Thinking of going wireless?


Benny
07-10-2004, 04:56 PM
Setting up Wireless

Okay, so you've decided to go wireless. What should you know and what should you do?


Wireless Standards

First, a brief intro into how 802.11 works.

There are three "modern" standards that have been ratified for use in the UK. You used to be able to buy "802.11" kit, but this was pre-802.11b, and there are no guarantees it'll work correctly.

First up is 802.11b. This is the basic wireless standard, and is based around CSMA/CD MAC using the 2.4GHz ISM band. This standard is supported by probably 95% of the wireless kit on sale in the UK today. It uses a single "channel", and gives you a choice of thirteen different ones to choose from (ETSI configuration). Only three of these channels are non-overlapping, however in a home setup you are unlikely to need to worry about this.

802.11b supports data rates of 1Mbit/sec, 2Mbit/sec, 5.5Mbit/sec and 11Mbit/sec. Data rate is inversely proportional to range, and the standard automatically drops the data rate the further from the access point you are. Typically, the fastest you'll transfer data over 802.11b is around 850Kb/sec.

Next, there's 802.11g. This uses the same radio band as 802.11b (2.4GHz), and is capable of operation at link speeds of up to 54Mbit/sec. The advantage of this is that this standard is directly backwards-compatible with 802.11b, so can support 11b and 11g clients. Handy if you have 802.11b NICs, and as investment protection for the future.

Finally, there's 802.11a. This isn't as popular for a number of reasons - it isn't backwardly compatible with existing 802.11b kit, and also uses the 5GHz radio band for its operation - not an issue in itself, but because of power limitations and poor penetration of this wavelength, coverage is significantly less than 802.11g.

So, for the purposes of this, we'll ignore 802.11a for now, and concentrate on 802.11b and 802.11g kit instead.


Security - The Achilles Heel Of Wireless

Sadly, the media hasn't done wireless any favours. Neither have the legions of people who latch onto what they've seen printed in a magazine of their choice, and wax lyrical about how insecure wireless networks are.

Well, much as I'd love to say that they're talking out of their backsides, this can be the case in a poorly designed wireless LAN.

So, how do you secure a wireless LAN?

Basically, you can't. By its very nature, it will always carry the risk of a security breach, however there are methods you can use to get around this.

The most obvious method is to use encryption. You will have heard of WEP. You will also hear the sharp intake of breath as people mutter to each other about how WEP is insecure, and has been broken... This is not strictly true. There are two "flavours" of WEP - WEP40 and WEP-128, the number denoting the number of bits used to encrypt the frame. Now, most people will think that the higher the level of encryption the better, and usually this is true, however the weakness in WEP is inherent, and involves the way the WEP standard handles the stream cipher at the heart of the protocol - a cipher from RSA Security called RC4.

RC4 is secure...however the way it is implemented in WEP is not. And this is a problem which is "solved" by means of the TKIP, or Temporal Key Integrity Protocol, which is shipping with most modern wireless products.

The enterprise method of securing a wireless LAN involves leveraging 802.1x, which is a port-level authentication protocol that requires a form of authentication, which does add an additional layer of security. It is also possible to use a function called WEP Key Rotation, which enables a WEP key to be assigned per connection, and then changed on a regular basis. The "attack" on WEP was demonstrated by Fluhrer, Mantin and Shamir (Google for details). They concluded that in order to recover enough encrypted frames to mount a brute-force attack on WEP-128, you'd need to capture frames between an access point and a single host for around an hour, assuming the connection was heavily loaded. On a lightly loaded connection, this could take many hours, if not days, to recover sufficient frames to mount the attack.

Anyway, Google is your friend there - find out all you can - it does make an interesting read.

But this is all a bit much for the home, so what can you do to secure your little network from the prying eyes of the world?

Well, this is actually pretty simple. Just don't be stupid. Change your static WEP keys every few weeks. Don't allow your SSID to be broadcast. Use a switched LAN instead of a hub.

