Introduction
Wireless networking provides many advantages over conventional wired networks: for instance, the ability to connect to your network resources without the capital cost of installing structured wiring, and the ability to roam within the range of your access points or gateway. It also, however, carries a disadvantage compared with conventional networking in that anyone within range of your access points or gateway who shares your wireless settings may also connect to your network. To combat this security issue, the IEEE 802.11 standards body has provided a mechanism to improve the security of wireless connections called Wired Equivalent Privacy (WEP). This document will look at the security measures built in to wireless networking, such as WEP encryption and MAC address filtering, and at other methods of providing more robust security, as well as providing a guide to securing the wireless connections to the OfficeConnect Wireless Cable/DSL Gateway. The following text assumes that you have successfully installed a wireless network using the OfficeConnect Wireless Cable/DSL Gateway installation wizard. If you have followed the instructions then you will have one or more PC clients that are able to connect, via the wireless network, to the OfficeConnect Wireless Cable/DSL Gateway. Communications at this level are insecure, but there are some steps you can take to improve security on your network.
SSID
Each wireless network has a name; this is referred to as the SSID (Service Set Identifier) or "Service Area Name". When wireless systems were first installed the SSID was considered to be a security feature: without knowing the name of the network it was difficult to connect to it. However, some wireless NICs now have the ability to scan for available SSIDs and join that group, bypassing any security that might have been given by the SSID. This means that anyone in range can see your network, and can also join it if the local network administrator has not taken the appropriate security precautions discussed later in this article. Although having an SSID is essential to setting up and using your wireless network, it is not sufficient security for a wireless network.
WEP
Wired Equivalent Privacy (WEP) secures the link between the access point or gateway and the wireless computers and, although not specified as part of the IEEE 802.11b standard for wireless networking, almost all wireless equipment comes with WEP encryption built in to the product to increase security. WEP is an encryption mechanism based upon a static key of either 64 or 128 bits in length, which is used to encrypt the data stream using the RC4 encryption algorithm. It encrypts data between a wireless computer and the access point to improve the security of the connection. (Note: WEP 64bit encryption is commonly called 40/64bit encryption; this is because the user-definable key is only 40 bits, but there is a 24 bit static key that is automatically added to it, therefore providing a 64bit key.) A WEP key is a string of hexadecimal characters: 40/64bit WEP has 10 characters while 128bit WEP has 26 characters. To be able to use WEP, both the wireless gateway or access point and the wireless NIC need to have the same WEP key. This allows the encryption and decryption of data. Up to 4 WEP keys can be programmed into a wireless NIC or Gateway, but only one (called the transmit key) will be used for encryption. Different components of the wireless network may have different keys defined as the transmit key; as long as both components have the same keys defined in the same order (1-4), communication will work. For example, if the Gateway is configured to transmit using encryption key 1, then the wireless NIC that it is transmitting to will use key 1 to decrypt the data. If the NIC is configured to use key 3 to transmit, then the Gateway will use key 3 to decrypt the data from the NIC. In this way, the data is encrypted differently in either direction, improving the security of the network.
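To make the four key slots and the transmit-key behaviour concrete, here is an added Python model of WEP encapsulation; it is not part of this 3Com document. The sender prepends a 3-byte IV and a key-ID byte whose top two bits name the slot, and the receiver uses that slot from its own table to decrypt and verify the CRC-32 integrity check value. The keys, IVs and payloads are constructed sample values.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data; WEP keys RC4 with IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(keys: list, tx_key: int, iv: bytes, payload: bytes) -> bytes:
    """Sender side: IV(3) | key-ID byte | RC4(IV||key_slot)(payload || CRC-32 ICV).
    keys holds the 4 slots (5 bytes for 40/64bit, 13 for 128bit); tx_key is 1..4."""
    key = keys[tx_key - 1]
    assert len(key) in (5, 13) and len(iv) == 3
    key_id_byte = bytes([(tx_key - 1) << 6])         # slot number sits in bits 6-7
    icv = zlib.crc32(payload).to_bytes(4, "little")  # integrity check value
    return iv + key_id_byte + rc4(iv + key, payload + icv)

def wep_decapsulate(keys: list, body: bytes):
    """Receiver side: the key-ID byte selects which of its own 4 slots to use.
    Returns the payload, or None when the ICV fails (the slot holds a different key)."""
    iv, slot = body[:3], body[3] >> 6
    plain = rc4(iv + keys[slot], body[4:])
    payload, icv = plain[:-4], plain[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None

if __name__ == "__main__":
    # Constructed sample keys: both devices hold the same four 40-bit keys in the same order.
    gateway_keys = [bytes.fromhex(h) for h in ("0123456789", "aabbccddee", "1122334455", "deadbeef00")]
    nic_keys = list(gateway_keys)
    down = wep_encapsulate(gateway_keys, 1, b"\x01\x02\x03", b"from gateway")  # Gateway sends with key 1
    up = wep_encapsulate(nic_keys, 3, b"\x04\x05\x06", b"from nic")            # NIC sends with key 3
    print(wep_decapsulate(nic_keys, down), wep_decapsulate(gateway_keys, up))
    # A client that typed the same keys in a different order fails the ICV check rather than decrypting.
    print(wep_decapsulate([nic_keys[1], nic_keys[0], nic_keys[3], nic_keys[2]], down))
```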
It should however be noted that the weakness of the WEP system is that it has a static key; several studies exist in which keys have been cracked once sufficient data had been collected, enabling someone to break into the network. For this reason, higher levels of security have been introduced by some vendors based on dynamic keys. These keys change at regular intervals, making it significantly more difficult to crack them. There is also further work going on within the IEEE 802.11 committee to develop more robust encryption schemes. This will be covered in greater depth later in this document. The WEP key can normally be entered in several ways: by manually entering the desired number of hexadecimal characters, or by using a passphrase. A passphrase is a string of ASCII characters which is converted into a hexadecimal string. If the passphrase method is used on wireless equipment from different vendors, ensure that the hexadecimal string created is the same on both, as this is not always the case.
to be entered by the user. User authentication can also be used for an even higher level of security by requiring users to enter a username and password for each session. Another way to increase security is to use central authentication to validate the login details of any user trying to use the wireless network. The most popular way of doing this is to use a central RADIUS server to validate the user details. All user details are stored on the central RADIUS server and the Access Point authenticates users against it. Each of these features makes the wireless network more secure. Details of both the 3Com Access Point 6000 and 8000 can be found on www.3com.com.
VPN Tunnel
In this scenario the local network is separated from the wireless network but is still easily accessed by authorised users. This offers a very high level of security for the local network, whilst still protecting the Internet connection against unauthorised access using WEP encryption, if enabled. Note: The OfficeConnect Wireless Cable/DSL Gateway cannot be used in this scenario, although the 3Com Access Point family can.
For more information about VPN technology, refer to the VPN white paper found on www.3com.com
Select the "Active Transmit Key". This selects which of the 4 keys the Gateway uses when it transmits. You can change the selected key periodically to increase the security of your network. Make a note of your keys in the table(s) below.
Key #   Active Transmit Key?   Hexadecimal characters (10 for 40/64bit WEP, 26 for 128bit WEP)
  1     y/n                    __________________________
  2     y/n                    __________________________
  3     y/n                    __________________________
  4     y/n                    __________________________
Security Step 4: The next step is to switch on WEP on all of your clients. Using the information you have collected, you will now need to consult the documentation for your client wireless NICs and set up the corresponding information: SSID or Service Area Name, and 40/64bit WEP or 128 bit WEP. Remember you have to choose one or the other for your whole network. Finally, enter all of the keys you generated on the Gateway in the correct order on each client. If you have a wireless client that only supports one key, ensure you enter the active transmit key as defined in the Gateway. While you are making the changes to your clients it would be a good idea to note the MAC address of each NIC card you are using. The MAC address is recorded as a sequence of twelve hexadecimal characters. This will be useful if you wish to make further enhancements to the security of your network. Make a note of your Wireless NIC MAC (Media Access Controller) addresses below:

Client #   Media Access Controller Address   PC Name or Owner
You may now test the network with encryption enabled. If you encounter any problems, go to the troubleshooting section at the end. If you are happy that the encryption settings are working then you can optionally move to the next section to further enhance security.

Security Step 5: The Gateway provides a list of connected PCs; confirm that the PCs on your network that are powered up with a live wireless card can be seen in the list of clients. Verify that all of your clients can still connect to the Gateway. Remember that if MAC address filtering has been enabled, any new device added to the network, or any change to the existing configuration, will need to be recorded in the Gateway MAC address table. We also recommend that you keep the table up to date so that it accurately reflects the active devices in your network. Finally, it is also useful to consider that any system using WEP is not unbreakable, so regularly changing the keys between the devices is a further precaution you could take.
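As an added example (not part of this 3Com document), the following Python helper codifies the checks from Security Steps 4 and 5: each client's SSID, WEP key length and key order are compared against the Gateway's, a single-key client is required to hold the active transmit key, and the Gateway's connected-PC list is reconciled against the MAC address table you recorded. The field names and the sample settings are constructed for this example.

```python
import re

KEY_HEX_LEN = {"40/64bit": 10, "128bit": 26}   # hex characters per WEP key, as in the text

def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-..., or 001a2b3c4d5e and return 12 lowercase hex chars."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"MAC address must be 12 hexadecimal characters: {mac!r}")
    return digits

def check_client(gateway: dict, client: dict) -> list:
    """Security Step 4: report every way a client's settings disagree with the Gateway."""
    problems = []
    if client["ssid"] != gateway["ssid"]:
        problems.append("SSID differs from the Gateway")
    if client["wep_mode"] != gateway["wep_mode"]:
        problems.append("WEP key length differs; the whole network must use one mode")
    want = KEY_HEX_LEN[gateway["wep_mode"]]
    for n, key in enumerate(client["keys"], start=1):
        if not re.fullmatch(rf"[0-9a-fA-F]{{{want}}}", key):
            problems.append(f"client key {n} is not {want} hexadecimal characters")
    gw_keys = [k.lower() for k in gateway["keys"]]
    cl_keys = [k.lower() for k in client["keys"]]
    if len(cl_keys) == 1:                      # NIC that supports only one key
        if cl_keys[0] != gw_keys[gateway["active_key"] - 1]:
            problems.append("single-key client must hold the Gateway's active transmit key")
    elif cl_keys != gw_keys:
        problems.append("keys are not entered in the same order (1-4) as on the Gateway")
    return problems

def unknown_clients(connected: list, mac_table: dict) -> list:
    """Security Step 5: MACs in the Gateway's connected-PC list missing from your recorded table."""
    allowed = {normalize_mac(m) for m in mac_table}
    return [normalize_mac(m) for m in connected if normalize_mac(m) not in allowed]

if __name__ == "__main__":
    gateway = {"ssid": "OfficeNet", "wep_mode": "128bit", "active_key": 2,
               "keys": ["0" * 26, "1" * 26, "2" * 26, "3" * 26]}     # constructed sample keys
    laptop = {"ssid": "OfficeNet", "wep_mode": "128bit", "keys": ["1" * 26]}   # one-key NIC
    desktop = {"ssid": "OfficeNet", "wep_mode": "128bit",
               "keys": ["1" * 26, "0" * 26, "2" * 26, "3" * 26]}     # keys typed in the wrong order
    print(check_client(gateway, laptop), check_client(gateway, desktop))
    table = {"00:1A:2B:3C:4D:5E": "laptop (Alice)", "00-1a-2b-3c-4d-5f": "desktop (Bob)"}
    print(unknown_clients(["001a2b3c4d5e", "00:1A:2B:3C:4D:60"], table))
```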
3Com Corporation, Corporate Headquarters, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145 To learn more about 3Com solutions, visit www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the symbol COMS. The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document. Copyright 2001 3Com Corporation. All rights reserved. 3Com is a registered trademark and the 3Com logo is a trademark of 3Com Corporation. Windows NT is a trademark of Microsoft. UNIX is a trademark of UNIX Laboratories. Other company and product names may be trademarks of their respective companies. DMA5119-6CAA01 05/02