Of the 24 networks within range of our home, almost 50% are inadequately protected! I see 2 unsecured networks, 8 that are still using WEP, and 1 that is using WPA-TKIP.

Given how much of our lives – social and financial – is happening online, and given the prevalence of wireless network access in our homes, it seems a bit reckless to see that we have the front doors to our networks so wide open for intrusion.

Well, it seems that a lesson in basic wireless security is on the cards.

The most basic networking security options include:

  1. Disable SSID broadcasting
    A wireless client that wishes to access a wireless Local Area Network (WLAN) must first provide the WLAN’s SSID. A common security technique is to have the Access Point stop broadcasting this SSID. Unfortunately, it is easy to discover this SSID by simply monitoring client frames sent across the network, as it is sent in the clear.
  2. Media Access Control (MAC) Address Authentication
    This relies on a white list of MAC addresses of clients that may connect to our Access Point. Again, this information is sent in the clear, so an attacker can sniff these and spoof one of the legal MAC addresses.
  3. Wired Equivalent Privacy (WEP)
    This uses a key that is shared between the AP and its clients. Unfortunately, it is currently very trivial to break WEP and is no longer considered a viable security option.
  4. WPA with Temporal Key Integrity Protocol (TKIP)
    This was a stop gap measure released by the Wi-Fi Alliance, for use until the IEEE finalized its standard. While still workable, there have been some minor vulnerabilities discovered with this scheme. As a result, this should now be considered obsolete

So, what does a law abiding citizen do?

Fortunately, the IEEE has since released their official standard, 802.11i, which incorporates Advanced Encryption Standard – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). This was released as WPA2, and is the best encryption possible.

My Access Point shows this option as WPA2-PSK [AES]. The PSK stands for PreShared Key, and refers to the passphrase configured into the Access Point as well as into each client. As long as your PSK is not easily guessed, you are now as protected as you can get.

Of course, in an enterprise setting you would be considering WPA2 Enterprise, which relies on a separate authentication server, but that’s a story for another day.