Another good idea is to use VPNs. Set up a VPN service on a machine, and whenever a device connects to the wireless LAN, ensure it needs to establish a VPN connection (known to be secure) before it can talk to other resources on the network.

Basically, you need to make a LAN as secure as your paranoia stretches. To be honest, it's unlikely that the average home wireless LAN would be attacked, however it does pay to not take chances.

Internet Connections

So, which products should you use?

This kinda depends on your Internet connection, as the majority of people want to hook wireless up to their LAN and also provide an Internet connection (mobile porn, presumably!).

Now, it's important to consider what method you use to connect to the Internet.

If you're on dial-up using a phone line (56k), then...well, there's probably not a lot of point.

If you're using ADSL, you'll be wanting a Netgear DG834...

http://image.ebuyer.com/UK/P0052244_C0000039_P0000000.jpg (http://www.ebuyer.com/customer/products/index.html?action=c2hvd19wcm9kdWN0X292ZXJ2aWV3&product_uid=52244)

This is a very neat box...containing an ADSL modem, a four-port 10/100 Ethernet switch, an IP Router, a stateful firewall, and an 802.11g access point.


If you're using Cable, a Linksys WRT54G would be the box of choice...

http://image.ebuyer.com/UK/P0065373_C0000039_P0000000.jpg (http://www.ebuyer.com/customer/products/index.html?rb=2238249953&action=c2hvd19wcm9kdWN0X292ZXJ2aWV3&product_uid=65373)

Again, five devices in one box...a stateful firewall, 802.11g access point, 10/100 Ethernet switch, IP router and a "WAN" Ethernet connection that you can hook up to your cable modem or STB.

Client Adapters

So, you've got an access point / router in place...now you need something to allow your computer to talk wireless.

Basically, there are three different types of wireless NIC. There's a PCI NIC for desktop machines; a PCMCIA NIC for laptops; and even a USB NIC as well...802.11b for USB1.1, or 802.11g is available for USB2.0 equipped devices.

The brand doesn't really matter...they're all standards based, so will all interoperate together.




I'll add more to this as and when I can be bothered / am asked...hopefully this should be enough for people to start out with though.

B

Keefe
08-10-2004, 07:58 PM
Very good post,
I'm thinking of adding wireless atm as the 3rd laptop has entered the home now. Interesting read about the security side of things...

Benny
10-10-2004, 03:01 PM
Hopefully one of the mods will sticky this, so I didn't spend the best part of an hour writing it in vain!

B

Dr.Jones
11-10-2004, 11:18 AM
I don't know about on all bits of wireless kit/routers but you can also tie down the devices able to connect to the network by MAC address on most - which adds another level of security in some cases.
I've been on 802.11g for almost a year now and would recommend it to everyone.
For a smudge over £100 you can have a wireless router/ADSL modem/Switch box, a wireless PCI card and a wireless PC card for a laptop, it takes about an hour to set it all up including fitting cards and reading instructions :lol:

I live in a stone cottage and was well impressed with the signal strength and coverage through a few 2 feet thick walls and a couple of floors!

MattLaw
11-10-2004, 07:38 PM
Nice Benny, if you have any links available for the radio side they would be appreciated - will go check out ETSI now. :D

richard12345
13-10-2004, 06:51 PM
I recently went wireless with 2 laptops and a PC and it is so good being able to dial up any room in the house and share printers, this was all done for under £100 which I think is excellent.

Richard!
27-12-2004, 07:48 PM
I got wireless about a year ago, really handy.

As an extra security feature you can enable MAC filtering, this will give you control of who can access your wireless and who can't. This will prevent most people from gaining access, however you cannot rely on it alone. http://channels.lockergnome.com/it/archives/20041220_the_pitfalls_of_mac_filtering.phtml

If you use a combination of WEP, MAC filtering and stop broadcasting SSID, it should be very secure.