FAQ - Wireless VDSL/ADSL Router Series
What's the difference between Open System and Shared Key authentication?
Wireless authentication is the process of performing a security check on clients that request access to a wireless network. The 802.11b standard presently supports these two methods of authentication, although many vendor proprietary (and non-interoperable) methods are also in use.
Open System Authentication might better be called No authentication, since it allows any device to join a network without performing any security check.
Shared Key Authentication requires that the Station and the Access Point use the same WEP Key to authenticate. This basically means that WEP must be enabled and configured the same on the AP and client.
What's the difference between 40 and 64 bit WEP?
They are the same. The confusion comes from the way different manufacturers interpret the WEP specification. WEP actually has two parts, a "secret key" (user settable), and a 24 bit "Initialization Vector" which is not under user control.
Some manufacturers quote only the length of the user-programmable "secret key" part of the WEP key, while others quote the length of the "secret key" plus the "initialization vector". Curiously, this confusion is only seen at the lowest level of WEP, i.e. 40/64 bit, probably for historical reasons. Since all 802.11b products now support 128-bit (and sometimes higher) levels of WEP, this problem is moot. If you enable WEP, you should always use the highest bit length available, since there's no performance penalty from using the higher number of bits.
How do I prevent unknown users from using my wireless LAN?
In spite of all the negative things you may have heard, the fastest, easiest, and most effective first step to take is to enable WEP encryption. Although WEP can be broken, it takes time and tools that most folks don't have. Think of it as pushing in the knob-type lock on a door. Yes, someone can break down the door or jimmy the lock, but most 'doorknob rattler' type would-be wireless freeloaders will just move on to the next WLAN that isn't encrypted.
Is 802.11a more secure than 802.11b?
How should I set up 2 routers to provide untrusted wireless users access to WAN but not expose my internal LAN?
The easiest way is to connect your wireless router (#1) to the WAN, then connect the WAN port of Router #2 to one of Router #1's LAN ports. Make sure the two routers are set to different subnets (base addresses).
- Router #2 can be either a wired or wireless router.
- If Router #2 is wireless take the following precautions on Router #2:
- Use a different clear channel (1, 6, or 11)
- Use a different, non-obvious, non-descriptive ESSID
- Enable the highest level WEP you have and don't use an easy-to-guess key like all 1's or 0's
- Enable MAC address association control
- Disable ESSID broadcast or use a "closed network" option if you have it
- Set Router #2 to be a DHCP client (obtain IP address automatically) on its WAN port.
- Your wired LAN clients should all connect to the second router, and you can set them to obtain their IP address information automatically, or use static IP addressing if you wish.
- If you forward any ports on the second router, remember that this will allow any computers on the Router #1 LAN to potentially access the computer that the ports are forwarded to.
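A small checker for the two-router plan described above, added here as an example and not part of the FAQ or any router's firmware; the addresses and port forwards are constructed samples.

```python
# Added example (not from the FAQ): sanity-check the two-router addressing plan
# and list what a port forward on Router #2 exposes to Router #1's (untrusted
# wireless) LAN. All addresses and forwards below are constructed samples.
from ipaddress import ip_network, ip_address

def check_plan(router1_lan: str, router2_wan_ip: str, router2_lan: str) -> list:
    """Return a list of problems; an empty list means the plan follows the FAQ's advice."""
    problems = []
    r1 = ip_network(router1_lan, strict=False)
    r2 = ip_network(router2_lan, strict=False)
    wan = ip_address(router2_wan_ip)
    # Router #2's WAN port is a DHCP client on Router #1's LAN, so it must sit there.
    if wan not in r1:
        problems.append(f"Router #2 WAN address {wan} is not inside Router #1 LAN {r1}")
    # The two routers must use different subnets (base addresses).
    if r1.overlaps(r2):
        problems.append(f"Router #2 LAN {r2} overlaps Router #1 LAN {r1}")
    return problems

def exposed_by_forwards(router2_lan: str, forwards: dict) -> dict:
    """Map each internal host to the ports reachable from Router #1's LAN.
    Every forward on Router #2 opens that host/port to anything on Router #1's side,
    which is exactly the caveat in the last bullet above."""
    r2 = ip_network(router2_lan, strict=False)
    exposed = {}
    for port, host in forwards.items():
        if ip_address(host) not in r2:
            continue  # forward points outside the trusted LAN; nothing internal exposed
        exposed.setdefault(host, []).append(port)
    return {host: sorted(ports) for host, ports in exposed.items()}

# Constructed sample: wireless Router #1 on 192.168.1.0/24, wired Router #2 behind it.
PLAN_OK = check_plan("192.168.1.0/24", "192.168.1.57", "192.168.2.0/24")
PLAN_BAD = check_plan("192.168.1.0/24", "192.168.1.57", "192.168.1.0/24")
EXPOSED = exposed_by_forwards("192.168.2.0/24",
                              {3389: "192.168.2.10", 80: "192.168.2.10", 22: "192.168.2.20"})
```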
How do I keep wireless clients from using my wireless router?
It depends on what you mean by "using". Most routers have the ability to prevent groups of users from accessing Internet-based programs and services. This feature goes by different names, including Port Filtering, Access Control, Outbound Firewall Access rules, and others. But they all allow you to block Internet access to things like Web browsing, file transfers, mail, newsgroups, etc. by blocking the port used by the application for particular IP addresses that you program. The Port Filtering feature, however, does not prevent users from connecting to each other through the router's switch for File and Print sharing services. All it does is block access to the Internet-based services that you specify.
Does WEP impact the ability to hold a wireless connection?
It shouldn't. It may, however, slow down the connection, sometimes by as much as 40 to 50%. This effect has been virtually eliminated in most present-generation 802.11b product designs, however.
If I disable SSID (or ESSID) Broadcast on my Access Point or wireless router, is it true that only users who I've given my SSID to will be able to connect?
No. Disabling an AP's SSID Broadcast function just prevents it from transmitting the SSID. The AP will still respond to any client that wants to associate with it and that sends a matching SSID.
For example, WinXP's built-in "Zero Config" wireless utility automatically stores every SSID that it receives. If your AP is using the same SSID as one that the client previously stored, the client will be able to connect to your AP, even if you have SSID Broadcast disabled.
Since the SSID is always sent "in the clear", i.e. unencrypted, it's also possible for anyone using freely available "sniffing" tools to monitor traffic near an AP and grab the SSID from clients that already know it.
In spite of all this, it's still good security practice to change the default SSID for your wireless LAN and use the same techniques used for choosing a strong password to keep your WLAN secure from casual snoopers.
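To make the point above concrete, here is an added example (not from the FAQ) that parses the information elements of 802.11 management frames: a beacon from an AP with SSID broadcast disabled carries an empty SSID element, while a client's probe request still names the network in the clear. The frame bodies are constructed samples, not captured traffic.

```python
# Added example (not from the FAQ): walk the tagged information elements (IEs)
# of 802.11 management frame bodies. Frames below are constructed samples.
from typing import Optional

SSID_IE = 0  # element ID for the SSID, per IEEE 802.11

def parse_ies(body: bytes) -> dict:
    """Walk the IE list (ID, length, value triples) and return {id: value}."""
    ies = {}
    pos = 0
    while pos + 2 <= len(body):
        elem_id, length = body[pos], body[pos + 1]
        value = body[pos + 2: pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies[elem_id] = value
        pos += 2 + length
    return ies

def ssid_from_beacon(frame_body: bytes) -> Optional[str]:
    """Beacons carry 12 fixed bytes (timestamp, interval, capability) before the IEs.
    Returns None when the AP is 'cloaked', i.e. sends a zero-length SSID."""
    ssid = parse_ies(frame_body[12:]).get(SSID_IE, b"")
    return ssid.decode("utf-8", "replace") or None

def ssid_from_probe_request(frame_body: bytes) -> Optional[str]:
    """Probe requests start directly with IEs; a client that already knows the
    network names it here, unencrypted, whatever the AP's broadcast setting."""
    ssid = parse_ies(frame_body).get(SSID_IE, b"")
    return ssid.decode("utf-8", "replace") or None

def ie(elem_id: int, value: bytes) -> bytes:
    """Build one IE: ID byte, length byte, value."""
    return bytes([elem_id, len(value)]) + value

# Constructed frames: a beacon with SSID broadcast disabled, and a probe request
# from a client (such as WinXP Zero Config) that has the SSID stored.
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))        # supported rates IE
HIDDEN_BEACON = bytes(12) + ie(SSID_IE, b"") + RATES    # empty SSID element
CLIENT_PROBE = ie(SSID_IE, b"HomeWLAN-42") + RATES      # SSID in the clear
```

Watching for your own SSID in probe requests from unknown stations is therefore a more useful monitoring signal than relying on the "hidden" beacon.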
How do I let someone access my wireless network, but only when I want them to?
Once someone is given (or finds) your wireless LAN's ESSID, and if you are not running WEP encryption, that person can use your WLAN whenever they want. You can block them, however, by enabling WEP, using a non-obvious WEP key, and not giving out the WEP key information. You can also use your AP or wireless router's MAC Address filtering controls and allow access only to desired clients.
Unfortunately, these capabilities have no time-of-day controls in presently available equipment. So you'll have to manually enable and disable them when you want to control access.
However, a very low-tech solution is to shut off your router and Access Point when you're not around, or simply put it on a timer (yup, just like the ones you buy to turn lamps on and off).
What is WPA?
WPA stands for Wi-Fi Protected Access and is a subset of the IEEE 802.11i draft standard intended to replace WEP (Wired Equivalent Privacy) as the primary means of securing 802.11-based wireless networks.
WPA consists of methods to strengthen data encryption (Temporal Key Integrity Protocol [TKIP], message integrity check [MIC], extended initialization vector [IV] with sequencing rules, and a re-keying mechanism) and to provide user authentication. There are actually two authentication mechanisms, one for "enterprise" users using 802.1x and Extensible Authentication Protocol (EAP), and another for home users using a Pre-Shared Key (PSK) method.
To use WPA, you'll need a firmware update for your Access Point or wireless router, and a new driver (and maybe firmware) for each wireless adapter on your network. Note that manufacturers may not offer WPA upgrades for all their existing products, especially older 802.11b-only products. You also won't be able to get upgrades for 802.11a-only products. You may also experience a loss of throughput when WPA is enabled on some older products.
Which is more secure, 64 or 128 bit WEP?
With a "doorknob-rattler" type of attacker (someone randomly trying WEP keys) either level will give you better protection than not enabling WEP, provided you choose a non-obvious WEP key. If your WLAN is targeted by a more sophisticated user, using tools such as AirSnort or WEPCrack, then your WLAN could be cracked in as little as a few hours, but more likely a day or so, regardless of WEP mode used.
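The following is an added illustration (not code from the FAQ) of the two points made in the 40/64-bit answer earlier and in this one: a WEP key is the user secret with a 24-bit IV prepended, and because that IV is the only per-frame variation, two frames sent under the same IV share a keystream whatever the secret's length. The secret, IV and frame contents are constructed samples; the WEP ICV is omitted.

```python
# Added illustration (not from the FAQ): how the WEP RC4 key is assembled and why
# the 24-bit IV, not the user-chosen secret, bounds WEP's strength.
# Sample keys and plaintexts below are constructed for the demonstration.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (the cipher WEP uses); returns data XOR keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_seed(iv: bytes, secret: bytes) -> bytes:
    """WEP prepends the 3-byte (24-bit) IV to the user secret to form the RC4 key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 24 bits")
    if len(secret) not in (5, 13):
        raise ValueError("WEP secret is 40 bits (5 bytes) or 104 bits (13 bytes)")
    return iv + secret

def nominal_bits(secret: bytes) -> tuple:
    """Return (secret-only, secret+IV) bit lengths: 40/64 or 104/128."""
    return len(secret) * 8, (len(secret) + 3) * 8

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-frame encryption: RC4 keyed with IV||secret (ICV omitted for brevity)."""
    return rc4(wep_seed(iv, secret), plaintext)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed demo: two frames under the same IV reuse the keystream, so the XOR
# of the ciphertexts equals the XOR of the plaintexts. The IV space is only 2**24,
# so repeats are inevitable on a busy WLAN, whichever key length is chosen.
SECRET_104 = b"constructed13"       # 13 bytes -> "128-bit" WEP
IV = bytes.fromhex("a1b2c3")
P1 = b"GET /index.html"
P2 = b"PUT /secret.txt"
C1 = wep_encrypt(IV, SECRET_104, P1)
C2 = wep_encrypt(IV, SECRET_104, P2)
KEYSTREAM_REUSED = xor(C1, C2) == xor(P1, P2)   # True
```

WPA's extended IV with sequencing rules and per-packet key mixing (TKIP), described in the WPA answer above, exist precisely to remove this reuse.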
If a product is 802.11g spec-compliant or 11g Wi-Fi certified, does it include Wi-Fi Protected Access (WPA) support?
Not necessarily. WPA is not part of any 802.11 specification and currently has a separate Wi-Fi certification process. We're told that the Wi-Fi Alliance is working to add WPA as part of the 802.11g certification test suite, but as of July 2003, it is not included.
Is Wi-Fi Protected Access (WPA) supported in wireless bridges and wireless-to-Ethernet adapters?
As of July 2003, WPA is not supported in wireless bridges and wireless-to-Ethernet adapters such as the Linksys WET11 and others based on Ubicom's IP2022 processor platform. Work is in progress, but no firm availability dates have been given.
Is there a way to improve security above WEP in IBSS (AdHoc) mode, since WPA is not supported in that mode?
You could try setting up a VPN tunnel, which would require running a VPN client on one station and a VPN gateway/server on the other.
For larger networks, however, this would get impractical, since each station would need to run both a VPN client and a VPN server so that it could initiate or terminate a tunnel to every other station.
Does WEP have a negative impact on 802.11b wireless network throughput?
Older 802.11b products can show a throughput reduction of up to 40 - 50% with either 64 or 128 bit WEP enabled. However, this problem has been pretty much eliminated in current generation 11b products and those using the 802.11a or 11g standards.
Is traffic on a Wireless Distribution System (WDS) bridge more secure than other wireless data?
No. Although data in a WDS connection can be WEP encrypted, WDS requires the MAC addresses in each packet's header to be unencrypted.
Also, the current version of Wi-Fi Protected Access (WPA) does not handle WDS.
Do any products support Wi-Fi Protected Access (WPA) over a WDS bridged connection?
No. In general, you won't find products that support WPA through a WDS-bridged connection. The reason is that WDS uses MAC addresses to communicate, and WPA is designed to encrypt the MAC addresses.
What security precautions should I take when using wireless hotspots?
First, be aware that any data you send or receive can be monitored by any other wireless user unless you are using a VPN, a secure web browser connection (HTTPS) or another secured connection. This includes login information, account numbers, etc., so be sure that you use the secured option for webmail, on-line ordering, etc.
The other important precaution to take is to disable File and Printer sharing and Client for Microsoft Networks on your wireless adapter if you have them enabled. Not all public wireless hotspots use technology that prevents wireless client-to-client communication. This writer recently used the free wireless in the food court of Pittsburgh's airport and found via a quick browse of My Network Places that the entire drives of numerous fellow wireless users were totally accessible. Both settings can be found in the wireless adapter's Network Properties.