On This Page
Introduction
A Wireless Network Using a Wireless Access Point
A Wireless Network Without Using a Wireless Access Point
Summary
Related Links
Introduction
The utility of wireless networking in the home and small business has obvious benefits. With
wireless networking, you do not have to install cabling to connect the separate computers
together and portable computers, such as laptops or notebook computers, can roam around the
house or small business office and maintain their connection to the network.
Although there are multiple wireless networking technologies available to create wireless
networks, this article describes the use of the Institute of Electrical and Electronic Engineers
(IEEE) 802.11 standards.
IEEE 802.11 Overview
IEEE 802.11 is a set of industry standards for shared wireless local area network (WLAN)
technologies, the most prevalent of which is IEEE 802.11b, also known as Wi-Fi. IEEE 802.11b
transmits data at 1, 2, 5.5 or 11 Megabits per second (Mbps) using the 2.4-2.5 gigahertz (GHz) S-
Band Industrial, Scientific, and Medical (ISM) frequency range. Other wireless devices such as
microwave ovens, cordless phones, wireless video cameras, and devices using another wireless
technology known as Bluetooth also use the S-Band ISM.
For ideal conditions, close proximity, and no sources of attenuation or interference, IEEE
802.11b operates at 11 Mbps, a higher bit rate than 10 Mbps wired Ethernet. In less-than-ideal
conditions, the slower speeds of 5.5 Mbps, 2 Mbps, and 1 Mbps are used.
The IEEE 802.11a standard has a maximum bit rate of 54 Mbps and uses frequencies in the 5
GHz range, including the 5.725-5.875 GHz C-Band ISM frequency band. This higher speed
technology allows wireless LAN networking to perform better for video and conferencing
applications. Because it does not share frequencies with Bluetooth or microwave ovens,
IEEE 802.11a provides both a higher data rate and a cleaner signal.
The IEEE 802.11g standard has a maximum bit rate of 54 Mbps and uses the S-Band ISM. All of
the instructions in this article for configuring the wireless nodes apply to IEEE 802.11b, 802.11a,
and 802.11g-based wireless networks.
Infrastructure Mode
The IEEE 802.11 standards specify two operating modes: infrastructure mode and ad hoc mode.
Infrastructure mode is used to connect computers with wireless network adapters, also known as
wireless clients, to an existing wired network. For example, a home or small business office
might have an existing Ethernet network. With infrastructure mode, laptop computers or other
desktop computers that do not have an Ethernet wired connection can be seamlessly connected to
the existing network. A networking node known as a wireless access point (AP) is used to bridge
the wired and wireless networks. Figure 1 shows an infrastructure mode wireless network.
For the encryption of wireless data, the original 802.11 standard defined Wired Equivalent
Privacy (WEP). Due to the nature of wireless LAN networks, securing physical access to the
network is difficult. Unlike a wired network where a direct physical connection is required,
anyone within range of a wireless AP or a wireless client can conceivably send and receive
frames as well as listen for other frames being sent, making eavesdropping and remote sniffing
of wireless network frames very easy.
WEP uses a shared, secret key to encrypt the data of the sending node. The receiving node uses
the same WEP key to decrypt the data. For infrastructure mode, the WEP key must be configured
on the wireless AP and all the wireless clients. For ad hoc mode, the WEP key must be
configured on all the wireless clients.
As specified in the IEEE 802.11 standards, WEP uses a 40-bit secret key. Most wireless hardware
for IEEE 802.11 also supports the use of a 104-bit WEP key. If your hardware supports both, use
a 104-bit key.
Note Some wireless vendors advertise the use of a 128-bit wireless encryption key. This is the
addition of a 104-bit WEP key with another number used during the encryption process known
as the initialization vector (a 24-bit number). Also, some recent wireless APs support the use of a
152-bit wireless encryption key. This is a 128-bit WEP key added to the 24-bit initialization
vector. The Windows XP configuration dialog boxes do not support 128-bit WEP keys. If you
must use 152-bit wireless encryption keys, disable Wireless Auto Configuration by clearing the
Use Windows to configure my wireless network settings check box on the Wireless Networks
tab of the properties of the wireless connection in Network Connections, and use the
configuration utility provided with your wireless network adapter.
Choosing a WEP key
The WEP key should be a random sequence of either keyboard characters (upper and lowercase
letters, numbers, and punctuation) or hexadecimal digits (numbers 0-9 and letters A-F). The more
random your WEP key, the safer it is to use.
A WEP key based on a word (such as a company name for a small business or your last name for
a home) or an easily remembered phrase is subject to easy determination. Once a malicious user
has determined the WEP key, they can decrypt WEP-encrypted frames, properly encrypt WEP
frames, and begin attacking your network.
Even if your WEP key is random, it is still subject to determination if a large amount of data
encrypted with the same key is collected and analyzed. Therefore, it is recommended that you
change your WEP key to a new random sequence periodically, for example, every three months.
WPA Encryption
IEEE 802.11i is a new standard that specifies improvements to wireless LAN networking
security. The 802.11i standard addresses many of the security issues of the original 802.11
standard. While the new IEEE 802.11i standard was being ratified, wireless vendors agreed on an
interoperable interim standard known as Wi-Fi Protected Access (WPA™).
With WPA, encryption is done using the Temporal Key Integrity Protocol (TKIP), which
replaces WEP with a stronger encryption algorithm. Unlike WEP, TKIP provides for the
determination of a unique starting unicast encryption key for each authentication and the
synchronized changing of the unicast encryption key for each frame. Because TKIP keys are
determined automatically, there is no need to configure an encryption key for WPA.
Microsoft provides WPA support for computers running Windows XP with Service Pack 2 (SP2).
For computers running Windows XP with Service Pack 1 (SP1), you must obtain and install the
Wireless update rollup package for Windows XP—a free download from Microsoft.
For more information, see Wi-Fi Protected Access (WPA) Overview.
WPA2 Encryption
WPA2™ is a product certification available through the Wi-Fi Alliance that certifies wireless
equipment as being compatible with the 802.11i standard. WPA2 supports the additional
mandatory security features of the 802.11i standard that are not already included for products
that support WPA. With WPA2, encryption is done using the Advanced Encryption Standard
(AES), which also replaces WEP with a much stronger encryption algorithm. Like TKIP for
WPA, AES provides for the determination of a unique starting unicast encryption key for each
authentication and the synchronized changing of the unicast encryption key for each frame.
Because AES keys are determined automatically, there is no need to configure an encryption key
for WPA2. WPA2 is the strongest form of wireless security.
Microsoft provides WPA2 support for computers running Windows XP with Service Pack 2
(SP2) with the Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information
Element (WPS IE) update for Windows XP with Service Pack 2—a free download from
Microsoft.
For more information, see Wi-Fi Protected Access 2 (WPA2) Overview.
Authentication
The following types of authentication are available for use with 802.11 networks:
• Open System
• Shared Key
• IEEE 802.1X
• WPA or WPA2 with preshared key
Open System
Open system authentication is not really authentication, because all it does is identify a wireless
node using its wireless adapter hardware address. A hardware address is an address assigned to
the network adapter during its manufacture and is used to identify the source and destination
address of wireless frames.
For infrastructure mode, although some wireless APs allow you to configure a list of allowed
hardware addresses for open system authentication, it is a fairly simple matter for a malicious
user to capture frames sent on your wireless network to determine the hardware address of
allowed wireless nodes and then use that hardware address to perform open system
authentication and join your wireless network.
For ad hoc mode, there is no equivalent to configuring the list of allowed hardware addresses in
Windows XP. Therefore, any hardware address can be used to perform open system
authentication and join your ad hoc mode-based wireless network.
Shared Key
Shared key authentication verifies that the wireless client joining the wireless network has
knowledge of a secret key. During the authentication process, the wireless client proves it has
knowledge of the secret key without actually sending the secret key. For infrastructure mode, all
the wireless clients and the wireless AP use the same shared key. For ad hoc mode, all the
wireless clients of the ad hoc wireless network use the same shared key.
IEEE 802.1X
The IEEE 802.1X standard enforces authentication of a network node before it can begin to
exchange data with the network. Exchanging frames with the network is denied if the
authentication process fails. Although this standard was designed for wired Ethernet networks, it
has been adapted for use by 802.11. IEEE 802.1X uses the Extensible Authentication Protocol
(EAP) and specific authentication methods known as EAP types to authenticate the network
node.
IEEE 802.1X provides much stronger authentication than open system or shared key and the
recommended solution for Windows XP wireless authentication is the use of EAP-Transport
Layer Security (TLS) and digital certificates for authentication. To use EAP-TLS authentication
for wireless connections, you must create an authentication infrastructure consisting of an Active
Directory domain, Remote Authentication Dial-In User Service (RADIUS) servers, and
certification authorities (CAs) to issue certificates to your RADIUS servers and wireless clients.
This authentication infrastructure is appropriate for large businesses and enterprise organizations,
but is not practical for the home or small business office.
The practical alternative to IEEE 802.1X with EAP-TLS for the medium and small business is
Protected EAP (PEAP) with the Microsoft Challenge-Handshake Authentication Protocol, version
2 (MS-CHAP v2) EAP type. With PEAP-MS-CHAP v2, secure wireless access can be achieved
by installing a purchased certificate on a RADIUS server and using name and password
credentials for authentication. Windows XP with SP2, Windows XP with SP1, Windows Server
2003, and Windows 2000 with Service Pack 4 (SP4) support PEAP-MS-CHAP v2.
WPA or WPA2 with Preshared Key
For a home or small business that cannot do 802.1X authentication, WPA and WPA2 provide a
preshared key authentication method for infrastructure mode wireless networks. The preshared
key is configured on the wireless AP and each wireless client. The initial WPA or WPA2
encryption key is derived from the authentication process, which verifies that both the wireless
client and the wireless AP are configured with the same preshared key. Each initial WPA or
WPA2 encryption key is unique.
The WPA or WPA2 preshared key should be a random sequence of either keyboard characters
(upper and lowercase letters, numbers, and punctuation) at least 20 characters long or
hexadecimal digits (numbers 0-9 and letters A-F) at least 24 hexadecimal digits long. The more
random your WPA or WPA2 preshared key, the safer it is to use. Unlike the WEP key, the WPA
or WPA2 preshared key is not subject to determination by collecting a large amount of encrypted
data. Therefore, you do not need to change your WPA or WPA2 preshared key as often.
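As an added example (not part of the original article), the following Python script applies the key guidance from the "Choosing a WEP key" and preshared key sections above: it generates random keys with the OS CSPRNG at the lengths the article gives and estimates how much entropy each form carries, which shows why 13 random keyboard characters fall short of a 104-bit hex key while 20 random keyboard characters exceed 24 hex digits. The 94-symbol `KEYBOARD_CHARS` alphabet and the function names are assumptions of this example.

```python
import math
import secrets
import string

# Character sets the article names: keyboard characters (upper/lowercase
# letters, digits, punctuation) and hexadecimal digits. (Assumed alphabets.)
KEYBOARD_CHARS = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
HEX_DIGITS = "0123456789ABCDEF"                                             # 16 symbols
ALPHABETS = {"keyboard": KEYBOARD_CHARS, "hex": HEX_DIGITS}

# Key lengths as the article gives them.
WEP_LENGTHS = {40: {"keyboard": 5, "hex": 10}, 104: {"keyboard": 13, "hex": 26}}
MIN_PSK = {"keyboard": 20, "hex": 24}


def random_key(length, fmt):
    """Draw LENGTH symbols uniformly at random from the FMT alphabet using the
    OS CSPRNG, which is what a 'random sequence' should mean in practice."""
    return "".join(secrets.choice(ALPHABETS[fmt]) for _ in range(length))


def generate_wep_key(bits=104, fmt="hex"):
    """Random WEP key of the article's length for BITS (40 or 104) and FMT."""
    return random_key(WEP_LENGTHS[bits][fmt], fmt)


def generate_psk(fmt="keyboard", length=None):
    """Random WPA/WPA2 preshared key meeting the article's minimum length."""
    return random_key(length or MIN_PSK[fmt], fmt)


def entropy_bits(length, fmt):
    """Entropy of a key of LENGTH symbols drawn uniformly from the FMT alphabet:
    length * log2(alphabet size). This upper bound holds only for keys chosen
    at random; a word, name or phrase carries far less."""
    return length * math.log2(len(ALPHABETS[fmt]))


def classify_psk(key):
    """Return (fmt, entropy) for a WPA/WPA2 PSK that meets the article's minimum
    lengths, or (None, 0.0). An all-hex key long enough to count as hex is scored
    as hex (4 bits per symbol), the conservative reading."""
    if key and len(key) >= MIN_PSK["hex"] and all(c in HEX_DIGITS for c in key.upper()):
        return "hex", entropy_bits(len(key), "hex")
    if key and len(key) >= MIN_PSK["keyboard"] and all(c in KEYBOARD_CHARS for c in key):
        return "keyboard", entropy_bits(len(key), "keyboard")
    return None, 0.0


if __name__ == "__main__":
    for bits in (40, 104):
        for fmt in ("keyboard", "hex"):
            n = WEP_LENGTHS[bits][fmt]
            print(f"WEP {bits}-bit as {fmt:8}: {n:2} symbols, ~{entropy_bits(n, fmt):.0f} bits "
                  f"if random, e.g. {generate_wep_key(bits, fmt)}")
    for fmt in ("keyboard", "hex"):
        n = MIN_PSK[fmt]
        print(f"WPA/WPA2 PSK as {fmt:8}: {n:2} symbols, ~{entropy_bits(n, fmt):.0f} bits, "
              f"e.g. {generate_psk(fmt)}")
```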
Recommended Security Configurations
The following are the recommended security configurations, in order of most to least secure:
• For the home or small business network that contains a domain controller and a RADIUS
server and supports WPA2, use WPA2 and PEAP-MS-CHAP v2 authentication. For more
information, see Step-by-Step Guide for Secure Wireless Deployment for Small
Office/Home Office or Small Organization Networks.
• For the home or small business network that contains a domain controller and a RADIUS
server and supports WPA, use WPA and PEAP-MS-CHAP v2 authentication. For more
information, see Step-by-Step Guide for Secure Wireless Deployment for Small
Office/Home Office or Small Organization Networks.
• For the home or small business network that does not contain a domain controller and a
RADIUS server and supports WPA2, use WPA2 and preshared key authentication.
• For the home or small business network that does not contain a domain controller and a
RADIUS server and supports WPA, use WPA and preshared key authentication.
For the home or small business network that does not contain a domain controller and a RADIUS
server and does not support either WPA or WPA2, use open system authentication and WEP.
However, this is not a recommended security configuration and should only be used temporarily
when transitioning to a WPA or WPA2-based wireless network.
On the surface, the choice of open system over shared key authentication might seem
contradictory because open system authentication is not really authentication and shared key
authentication requires knowledge of a shared secret key. Shared key authentication might be a
stronger authentication method than open system, but the use of shared key authentication makes
wireless communication less secure.
For most implementations, including Windows XP, the shared key authentication secret key is
the same as the WEP encryption key. The shared key authentication process consists of two
messages: a challenge message sent by the authenticator and a challenge response message sent
by the authenticating wireless client. A malicious user that captures both messages can use
cryptanalysis methods to determine the shared key authentication secret key, and therefore the
WEP encryption key. Once the WEP encryption key is determined, the malicious user has full
access to your network, as if WEP encryption was not enabled. Therefore, although shared key
authentication is stronger than open system for authentication, it weakens WEP encryption.
The tradeoff with using open system authentication is that anyone can easily join your network.
By joining the network, the malicious user uses up one of the available wireless connections.
However, without the WEP encryption key, they cannot send encrypted wireless frames or
interpret the encrypted wireless frames they receive.
Wireless APs and Windows XP support open system authentication. One advantage to using
open system authentication is that it is always enabled for Windows XP wireless clients. No
additional authentication configuration is needed.
Windows XP Wireless Auto Configuration
Windows XP Wireless Auto Configuration, enabled through the Wireless Zero Configuration
service, provides a way to automate the configuration of the settings for wireless networks.
When your wireless network adapter, whose driver supports Wireless Auto Configuration, scans
for wireless networks, the names of the found wireless networks are passed to Wireless Auto
Configuration. Windows XP maintains a list of preferred wireless networks. Windows XP tries to
match a found wireless network to the preferred networks list in the order of preference. If a
network name is found, Windows XP uses the settings of the wireless network to attempt a
connection. If a network name is not found, Windows XP prompts you with a notification bar
message, asking you whether or not you want to connect to one of the found wireless networks.
For home or small office wireless networks, you will use Wireless Auto Configuration to
discover your wireless network, but because the default configuration for a wireless network is to
use WEP and automatically determine the WEP key, you will have to manually configure the
settings for your wireless network.
A Wireless Network Using a Wireless Access Point
This section describes how to set up a wireless network for a home or small business when you
are using a wireless AP.
To secure your infrastructure mode home or small business wireless network, you must use
WPA2 preshared key authentication with AES encryption (recommended), WPA preshared key
authentication with TKIP encryption (recommended), or open system authentication and WEP
encryption (not recommended).
The following sections describe how to manually configure your wireless AP and computers
running Windows XP. If you are using a computer running Windows XP with SP2, you can
greatly simplify the configuration of strong security for wireless networks in the home or small
office by using the new Wireless Network Setup Wizard.
This new wizard in Windows XP SP2 steps you through the configuration of wireless network
settings and then writes that configuration as a set of files on a Universal Serial Bus (USB) flash
drive (UFD). You then plug the UFD into other wireless devices in the home or small office that
support Windows Connect Now (formerly known as Windows Smart Network Key [WSNK]).
All of the wireless devices that support Windows Connect Now automatically read the settings
from the files stored on the UFD and configure themselves with the same settings as the
computer on which the Wireless Network Setup Wizard was initially run.
This is the recommended method of configuring wireless AP-based wireless networks in a home
or small office, especially if you are using other computers running Windows XP with SP2 or
wireless network devices (such as wireless APs or wireless printers) that support Windows
Connect Now.
For more information, including a step-by-step example with screen shots, see Step-by-Step
Guide for Secure Wireless Deployment for Small Office/Home Office or Small Organization
Networks.
Note The Wireless Network Setup Wizard only supports manually configured WEP keys and
WPA preshared keys. The Wireless Network Setup Wizard does not support configuration of
WPA2 preshared keys.
Configuring the Wireless AP (Without WPA or WPA2)
For open system authentication and WEP encryption, you must configure your wireless AP with
the following settings:
• The wireless network name (SSID)
• Enable open system authentication
• Enable WEP
• Select a WEP key format
If you are typing the WEP key using keyboard (ASCII) characters, you must type 5
characters for a 40-bit WEP key and 13 characters for a 104-bit WEP key. If you are
typing the WEP key using hexadecimal digits, you must type 10 hexadecimal digits for a
40-bit key and 26 hexadecimal digits for a 104-bit key. If you have the choice of the
format of the WEP key, choose hexadecimal. Keyboard characters do not have a lot of
randomness, whereas hexadecimal digits are more random. The more random your WEP
key, the safer it is to use.
• Select the WEP encryption key number
You must specify which key to use. IEEE 802.11 allows the use of up to 4 different WEP
keys. A single WEP key is used when traffic is exchanged between the wireless AP and
the wireless client. The key is stored in a specific memory position. In order for the
receiver to correctly decrypt the incoming frame, both the sender and the receiver must
use the same encryption key in the same memory position.
Although it is possible to configure your wireless AP with all four keys and have different
clients use different keys, this can lead to configuration confusion. Rather, choose a
specific key and a specific memory position to use for the wireless AP and all the
wireless clients.
The choice of a specific memory position is complicated by the fact that Windows XP
with no service packs installed refers to the encryption key memory positions using a
"key index" and numbers the key indexes starting at 0, whereas some wireless APs refer to the
encryption key memory positions as "encryption keys" and number the keys starting at
1. In this case, you must make the key index number on Windows XP with no service packs
installed indicate the same encryption key memory position as the encryption key number
on the wireless AP; otherwise the wireless AP and wireless clients will not be able to
communicate. Table 1 shows this relationship.
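As an added example (not from the article), this Python check models the AP and client WEP configuration described in this section: it decodes a key typed in either form, maps an AP "encryption key" number (1-4) to the Windows XP key index (0-3) for the same memory position, and reports whether the two sides would interoperate. The configuration dictionaries, the sample keys and the function names are constructed for this example.

```python
import re

# WEP key forms and sizes as the article gives them.
WEP_HEX_LENGTHS = {10: 40, 26: 104}      # hex digits     -> key bits
WEP_ASCII_LENGTHS = {5: 40, 13: 104}     # keyboard chars -> key bits


def parse_wep_key(key):
    """Return (bits, key_bytes) for a WEP key typed as hex digits or as keyboard
    characters; raise ValueError if its length fits neither form. Comparing the
    decoded bytes lets a hex key on the AP match the same secret typed as
    keyboard characters on a client."""
    if len(key) in WEP_HEX_LENGTHS and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return WEP_HEX_LENGTHS[len(key)], bytes.fromhex(key)
    if len(key) in WEP_ASCII_LENGTHS and key.isascii() and key.isprintable():
        return WEP_ASCII_LENGTHS[len(key)], key.encode("ascii")
    raise ValueError(f"{key!r}: WEP keys are 5/13 keyboard characters or 10/26 hex digits")


def xp_key_index(ap_key_number):
    """Map an AP 'encryption key' number (1-4) to the Windows XP (no service pack)
    'key index' (0-3) that denotes the same memory position."""
    if not 1 <= ap_key_number <= 4:
        raise ValueError("IEEE 802.11 allows at most four WEP keys, numbered 1-4")
    return ap_key_number - 1


def check_wep_interop(ap, client):
    """Return a list of problems; an empty list means the AP and client interoperate.
    ap     = {"keys": {1: key, ...}, "active": n}   (AP numbers positions 1-4)
    client = {"keys": {0: key, ...}, "active": i}   (XP numbers positions 0-3)
    In each direction the sender's active key must be well formed and identical
    to the key the receiver holds in the same memory position."""
    problems = []
    directions = [  # (label, sender, receiver, receiver's position for sender's key)
        ("AP -> client", ap, client, xp_key_index(ap["active"])),
        ("client -> AP", client, ap, client["active"] + 1),
    ]
    for label, sender, receiver, recv_pos in directions:
        send_key = sender["keys"].get(sender["active"])
        recv_key = receiver["keys"].get(recv_pos)
        if send_key is None or recv_key is None:
            problems.append(f"{label}: no key configured at the active memory position")
            continue
        try:
            send_bits, send_bytes = parse_wep_key(send_key)
            recv_bits, recv_bytes = parse_wep_key(recv_key)
        except ValueError as err:
            problems.append(f"{label}: {err}")
            continue
        if send_bits != recv_bits:
            problems.append(f"{label}: {send_bits}-bit key on one side, {recv_bits}-bit on the other")
        elif send_bytes != recv_bytes:
            problems.append(f"{label}: keys in matching memory positions differ")
    return problems


if __name__ == "__main__":
    # Constructed sample: the AP uses its "key 1"; the client typed it at XP key index 1
    # instead of index 0, the classic off-by-one this section warns about.
    ap_cfg = {"keys": {1: "0123456789ABCDEF0123456789"}, "active": 1}
    wrong = {"keys": {1: "0123456789ABCDEF0123456789"}, "active": 1}
    right = {"keys": {0: "0123456789ABCDEF0123456789"}, "active": 0}
    print("misconfigured:", check_wep_interop(ap_cfg, wrong))
    print("corrected:    ", check_wep_interop(ap_cfg, right))
```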