How Secure Is Your Wireless Network?

By Jim Geier
  • Print Article
  • Email Article
If your business hasn't yet deployed a wireless network, chances are good that you are at least considering the possibility. Wi-Fi networks are becoming well-known and readily available in electronics and office supply stores. A couple of years ago you had to look hard to find wireless LAN products on store shelves. Now, there are full-length aisles full of wireless adapters and routers. With this growing popularity, lots of homes and small offices are deploying wireless LANs.

With this in mind, a couple of my staff members drove through residential and office areas while running a wireless LAN analyzer. The goal was to find out what security issues were commonly present in wireless LAN implementations in the area — what some call a wardrive. Here's what we found:

Home Office WLAN Security Not So Good
After driving through a few large residential areas and capturing details from a couple hundred wireless routers and access points, we found that roughly 50 percent were not using any form of security. Of course the problem with this is that a neighbor or someone who parks in the street can easily access Internet services and retrieve files stored on the homeowner's computers.

A while ago, a friend of mine living in an apartment installed a wireless LAN router (with no security) attached to a broadband Internet service. After a few months, he found that a couple of unknown users were associating with the router and using his Internet service from somewhere else within the apartment complex. He quickly implemented Wi-Fi Protected Access (WPA), which solved the problem. You could also disable SSID (service set identifier) broadcasting (if available on the unit) to limit other users from automatically gaining access.

Also, I'd heard that a friend of our family bought a laptop with an integrated Wi-Fi adapter, took it home, and found it really cool that they could access the Internet wirelessly. This user, however, hadn't yet installed any routers or Internet service. Apparently, the radio card in the laptop was associating with a neighbor's unsecured wireless router, which was graciously providing access.

The funny thing was that this person didn't even realize that you needed any special hardware to make this work. They'd thought that the wireless connection was enabled by only the radio device in the laptop and that the connection to the Internet was magically made available. SSIDs Identify Businesses

In our drive-around testing, we found that many of the home offices and businesses were broadcasting the default SSID, which actually isn't too much of a problem. In most cases, the default value is the hardware vendor's name (except Cisco, which uses "tsunami"). Some of the SSIDs found in our testing clearly indicate company names. In fact, we found several large businesses having the SSID the same as their company name. These companies were not broadcasting SSIDs, but our packet analyzer readily found the SSIDs in user association request frames.

The knowledge of the SSID alone doesn't allow access to a WLAN that employs solid authentication and encryption mechanisms. The issue is that having an SSID the same as the company name may identify a network that a hacker would rather attack than others. I'd argue that it's safer to have the SSID equal to the default vendor name rather than use your company name. In addition, the use of meaningless characters as the SSID draws the attention of hackers and makes them suspicious that it represents a company trying to hide themselves.

Business WLAN Security Not Much Better
In business areas, we found that the usage of wireless security was around 75 percent. This was better than the residential areas, but there were still several rather large, well-known companies operating wireless LANs without any form of security. There was even evidence that a significant portion of these businesses were connecting their access points directly to the corporate network.

A business is a bigger target for hackers wanting to either disrupt operations or steal information. Companies not implementing wireless security are certainly inviting hackers in to overhear e-mail transmissions, access corporate data and change network configurations.

The bottom line is that home offices and small businesses need to secure the network with at least wired equivalent privacy (WEP). Even though WEP has weaknesses, it's better than nothing. If WPA is available, use it. For larger companies, consider the use of a VPN (virtual private network) and/or 802.1x authentication.

Article courtesy of WiFi Planet

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

This article was originally published on June 18, 2004
Thanks for your registration