as you only have a handful of the same key to replace, but if you have more devices it can become a hassle to change your entire network this way.  The second method of implementation is known as “enterprise” mode, and requires an additional piece of equipment that stores credentials.  Every device on the network is given its own key to connect instead of sharing a single key.  This would be like having a keypad lock on your office, and each employee having their own combination.  If one combination is compromised or an employee leaves the company, it is a much easier task to simply invalidate the combination and give the user a new one.

Recommendation

Our recommendation is to implement WPA2, and if you do not have a large quantity of wireless devices, to use it in “personal” mode.  This represents a high level of security at lower cost than enterprise mode.  If you find yourself having to reconfigure your network regularly due to theft of devices or employee turnover, however, then enterprise mode may be appropriate for you in order to simplify management of the network.  In addition, using a strong 13-character or longer value for the key will ensure that brute-force attacks are unlikely to succeed, and reading your data would take thousands of man-years.
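To make the “personal” mode shared key and the 13-character recommendation concrete, here is an added example (not code from the original post) showing how every device sharing a WPA/WPA2-Personal passphrase turns that passphrase and the network name into the actual 256-bit key (PBKDF2-HMAC-SHA1, 4096 iterations, as the 802.11i standard specifies), and a rough estimate of how many candidate passphrases of a given length and character mix a guessing attack would have to work through.  The SSID, sample passphrases and the one-million-guesses-per-second rate are assumed values for illustration, not measurements.

```python
# Added example (not code from the original post): how a WPA/WPA2 "personal"
# mode client turns the shared passphrase into the encryption key, and a rough
# estimate of how long guessing a passphrase of a given length would take.
# The guess rate, SSID and sample passphrases below are assumed values.
import hashlib
import math
import string

# Character classes a passphrase may draw from.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
    "space": " ",                      # 1
}

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key that every device sharing a
    WPA/WPA2-Personal passphrase computes: PBKDF2-HMAC-SHA1 over the
    passphrase, with the network name (SSID) as salt, 4096 iterations,
    32 bytes of output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def alphabet_size(passphrase: str) -> int:
    """Size of the alphabet formed by every character class the passphrase
    uses; a guess-by-guess search has to cover at least this alphabet."""
    size = 0
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in passphrase):
            size += len(chars)
    return size


def keyspace(passphrase: str) -> int:
    """Number of candidate passphrases of the same length over the same alphabet."""
    return alphabet_size(passphrase) ** len(passphrase)


def years_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Years needed to try every candidate in the keyspace at the given rate.
    Each guess costs a full 4096-iteration PBKDF2 derivation, which is what
    keeps the achievable rate low."""
    return keyspace(passphrase) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    import time

    # The derivation is deliberately slow: time one on this machine.
    start = time.perf_counter()
    pmk = wpa_pmk("correct horse battery", "OfficeWiFi")  # constructed values
    elapsed = time.perf_counter() - start
    print(f"PMK: {pmk.hex()}  ({elapsed * 1000:.1f} ms per derivation)")

    assumed_rate = 1_000_000  # assumed guesses per second, for illustration only
    for candidate in ["sunshine", "Sunshine2013!", "correct horse battery"]:
        print(f"{candidate!r:25} alphabet={alphabet_size(candidate):3} "
              f"keyspace=2^{math.log2(keyspace(candidate)):.0f} "
              f"years={years_to_exhaust(candidate, assumed_rate):.3g}")
```

Two things the arithmetic shows that the text only states: the SSID is part of the key, so two networks with the same passphrase but different names have different keys, and every extra character multiplies the search by the alphabet size, which is why a 13-character mixed passphrase pushes an exhaustive search far past the “thousands of man-years” mark at any plausible guess rate.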

Remember that regardless of the encryption methods in place, given enough time and resources, your data can eventually be compromised.  The intent of encryption, however, is to make the time and resources required unreasonably large.  This is what was meant by “adequate” security.  Does your attacker really have thousands of man-years to spend trying to crack open your encrypted data?

Why is my wireless network so slow?

Published Apr 22, 2013 by

Struggling to figure out why your WiFi connection feels sluggish compared to your hard-wired devices?  Perhaps it’s not the fault of the technology, but an issue with configuration and utilization.

Perfect World, Worst Case

With wireless technology, every device operating in the same frequency range shares the bandwidth available.  This includes not only the devices connected to your network, but ANY wireless devices operating in the same frequency range as yours, such as your neighbors’ WiFi.  Additionally, the rated speed of your wireless access point is not per-device, but a total shared rating.  In a simplified perfect-world model, a WiFi router with ten devices using their connections to capacity (worst case) can only provide one tenth of that speed per device.  Remember those “walkie-talkies” you played with as a kid?  Only one of you could transmit your voice at a time.  The same concept applies here, which is why the bandwidth is shared.

Real World Problems

In the real world, given the situation above, your connection speed would be much lower once you account for the additional network traffic needed to maintain the connection and correct errors in transmission.  Errors are introduced when some bit of information that is sent doesn’t make it to its intended destination or arrives unreadable, either because of the distance involved or because of radio interference (noise) on the signal.  That microwave oven in the break room next to your office?  It operates in the same frequency range as your WiFi connection, making it a direct source of radio frequency (RF) interference.  Cordless phones within your business environment?  If they are of the 2.4GHz variety, they can be an additional source of noise.

So how do you fix it?

You can reduce interference by relocating things such as microwaves and cordless phones, or simply by operating on a frequency with less wireless traffic.  The wireless frequency range used by WiFi is split up into channels, which are smaller divisions of the total frequency range.  You may have seen the channel setting in your wireless access point and left it set to “auto” or some other default channel value.  Each channel uses a particular part of the wireless spectrum, and if you can select the channel with the least noise and the least utilization, you should be able to maximize the use of your wireless bandwidth.  Software exists that allows you to take an accounting of the wireless networks in your area and provides some easy-to-read visuals, letting you know which channel would be most advantageous for your network.

Screenshot of inSSIDer for Home, one tool used for analyzing wireless networks.  Note lots of overlap in the graph at the bottom, giving us a quick visualization of wireless network channel allocations and channels to avoid.

Once you’ve determined which channel is most appropriate, you can reconfigure your access point to use that channel.  While the “auto” setting on most routers purports to do this, it is typically inadequate for high traffic areas or anything more critical than home usage, and manually setting the channel is preferred.  In the screenshot above, you can see that there are lots of networks overlapping in the middle of the 2.4GHz band.  It is also important to note that while 2.4GHz is the most widely used frequency, equipment can also be purchased that operates in the 5GHz range with reduced interference.  However, this frequency is not without drawbacks, most notably reduced operating range and increased cost.  As such, 2.4GHz is usually the better choice overall.
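The overlap graph a survey tool draws can also be reduced to a number per channel.  The following is an added example, not code from the original post or from the inSSIDer tool, that takes a constructed scan of nearby networks (name, channel, signal strength in dBm) and scores each candidate channel by how much neighbouring signal lands on it, using the fact that 2.4GHz channel centres sit 5 MHz apart so channels five or more apart are clear of each other.  The survey data, network names and the linear overlap model are assumptions made for the example.

```python
# Added example (not code from the original post): rank 2.4 GHz channels by how
# much signal from neighbouring networks lands on each one, the way a survey
# tool's overlap graph lets you eyeball it.  The survey below is constructed.
import math
from dataclasses import dataclass


@dataclass
class Network:
    ssid: str
    channel: int      # 2.4 GHz channel number, 1..13
    rssi_dbm: float   # received signal strength, e.g. -55 (closer to 0 = stronger)


# Constructed survey of what a scan might see around an office.
SURVEY = [
    Network("FrontOffice", 6, -40),   # our own access point
    Network("NeighborA", 6, -55),
    Network("NeighborB", 7, -60),
    Network("CoffeeShop", 1, -70),
    Network("NeighborC", 11, -85),
]

# Channels 1, 6 and 11 are the only three in the 2.4 GHz band that do not
# overlap each other, so they are the usual candidates.
NON_OVERLAPPING = (1, 6, 11)


def overlap(ch_a: int, ch_b: int) -> float:
    """Fraction of a 20 MHz transmission on ch_a that lands on ch_b (assumed
    linear model).  Channel centres are 5 MHz apart, so channels five or more
    apart are clear of each other; closer channels overlap more."""
    return max(0.0, 1.0 - abs(ch_a - ch_b) / 5.0)


def dbm_to_mw(dbm: float) -> float:
    """Convert a dBm reading to milliwatts so that strengths can be summed."""
    return 10 ** (dbm / 10)


def channel_scores(survey, own_ssid=None, candidates=NON_OVERLAPPING):
    """Neighbouring signal landing on each candidate channel, summed in
    milliwatts so one strong neighbour counts for more than several faint ones."""
    scores = {}
    for ch in candidates:
        total = 0.0
        for net in survey:
            if net.ssid == own_ssid:
                continue   # our own network is what we are placing, not interference
            total += overlap(net.channel, ch) * dbm_to_mw(net.rssi_dbm)
        scores[ch] = total
    return scores


def best_channel(survey, own_ssid=None, candidates=NON_OVERLAPPING) -> int:
    """The candidate channel with the least neighbouring signal."""
    scores = channel_scores(survey, own_ssid, candidates)
    return min(scores, key=scores.get)


if __name__ == "__main__":
    for ch, mw in sorted(channel_scores(SURVEY, "FrontOffice").items()):
        level = 10 * math.log10(mw) if mw > 0 else float("-inf")
        print(f"channel {ch:2}: {level:6.1f} dBm of neighbouring signal")
    print("least congested:", best_channel(SURVEY, "FrontOffice"))
```

In the constructed survey the access point is sitting on channel 6 next to the strongest neighbour, and the scoring picks channel 1 even though a network is already there, because a faint co-channel network costs less than a strong one.  Re-run the scan after moving, since neighbours’ “auto” settings may shift in response.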

Conclusion

Besides the unrealistic expectations of relocating all your office microwaves to the farthest end of the hall or forcing your company president to stop using the cordless phone in his office suite (neither of which will help your reputation), channel selection is the best option for maximizing wireless bandwidth availability.  It is one of the easiest fixes to make, but also one of the easiest to get wrong if ignored.  Don’t forget, however, that a hardwired Ethernet connection will always win out in speed and security (which we’ll cover in a future post), and wireless connections should only be used if absolutely necessary.