how to cheat at securing a wireless network part 2 pps


Figure 2.4 Enable WEP on the WRT54G

Figure 2.5 The WEP Keys Window

Next, select the key (1–4) that you will initially use by choosing the appropriate radio button next to Default Transmit Key. Finally, click Save Settings in the Wireless Security tab to save your settings.

www.syngress.com Wireless Security • Chapter 2 23

SOME INDEPENDENT ADVICE

Some people will argue that WEP is a “broken” standard and should not be used. Yes, WEP is an easy protocol to hack and allows intruders to gain the encryption key to your wireless network using tools included in the Aircrack suite. However, due to wireless connections by other devices (game consoles, PDAs, and the like), you may be forced to use WEP instead of the more secure WPA. Remember that no security is bad security, and that something is always better than nothing. Enabling WEP encryption on your network may be the difference between your network or your unencrypted neighbor’s being hacked.

Enabling Wi-Fi Protected Access

An alternative and more secure approach to wireless security on an access point is to use Wi-Fi Protected Access, or WPA. WPA uses an improved encryption process based on the Temporal Key Integrity Protocol (TKIP). TKIP jumbles the keys and incorporates an integrity-checking feature to ensure that the keys have not been tampered with. WPA also includes client authentication via the Extensible Authentication Protocol (EAP). EAP uses a public key encryption mechanism to ensure that only authorized systems have access to the access point.

In late 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified the 802.11i specification, more commonly referred to as WPA2. WPA2 uses AES as the encryption standard, whereas WPA uses the TKIP standard. This is not to say that WPA is not secure but to acknowledge that wireless security is ever changing.
WPA2 also supports a personal authentication implementation (PSK) and an enterprise authentication implementation (RADIUS). This chapter focuses on the WPA standard.

Log in to the WRT54G and click the Wireless tab. Click the Wireless security subtab to enable WPA. From the drop-down list, choose WPA-Personal, as shown in Figure 2.6.

Figure 2.6 The WRT54G WPA Setup Screen

Leave the WPA algorithm as TKIP. Enter a shared key of between 21 and 63 characters in the WPA Shared Key: text box. Leave the Group Key Renewal at its default of 3600 seconds (see Figure 2.7).

Figure 2.7 WPA Shared Key

Click Save Settings to save the WPA settings on the WRT54G. It is still a good idea to follow the previous security steps to enable wireless MAC filters and disable the SSID broadcast. Be careful not to set the SSID to anything personal to you, such as your phone number, home address, or name.

Filtering by Media Access Control (MAC) Address

After you have set a unique SSID, disabled SSID broadcast, and enabled WEP encryption, you need to filter access to the WRT54G by MAC address. Filtering access to the access point allows only those MAC addresses specified in the list the ability to access the wireless network.

First, from the main Wireless tab, click the Wireless MAC Filter tab to display the option to enable or disable Wireless MAC filtering (see Figure 2.8).

Figure 2.8 The Wireless MAC Filter screen

Next select Enable from the Wireless MAC Filter radio buttons. This will reveal the MAC filter options, as shown in Figure 2.9.

Figure 2.9 The Wireless MAC Filter Options

Choose the Permit Only PCs listed to access the wireless network radio button, and click the Edit MAC Filter List button to display the MAC Address Filter List window (see Figure 2.10).
Figure 2.10 The MAC Address Filter List Window

In the provided text boxes, enter the MAC addresses of wireless clients that are allowed to access your wireless network, and then click Apply, as shown in Figure 2.11.

Figure 2.11 Enter Allowed MAC Addresses

Finally, click Save Settings in the Advanced Wireless window to save your settings and enable filtering by MAC address. Keep in mind that this should not be the only security measure implemented. Using various tools in Windows and/or Linux, it is easy for an attacker to spoof his or her local MAC address to gain access to your wireless network.

SOME INDEPENDENT ADVICE

Finding your MAC address is a simple process with any operating system. Using Windows XP, from a command line, you can type:

    ipconfig /all

to show the MAC address of the installed network devices. Linux makes the process just as simple. From a terminal window, type:

    ifconfig -a

And find the HWaddr for the requested network interface. This is the MAC address.

Enabling Security Features on a D-Link DI-624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch

Although Linksys has a sizable share of the home access point market, D-Link also has a large market share. D-Link products are sold at most big computer and electronics stores such as Best Buy and CompUSA. This section details the steps you need to take to enable the security features on the D-Link 624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch. The DI-624 is an 802.11g access point with a built-in router and switch, similar in function to the Linksys WRT54G.

Setting a Unique SSID

The first security measure to enable on the D-Link DI-624 is setting a unique SSID. First you need to log into the access point. Configure your local workstation with a static IP in the 192.168.0.0/24 subnet and point your browser to 192.168.0.1. Use the username admin with a blank password to access the initial setup screen (see Figure 2.12).
Figure 2.12 The D-Link DI-624 Initial Setup Screen

Next click the Wireless button on the left side of the screen to bring up the Wireless Settings screen, as shown in Figure 2.13.

Figure 2.13 The Wireless Settings Screen

In the SSID textbox, enter a unique SSID, as shown in Figure 2.14, and click Apply to save and enable the new SSID.

Figure 2.14 Set a Unique SSID

Disabling SSID Broadcast

After you have set a unique SSID, enabled 128-bit WEP, and filtered access by MAC address, you need to disable SSID broadcast. From the Advanced Features screen, click the Performance button, as shown in Figure 2.15.

Figure 2.15 The Advanced Performance Options

Select the Disabled radio button next to SSID Broadcast, and click Apply to save your settings, as shown in Figure 2.16.

Figure 2.16 Disabling SSID Broadcast

Enabling Wired Equivalent Privacy

After you have set a unique SSID, you will need to enable 128-bit WEP encryption. First, choose the Enabled radio button next to WEP, as shown in Figure 2.17.

Figure 2.17 Enable WEP

Next choose 128Bit from the WEP Encryption drop-down box, as shown in Figure 2.18.

Figure 2.18 Require 128-Bit WEP Encryption

Then you need to assign a 26-character hexadecimal number to at least Key1 (see Figure 2.19). A 26-digit hexadecimal number can contain the letters A–F and the numbers 0–9.

Figure 2.19 Assign WEP Keys

[...]

... the AirPort Admin Utility. Click Rescan to locate the Airport if it does not automatically populate the window after a few seconds.

Figure 2.28 Launching the Admin Utility and Finding the Airport Base Station

Click the appropriate base station, and click Configure to enter the base station properties (see Figure 2.29).

Setting a Unique SSID

At the main properties screen, we will set the SSID by changing ...

... 1100 Access Point does not provide an option to enter a 13-character ASCII string and convert it automatically to hexadecimal format. Several Web sites will convert ASCII to hex. A Google search will reveal many converters; choose one that suits your taste. In this case, we have decoded the 13-character ASCII string CiscoRules!!! to its hexadecimal equivalent of 436973636f52756c6573212121, which is 26 characters ...

... Figure 2.35 WPA Settings

Ensure that the Password option is set, and enter a password or passphrase of between 8 and 63 ASCII characters. The Encryption Type: may be left at the default WPA and WPA2 option to allow both WPA and WPA2 connections. If only WPA clients or only WPA2 clients will be connecting, you may change this option to reflect that fact. Leave the Group Key Timeout: at its default of 60 ...

... changing the Name text box, under the AirPort Network heading. Type in the SSID, remembering not to include any personal information such as address as part of the SSID. At this point, it would also be a good idea to change the Name of the Airport under the Base Station heading, to obfuscate the fact that this is an Apple Airport product (see Figure 2.30). Click Update to save the SSID. ...

... the Wireless button. To enable WPA, click the radio button labeled WPA-PSK next to the Authentication option (see Figure 2.20).

Figure 2.20 Enabling WPA

Enter a passphrase into the Passphrase text box, and retype the passphrase in the Confirmed Passphrase text box to verify it, as shown in Figure 2.21. Click Apply to confirm the settings and enjoy added wireless security protection!

Figure 2.21 WPA Passphrase

Filtering by Media Access Control Address

After you have ...

... be wise to set one now. Click the Admin Access option. Enter and confirm a Default Authentication Password (see Figure 2.43).

Figure 2.43 The Admin Access Screen to Enter a Default Authentication Password

Once you click Apply, the password will be saved and you will now be required to authenticate back to the access point. Leave the Username: blank, and enter ...

... name of your choice for each client in the Name text box (see Figure 2.25). Note that you must click Apply after each MAC address entered.

Figure 2.25 Filter by MAC Address

Enabling Security Features on Apple’s Airport Extreme 802.11g Access Point

In early 2003, Apple released the Airport Extreme base station to the masses, supporting the 802.11b and 802.11g protocols. Even though this access point was ...

... authorized to connect to the Airport must know the SSID beforehand to make the connection (see Figure 2.31).

Figure 2.31 Disabling the SSID Broadcast

Setting a Password on the Airport

Because the Airport is in a default configuration, it is wise to set a password on the Airport to disable the ability of anyone making unauthorized changes. From the main base station properties windows, click the Change Password… button and enter and confirm a password for the Airport. Click OK to set the password. Click Update to save the changes to the Airport (see Figure 2.32).

Figure 2.32 Setting a Password on the Airport

Enabling Wired Equivalent Privacy

To enable WEP on the Airport, click the Change Wireless Security… button to open the Properties dialog box (see Figure 2.33) ...

... Apple PowerBook. Once you enable the Airport card, you can reclick the wireless symbol and see any access points broadcasting in your area. We want to click the Apple Network ###### listing to connect to our AirPort (see Figure 2.27).

NOTE

To ensure that you are connecting to the correct access point, verify that the network number listed in the drop-down list matches the last six characters of your Airport ...
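
The key-entry steps above (a 26-digit hex WEP key, a WPA passphrase tied to an SSID) can be checked before anything is typed into the access point. The following Python is an added example, not code from the book or from any router vendor: it converts a 13-character ASCII WEP key to hex and derives the WPA-Personal key with the PBKDF2 construction defined in IEEE 802.11i. The function names, the sample passphrase and the sample SSIDs are constructed for illustration; CiscoRules!!! is the string quoted in the chapter.

```python
import hashlib
import string

def wep128_ascii_to_hex(ascii_key: str) -> str:
    """Turn a 13-character ASCII key into the 26-digit hex form some APs require."""
    raw = ascii_key.encode("ascii")          # raises ValueError on non-ASCII input
    if len(raw) != 13:
        raise ValueError("128-bit WEP needs exactly 13 ASCII characters")
    return raw.hex()

def is_wep128_hex(key: str) -> bool:
    """True for 26 digits drawn from 0-9 and A-F, as the key fields expect."""
    return len(key) == 26 and all(c in string.hexdigits for c in key)

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

if __name__ == "__main__":
    # ASCII string quoted in the chapter; the rest are constructed sample values.
    print(wep128_ascii_to_hex("CiscoRules!!!"))
    phrase = "correct horse battery staple"
    for ssid in ("linksys", "Attic-AP-7f3"):
        # Same passphrase, different SSID: the derived key differs.
        print(ssid, wpa_psk(phrase, ssid).hex())
```

Because the SSID is the salt, the same passphrase produces a different key on every network name, so a unique SSID and a long passphrase both contribute to the strength of the derived key.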

Date posted: 14/08/2014, 18:22
